Site-to-Site VPN - On-prem network connectivity across AWS VPC subnets?

0

I've configured a single Site-to-Site VPN connection between my on-prem lab network and my AWS VPC subnet (see sample diagram at https://docs.aws.amazon.com/vpn/latest/s2svpn/Examples.html#SingleVPN )

Site-to-Site VPN Connection configuration details

On-Prem subnet:  192.168.0.0/24  
AWS subnet:  172.31.32.0/20  

I'm able to ping private IP addresses both to/from EC2 instances residing in both subnets with no problems.

192.168.0.0/24 <------> 172.31.32.0/20 GOOD

However, I need to be able to also access my on-prem lab subnet from another AWS Subnet-- 172.31.64.0/20.

192.168.0.0/24 <------> 172.31.64.0/20

Is this supported or do I need another S2S VPN connection? So far, I've seen and recorded inconsistent behavior. At one point, I was able to ping from 172.31.64.0/20 to the on-prem subnet 192.168.0.0/24. It no longer works. And as far as I know, I've never been able to ping from the on-prem subnet to the subnet 172.31.64.0/20.

I've had trouble finding any support docs regarding what seems to be a very basic issue. I may be missing something simple here, so any advice would be greatly appreciated. I realize there may be limitations due to my on-prem VPN device, Meraki MX60 (does not support BGP, nor active/standby tunnels).

Thanks in Advance.

Edited by: djl2 on Apr 8, 2019 2:41 PM

More info-- It appears my on-prem Meraki VPN device can support only 1 AWS subnet per VPN connection. Final (dumb) question: Is there any possible way to configure the network so that traffic from my on-prem network to the AWS subnet can be routed through to an additional AWS subnet?

From the AWS S2S VPN configuration text file--

! AWS hosted VPN solution is a route-based solution, since Cisco Meraki only supports policy-based solution you will need to limit to a single SA. So please make sure to
! select "yes" for just one subnet, if you have more than one subnet, consolidate them into a single subnet before proceeding with the VPN configuration.

Under Organization-wide settings --> Non-Meraki VPN peers  
Name: ipsec-vpn-0xxxxxxxxxxx  
Public IP: 18.x.x.x  
Private subnets: <vpc_subnet>/<vpc_subnet_mask>  
IPsec policies: Click “Default”, select “AWS” under the Preset menu and "Update"  
Preshared secret: t4xxxxxxxxxxxxxxx  
Availability: All networks
djl2
asked 5 years ago · 597 views
1 Answer
0

I found the answer for my situation. It's quite simple actually (as I figured it would be).

On my on-prem network's VPN connection settings (Meraki device), I changed the "private subnets" value to use the entire VPC CIDR block value (172.31.0.0/16) instead of a single subnet CIDR block (172.31.32.0/20). I'm now able to ping all AWS subnets from my on-prem lab network.

Final note: Even though I was originally attempting to access another single subnet from my on-prem network, I'm fine with allowing S2S VPN connectivity to all other subnets on the VPC as well.

djl2
answered 5 years ago
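The behaviour in this thread follows from how a policy-based IPsec peer works: only traffic that matches the single configured (local, remote) selector pair is sent through the tunnel, so packets to 172.31.64.0/20 are simply not covered when the remote side is 172.31.32.0/20. The script below is an added illustration, not code from djl2's post nor from Meraki or AWS; it models the selector check as a plain "is the address inside the configured prefix" test (a simplification of real IPsec SA matching), shows why widening the remote side to the VPC CIDR fixes reachability, and also computes the smallest single prefix that covers a set of subnets (the "consolidate them into a single subnet" advice from the AWS configuration text) along with how many extra addresses that consolidation exposes to the tunnel, which is the number a defender would want to scope with security groups and NACLs.

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple

# Constructed to mirror the thread: one on-prem lab subnet and two VPC subnets.
ONPREM = ipaddress.ip_network("192.168.0.0/24")
VPC_SUBNET_A = ipaddress.ip_network("172.31.32.0/20")   # originally configured
VPC_SUBNET_B = ipaddress.ip_network("172.31.64.0/20")   # the subnet that was unreachable
VPC_CIDR = ipaddress.ip_network("172.31.0.0/16")        # the value used in the fix

# A policy-based peer holds (local, remote) traffic selectors; the Meraki side in
# this thread supports a single SA, so the list normally has exactly one entry.
Selector = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]


def matching_selector(src: str, dst: str, selectors: Iterable[Selector]) -> Optional[Selector]:
    """Return the first selector that covers the src->dst flow in either direction.

    None means the flow would not be placed into the tunnel at all (simplified
    model of policy-based IPsec selector matching; assumption, not Meraki logic).
    """
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for local, remote in selectors:
        if (s in local and d in remote) or (s in remote and d in local):
            return (local, remote)
    return None


def consolidate(subnets: Iterable[str]) -> ipaddress.IPv4Network:
    """Smallest single prefix that contains every given subnet.

    Repeatedly widens the running prefix until each subnet fits inside it.
    """
    nets: List[ipaddress.IPv4Network] = [ipaddress.ip_network(n) for n in subnets]
    result = nets[0]
    for net in nets[1:]:
        while not net.subnet_of(result):
            result = result.supernet()
    return result


def extra_exposure(subnets: Iterable[str], consolidated: ipaddress.IPv4Network) -> int:
    """Addresses covered by the consolidated prefix that were not in any original subnet."""
    wanted = sum(ipaddress.ip_network(n).num_addresses for n in subnets)
    return consolidated.num_addresses - wanted


def reachability_report(selectors: List[Selector]) -> dict:
    """Evaluate the two flows from the thread against a selector configuration."""
    flows = {
        "onprem->subnet_a": ("192.168.0.10", "172.31.32.5"),
        "onprem->subnet_b": ("192.168.0.10", "172.31.64.5"),
    }
    return {name: matching_selector(s, d, selectors) is not None for name, (s, d) in flows.items()}


if __name__ == "__main__":
    before = reachability_report([(ONPREM, VPC_SUBNET_A)])
    after = reachability_report([(ONPREM, VPC_CIDR)])
    print("single-subnet selector:", before)   # subnet_b False
    print("VPC-CIDR selector:     ", after)    # both True

    wanted = ["172.31.32.0/20", "172.31.64.0/20"]
    tight = consolidate(wanted)
    print("smallest covering prefix:", tight, "extra addresses:", extra_exposure(wanted, tight))
    print("VPC CIDR extra addresses:", extra_exposure(wanted, VPC_CIDR))
```

Running it shows the failure mode described in the question (the second flow never matches the single-subnet selector) and the fix from the answer. The consolidation helper also shows a middle ground: 172.31.0.0/17 is the tightest single prefix covering both /20s and exposes 24,576 additional addresses to the tunnel, versus 57,344 for the full /16; whichever is chosen, the tunnel selector only decides what is encrypted, so restricting which on-prem hosts may reach the extra subnets still belongs in the VPC route table, security groups and NACLs.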
