Wednesday, October 9, 2019

AWS VPN - Multiple site-to-site VPN connections - Juniper SRX

Hi all, not sure if this should fall under the AWS subreddit instead, but it seems like this sub would be a good place to get started.

I am trying to set up 4 site-to-site VPN connections using AWS's VPN solution; the specific scenario is listed under "Multiple Site-to-Site VPN Connections" in the s2s examples page, https://docs.aws.amazon.com/vpn/latest/s2svpn/Examples.html

I have 4 offices, each office has a Juniper SRX on site. The requirement is that the EC2 instance in the VPC needs to be able to communicate with servers on each office location.

IP addresses:

AWS VPC Subnet: 10.0.1.0/16
Office "A" subnet: 172.21.25.0/24
Office "B" subnet: 172.21.26.0/24

I followed the AWS Administration documentation and got the IPSec Tunnels up on the SRX in office "A". This route propagates successfully to the subnet (adds 0.0.0.0/0 to the routing table linked to the subnet), and from the SRX I can ping the EC2 instance successfully.

My next step was to get Office "B" up and running. I followed the same step for office "B" and the tunnels come up successfully. As soon as the tunnel from Office "B" was up and running, I was no longer able to ping the EC2 instance from Office "A".
I guessed this was due to the route 0.0.0.0/0 being advertised by both my SRX devices, so I tried adding the correct subnet route on each of the SRX devices, as follows:

On the office A router:
set policy-options policy-statement EXPORT-DEFAULT term default from route-filter 172.21.25.0/24 exact

On the office B router:
set policy-options policy-statement EXPORT-DEFAULT term default from route-filter 172.21.26.0/24 exact

I also removed the 0.0.0.0/0 route-filter from both devices.

Once these commands were committed, the routes were advertised to AWS, and they propagated to the routing table, but I am still not able to get any traffic to the VPC/EC2 instance.

How do I get traffic from my VPC/EC2 instance to both my connected offices via the AWS VPN?
This line in the AWS generated config bothers me:

# To advertise additional prefixes to Amazon VPC, add additional prefixes to the "default" term
# EXPORT-DEFAULT policy. Make sure the prefix is present in the routing table of the device with
# a valid next-hop.
What does the above refer to, exactly? This can't be a static route for the local subnet in each office.

At the moment I can only get one office to communicate with the VPC/EC2 instance at a time.

Config generated by AWS located here (sensitive details removed): https://pastebin.com/AP09QC19

Many thanks
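The comment quoted from the AWS-generated config has two requirements: the prefix must appear in the "default" term of EXPORT-DEFAULT, and the same prefix must already be in the SRX routing table with a usable next-hop, otherwise the route-filter matches nothing and BGP advertises nothing. The Junos fragment below is an added example for the Office "A" SRX (it is not the poster's configuration and not the AWS-generated file from the pastebin link). The LAN interface name, the second LAN prefix and its next-hop, the "reject" term, and the security-zone names are assumptions.

```junos
## Added example, not the poster's or AWS's config. Office "A" SRX only; Office "B" gets the
## same structure with its own 172.21.26.0/24 prefix and must NOT export 0.0.0.0/0.

## 1. The prefix has to be in the routing table with a valid next-hop before it can be exported.
##    172.21.25.0/24 is directly connected here (interface name is an assumption), so the route
##    exists as soon as the interface is up; a "show route 172.21.25.0/24" should show it as Direct.
set interfaces ge-0/0/1 unit 0 family inet address 172.21.25.1/24

## 2. Export only this office's LAN prefix to AWS. Multiple route-filter lines in one term are
##    OR'ed, so extra prefixes are simply added to the same "default" term. No 0.0.0.0/0 line, so
##    the two sites no longer propagate the same default route into the VPC route table.
set policy-options policy-statement EXPORT-DEFAULT term default from route-filter 172.21.25.0/24 exact
set policy-options policy-statement EXPORT-DEFAULT term default then accept
## Explicit final reject so nothing else (e.g. routes learned from the other tunnel) leaks to AWS
## (term name is an assumption; the AWS file normally ships an equivalent term).
set policy-options policy-statement EXPORT-DEFAULT term reject-rest then reject

## 3. A LAN behind another internal router is not in the table by itself: add a static route
##    first, then the matching route-filter (hypothetical prefix and next-hop, for illustration).
set routing-options static route 172.21.27.0/24 next-hop 172.21.25.254
set policy-options policy-statement EXPORT-DEFAULT term default from route-filter 172.21.27.0/24 exact

## 4. Advertised routes only move packets if the SRX security policy permits the traffic between
##    the tunnel zone (st0 interfaces) and the LAN zone. Zone names "vpn" and "trust" are assumed.
set security policies from-zone vpn to-zone trust policy aws-to-lan match source-address any
set security policies from-zone vpn to-zone trust policy aws-to-lan match destination-address any
set security policies from-zone vpn to-zone trust policy aws-to-lan match application any
set security policies from-zone vpn to-zone trust policy aws-to-lan then permit
set security policies from-zone trust to-zone vpn policy lan-to-aws match source-address any
set security policies from-zone trust to-zone vpn policy lan-to-aws match destination-address any
set security policies from-zone trust to-zone vpn policy lan-to-aws match application any
set security policies from-zone trust to-zone vpn policy lan-to-aws then permit
```

After committing, "show route advertising-protocol bgp <AWS tunnel peer IP>" lists exactly what this SRX is sending to AWS; if 172.21.25.0/24 is missing there, the route-filter is not matching a route in the table, which is the condition the AWS comment warns about. "show route receive-protocol bgp <AWS tunnel peer IP>" shows the VPC CIDR learned back, and "show security flow session" confirms whether packets between the VPC and the LAN are actually being permitted by the zone policy rather than silently dropped.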
