
I have been trying for a long time now to configure a site-to-site VPN connection between Amazon and a Checkpoint R75.20 (previously I tried with Azure), unsuccessfully. I have tried everything and followed lots of manuals, and I managed to get the tunnels up and connected, but I'm not able to see the private network from any of my instances.

When I try to do a traceroute to the server, it stops at the Virtual Private Gateway, and I'm sure that the problem is that it doesn't know where to send the packets (the VPG and the Customer Gateway are linked through the VPN tunnels), so I'm trying to configure the route tables and the static addresses, but it's not working.

Any leads on this? I'm still learning about VPNs, but other examples I have seen are pretty straightforward, so I can't find much documentation. The best I had was that when I pinged the server, it returned "Destination Net Unreachable".

Also the configuration of the VPN says something about the "next hop", is that configuration mine or for the firewall admin?

Thank you, and if you need any information please ask.

Configuration right now:
  • 2 subnets: 1 private, 1 public
  • 1 Virtual Private Gateway
  • 1 Internet Gateway
  • 1 Customer Gateway (pointing to the firewall) (static)
  • 2 route tables (here I think I can fix everything, but I have 3 items: the local subnet, the internet, and the VPN subnet, this last one pointing to the Virtual Private Gateway)
  • 1 VPN connection with 2 tunnels (this firewall only admits 1 tunnel per IP range, so I can have only one active at the same time, and in the configuration I can add static addresses, where I have the VPN subnet)
  • 1 Linux instance in the VPC network, public subnet.

Asfura
    Under the "VPN Connection" object in VPC there is a tab where you also need to declare static routes to your corporate network's private IP address space. Is that set? "Destination net unreachable" messages may include the IP of the networking device that is "reporting" the unreachability to you. Which device is that? Also, see if [any of this overview](http://stackoverflow.com/questions/19793111/aws-vpc-public-web-application-connecting-to-database-via-vpn/19801443#19801443) helps. – Michael - sqlbot Nov 12 '13 at 00:54
  • Yes it is set (it's actually only one ip, so I declared it with /32). – Asfura Nov 12 '13 at 01:09
  • Yes it is set, and because it is only one ip I declared it with /32. Thank you for that page, the names are very counter-intuitive, and the instructions on the manuals are way too vague. – Asfura Nov 12 '13 at 01:10
  • There's only one IP address on your corporate network that needs access to/from the VPC servers? This is the configuration for the address of the machine (or machines, typically) inside the corporate network that need to access the VPC. One seems like a small number. (Just trying to make sure we're discussing the same thing.) – Michael - sqlbot Nov 12 '13 at 01:15
  • I'm trying to connect, from an Amazon instance (or Azure, I really don't care), to an SMPP server behind a firewall, and of course get the answer from the server on the instance in the VPC. – Asfura Nov 12 '13 at 01:25
  • The people that offer the SMPP server have a firewall that only allows site-to-site. – Asfura Nov 12 '13 at 01:25

1 Answer


I solved it by doing a classic "have you tried turning it off and on again?"; in other words, I removed everything and started from scratch using the VPC Wizard, creating 2 subnets, one private and one public, and after the Wizard adding the Virtual Private Gateway to the route table under Route Propagation, so it adds the static route to my company's subnet (the SMPP server in this case).

One problem I faced is that the tunnel kept dying after a while without packet transfer, so I added a cron job to ping it every minute.

Asfura
  • perhaps you could mark your answer as correct, to prevent the question being bumped to the home page occasionally. – Tim Dec 10 '18 at 07:00
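The AWS-side fix the thread converged on (a static route on the VPN connection for the corporate address, route propagation from the Virtual Private Gateway into the instance's route table, and the per-minute ping keepalive from the answer), written out as an added example that is not code from the original post or from AWS: a POSIX sh script that prints the AWS CLI calls for review and runs them only when asked. Every resource ID, address and path in it is an assumed placeholder, and the function names `valid_cidr`, `routing_plan`, `keepalive` and `cron_line` are chosen here.

```shell
#!/bin/sh
# Added example, not code from the original post or from AWS: the routing fix
# from the thread as AWS CLI calls that are printed for review ("plan") and
# only executed on request ("apply"), plus the per-minute ping keepalive from
# the answer. All IDs, addresses and paths are placeholder assumptions.

VPN_ID="${VPN_ID:-vpn-0123456789abcdef0}"     # existing VPN connection (static routing)
VGW_ID="${VGW_ID:-vgw-0123456789abcdef0}"     # Virtual Private Gateway attached to the VPC
RTB_ID="${RTB_ID:-rtb-0123456789abcdef0}"     # route table of the subnet holding the instance
ONPREM_CIDR="${ONPREM_CIDR:-10.20.30.40/32}"  # the SMPP server behind the corporate firewall
KEEPALIVE_LOG="${KEEPALIVE_LOG:-/var/log/vpn-keepalive.log}"

# Reject a malformed destination before it reaches a route table: the shape
# must be a.b.c.d/n with each octet 0-255 and n in 0-32.
valid_cidr() {
  case "$1" in
    *[!0-9./]*|*/|/*) return 1 ;;
    */[0-9]|*/[12][0-9]|*/3[0-2]) ;;
    *) return 1 ;;
  esac
  ip="${1%/*}"
  set -- $(printf '%s' "$ip" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ "$o" -le 255 ] 2>/dev/null || return 1
  done
  return 0
}

# Step 1: a static route on the VPN connection for the corporate address space
# (the "static routes" the comment thread asks about). Step 2: let the VGW
# propagate that route into the instance's route table, so packets for
# ONPREM_CIDR go to the VGW instead of the Internet Gateway. Step 3: read the
# table back to confirm a route whose GatewayId is the VGW.
routing_plan() {
  valid_cidr "$ONPREM_CIDR" || { echo "bad ONPREM_CIDR: $ONPREM_CIDR" >&2; return 1; }
  cat <<EOF
aws ec2 create-vpn-connection-route --vpn-connection-id $VPN_ID --destination-cidr-block $ONPREM_CIDR
aws ec2 enable-vgw-route-propagation --route-table-id $RTB_ID --gateway-id $VGW_ID
aws ec2 describe-route-tables --route-table-ids $RTB_ID --query 'RouteTables[0].Routes'
EOF
}

# The answer's workaround for a tunnel that drops when idle: one ping a minute
# so there is always traffic for the tunnel, logged so a flapping tunnel is
# visible in the log rather than only as SMPP timeouts.
keepalive() {
  host="${ONPREM_CIDR%/*}"
  if ping -c 1 -W 2 "$host" >/dev/null 2>&1; then state=up; else state=down; fi
  printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$host" "$state" >>"$KEEPALIVE_LOG"
  [ "$state" = up ]
}

# crontab line that runs the keepalive every minute; $1 is the installed path.
cron_line() {
  printf '* * * * * %s keepalive\n' "$1"
}

case "${1:-plan}" in
  plan)      routing_plan ;;
  apply)     routing_plan | sh -e ;;   # executes the plan printed by "plan"
  keepalive) keepalive ;;
  cron)      cron_line "${2:-$0}" ;;
  *)         echo "usage: $0 plan|apply|keepalive|cron [path]" >&2; exit 2 ;;
esac
```

Run it with no arguments to see the three commands, `apply` to execute them with credentials that are allowed to, and `cron` to get the crontab line. The "next hop" in the configuration file AWS generates for the VPN connection belongs to the other side: it is the route the firewall administrator sets toward the tunnel, and nothing here touches it. Two things the script cannot do for you: the security group and network ACL of the instance's subnet still have to allow the SMPP traffic and its replies, and the keepalive only hides an idle timeout; if the tunnel drops for another reason the "down" lines in the log are the first place to look.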