In order to allow instances in a VPC in Oregon (us-west-2) to contact instances in another VPC in Ireland (eu-west-1), I've installed OpenSwan gateway machines in both regions and established an IPsec tunnel between the two regions, which operates properly.
Details:
Oregon VPC CIDR: 172.31.0.0/16
Ireland VPC CIDR: 172.91.0.0/16
In Ireland, I've used a CloudFormation template which I wrote to create a new stack which, among other things, creates a new isolated VPC; one of the tasks that CloudFormation runs is to peer the default Ireland VPC with the newly created (isolated) VPC.
The new isolated VPC CIDR: 172.52.0.0/16.
At the moment, if I run a ping command from an instance residing in the default VPC in Oregon (172.31.x.x) toward an instance residing in the Ireland default VPC (172.91.x.x) it works like a charm.
Next, I would like machines in the new isolated VPC (172.52.x.x) to be able to reach instances in the default VPC in Oregon (172.31.x.x).
The route table which is associated with the default VPC in Oregon is configured to route traffic:
to: 172.52.0.0/16 GW: Interface of the OpenSwan server in Oregon.
to: 172.91.0.0/16 GW: Interface of the OpenSwan server in Oregon.
The route table which is associated with the default VPC in Ireland is configured to route traffic:
to: 172.31.0.0/16 GW: Interface of the OpenSwan server in Ireland.
to: 172.52.0.0/16 GW: The peering connection ID (between 172.52.x.x and 172.91.x.x)
Security group attached to the OpenSwan instance in Oregon:
Allows all traffic to 172.52.0.0/16, 172.91.0.0/16, 172.31.0.0/16.
Allows UDP 500 and 4500 to the EIP of the OpenSwan instance in Ireland.
Security group attached to the OpenSwan instance in Ireland:
Allows all traffic to 172.52.0.0/16, 172.91.0.0/16, 172.31.0.0/16.
Allows UDP 500 and 4500 to the EIP of the OpenSwan instance in Oregon.
ipsec.conf:
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:172.91.0.0/16,%v4:172.52.0.0/16,%v4:25.0.0.0/8,%v4:172.31.0.0/16,%v4:172.59.0.0/20,%v6:fd00::/8,%v6:fe80::/10
    oe=off

include /etc/ipsec.d/*.conf
I am able to ping an instance residing in the default VPC of Oregon from each of the OpenSwan machines (Oregon/Ireland) and vice versa, but I'm unable to ping that instance from an instance residing in the 172.52.0.0/16 VPC.
Which route do you think I'm missing? I need to allow instances in the isolated VPC in Ireland to reach the default VPC in Oregon.
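The following is an added example, not part of the question above and not the poster's code: a small Python model of the three route tables described in the post that traces a packet hop by hop and reports where it stops. The isolated VPC's route table is not given in the post, so the model assumes it has a local route plus routes to both 172.31.0.0/16 and 172.91.0.0/16 via the peering connection; the VPC and gateway names are my own labels. The one rule of AWS behaviour it encodes is that VPC peering is not transitive: a packet handed to a peering connection is delivered only if its destination lies inside the peer VPC's own CIDR, otherwise it is dropped. Under those assumptions the trace reproduces the symptom in the question (172.91 to 172.31 works, 172.31 to 172.52 works, 172.52 to 172.31 does not) and shows which hop drops the forward direction.

```python
"""Hop-by-hop route trace over the VPC route tables described in the post.

Constructed model: VPC CIDRs, route tables and gateway names are taken from
the question; the "ireland-isolated" table is an ASSUMPTION (not in the post).
"""
from ipaddress import ip_address, ip_network

VPCS = {
    "oregon-default":   ip_network("172.31.0.0/16"),
    "ireland-default":  ip_network("172.91.0.0/16"),
    "ireland-isolated": ip_network("172.52.0.0/16"),
}

# Route tables as (prefix, next_hop). Next-hop kinds:
#   ("local",)          deliver inside this VPC
#   ("instance", name)  hand the packet to an EC2 router (an OpenSwan gateway)
#   ("pcx", peer_vpc)   VPC peering connection to peer_vpc
ROUTE_TABLES = {
    "oregon-default": [
        ("172.31.0.0/16", ("local",)),
        ("172.52.0.0/16", ("instance", "openswan-oregon")),
        ("172.91.0.0/16", ("instance", "openswan-oregon")),
    ],
    "ireland-default": [
        ("172.91.0.0/16", ("local",)),
        ("172.31.0.0/16", ("instance", "openswan-ireland")),
        ("172.52.0.0/16", ("pcx", "ireland-isolated")),
    ],
    # ASSUMED: not shown in the question.
    "ireland-isolated": [
        ("172.52.0.0/16", ("local",)),
        ("172.31.0.0/16", ("pcx", "ireland-default")),
        ("172.91.0.0/16", ("pcx", "ireland-default")),
    ],
}

# The IPsec tunnel: a packet given to one gateway re-enters the network from
# the other gateway, inside that gateway's VPC.
TUNNEL_PEER = {
    "openswan-oregon":  ("openswan-ireland", "ireland-default"),
    "openswan-ireland": ("openswan-oregon", "oregon-default"),
}


def lookup(vpc, dst):
    """Longest-prefix match in a VPC route table; None when nothing matches."""
    best = None
    for prefix, hop in ROUTE_TABLES[vpc]:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best


def trace(src, dst, max_hops=8):
    """Return (path, status); status is 'ok' or a reason the packet stopped."""
    src, dst = ip_address(src), ip_address(dst)
    vpc = next(name for name, cidr in VPCS.items() if src in cidr)
    path = [vpc]
    for _ in range(max_hops):
        match = lookup(vpc, dst)
        if match is None:
            return path, f"no route to {dst} in {vpc}"
        hop = match[1]
        if hop[0] == "local":
            return path + ["delivered"], "ok"
        if hop[0] == "instance":
            # The gateway encrypts the packet; it pops out of the far gateway
            # and is then routed by the far VPC's route table.
            far_gw, vpc = TUNNEL_PEER[hop[1]]
            path += [hop[1], far_gw, vpc]
            continue
        if hop[0] == "pcx":
            peer = hop[1]
            path.append(f"pcx->{peer}")
            # VPC peering is not transitive: the peer accepts a packet only
            # if it is addressed to the peer's own CIDR.
            if dst not in VPCS[peer]:
                return path, (f"dropped: {dst} is outside {peer} "
                              f"({VPCS[peer]}); peering is not transitive")
            vpc = peer
            path.append(vpc)
            continue
    return path, "hop limit reached (routing loop?)"


if __name__ == "__main__":
    for s, d in [("172.91.0.10", "172.31.0.10"),   # Ireland default -> Oregon
                 ("172.31.0.10", "172.52.0.10"),   # Oregon -> isolated
                 ("172.52.0.10", "172.31.0.10")]:  # isolated -> Oregon
        path, status = trace(s, d)
        print(f"{s} -> {d}: {status}\n    " + " -> ".join(path))
```

Running it prints the three traces; the first two end in "ok" and the third stops at the peering connection out of the isolated VPC, because the destination 172.31.0.10 is not inside the peer VPC's 172.91.0.0/16. Swapping in the real contents of the isolated VPC's route table for the assumed one is the first thing to do before drawing conclusions from the output.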