Forum Discussion

shopkeeper56_23
Jun 28, 2016

IPSec VPN in AWS Not Routing

Hi,

I have a BIG-IP set up in AWS and I am attempting to join it with my internal network by configuring an IPsec VPN between the BIG-IP and the VPN concentrator in my network. The VPN itself seems to be functioning, but I seem to be having issues with the routing in AWS. I have successfully performed similar scenarios of setting up VPN concentrators inside EC2 and joining on-prem networks to them as an alternative to using a VPC-provisioned VPN, but never with a BIG-IP.

The high-level configuration is as follows...

On Prem Network: 192.168.1.0/24
VPC: 10.0.0.0/16
Public Subnet: 10.0.0.0/24
Private Subnet: 10.0.1.0/24
Management Subnet: 10.0.100.0/25

F5 IPs
Management: 10.0.100.1
External: 10.0.0.1 (EIP NAT)
Internal: 10.0.1.1
Virtual Server: 10.0.0.2

Public Server: 10.0.0.10
Private Server: 10.0.1.10

I have configured an IKE peer on the public interface of my on-prem firewall as per this guide, using the external self IP of the F5, and the VPN is connected fine. I have a bi-directional traffic selector which uses 10.0.0.0/16 and 192.168.1.0/24 on any protocol. I have a static route on my firewall which directs 10.0.0.0/16 down the tunnel. I have set up routing inside the VPC to point traffic destined to 192.168.1.0/24 to the external ENI of the F5.

Here is how connectivity stands...

192.168.1.0/24 > F5 External Self IP | SUCCESS
192.168.1.0/24 > F5 Virtual Server | SUCCESS
192.168.1.0/24 > F5 Private Self IP | FAILED
192.168.1.0/24 > F5 Management IP | FAILED
192.168.1.0/24 > Public Server | FAILED
192.168.1.0/24 > Private Server | FAILED
F5 > 192.168.1.0/24 | SUCCESS
Public/Private Server | FAILED

TCP dumps from the F5 reveal that in every case of failed connectivity sourced from 192.168.1.0/24, the F5 sees the ICMP request but it doesn't seem to go further than that. Even IPs that are directly connected, like the Private Self IP, do not respond to ping, which I find baffling. Pings sourced from EC2 instances do not even seem to reach the F5 instance, which I again don't understand. As I mentioned before, I have performed similar setups of routing traffic to the ENI of a firewall which then routes traffic down a VPN. Is this behaviour not supported by the BIG-IP?

I realise this is more of an AWS routing question than an F5 question, but, like I say, I have done very similar implementations with AWS VPC routing and it has worked fine, hence my confusion.

Thanks
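An added example, not from the original post or from F5: a small model of the route tables in the setup above that traces both the request and the reply for each flow, since a ping only works when both directions have a path. The table contents, the client address 192.168.1.50 and, in particular, the private subnet's table lacking a route for 192.168.1.0/24 are assumptions written into the model, not facts from the post.

```python
from ipaddress import ip_address, ip_network
# Constructed model of the topology in the post. A route target is another table
# name (the packet is handed to that device or subnet), "deliver" (destination is
# directly attached) or any other label (the packet leaves the modelled network).
ROUTE_TABLES = {
    "on_prem": [("192.168.1.0/24", "deliver"), ("10.0.0.0/16", "f5"), ("0.0.0.0/0", "internet")],
    "f5":      [("192.168.1.0/24", "on_prem"), ("10.0.0.0/24", "deliver"), ("10.0.1.0/24", "deliver")],
    "public":  [("10.0.0.0/16", "deliver"), ("192.168.1.0/24", "f5"), ("0.0.0.0/0", "igw")],
    # ASSUMPTION: the private subnet's table has no route for the on-prem prefix.
    "private": [("10.0.0.0/16", "deliver"), ("0.0.0.0/0", "nat_gw")],
}
# The F5's own addresses use its routing table; other hosts use their subnet's table.
F5_ADDRESSES = {"10.0.0.1", "10.0.1.1", "10.0.0.2"}
SUBNETS = [("192.168.1.0/24", "on_prem"), ("10.0.0.0/24", "public"), ("10.0.1.0/24", "private")]

def table_for(host):
    if host in F5_ADDRESSES:
        return "f5"
    addr = ip_address(host)
    return next((t for net, t in SUBNETS if addr in ip_network(net)), None)

def lookup(table, dst):
    """Longest-prefix match over one table, as a VPC route table does."""
    addr = ip_address(dst)
    hits = [(ip_network(n), t) for n, t in ROUTE_TABLES[table] if addr in ip_network(n)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def trace(src, dst, max_hops=8):
    """Follow a packet table by table; returns (delivered, [hops])."""
    table, hops = table_for(src), []
    while table in ROUTE_TABLES and len(hops) < max_hops:
        hops.append(table)
        target = lookup(table, dst)
        if target == "deliver":
            return True, hops
        table = target
    hops.append(str(table))  # where the packet left the model (or None for no route)
    return False, hops

def check_flow(a, b):
    """A ping works only if both the request and the reply are delivered."""
    fwd, fwd_hops = trace(a, b)
    ret, ret_hops = trace(b, a)
    return {"forward": fwd, "return": ret, "forward_path": fwd_hops, "return_path": ret_hops}

if __name__ == "__main__":
    for name, dst in [("F5 external", "10.0.0.1"), ("public server", "10.0.0.10"), ("private server", "10.0.1.10")]:
        r = check_flow("192.168.1.50", dst)  # constructed on-prem client address
        print(f"{name:14} forward={r['forward']} return={r['return']} return path: {' > '.join(r['return_path'])}")
```

Under these assumptions the model reproduces the working F5 external self IP case and shows the private server's reply leaving via the default route instead of the F5, while the public server's routes look complete, so that failure would have to be explained by something the route tables alone do not capture.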