Extending VPN Connectivity to Amazon AWS VPC using AWS VPC VPN Gateway Service

lefty
OpenVpn Newbie
Posts: 5
Joined: Tue Jun 06, 2017 12:43 pm

Extending VPN Connectivity to Amazon AWS VPC using AWS VPC VPN Gateway Service

Post by lefty » Tue Jun 06, 2017 12:52 pm

Hi all,

The tutorial seems not to be functional: https://docs.openvpn.net/how-to-tutoria ... y-service/


Following this tutorial, it seems that the tunnel is properly UP, but in the end it is not possible to ping the instances using the private IPs.
Here is a stackoverflow thread: https://stackoverflow.com/questions/431 ... iled-error

The problem seems to be this specific part of the log:
generating INFORMATIONAL_V1 request 932342866 [ HASH N(DPD) ]
Jun 6 12:45:39 charon: 09[NET] sending packet: from 172.21.0.3[4500] to xx.xx.xx.xx[4500] (92 bytes)
Jun 6 12:45:39 charon: 07[KNL] querying policy failed: No such file or directory (2)
Jun 6 12:45:39 charon: 07[KNL] querying policy failed: No such file or directory (2)


Any idea how to solve the problem?

Thank you!

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Extending VPN Connectivity to Amazon AWS VPC using AWS VPC VPN Gateway Service

Post by TinCanTech » Tue Jun 06, 2017 3:31 pm

lefty wrote: The tutorial seems not to be functional: https://docs.openvpn.net/how-to-tutoria ... y-service/
Quoth "The Raven" ..
  • Prerequisites

    To begin, you will need a working OpenVPN Access Server setup ..
Which version of Access Server etc. are you using?

novaflash
OpenVPN Inc.
Posts: 1073
Joined: Fri Apr 13, 2012 8:43 pm

Re: Extending VPN Connectivity to Amazon AWS VPC using AWS VPC VPN Gateway Service

Post by novaflash » Tue Jun 06, 2017 3:41 pm

That tutorial is based on our VMWare ESXi image of OpenVPN Access Server and has been tested to work with Amazon's gateway systems.

If you can't ping private IP addresses, find out why you can't do that, by doing ping tests. Generally on AWS you need to adjust security groups, and you need to disable source checking, and set up static routing, and so on. It's not an easy thing to do but the guide is still good.
I'm still alive, just posting under the openvpn_inc alias now as part of a larger group.
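The three AWS-side causes novaflash lists (security groups, source/destination check, static routing) can be turned into a checklist that runs against the JSON the AWS CLI already gives you. The block below is an added example for this thread, not code from the original post, from OpenVPN or from AWS. It audits dicts shaped like the output of `aws ec2 describe-route-tables`, `aws ec2 describe-security-groups` and `aws ec2 describe-instance-attribute --attribute sourceDestCheck`; every ID, CIDR and rule in it is a constructed placeholder, and `instance_forwards` is an assumed flag for "this instance routes or NATs traffic" (the only case in which the source/destination check has to be off).

```python
"""Added example: audit the AWS-side settings that usually break reachability
over a VPC VPN Gateway tunnel (route table, security group, source/dest check).
The dicts mirror the JSON returned by `aws ec2 describe-route-tables`,
`describe-security-groups` and `describe-instance-attribute --attribute
sourceDestCheck`; every value below is CONSTRUCTED for this example."""
import ipaddress
from typing import List, Optional

# Placeholders (assumptions for the example, not values from the thread):
ONPREM_CIDR = "172.21.0.0/24"        # LAN behind the on-prem IPsec endpoint
VGW_ID = "vgw-0123456789abcdef0"     # virtual private gateway attached to the VPC


def route_covers(route_table: dict, dest_cidr: str, vgw_id: str) -> bool:
    """True if an *active* route (static or VGW-propagated) sends dest_cidr to vgw_id."""
    want = ipaddress.ip_network(dest_cidr)
    for route in route_table.get("Routes", []):
        cidr = route.get("DestinationCidrBlock")
        if not cidr or route.get("State") != "active":   # skip IPv6/blackhole entries
            continue
        if route.get("GatewayId") != vgw_id:
            continue
        if want.subnet_of(ipaddress.ip_network(cidr)):
            return True
    return False


def sg_allows(security_group: dict, src_cidr: str, proto: str,
              port: Optional[int] = None) -> bool:
    """True if an inbound rule permits proto (and port, for tcp/udp) from src_cidr.
    IpProtocol "-1" means all traffic. ICMP rules carry type/code in From/ToPort,
    not ports, so they are matched on protocol and source range only."""
    src = ipaddress.ip_network(src_cidr)
    for perm in security_group.get("IpPermissions", []):
        ip_proto = perm.get("IpProtocol")
        if ip_proto not in ("-1", proto):
            continue
        if ip_proto in ("tcp", "udp") and port is not None:
            if not perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535):
                continue
        for rng in perm.get("IpRanges", []):
            if src.subnet_of(ipaddress.ip_network(rng["CidrIp"])):
                return True
    return False


def audit_vpc_path(route_table: dict, security_group: dict, instance_attr: dict, *,
                   onprem_cidr: str, vgw_id: str, probe=("icmp", None),
                   instance_forwards: bool = False) -> List[str]:
    """Return human-readable findings; an empty list means the AWS side looks right
    for `probe` traffic (protocol, port) arriving from onprem_cidr."""
    findings = []
    if not route_covers(route_table, onprem_cidr, vgw_id):
        findings.append(f"{route_table.get('RouteTableId')}: no active route for "
                        f"{onprem_cidr} via {vgw_id} (enable propagation or add a static route)")
    proto, port = probe
    if not sg_allows(security_group, onprem_cidr, proto, port):
        findings.append(f"{security_group.get('GroupId')}: no inbound {proto}"
                        f"{'' if port is None else '/' + str(port)} rule from {onprem_cidr}")
    sdc_on = instance_attr.get("SourceDestCheck", {}).get("Value", True)
    if instance_forwards and sdc_on:
        findings.append("source/destination check is still enabled on an instance that "
                        "forwards or NATs traffic; AWS will drop the forwarded packets")
    return findings


# Constructed sample data: a broken setup and a fixed one.
BAD_ROUTE_TABLE = {"RouteTableId": "rtb-0aaa", "Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0bbb", "State": "active"},
]}
GOOD_ROUTE_TABLE = {"RouteTableId": "rtb-0aaa", "Routes": BAD_ROUTE_TABLE["Routes"] + [
    {"DestinationCidrBlock": ONPREM_CIDR, "GatewayId": VGW_ID, "State": "active",
     "Origin": "EnableVgwRoutePropagation"},
]}
BAD_SG = {"GroupId": "sg-0ccc", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
]}
GOOD_SG = {"GroupId": "sg-0ccc", "IpPermissions": BAD_SG["IpPermissions"] + [
    {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1, "IpRanges": [{"CidrIp": ONPREM_CIDR}]},
]}
SDC_ON = {"SourceDestCheck": {"Value": True}}
SDC_OFF = {"SourceDestCheck": {"Value": False}}

if __name__ == "__main__":
    for f in audit_vpc_path(BAD_ROUTE_TABLE, BAD_SG, SDC_ON, onprem_cidr=ONPREM_CIDR,
                            vgw_id=VGW_ID, instance_forwards=True):
        print("FINDING:", f)
```

Feed it real data with `aws ec2 describe-route-tables --route-table-ids <id>` and friends; the structure of those responses is what the functions walk, so only the placeholders need replacing.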

lefty
OpenVpn Newbie
Posts: 5
Joined: Tue Jun 06, 2017 12:43 pm

Re: Extending VPN Connectivity to Amazon AWS VPC using AWS VPC VPN Gateway Service

Post by lefty » Wed Jun 07, 2017 9:04 am

Hi all,

I am using the following openvpn server:
openvpn --version
OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Feb 2 2016
library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
Compile time defines: enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_http_proxy=yes enable_iproute2=yes enable_libtool_lock=yes enable_lzo=yes enable_lzo_stub=no enable_maintainer_mode=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_password_save=yes enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_socks=yes enable_ssl=yes enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_win32_dll=yes enable_x509_alt_username=yes with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_plugindir='${prefix}/lib/openvpn' with_sysroot=no

The link on the Amazon console seems to be UP, and all the necessary routing seems to be OK.
Any hint on how I can debug the situation?

Thank you.

novaflash
OpenVPN Inc.
Posts: 1073
Joined: Fri Apr 13, 2012 8:43 pm

Re: Extending VPN Connectivity to Amazon AWS VPC using AWS VPC VPN Gateway Service

Post by novaflash » Wed Jun 07, 2017 9:27 am

Okay, well, that is not OpenVPN Access Server, that is the open source version of OpenVPN. So the guide you found doesn't even relate to the program you're using at the moment.

lefty
OpenVpn Newbie
Posts: 5
Joined: Tue Jun 06, 2017 12:43 pm

Re: Extending VPN Connectivity to Amazon AWS VPC using AWS VPC VPN Gateway Service

Post by lefty » Wed Jun 07, 2017 9:57 am

Hi,
Thank you for the help.
I just ran a proper OpenVPN Access Server:


Active Configuration
Access Server version: 2.1.6
Server Name: 172.21.0.3
Authenticate users with: pam
Accepting VPN client connections on IP address: ens3: 172.21.0.3
Port for VPN client connections: tcp/443, udp/1194
OSI Layer: 3 (routing/NAT)
Clients access private subnets using: NAT
Node: stc-latency-test


Still same issue. Any hint on how to debug the situation?

Thank you.

lefty
OpenVpn Newbie
Posts: 5
Joined: Tue Jun 06, 2017 12:43 pm

Re: Extending VPN Connectivity to Amazon AWS VPC using AWS VPC VPN Gateway Service

Post by lefty » Wed Jun 07, 2017 9:59 am

Here are some logs:

sending DPD request
Jun 7 09:57:20 stc-latency-test charon: 10[ENC] generating INFORMATIONAL_V1 request 166231393 [ HASH N(DPD) ]
Jun 7 09:57:20 stc-latency-test charon: 10[NET] sending packet: from 172.21.0.3[4500] to PUBLIC_REMOTE_IP(amazonVPN_GW)[4500] (92 bytes)
Jun 7 09:57:21 stc-latency-test charon: 09[NET] received packet: from PUBLIC_REMOTE_IP(amazonVPN_GW)[4500] to 172.21.0.3[4500] (92 bytes)
Jun 7 09:57:21 stc-latency-test charon: 09[ENC] parsed INFORMATIONAL_V1 request 536456897 [ HASH N(DPD_ACK) ]
Jun 7 09:57:24 stc-latency-test charon: 12[KNL] querying policy failed: No such file or directory (2)
Jun 7 09:57:24 stc-latency-test charon: 11[KNL] querying policy failed: No such file or directory (2)
Jun 7 09:57:24 stc-latency-test charon: 11[IKE] sending DPD request
Jun 7 09:57:24 stc-latency-test charon: 11[ENC] generating INFORMATIONAL_V1 request 877258589 [ HASH N(DPD) ]
Jun 7 09:57:24 stc-latency-test charon: 11[NET] sending packet: from 172.21.0.3[4500] to PUBLIC_REMOTE_IP(amazonVPN_GW)[4500] (92 bytes)
Jun 7 09:57:25 stc-latency-test charon: 13[NET] received packet: from PUBLIC_REMOTE_IP(amazonVPN_GW)[4500] to 172.21.0.3[4500] (92 bytes)
Jun 7 09:57:25 stc-latency-test charon: 13[ENC] parsed INFORMATIONAL_V1 request 1117701502 [ HASH N(DPD_ACK) ]
Jun 7 09:57:30 stc-latency-test charon: 14[KNL] querying policy failed: No such file or directory (2)
Jun 7 09:57:30 stc-latency-test charon: 15[KNL] querying policy failed: No such file or directory (2)
Jun 7 09:57:30 stc-latency-test charon: 15[IKE] sending DPD request


As explained before, on the Amazon console it seems that the tunnel is up. The problem is that it is not possible to ping the different nodes.
Thank you

novaflash
OpenVPN Inc.
Posts: 1073
Joined: Fri Apr 13, 2012 8:43 pm

Re: Extending VPN Connectivity to Amazon AWS VPC using AWS VPC VPN Gateway Service

Post by novaflash » Wed Jun 07, 2017 10:03 am

I'm sorry, but you were pointing to a guide that uses IPSEC to connect to AWS VPN gateway service, and you posted information for an OpenVPN open source client, this got me mightily confused.

You have some options;

IF you have our image for VMWare ESXi running on your local network, and you want to connect that to AWS using AWS VPN gateway service, then follow the guide you linked to originally.

If you don't, and you are running OpenVPN Access Server on your own local network, or on AWS, and you want to connect them together, set up a site-to-site connection using OpenVPN protocol itself, or install software/hardware for an IPSEC connection and use that to connect to AWS VPN gateway service.

To diagnose problems with connectivity use standard diagnostics tools:
ping
traceroute
tcpdump
wireshark

Ensure that the routes are set up and ensure that there are no firewalls in the way. Use ping to try to reach a system on the other side. If it fails, run tcpdump or wireshark and monitor these pings, see if they are leaving the source machine and see if they arrive at the target machine. It's just a matter of logical elimination of possibilities.
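The elimination approach novaflash describes starts on the on-prem side, and the charon lines lefty posted already carry two separate signals: DPD requests answered with DPD_ACK prove the IKE SA is alive (which is what the AWS console reports as "UP"), while `querying policy failed: No such file or directory (2)` comes from charon asking the kernel for the last-use time of the tunnel's xfrm policy before deciding whether a DPD is needed, and ENOENT there means the kernel has no such policy, so no ping can be matching it. The block below is an added example, not code from the thread, from strongSwan or from OpenVPN: it triages the posted charon lines and then parses `ip xfrm policy` output to confirm that out/in policies exist whose selectors cover the addresses being pinged. The xfrm dump, the peer addresses and every CIDR in it are constructed placeholders.

```python
"""Added example: first elimination step for a tunnel AWS shows as UP while ping
fails. (1) Triage charon log lines into IKE liveness (DPD answered) versus kernel
policy lookups that returned ENOENT. (2) Parse `ip xfrm policy` output and check
that out/in policies cover the addresses being pinged. The charon lines are the
ones posted in this thread; the xfrm dump and its CIDRs are CONSTRUCTED."""
import ipaddress
import re
from typing import Dict, List, Set

CHARON_LOG = """\
Jun 7 09:57:20 stc-latency-test charon: 10[ENC] generating INFORMATIONAL_V1 request 166231393 [ HASH N(DPD) ]
Jun 7 09:57:20 stc-latency-test charon: 10[NET] sending packet: from 172.21.0.3[4500] to PUBLIC_REMOTE_IP(amazonVPN_GW)[4500] (92 bytes)
Jun 7 09:57:21 stc-latency-test charon: 09[ENC] parsed INFORMATIONAL_V1 request 536456897 [ HASH N(DPD_ACK) ]
Jun 7 09:57:24 stc-latency-test charon: 12[KNL] querying policy failed: No such file or directory (2)
Jun 7 09:57:24 stc-latency-test charon: 11[KNL] querying policy failed: No such file or directory (2)
Jun 7 09:57:24 stc-latency-test charon: 11[IKE] sending DPD request
Jun 7 09:57:24 stc-latency-test charon: 11[ENC] generating INFORMATIONAL_V1 request 877258589 [ HASH N(DPD) ]
Jun 7 09:57:25 stc-latency-test charon: 13[ENC] parsed INFORMATIONAL_V1 request 1117701502 [ HASH N(DPD_ACK) ]
Jun 7 09:57:30 stc-latency-test charon: 14[KNL] querying policy failed: No such file or directory (2)
Jun 7 09:57:30 stc-latency-test charon: 15[KNL] querying policy failed: No such file or directory (2)
"""

# Constructed `ip xfrm policy` output for a tunnel between a placeholder LAN
# 172.21.0.0/24 and a placeholder VPC 10.0.0.0/16; 203.0.113.10 stands in for
# the AWS gateway address. strongSwan installs out, fwd and in policies.
XFRM_POLICY = """\
src 172.21.0.0/24 dst 10.0.0.0/16 
\tdir out priority 367231 ptype main 
\ttmpl src 172.21.0.3 dst 203.0.113.10
\t\tproto esp reqid 1 mode tunnel
src 10.0.0.0/16 dst 172.21.0.0/24 
\tdir fwd priority 367231 ptype main 
\ttmpl src 203.0.113.10 dst 172.21.0.3
\t\tproto esp reqid 1 mode tunnel
src 10.0.0.0/16 dst 172.21.0.0/24 
\tdir in priority 367231 ptype main 
\ttmpl src 203.0.113.10 dst 172.21.0.3
\t\tproto esp reqid 1 mode tunnel
"""

DPD_REQ = re.compile(r"\[ENC\] generating INFORMATIONAL_V1 request \d+ \[ HASH N\(DPD\) \]")
DPD_ACK = re.compile(r"\[ENC\] parsed INFORMATIONAL_V1 request \d+ \[ HASH N\(DPD_ACK\) \]")
POLICY_ENOENT = re.compile(r"\[KNL\] querying policy failed: No such file or directory \(2\)")


def triage_charon(log: str) -> Dict[str, object]:
    """Count DPD requests/acks and ENOENT policy lookups; derive the two verdicts."""
    counts: Dict[str, object] = {"dpd_requests": 0, "dpd_acks": 0, "policy_query_enoent": 0}
    for line in log.splitlines():
        if DPD_REQ.search(line):
            counts["dpd_requests"] += 1
        elif DPD_ACK.search(line):
            counts["dpd_acks"] += 1
        elif POLICY_ENOENT.search(line):
            counts["policy_query_enoent"] += 1
    # A DPD_ACK proves the IKE SA is alive (the "UP" the console shows); it says
    # nothing about whether IPsec policies for the tunnelled subnets exist.
    counts["ike_sa_alive"] = counts["dpd_acks"] > 0
    # charon reads the policy's last-use time before each DPD; ENOENT means the
    # kernel holds no such xfrm policy, so user traffic cannot be matching it.
    counts["kernel_policy_missing"] = counts["policy_query_enoent"] > 0
    return counts


POLICY_HDR = re.compile(r"^src (\S+) dst (\S+)")
POLICY_DIR = re.compile(r"^\s*dir (\S+)")


def parse_xfrm_policies(text: str) -> List[dict]:
    """Parse the selector and direction of each policy in `ip xfrm policy` output."""
    policies: List[dict] = []
    current = None
    for line in text.splitlines():
        m = POLICY_HDR.match(line)
        if m:
            current = {"src": ipaddress.ip_network(m.group(1)),
                       "dst": ipaddress.ip_network(m.group(2)), "dir": None}
            policies.append(current)
            continue
        m = POLICY_DIR.match(line)
        if m and current is not None:
            current["dir"] = m.group(1)
    return policies


def covered(policies: List[dict], src_ip: str, dst_ip: str) -> Set[str]:
    """Directions of the policies whose selectors cover src_ip -> dst_ip."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return {p["dir"] for p in policies if s in p["src"] and d in p["dst"]}


def kernel_path_ok(policies: List[dict], local_ip: str, remote_ip: str) -> bool:
    """An echo request needs an 'out' policy local->remote; the reply an 'in' policy remote->local."""
    return ("out" in covered(policies, local_ip, remote_ip)
            and "in" in covered(policies, remote_ip, local_ip))


if __name__ == "__main__":
    print(triage_charon(CHARON_LOG))
    print("policies cover 172.21.0.3 -> 10.0.1.7:",
          kernel_path_ok(parse_xfrm_policies(XFRM_POLICY), "172.21.0.3", "10.0.1.7"))
```

On the real box, pipe `ip xfrm policy` into `parse_xfrm_policies` and test the exact source and target addresses of the failing ping. If the out/in policies are there, the problem has moved on to routing or filtering and tcpdump on both ends is the next step; if they are missing while DPD is still acknowledged, the IKE SA is up but the CHILD_SA is not installed, and no amount of AWS-side route fixing will help.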

lefty
OpenVpn Newbie
Posts: 5
Joined: Tue Jun 06, 2017 12:43 pm

Re: Extending VPN Connectivity to Amazon AWS VPC using AWS VPC VPN Gateway Service

Post by lefty » Wed Jun 07, 2017 10:19 am

Hi,

Actually I downloaded the Access server from here: https://openvpn.net/index.php/access-se ... ily=Ubuntu

I guess that this should be the same as running the VMWare ESXi machine provided. Is that correct?

Then I use the same configuration files that are provided by the tutorial. As well, I use IPSEC to connect to the AWS VPN, but still the same issue. Even though the Amazon console seems up, ping is not working.

When starting the OpenVPN AS, a lot of routing rules have been added, and virtual interfaces as well.

Thank you.

novaflash
OpenVPN Inc.
Posts: 1073
Joined: Fri Apr 13, 2012 8:43 pm

Re: Extending VPN Connectivity to Amazon AWS VPC using AWS VPC VPN Gateway Service

Post by novaflash » Wed Jun 07, 2017 10:25 am

> I guess that this should be the same as running the VMWare ESXi machine provided. Is that correct?

Not as far as the guide you linked to originally goes. Unless you install the required software and configuration for the IPSEC connection, then it's about the same.

> As well, I use IPSEC to connect to the AWS VPN, but still the same issue. Even though the Amazon console seems up, ping is not working.

Okay, great.

Then you just need to do diagnostics. Use ping, use tcpdump, use wireshark, use common sense. Eliminate possibilities. 99% of these problems are down to a firewall or missing routes.