AWS Vpn 路由到多个子网
AWS Vpn routing to multiple subnets
我们有一个带有两条静态路由的 VPN 设置
10.254.18.0/24
10.254.19.0/24
我们有一个问题,我们一次只能从 AWS 与上述块之一进行通信。有时是 .18,有时是 .19 - 我不知道触发器是什么。
我从任何一个本地子网同时与 aws 通信都没有任何问题。
有点卡在这里。有什么建议吗?
我们尝试了什么? 'firewall' 人说他们没有看到任何被阻止的东西。但我 read another post here 说了同样的话,问题仍然是防火墙。
在玩这个游戏的过程中,"good" 子网翻转了 3 次。含义
- 现在我可以和 .19 通话,但不能和 .18 通话
- 10 分钟前我可以和 .18 通话但不能和 .19 通话
它一直在翻转。
我们已经解决了这个问题。我们更改了 AWS 中配置的静态路由:
- 10.254.18.0/24
- 10.254.19.0/24
改为使用:
- 10.254.18.0/23
这将包含我们需要的所有地址并已解决问题。这是亚马逊的回应:
Hello,
Thank you for contacting AWS support. I can understand you have issues
with reaching your two subnets: 10.254.18.0/24 and 10.254.19.0/24 at
the same time from AWS.
I am pretty sure I know why this is happening. On AWS, we can accept
only one SA (security association) pair. On your firewall, the
"firewall" guys must have configured policy based VPN. In policy/ACL
based VPN, if you create following policys for eg: 1) source
10.254.18.0/24 and destination "VPC CIDR" 2) source 10.254.19.0/24 and destination "VPC CIDR"
OR 1) source "10.254.18.0/24, 10.254.19.0/24" and destination "VPC CIDR"
In both the cases, you will form 2 SA pairs as we have two different
source mentioned in the policy/ACL. You just have to use source as
"ANY" or "10.254.0.0/16" or "10.254.0.0/25", etc. We would prefer if
you can use source as "ANY" then micro-manage the traffic using
VPN-filters if you are using Cisco ASA device. How to use VPN-filters
is given in the configuration file for CISCO ASA. If you are using
some other device then you will have to find a solution accordingly.
If your device supports route based VPN then I would advice you to
configure route based VPN. Route based VPNs always create only one SA
pair.
Once you find a solution to create only one ACL/Policy on your
firewall, you will be able to reach both the networks at the same
time. I can see multiple SA formation on your VPN. This is the reason
why you cannot reach both the subnets at the same time.
If you have any additional questions feel free to update the case and
we will respond to them.
我们有一个带有两条静态路由的 VPN 设置
10.254.18.0/24
10.254.19.0/24
我们有一个问题,我们一次只能从 AWS 与上述块之一进行通信。有时是 .18,有时是 .19 - 我不知道触发器是什么。
我从任何一个本地子网同时与 aws 通信都没有任何问题。
有点卡在这里。有什么建议吗?
我们尝试了什么? 'firewall' 人说他们没有看到任何被阻止的东西。但我 read another post here 说了同样的话,问题仍然是防火墙。
在玩这个游戏的过程中,"good" 子网翻转了 3 次。含义
- 现在我可以和 .19 通话,但不能和 .18 通话
- 10 分钟前我可以和 .18 通话但不能和 .19 通话
它一直在翻转。
我们已经解决了这个问题。我们更改了 AWS 中配置的静态路由:
- 10.254.18.0/24
- 10.254.19.0/24
改为使用:
- 10.254.18.0/23
这将包含我们需要的所有地址并已解决问题。这是亚马逊的回应:
Hello,
Thank you for contacting AWS support. I can understand you have issues with reaching your two subnets: 10.254.18.0/24 and 10.254.19.0/24 at the same time from AWS.
I am pretty sure I know why this is happening. On AWS, we can accept only one SA (security association) pair. On your firewall, the "firewall" guys must have configured policy based VPN. In policy/ACL based VPN, if you create following policys for eg: 1) source 10.254.18.0/24 and destination "VPC CIDR" 2) source 10.254.19.0/24 and destination "VPC CIDR" OR 1) source "10.254.18.0/24, 10.254.19.0/24" and destination "VPC CIDR"
In both the cases, you will form 2 SA pairs as we have two different source mentioned in the policy/ACL. You just have to use source as "ANY" or "10.254.0.0/16" or "10.254.0.0/25", etc. We would prefer if you can use source as "ANY" then micro-manage the traffic using VPN-filters if you are using Cisco ASA device. How to use VPN-filters is given in the configuration file for CISCO ASA. If you are using some other device then you will have to find a solution accordingly. If your device supports route based VPN then I would advice you to configure route based VPN. Route based VPNs always create only one SA pair.
Once you find a solution to create only one ACL/Policy on your firewall, you will be able to reach both the networks at the same time. I can see multiple SA formation on your VPN. This is the reason why you cannot reach both the subnets at the same time.
If you have any additional questions feel free to update the case and we will respond to them.