Route to Virtual Private Gateway?

Working on setting up an RRAS VPN gateway on an EC2 instance. I now have it working ok but stuck on an item. In addition to the RRAS, I also have a site-to-site vpn to AWS (using AWS virtual private gateway), let’s say the remote site is 192.168.1.0/24, and my AWS VPC is 192.168.20.0/24. My RRAS box is using 192.168.30.0/24 for its static IP pool.

If I try to reach out to the remote site from the RRAS client, I can’t get anywhere. I ran wireshark on a box there and can’t even see pings. I even tried pinging the default gateway of the VPC (192.168.20.1) and it doesn’t ping, while it does internally.

On the VPC itself, I added a route to the VPC so that .30.0 gets to the internal NIC of the RRAS box. That's all fine and works great, my RRAS client, let's say 192.168.30.10, can talk to anything on the VPC subnets.

Also, on the RRAS box, I have a route to point the remote site’s subnet to the VPC router (.1). This seems to work at least for the RRAS box itself as it can reach the remote site, but I can’t from the RRAS client.

Source/destination check has been disabled on RRAS box.

Is there a source-destination check set on the VPC router as well? Any ideas on how to get my RRAS client to talk to resources on the remote site? (I can ping and communicate fine from the native VPC subnets). It's almost as if the VPC router is blocking the RRAS client IP pool, which it may be.

Do you have a route on your VPC route table destined to your remote site via VPC Gateway?

Yes…can access the AWS VPC from the remote site and vice versa, just not from the RRAS client.

You can enable VPC flow logs to see what is happening to your RRAS client traffic. Hope you’ve allowed the necessary ports on the security groups of the RRAS server.

Well, I did that and ran them for a bit. I might try again tomorrow and just download all the log files; however, I only saw DNS lookups between the RRAS and DNS server on the AWS subnet, nothing else.

I did confirm the VPN client is sending the traffic up, as doing a tracert shows the RRAS server, but beyond that, nothing. I also confirmed the gateway on the remote site side does have a route, but no ping and tracert shows no real info.

I'm starting to wonder if it would make more sense to put the RRAS box into a subnet of its own with the client IPs so that the VPC can be aware of it via the VPC CIDR entries.

You mentioned your VPC CIDR is 192.168.20.0/24 and your RRAS is in the 192.168.30.0/24 subnet? Can you confirm if your VPC CIDR is really using /24 or is it 192.168.0.0/16?

I am pretty sure it is, I can confirm in a bit. Yeah mistakes were made lol.

Confirmed it's .20.0/24. It seems that if I add a CIDR to it, it automatically adds that to the route table as "local", which…I'm not sure if that would fix it or not. I could technically add it as a subnet and add that CIDR to the VPC as well.

Well, looks like that is the problem: if your VPC CIDR is .20.0/24 then .30.0/24 is not part of your VPC. So you may want to add .30.0/24 to your VPC CIDR.
Or you can change your VPC CIDR to 192.168.16.0/20 so it includes 192.168.16.0 - .31.255, which includes both of your subnets but keeps your remote subnet separate.
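The check the reply above describes, written out as an added example (not code from anyone in the thread): given the VPC CIDR, the RRAS pool and the remote site, it tells you whether the pool is inside the VPC, computes the smallest single prefix that would cover both (the 192.168.16.0/20 suggested above), and validates a candidate secondary CIDR the way AWS would reject it, i.e. it must not overlap an existing VPC CIDR, and for sanity it must not overlap the remote site either. The addresses are the ones from the thread; the assumption modelled in reachable_via_vgw is the thread's conclusion that only prefixes inside a VPC CIDR are routed across the virtual private gateway.

```python
"""Sanity-check an RRAS client pool against an AWS VPC's CIDR blocks.

Added example; the addresses below are constructed from the thread.
"""
from ipaddress import ip_network

VPC_CIDRS = [ip_network("192.168.20.0/24")]   # primary VPC CIDR (cannot be changed later)
RRAS_POOL = ip_network("192.168.30.0/24")     # RRAS static address pool
REMOTE_SITE = ip_network("192.168.1.0/24")    # site behind the virtual private gateway


def reachable_via_vgw(prefix, vpc_cidrs):
    """Assumption from the thread: the VGW only carries prefixes that lie inside
    one of the VPC's CIDR blocks, so anything else never makes it to the remote
    site (or back)."""
    return any(prefix.subnet_of(c) for c in vpc_cidrs)


def smallest_supernet(nets):
    """Smallest single prefix containing every network in nets."""
    nets = list(nets)
    cand = nets[0]
    while not all(n.subnet_of(cand) for n in nets):
        cand = cand.supernet()      # widen by one bit until everything fits
    return cand


def validate_secondary_cidr(existing, candidate, remote):
    """Reasons a candidate secondary CIDR would be rejected or would break routing:
    AWS refuses a block overlapping an existing VPC CIDR, and a block overlapping
    the remote site would shadow it in the route table."""
    errors = []
    for c in existing:
        if candidate.overlaps(c):
            errors.append(f"{candidate} overlaps existing VPC CIDR {c}")
    if candidate.overlaps(remote):
        errors.append(f"{candidate} overlaps remote site {remote}")
    return errors


def plan(vpc_cidrs=VPC_CIDRS, pool=RRAS_POOL, remote=REMOTE_SITE):
    """Decide what to do about the RRAS pool; returns a one-line recommendation."""
    if reachable_via_vgw(pool, vpc_cidrs):
        return "pool is inside the VPC CIDR; look at route tables, SGs and source/dest check instead"
    errors = validate_secondary_cidr(vpc_cidrs, pool, remote)
    if errors:
        return "cannot add pool as secondary CIDR: " + "; ".join(errors)
    return f"associate {pool} with the VPC as a secondary CIDR"


if __name__ == "__main__":
    print("pool routable via VGW:", reachable_via_vgw(RRAS_POOL, VPC_CIDRS))
    covering = smallest_supernet(VPC_CIDRS + [RRAS_POOL])
    print("smallest prefix covering VPC and pool:", covering)
    print("as a secondary CIDR that would fail:",
          validate_secondary_cidr(VPC_CIDRS, covering, REMOTE_SITE))
    print(plan())
```

Running it reports that 192.168.30.0/24 is outside the VPC, that the covering prefix is 192.168.16.0/20 (which, as the original poster notes, cannot replace a primary CIDR after the fact and would be refused as a secondary block because it overlaps 192.168.20.0/24), and that adding 192.168.30.0/24 itself as a secondary CIDR is clean against both the VPC and the remote site. Once it is associated, the VPC adds the "local" route for it automatically, which is the behaviour observed above.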

Yeah, I can't modify it after the fact, but I can add subnets to it. I might try spinning up the RRAS in its own subnet and see if that makes a difference.