AWS: Can't ping from VPN to instance in other region
I have an inter-region VPN setup in AWS, along the lines of this guide:
http://fortycloud.com/interconnecting-two-aws-vpc-regions/
So, I have got things working to some extent, but I cannot ping from one instance to the VPN host.
So the network looks like this:
instance A <---> vpn A <--- (cross region) ---> vpn B <---> instance B
I can ping from VPN to VPN. I can ping from VPN A to instance B. I can ping from instance A to VPN A. I can ping from VPN B to instance B.
But I CANNOT ping from VPN B to instance A, or vice versa. All the routing tables and security groups appear to be correct.
Anything else I may be missing?
Here is the info:
VPN A openswan config:
[root@ip-10-1-200-220 ipsec.d]# cat me-to-or.conf
conn me-to-or
    type=tunnel
    authby=secret
    left=%defaultroute
    leftid=52.8.x.x
    leftnexthop=%defaultroute
    leftsubnet=10.1.0.0/16
    right=54.213.x.x
    rightsubnet=10.0.0.0/16
    pfs=yes
    auto=start
VPN B openswan config:
conn me-to-ca
    type=tunnel
    authby=secret
    left=%defaultroute
    leftid=54.213.x.x
    leftnexthop=%defaultroute
    leftsubnet=10.0.0.0/16
    right=52.8.x.x
    rightsubnet=10.1.0.0/16
    pfs=yes
    auto=start
Instance A Security Group:
All traffic FROM ANYWHERE
Instance B Security Group:
All traffic FROM ANYWHERE
VPN A Security Group:
All traffic FROM ANYWHERE
VPN B Security Group:
All traffic FROM ANYWHERE
Ping results:
On VPN A (to Instance B):
[root@ip-10-1-200-220 ipsec.d]# ping 10.0.5.130
PING 10.0.5.130 (10.0.5.130) 56(84) bytes of data.
64 bytes from 10.0.5.130: icmp_seq=1 ttl=63 time=21.0 ms
On VPN B (to Instance A):
[root@ip-10-0-200-251 ipsec.d]# ping 10.1.5.54
PING 10.1.5.54 (10.1.5.54) 56(84) bytes of data.
100% packet loss
If I ping from VPN B to Instance A, I can watch the ping hit VPN A (with tcpdump), but it never gets to Instance A. However, if I ping from VPN A to Instance A, that works.
Here's an image from the linked article, to help think about the topology:
Finally found it.
I missed this step on VPN A:
Select the Instance in the Instance List and then click on the "Action" button. Select "Change Source/Dest. Check". Click on the "Yes, Disable" button (this is a critical step; without it the Virtual Routers will not accept or forward traffic that is not intended for the Routers themselves, hence they won't function as Virtual Routers).
Thank you guys for your help in clarifying my thinking.
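The fix above is easy to miss because it lives on the EC2 instance attribute, not in the openswan config or the route tables. As an added example (not part of the original answer or the linked guide), the script below audits the output of `aws ec2 describe-instances --output json` for instances that are used as route targets (here the two VPN hosts, 10.1.200.220 and 10.0.200.251, taken from the shell prompts in the question) but still have SourceDestCheck enabled, and prints the AWS CLI command that turns the check off. The JSON sample is constructed and only carries the fields the audit reads; the instance IDs in it are made up.

```python
import json

# Constructed sample shaped like `aws ec2 describe-instances --output json`,
# trimmed to the fields this audit needs. Instance IDs are invented.
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaa111vpna", "PrivateIpAddress": "10.1.200.220",
             "SourceDestCheck": True,   # VPN A: check still on -> forwarded packets dropped
             "Tags": [{"Key": "Name", "Value": "vpn-a"}]},
            {"InstanceId": "i-0bbb222insta", "PrivateIpAddress": "10.1.5.54",
             "SourceDestCheck": True,   # plain instance: check on is fine
             "Tags": [{"Key": "Name", "Value": "instance-a"}]},
        ]},
        {"Instances": [
            {"InstanceId": "i-0ccc333vpnb", "PrivateIpAddress": "10.0.200.251",
             "SourceDestCheck": False,  # VPN B: already disabled
             "Tags": [{"Key": "Name", "Value": "vpn-b"}]},
        ]},
    ]
})


def instance_name(inst):
    """Return the Name tag of an instance, or its ID when it has no Name tag."""
    for tag in inst.get("Tags", []):
        if tag.get("Key") == "Name":
            return tag.get("Value", "")
    return inst["InstanceId"]


def audit_source_dest_check(describe_json, router_private_ips):
    """Find forwarding hosts that still have the EC2 source/destination check on.

    describe_json: text output of `aws ec2 describe-instances --output json`.
    router_private_ips: private IPs that appear as route-table targets (the
    VPN/NAT hosts). Returns a list of (instance_id, name, private_ip) for every
    such host whose SourceDestCheck attribute is True.
    """
    data = json.loads(describe_json)
    findings = []
    for reservation in data.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            ip = inst.get("PrivateIpAddress")
            if ip in router_private_ips and inst.get("SourceDestCheck", True):
                findings.append((inst["InstanceId"], instance_name(inst), ip))
    return findings


def fix_commands(findings):
    """AWS CLI command that disables the check for each flagged instance."""
    return [
        "aws ec2 modify-instance-attribute --instance-id %s --no-source-dest-check" % inst_id
        for inst_id, _name, _ip in findings
    ]


if __name__ == "__main__":
    routers = {"10.1.200.220", "10.0.200.251"}  # VPN A and VPN B private IPs
    found = audit_source_dest_check(SAMPLE_DESCRIBE_INSTANCES, routers)
    for inst_id, name, ip in found:
        print("%s (%s, %s) still has source/dest check enabled" % (name, inst_id, ip))
    for cmd in fix_commands(found):
        print(cmd)
```

Run it against real output by replacing the constructed sample with the text of `aws ec2 describe-instances --output json` for each region; only hosts that route traffic for other instances should ever appear in the findings, so an ordinary instance with the check on is correctly left alone.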
Happened to me too. I was able to ping the openswan instance, but couldn't ping anything behind it. Once I disabled the Source/Dest check the traffic flowed through nicely.