AWS:无法从VPN ping到其他区域的实例
[英]AWS: Can't ping from VPN to instance in other region
问题描述
I have an inter-region VPN setup in AWS, along the lines of this guide: 
我在AWS中有一个区域间VPN设置,与本指南一致:
http://fortycloud.com/interconnecting-two-aws-vpc-regions/ http://fortycloud.com/interconnecting-two-aws-vpc-regions/
So, I have got things working to some extent, but I cannot ping from one instance to the VPN host. 所以,我已经在某种程度上工作了,但我不能从一个实例ping到VPN主机。
So the network looks like this: 所以网络看起来像这样:
instance A <---> vpn A <--- (cross region) ---> vpn B <---> instance B 实例A <---> vpn A <---(交叉区域)---> vpn B <--->实例B.
I can ping from VPN to VPN. 我可以从VPN ping到VPN。 I can ping from VPN A to instance B. I can ping from instance A to VPN A. I can ping from VPN B to instance B. 我可以从VPN A ping到实例B.我可以从实例A ping到VPN A.我可以从VPN B ping到实例B.
But I CANNOT ping from VPN B to instance A, or vice versa. 但我无法从VPN B ping到实例A,反之亦然。 All the routing tables and security groups appear to be correct. 所有路由表和安全组似乎都是正确的。
Anything else I may be missing? 还有什么我可能会失踪?
Here is the info: 这是信息:
VPN A openswan config: VPN A openswan配置:
[root@ip-10-1-200-220 ipsec.d]# cat me-to-or.conf
conn me-to-or
type=tunnel
authby=secret
left=%defaultroute
leftid=52.8.x.x
leftnexthop=%defaultroute
leftsubnet=10.1.0.0/16
right=54.213.x.x
rightsubnet=10.0.0.0/16
pfs=yes
auto=start
VPN B openswan: VPN B openswan:
conn me-to-ca
type=tunnel
authby=secret
left=%defaultroute
leftid=54.213.x.x
leftnexthop=%defaultroute
leftsubnet=10.0.0.0/16
right=52.8.x.x
rightsubnet=10.1.0.0/16
pfs=yes
auto=start
Instance A Security Group: 实例A安全组:
All traffic FROM ANYWHERE
Instance B sec group: 实例B秒组:
All traffic FROM ANYWHERE
VPN A Sec Group: VPN A Sec组:
All traffic FROM ANYWHERE
VPN B Sec group: VPN B Sec组:
All traffic FROM ANYWHERE
Ping results: Ping结果:
On VPN A (To Instance B): 在VPN A(到实例B):
[root@ip-10-1-200-220 ipsec.d]# ping 10.0.5.130
PING 10.0.5.130 (10.0.5.130) 56(84) bytes of data.
64 bytes from 10.0.5.130: icmp_seq=1 ttl=63 time=21.0 ms
on VPN B (to Instance A): 在VPN B(到实例A):
[root@ip-10-0-200-251 ipsec.d]# ping 10.1.5.54
PING 10.1.5.54 (10.1.5.54) 56(84) bytes of data.
100% packet loss
If I ping from VPN B to Instance A, I can watch the ping hit VPN A (with TcpDump), but it never gets to Instance A. However, if I ping from VPN A to Instance A, that works. 如果我从VPN B ping到实例A,我可以看到ping命中VPN A(使用TcpDump),但它永远不会到达实例A.但是,如果我从VPN A ping到实例A,那就可以了。
If I ping from Instance A to VPN B, I see the ping go to VPN A, VPN B, back to VPN A, but it never gets to Instance A. 如果我从实例A ping到VPN B,我看到ping转到VPN A,VPN B,回到VPN A,但它永远不会到达实例A.
Here's an image from the linked article, to help think about the topology: 这是链接文章中的图像,以帮助考虑拓扑:
2 个解决方案
解决方案1
5 2015-04-17 12:19:35
Finally found it. 终于找到了。
I missed this step on VPN A: 我在VPN A上错过了这一步:
Select the Instance in the Instance List and then Click on the “Action button”.
Thanks you guys for your help in clarifying my thinking. 谢谢你们帮助我们澄清我的想法。
解决方案2
0 2016-09-02 17:46:00
Happened to me too, I was able to ping to the openswan instance, but couldn't ping anything behind it. 也发生在我身上,我能够ping到openswan实例,但无法ping通它背后的任何内容。 Once I disabled the Source/Dest check the traffic flowed through nicely. 一旦我禁用Source / Dest检查流量就很好了。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.