Can't ping from local network to Amazon VPC

Regards,

I’m new to the world of routing and I have a question about the settings made on an RB2011UiAS. This router works very well within my local network, managing NAT and rules, and connecting my local network with my DMZ as well as providing access to the Internet. The problem I have is with an Amazon VPC that I have implemented, without using BGP; I configured the settings given there by following this guide: http://forum.mikrotik.com/t/amazon-aws-vpn-a-working-configuration-example-and-bug/79770/1

This guide is the most complete I’ve found on the subject, and through it the necessary IPSec tunnels to connect my LAN to the VPC work properly, but I cannot ping from my LAN to the internal network of the VPC (in the 11.0.0.0/16 range), nor to the public IP of that VPC. Interestingly, I can ping from the remote internal network to my internal network (192.168.1.0/24).

To implement the IPSec I used the interface that carries one of my public IPs (ether9), and the IPSec tunnels work properly:

0 E spi=0x91BA9B src-address=y.y.y.y dst-address=x.x.x.x
auth-algorithm=sha1 enc-algorithm=aes replay=4 state=mature
auth-key="" enc-key="" addtime=jan/03/1970 11:46:20
expires-in=24m26s add-lifetime=48m/1h current-bytes=4394

1 E spi=0xB8CA5BF9 src-address=x.x.x.x dst-address=y.y.y.y
auth-algorithm=sha1 enc-algorithm=aes replay=4 state=mature
auth-key="" enc-key="" add-lifetime=48m/1h

Currently there is only one tunnel. These are the policy settings:

0 ;;; AWS
src-address=0.0.0.0/0 src-port=any dst-address=11.0.0.0/16 dst-port=any
protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address=x.x.x.x sa-dst-address=y.y.y.y proposal=aws
priority=0

1 src-address=169.254.13.18/32 src-port=any dst-address=169.254.13.17/32
dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=x.x.x.x
sa-dst-address=y.y.y.y proposal=aws priority=0

2 src-address=169.254.13.17/32 src-port=any dst-address=169.254.13.18/32
dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=y.y.y.y
sa-dst-address=x.x.x.x proposal=aws priority=0

3 src-address=169.254.12.146/32 src-port=any dst-address=169.254.12.145/32
dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=z.z.z.z
sa-dst-address=x.x.x.x proposal=aws priority=0

4 src-address=169.254.12.146/32 src-port=any dst-address=169.254.12.145/32
dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=z.z.z.z
sa-dst-address=x.x.x.x proposal=aws priority=0

5 src-address=169.254.12.145/32 src-port=any dst-address=169.254.12.146/32
dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=x.x.x.x
sa-dst-address=z.z.z.z proposal=aws priority=0

I have also added a static route to that remote network:

Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit

 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE

 0 A S  0.0.0.0/0                          201.234.50.49             1
 1 X S  0.0.0.0/0                          192.168.50.1              2
 2 ADC  10.0.0.0/24        10.0.0.1        dmz                       0
 3 ADC  10.0.1.0/24        10.0.1.1        Local                     0
 4 A S  ;;; AWS
        11.0.0.0/16                        169.254.12.145            1
                                           169.254.13.17
 5 ADC  169.254.12.144/30  169.254.12.146  ether9                    0
 6 ADC  169.254.13.16/30   169.254.13.18   ether9                    0
 7 ADC  192.168.1.0/24     192.168.1.253   Local_01                  0
 8 ADC  192.168.100.0/24   192.168.100.1   ether8                    0
 9 ADC  201.234.50.48/29   201.234.50.54   ether9                    0

It should be noted that my local network passes through a proxy running IPTables. To rule that out, I pinged from my MikroTik, using the ether9 interface (which carries my public IP), to the public IP of the VPC, and it does respond (but the IP in the response is the private IP of that network). If I ping the private IP, I get no response.

I also added a couple of rules to accept all packets going to or coming from the network 11.0.0.0/16, and I have placed them above all other rules.

The configuration file downloaded from amazon specifies the following:

*Tunnel1:

Outside IP Addresses:

  • Customer Gateway : x.x.x.x
  • Virtual Private Gateway : y.y.y.y

Inside IP Addresses

  • Customer Gateway : 169.254.13.18/30
  • Virtual Private Gateway : 169.254.13.17/30

Configure your tunnel to fragment at the optimal size:

  • Tunnel interface MTU : 1436 bytes


    #4: Static Routing Configuration:

To route traffic between your internal network and your VPC,
you will need a static route added to your router.

Static Route Configuration Options:

  • Next hop : 169.254.13.17

You should add static routes towards your internal network on the VGW.
The VGW will then send traffic towards your internal network over
the tunnels.

*Tunnel2:

Outside IP Addresses:

  • Customer Gateway : x.x.x.x
  • Virtual Private Gateway : z.z.z.z

Inside IP Addresses

  • Customer Gateway : 169.254.12.146/30
  • Virtual Private Gateway : 169.254.12.145/30

Configure your tunnel to fragment at the optimal size:

  • Tunnel interface MTU : 1436 bytes


    #4: Static Routing Configuration:

To route traffic between your internal network and your VPC,
you will need a static route added to your router.

Static Route Configuration Options:

  • Next hop : 169.254.12.145

You should add static routes towards your internal network on the VGW.
The VGW will then send traffic towards your internal network over
the tunnels.

I hope you can help me solve this problem.

Thank you very much
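Added example (not from the post or the linked guide): a small Python check over the IPsec policies, the inside /30s and the gateways of the 11.0.0.0/16 route exactly as quoted above. It reports which policy a LAN-to-VPC flow would hit, exact duplicate policy entries, entries whose sa-src-address is not the router's own address, and which tunnel peer each route gateway belongs to. The x/y/z placeholders are the post's; the Policy class and function names are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:  # one /ip ipsec policy entry, only the fields the checks need
    src: str
    dst: str
    sa_src: str
    sa_dst: str

# Policies 0-5 as listed in the post; x/y/z are the post's placeholders for public IPs.
POLICIES = [
    Policy("0.0.0.0/0", "11.0.0.0/16", "x.x.x.x", "y.y.y.y"),
    Policy("169.254.13.18/32", "169.254.13.17/32", "x.x.x.x", "y.y.y.y"),
    Policy("169.254.13.17/32", "169.254.13.18/32", "y.y.y.y", "x.x.x.x"),
    Policy("169.254.12.146/32", "169.254.12.145/32", "z.z.z.z", "x.x.x.x"),
    Policy("169.254.12.146/32", "169.254.12.145/32", "z.z.z.z", "x.x.x.x"),
    Policy("169.254.12.145/32", "169.254.12.146/32", "x.x.x.x", "z.z.z.z"),
]
LOCAL_PUBLIC = {"x.x.x.x"}  # the router's own outside address (ether9)
# Inside /30 of each tunnel -> its outside peer, from the AWS file quoted in the post.
TUNNEL_PEER = {"169.254.13.16/30": "y.y.y.y", "169.254.12.144/30": "z.z.z.z"}
ROUTE_GATEWAYS = ["169.254.12.145", "169.254.13.17"]  # gateways of the 11.0.0.0/16 route

def first_match(policies, src, dst):
    """Index and entry of the first policy whose selectors cover src -> dst, else None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, p in enumerate(policies):
        if s in ipaddress.ip_network(p.src) and d in ipaddress.ip_network(p.dst):
            return i, p
    return None

def lint_policies(policies, local_public):
    """Flag exact duplicates and entries whose sa-src-address is not this router's."""
    findings, seen = [], {}
    for i, p in enumerate(policies):
        key = (p.src, p.dst, p.sa_src, p.sa_dst)
        if key in seen:
            findings.append(f"policy {i} is an exact duplicate of policy {seen[key]}")
        seen.setdefault(key, i)
        if p.sa_src not in local_public:
            findings.append(f"policy {i}: sa-src-address {p.sa_src} is not a local address")
    return findings

def peers_used_by_route(gateways, tunnel_peer):
    """Map each route gateway to the tunnel peer whose inside /30 contains it."""
    return {gw: peer for gw in gateways for net, peer in tunnel_peer.items()
            if ipaddress.ip_address(gw) in ipaddress.ip_network(net)}
```

Comparing the peers returned for the route gateways with policy 0's sa-dst-address shows which of the two tunnels the data-plane policy is actually bound to.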