Regards,
I'm new to the world of routing and I have a question about the settings made on an RB2011UiAS. This router works very well within my local network, managing NAT and rules, and connecting my local network with my DMZ as well as providing access to the Internet. The problem I have is that I have implemented an Amazon VPC, without using BGP, and I have implemented the settings following this guide: Amazon AWS VPN -- A Working Configuration Example and Bug
This guide is the most complete I've found on the subject, and through it the IPsec tunnels needed to connect my LAN to the VPC work properly, but I cannot ping from my LAN to the internal network of the VPC (in the 11.0.0.0/16 range), nor to the public IP of that VPC. Interestingly, I can ping from the remote internal network to my internal network (192.168.1.0/24).
To implement the IPsec I used my public IP interface (ether9), and the IPsec tunnels work properly:
0 E spi=0x91BA9B src-address=y.y.y.y dst-address=x.x.x.x
auth-algorithm=sha1 enc-algorithm=aes replay=4 state=mature
auth-key="" enc-key="" addtime=jan/03/1970 11:46:20
expires-in=24m26s add-lifetime=48m/1h current-bytes=4394
1 E spi=0xB8CA5BF9 src-address=x.x.x.x dst-address=y.y.y.y
auth-algorithm=sha1 enc-algorithm=aes replay=4 state=mature
auth-key="" enc-key="" add-lifetime=48m/1h
Currently only one tunnel. These are the policy settings:
0 ;;; AWS
src-address=0.0.0.0/0 src-port=any dst-address=11.0.0.0/16 dst-port=any
protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address=x.x.x.x sa-dst-address=y.y.y.y proposal=aws
priority=0
1 src-address=169.254.13.18/32 src-port=any dst-address=169.254.13.17/32
dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=x.x.x.x
sa-dst-address=y.y.y.y proposal=aws priority=0
2 src-address=169.254.13.17/32 src-port=any dst-address=169.254.13.18/32
dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=y.y.y.y
sa-dst-address=x.x.x.x proposal=aws priority=0
3 src-address=169.254.12.146/32 src-port=any dst-address=169.254.12.145/32
dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=z.z.z.z
sa-dst-address=x.x.x.x proposal=aws priority=0
4 src-address=169.254.12.146/32 src-port=any dst-address=169.254.12.145/32
dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=z.z.z.z
sa-dst-address=x.x.x.x proposal=aws priority=0
5 src-address=169.254.12.145/32 src-port=any dst-address=169.254.12.146/32
dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=x.x.x.x
sa-dst-address=z.z.z.z proposal=aws priority=0
I have also added a static route to that remote network:
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 201.234.50.49 1
1 X S 0.0.0.0/0 192.168.50.1 2
2 ADC 10.0.0.0/24 10.0.0.1 dmz 0
3 ADC 10.0.1.0/24 10.0.1.1 Local 0
4 A S ;;; AWS
11.0.0.0/16 169.254.12.145 1
169.254.13.17
5 ADC 169.254.12.144/30 169.254.12.146 ether9 0
6 ADC 169.254.13.16/30 169.254.13.18 ether9 0
7 ADC 192.168.1.0/24 192.168.1.253 Local_01 0
8 ADC 192.168.100.0/24 192.168.100.1 ether8 0
9 ADC 201.234.50.48/29 201.234.50.54 ether9 0
It should be noted that my local network passes through a proxy running IPTables. To rule that out, I pinged from my MikroTik, using the ether9 interface (which has my public IP), to the public IP of the VPC, and I do get a response (but the responding IP is the private IP of that network). If I ping the private IP, I get no response.
I also added a couple of rules to accept all packets going to or coming from the network 11.0.0.0/16, and I have placed them above all other rules.
The configuration file downloaded from amazon specifies the following:
*Tunnel1:
Outside IP Addresses:
- Customer Gateway : x.x.x.x
- Virtual Private Gateway : y.y.y.y
Inside IP Addresses
- Customer Gateway : 169.254.13.18/30
- Virtual Private Gateway : 169.254.13.17/30
Configure your tunnel to fragment at the optimal size:
- Tunnel interface MTU : 1436 bytes
#4: Static Routing Configuration:
To route traffic between your internal network and your VPC,
you will need a static route added to your router.
Static Route Configuration Options:
- Next hop : 169.254.13.17
You should add static routes towards your internal network on the VGW.
The VGW will then send traffic towards your internal network over
the tunnels.
*Tunnel2:
Outside IP Addresses:
- Customer Gateway : x.x.x.x
- Virtual Private Gateway : z.z.z.z
Inside IP Addresses
- Customer Gateway : 169.254.12.146/30
- Virtual Private Gateway : 169.254.12.145/30
Configure your tunnel to fragment at the optimal size:
- Tunnel interface MTU : 1436 bytes
#4: Static Routing Configuration:
To route traffic between your internal network and your VPC,
you will need a static route added to your router.
Static Route Configuration Options:
- Next hop : 169.254.12.145
You should add static routes towards your internal network on the VGW.
The VGW will then send traffic towards your internal network over
the tunnels.
I hope you can help me solve this problem.
Thank you very much
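The following is an added example, not part of the original post and not MikroTik's or AWS's code. It takes the flattened `/ip ipsec policy print` output quoted above (re-typed here as a constructed sample with the same placeholder addresses x.x.x.x, y.y.y.y and z.z.z.z), parses it, and does two things a troubleshooter would want before touching firewall rules: a top-to-bottom first-match lookup of which policy a given packet (for example 192.168.1.10 to 11.0.0.5, or a ping across the tunnel-2 inside addresses) would hit, and a lint pass that checks each policy's selectors against the SA direction implied by sa-src-address/sa-dst-address, and reports exact duplicate entries. The local/remote address sets are assumptions taken from the post (the customer gateway and the 169.254.x.x inside addresses on the local side; the VGW endpoints, their inside addresses and 11.0.0.0/16 on the remote side); first-match ordering is assumed because every policy here has priority=0.

```python
"""Lint RouterOS '/ip ipsec policy print' output for a static-routed AWS VPN.
Added example; addresses are the placeholders used in the forum post."""
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the policy table from the post, in the same flattened form.
POLICY_PRINT = """\
0 ;;; AWS
src-address=0.0.0.0/0 src-port=any dst-address=11.0.0.0/16 dst-port=any
protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address=x.x.x.x sa-dst-address=y.y.y.y proposal=aws priority=0
1 src-address=169.254.13.18/32 src-port=any dst-address=169.254.13.17/32
dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp
tunnel=yes sa-src-address=x.x.x.x sa-dst-address=y.y.y.y proposal=aws priority=0
2 src-address=169.254.13.17/32 src-port=any dst-address=169.254.13.18/32
dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp
tunnel=yes sa-src-address=y.y.y.y sa-dst-address=x.x.x.x proposal=aws priority=0
3 src-address=169.254.12.146/32 src-port=any dst-address=169.254.12.145/32
dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp
tunnel=yes sa-src-address=z.z.z.z sa-dst-address=x.x.x.x proposal=aws priority=0
4 src-address=169.254.12.146/32 src-port=any dst-address=169.254.12.145/32
dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp
tunnel=yes sa-src-address=z.z.z.z sa-dst-address=x.x.x.x proposal=aws priority=0
5 src-address=169.254.12.145/32 src-port=any dst-address=169.254.12.146/32
dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp
tunnel=yes sa-src-address=x.x.x.x sa-dst-address=z.z.z.z proposal=aws priority=0
"""

# Assumed topology, taken from the post: local side vs. AWS side.
LOCAL_PEER = {"x.x.x.x"}                      # customer gateway (ether9 public IP)
REMOTE_PEER = {"y.y.y.y", "z.z.z.z"}          # the two VGW outside addresses
LOCAL_NETS = [ip_network(n) for n in ("192.168.1.0/24", "169.254.13.18/32", "169.254.12.146/32")]
REMOTE_NETS = [ip_network(n) for n in ("11.0.0.0/16", "169.254.13.17/32", "169.254.12.145/32")]


def parse_policies(text):
    """A record starts at a line beginning with its index; ';;;' lines are comments."""
    policies, cur = [], None
    for line in text.splitlines():
        m = re.match(r"^(\d+)\s+(.*)$", line)
        if m:
            cur = {"id": int(m.group(1))}
            policies.append(cur)
            line = m.group(2)
        if cur is None:
            continue
        if line.startswith(";;;"):
            cur["comment"] = line[3:].strip()
            continue
        cur.update(re.findall(r"(\S+?)=(\S+)", line))
    return policies


def _within(cidr, nets):
    net = ip_network(cidr, strict=False)
    return any(net.subnet_of(n) for n in nets)


def direction(p):
    """Which way the SA points, judged purely from sa-src/sa-dst."""
    if p["sa-src-address"] in LOCAL_PEER and p["sa-dst-address"] in REMOTE_PEER:
        return "outbound"
    if p["sa-src-address"] in REMOTE_PEER and p["sa-dst-address"] in LOCAL_PEER:
        return "inbound"
    return "unknown"


def lint(policies):
    """Return (policy id, message) for selectors that disagree with the SA direction
    and for exact duplicates of an earlier policy."""
    findings, seen = [], {}
    for p in policies:
        key = (p["src-address"], p["dst-address"], p["protocol"],
               p["sa-src-address"], p["sa-dst-address"])
        if key in seen:
            findings.append((p["id"], f"duplicate of policy {seen[key]}"))
        seen.setdefault(key, p["id"])
        d = direction(p)
        if d == "unknown":
            findings.append((p["id"], "sa-src/sa-dst are not a local/remote peer pair"))
        elif d == "outbound":
            if not _within(p["dst-address"], REMOTE_NETS):
                findings.append((p["id"], "outbound SA but dst selector is not a VPC/VGW address"))
            if _within(p["src-address"], REMOTE_NETS):
                findings.append((p["id"], "outbound SA but src selector is a remote address"))
        else:
            if not _within(p["src-address"], REMOTE_NETS):
                findings.append((p["id"], "inbound SA but src selector is not a remote address"))
            if not _within(p["dst-address"], LOCAL_NETS):
                findings.append((p["id"], "inbound SA but dst selector is not a local address"))
    return findings


def match(policies, src, dst, proto="icmp"):
    """First matching policy, top to bottom (all policies here share priority=0)."""
    s, d = ip_address(src), ip_address(dst)
    for p in policies:
        if (s in ip_network(p["src-address"], strict=False)
                and d in ip_network(p["dst-address"], strict=False)
                and p["protocol"] in ("all", proto)):
            return p["id"]
    return None


POLICIES = parse_policies(POLICY_PRINT)

if __name__ == "__main__":
    print("LAN -> VPC hits policy", match(POLICIES, "192.168.1.10", "11.0.0.5"))
    print("tunnel-2 inside ping hits policy", match(POLICIES, "169.254.12.146", "169.254.12.145"))
    for pid, msg in lint(POLICIES):
        print(f"policy {pid}: {msg}")
```

Run as-is, the lookup shows LAN-to-VPC traffic landing on policy 0 and the tunnel-2 inside-address ping landing on policy 3, while the lint leaves policies 0 to 2 clean and reports policies 3, 4 and 5 (the duplicate pair and the entries whose selectors point the opposite way from their SA). The script only reports what is visible in the printed table; confirming whether a flagged policy is actually what blocks the LAN-to-VPC ping still needs the usual checks (installed-SA counters, `/ip ipsec policy print` flags, and a firewall log rule on ether9).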