Can’t ping or traceroute through AWS IPSec VPN

Tags: amazon-vpc, amazon-web-services, ipsec, site-to-site-vpn

My VPC is connected to my premises via IPSec VPN, tunnel is shown to be UP on AWS console.

Things that work:

  • I can see the traffic from my premises (subnet 192.168.0.0/16) to the AWS VPC (10.0.0.0/16) in the VPC Flow Logs, marked as accepted.

  • When I do a tcpdump of the ICMP traffic on the terminal using sudo tcpdump -i eth0 'icmp and icmp[icmptype]=icmp-echo', I do see the ping:

06:32:13.446579 IP ip-192-168-234-254.ap-southeast-1.compute.internal > graylog: ICMP echo request, id 17473, seq 18722, length 44

  • I can get ping replies when I ping the AWS instance using its public IP, from everywhere.
  • I can get ping replies when I ping the AWS instance using its private IP from another AWS instance in the same VPC.

Things that don't work:

  • I can't get a ping reply when pinging from my premises to any of the AWS instances, including the one that receives my ICMP ping.
  • I can't get a ping reply when pinging from my AWS instance to my premises.
  • I can't do a traceroute from my AWS instance to 192.168.234.254 or any of the other private IPs in my premises. These traceroutes end up with timeouts, just asterisks all the way.
  • I can't do a traceroute from my premises to any of the AWS instances. These traceroutes end up with timeouts, just asterisks all the way.

Configurations:

Route Table for the subnet:

Destination        Target          Status    Propagated
10.0.0.0/16        local           Active    No
0.0.0.0/16         igw-f06e2d95    Active    No
192.168.0.0/16     vgw-d1084e83    Active    No

Security group of AWS instances:
Inbound:

Type          Protocol    Port Range    Source
All ICMP      All          N/A      0.0.0.0/0

Outbound:

Type          Protocol    Port Range    Source
All Traffic      All          N/A      0.0.0.0/0
All Traffic      All          N/A      192.168.0.0/16

Network ACL inbound:

Rule#    Type            Protocol     Port Range        Source        Allow/Deny
100      All Traffic      ALL          ALL          0.0.0.0/0          ALLOW
200      All Traffic      ALL          ALL          192.168.0.0/16     ALLOW
*        All Traffic      ALL          ALL          0.0.0.0/0          DENY

Network ACL outbound

Rule#    Type            Protocol     Port Range        Source        Allow/Deny
100      All Traffic      ALL          ALL          0.0.0.0/0          ALLOW
200      All Traffic      ALL          ALL          192.168.0.0/16     ALLOW
*        All Traffic      ALL          ALL          0.0.0.0/0          DENY

Trace path from my AWS instance to the IP on my premises shows:

tracepath ip-192-168-234-254.ap-southeast-1.compute.internal
 1?: [LOCALHOST]                                         pmtu 9001
 1:  ip-10-0-2-1.ap-southeast-1.compute.internal           0.082ms pmtu 1500
 1:  no reply
 2:  no reply
 3:  no reply
 4:  no reply
 5:  no reply
 6:  no reply

Other info:
My AWS instance is running Ubuntu 14.04

In short: traffic from my premises does reach my VPC instance, but I can't get a ping reply or a traceroute in either direction, even though the security groups and network ACLs are set up properly and even though I can get ping replies from within my VPC.

Best Answer

It was actually the Static Route at the VPN Connections page - I had missed the step of adding a static route to send traffic for certain IPs through the VPN.

For example, if the subnet at your premises uses IPs 173.112.0.0/16:

Add 173.112.0.0/16 under 'IP Prefixes'.

Note that the IP Prefixes column only accepts CIDR blocks. You can add individual IPs by using a /32 CIDR block if you wish to be more restrictive.
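As an added example (not part of the original question or answer), the following Python models the two lookups a reply leaving an AWS instance has to pass: the subnet route table, which hands 192.168.0.0/16 to the virtual private gateway, and the VPN connection's static routes, which decide whether the gateway actually puts the packet into the tunnel. The route targets reuse the IDs shown in the question; the drop behaviour of the gateway, the default route written as 0.0.0.0/0, and the helper names are assumptions for illustration.

```python
# Added example, not code from the original post. Models why traffic from
# the premises arrived (flow logs "accepted") while replies never came back:
# the subnet route table alone is not enough; with static routing the
# virtual private gateway also needs a static route on the VPN connection.
from ipaddress import ip_address, ip_network

# Subnet route table modelled on the question (default route assumed 0.0.0.0/0).
SUBNET_ROUTES = [
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "igw-f06e2d95"),
    ("192.168.0.0/16", "vgw-d1084e83"),
]


def longest_prefix_match(routes, dst):
    """Return the target of the most specific route covering dst, or None."""
    addr = ip_address(dst)
    best_net, best_target = None, None
    for cidr, target in routes:
        net = ip_network(cidr, strict=False)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def aws_egress_path(subnet_routes, vpn_static_prefixes, dst):
    """
    Where a packet leaving an instance for dst ends up.

    Hop 1: the subnet route table picks a target.
    Hop 2 (assumed behaviour): if the target is a virtual private gateway on a
           static-routing VPN connection, the packet only enters the tunnel
           when one of the connection's static route prefixes covers dst;
           otherwise it is dropped, which from the instance looks exactly
           like the all-asterisks traceroute in the question.
    """
    target = longest_prefix_match(subnet_routes, dst)
    if target is None:
        return "no route"
    if not target.startswith("vgw-"):
        return target
    static_routes = [(prefix, "tunnel") for prefix in vpn_static_prefixes]
    if longest_prefix_match(static_routes, dst) is None:
        return f"dropped at {target}: no VPN static route"
    return "tunnel"


def uncovered_vgw_routes(subnet_routes, vpn_static_prefixes):
    """
    Subnet-table prefixes that point at a vgw but are not wholly inside any
    VPN static route prefix. Non-empty output means some on-premises hosts
    are reachable from the table's point of view but will be dropped at the
    gateway (for example a /32 static route covering only one host).
    """
    statics = [ip_network(p, strict=False) for p in vpn_static_prefixes]
    missing = []
    for cidr, target in subnet_routes:
        if not target.startswith("vgw-"):
            continue
        net = ip_network(cidr, strict=False)
        if not any(net.subnet_of(s) for s in statics):
            missing.append(cidr)
    return missing


if __name__ == "__main__":
    onprem_host = "192.168.234.254"  # the host from the question's tracepath
    for label, statics in [("no static route", []),
                           ("/16 static route", ["192.168.0.0/16"]),
                           ("/32 static route", [onprem_host + "/32"])]:
        print(f"{label}: reply to {onprem_host} ->",
              aws_egress_path(SUBNET_ROUTES, statics, onprem_host),
              "| uncovered:", uncovered_vgw_routes(SUBNET_ROUTES, statics))
```

The fix the answer describes corresponds to making the static prefix list non-empty; with the AWS CLI that is `aws ec2 create-vpn-connection-route --vpn-connection-id <your vpn-... id> --destination-cidr-block 192.168.0.0/16` (the connection ID is a placeholder). Run `uncovered_vgw_routes` over your own route table and static prefixes before narrowing to /32 routes, so that the hosts you did not list are dropped deliberately rather than by accident.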
