Starting point
This entry has been a couple days in the works. Mainly because I didn't want to be writing up everything I was doing while I was also trying to Google and troubleshoot.
So after all my hard work trying to set up a VPN tunnel, I realized that my local network at home (where my virtual W2016 server had its "external" IP) used part of the same IP range (10.0.0.0/24) as my VPC (10.0.0.0/16).
Moving ahead
I took the easy way out and changed my home network to use a 172.* private address range instead.
Unfortunately, my VPN tunnels still weren't working. EC2 showed them both down. Tracert'ing showed that my VM was trying to route VPC-destined packets into my local network instead of over the VPN tunnel.
I wasn't totally sure what I did last night, so I decided to wipe out RRAS and related roles on W2016 and start from scratch.
Didn't help either. At this point I realized I didn't know nearly enough about IPSec to understand what I was doing, so I put it on hold.
By a lucky coincidence, I happened to be reading about IPSec in my CCNA study guide yesterday, which got me at least a basic understanding of what I was actually trying to do.
Armed with this, I gave it another shot last night.
First realization: I have a NAT router between my home network and the Internet. This is a problem since IPSec is stateless at the network/transport layers. I added port forwarding to the router to make sure the IPSec packets were able to make it back to the VM.
Still no dice. For reference, here's what my setup at home looks like right now:
[Network diagram: Don't hate - I made this in PowerPoint, from memory, at work.]
So I started running Wireshark on my host machine to watch for packets going to the AWS gateway.
I discovered that packets were making it to the local LAN, but with a source address on the 10.* network. It was at this point that I realized that I never set up NAT on the Win2016 VM like I'd intended (which would have made the Win2016 VM the single entry/exit point for traffic going in/out of the VPN) - so I went ahead and did that. I also set up a static route on the VM to route traffic destined for 10.0.0.0/16 to itself.
Finally, after watching Event Viewer and the Windows Firewall monitor, it looked like I was having some limited success! Windows was negotiating with the VPN gateway and setting up the tunnel successfully.
Unfortunately, watching Wireshark... I noticed that after the VPN tunnel was established, all the data packets headed for the VPN got an ICMP "Port Unreachable" response.
At this point, I found myself wondering if AWS was returning that response as a "translation" that something was misconfigured on the other side of the VPN gateway. (The port shouldn't have been actually unreachable since that's how the tunnel was set up.)
Minor correction to the graphic: at this point, I still had my VM LAN set up as 10.0.2.0/24. I figured I should probably change this to make sure I wasn't having more subnetting issues, so I switched the VM LAN over to 10.1.0.0/16.
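Two of the problems in this write-up (the 10.0.0.0/24 home LAN and later the 10.0.2.0/24 VM LAN sitting inside the 10.0.0.0/16 VPC, and the VM sending VPC traffic into the local network until a static route existed) come down to prefix overlap and longest-prefix-match routing. The script below is an added example, not anything from the original post or from AWS/Windows tooling; it uses the prefixes named above and assumes 172.16.0.0/24 as a stand-in for the unspecified "172.*" range the home network was moved to.

```python
from ipaddress import ip_address, ip_network

# The VPC prefix from the post; everything else below is constructed.
VPC = ip_network("10.0.0.0/16")


def overlapping(local_prefixes, remote=VPC):
    """Return the local prefixes that collide with the remote (VPC) prefix.

    Any such prefix makes the VPN ambiguous: hosts on both sides share
    addresses, so packets for them can never be routed correctly.
    """
    return [p for p in map(ip_network, local_prefixes) if p.overlaps(remote)]


def next_hop(dest, routes):
    """Longest-prefix match over a routing table given as {prefix: interface}.

    Returns the interface a packet for `dest` leaves on, or None if no
    route (not even a default) matches.
    """
    addr = ip_address(dest)
    matches = [(ip_network(p), iface) for p, iface in routes.items()
               if addr in ip_network(p)]
    if not matches:
        return None
    _, iface = max(matches, key=lambda m: m[0].prefixlen)
    return iface


# Three constructed routing tables for the VM, in the order the post
# describes the setup evolving:
#  - home LAN still 10.0.0.0/24: the /24 wins over the /16, so VPC hosts in
#    10.0.0.x go to the LAN instead of the tunnel
#  - home LAN renumbered but no VPN route yet: the default route wins
#  - static route for 10.0.0.0/16 added: VPC traffic finally takes the tunnel
OVERLAP = {"0.0.0.0/0": "home-lan", "10.0.0.0/24": "home-lan", "10.0.0.0/16": "vpn"}
NO_ROUTE = {"0.0.0.0/0": "home-lan", "172.16.0.0/24": "home-lan"}
FIXED = {"0.0.0.0/0": "home-lan", "172.16.0.0/24": "home-lan", "10.0.0.0/16": "vpn"}

if __name__ == "__main__":
    print(overlapping(["10.0.0.0/24", "10.0.2.0/24", "10.1.0.0/16", "172.16.0.0/24"]))
    for table in (OVERLAP, NO_ROUTE, FIXED):
        print(next_hop("10.0.0.5", table))
```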
For some reason, at this point, the IPsec rule stopped working. I called it a night since it was past midnight.
That's where I'm at now. More to come when I get home...