Reputation: 29
I've been following the instructions here: https://aws.amazon.com/blogs/networking-and-content-delivery/simulating-site-to-site-vpn-customer-gateways-strongswan/
I can successfully get the VPN up and running, but I can't successfully ping internal IP addresses from behind the VPN.
Here's my setup:
"On-prem" is simulated using a VPC with IP address `172.19.0.0/16`. The VPN is deployed on an EC2 instance in the subnet `172.19.16.0/20`. This subnet has the following route table:
| Destination | Target |
|---|---|
| 172.19.0.0/16 | local |
| 172.21.0.0/16 | eni-XXXXXXXXX |
| 0.0.0.0/0 | igw-XXXXXXXXX |
Where `eni-XXXXXXXXX` is the network interface of the EC2 instance that has the VPN deployed on it.
My cloud VPC has the CIDR range `172.21.0.0/16`. I have an EC2 instance deployed in the `172.21.32.0/20` subnet, which has the following route table:
| Destination | Target |
|---|---|
| 172.21.0.0/16 | local |
| 172.19.0.0/16 | vgw-XXXXXXXXX |
| 0.0.0.0/0 | igw-XXXXXXXXX |
Where `vgw-XXXXXXXXX` is the virtual gateway associated with the VPN I have.
I can send traffic from my "on-prem" VPC into my cloud VPC successfully, but no traffic comes back out. I've tested this by SSHing into an EC2 instance in my "on-prem" VPC and then pinging a private IP address of an EC2 instance in my cloud VPC and I can see the pings are received by the EC2 instance in the cloud VPC, but my "on-prem" instance never receives the response.
I have checked my security groups and NACLs and they are not preventing this type of traffic.
Is there something misconfigured here?
Upvotes: 1
Views: 1091
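The symptom in the question (echo requests arrive at the cloud instance, replies never make it back) is an asymmetric-path problem, so the first thing to establish is whether the posted route tables give a path in both directions at the VPC layer, or whether the return packet is already lost there. The script below is an added example, not code from the question or from the AWS blog post: it models the two VPCs with the route tables exactly as posted (placeholder IDs kept), applies the AWS most-specific-prefix rule, and traces a packet each way through the tunnel. The host addresses `172.19.16.10` and `172.21.32.10` are assumptions; any address in the posted subnets would do. With the tables as posted both directions resolve, which moves the search to the instance terminating the tunnel (source/destination check on its ENI, `net.ipv4.ip_forward`, the IPsec traffic selectors) or to the route table the cloud subnet is really associated with; the script also shows what the trace looks like in that second case, where a return packet falls through to the internet gateway.

```python
"""Model the two-VPC path from the question and trace a packet each way.

Added example; this is not code from the question or from the AWS blog post.
The route tables are copied from the question, with placeholder IDs kept
as-is. The host addresses 172.19.16.10 and 172.21.32.10 are assumptions,
and a "tunnel" target is modelled by handing the packet to the peer VPC,
where it is routed again by that side's subnet route table.
"""
import ipaddress

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address

# Route table of the "on-prem" subnet 172.19.16.0/20 (from the question).
ONPREM_RT = [
    ("172.19.0.0/16", "local"),
    ("172.21.0.0/16", "eni-XXXXXXXXX"),   # ENI of the strongSwan instance
    ("0.0.0.0/0", "igw-XXXXXXXXX"),
]

# Route table of the cloud subnet 172.21.32.0/20 (from the question).
CLOUD_RT = [
    ("172.21.0.0/16", "local"),
    ("172.19.0.0/16", "vgw-XXXXXXXXX"),   # virtual private gateway
    ("0.0.0.0/0", "igw-XXXXXXXXX"),
]

VPCS = {
    "onprem": {"cidr": Net("172.19.0.0/16"), "rt": ONPREM_RT},
    "cloud":  {"cidr": Net("172.21.0.0/16"), "rt": CLOUD_RT},
}

# Targets that carry traffic through the IPsec tunnel, mapped to the VPC
# in which the packet is decapsulated and routed again.
TUNNELS = {"eni-XXXXXXXXX": "cloud", "vgw-XXXXXXXXX": "onprem"}


def lookup(rt, dst):
    """AWS route-table semantics: the most specific matching prefix wins."""
    best = None
    for prefix, target in rt:
        net = Net(prefix)
        if Addr(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best


def vpc_of(ip, vpcs):
    """Name of the VPC whose CIDR contains ip, or None."""
    for name, vpc in vpcs.items():
        if Addr(ip) in vpc["cidr"]:
            return name
    return None


def trace(src, dst, vpcs=VPCS, tunnels=TUNNELS):
    """Hop-by-hop path of a packet src->dst, ending in 'delivered' or 'lost: ...'."""
    vpc = vpc_of(src, vpcs)
    if vpc is None:
        return [f"lost: source {src} is in no VPC"]
    hops = []
    for _ in range(len(vpcs) + 1):      # a sane path crosses the tunnel at most once
        hops.append(vpc)
        route = lookup(vpcs[vpc]["rt"], dst)
        if route is None:
            hops.append(f"lost: no route to {dst} in {vpc}")
            return hops
        net, target = route
        hops.append(f"{net} via {target}")
        if target == "local":
            hops.append("delivered")
            return hops
        if target in tunnels:
            vpc = tunnels[target]        # decapsulated on the far side
            continue
        # Anything else (the internet gateway here) cannot reach a private address.
        hops.append(f"lost: {target} cannot reach {dst}")
        return hops
    hops.append("lost: routing loop")
    return hops


def round_trip_ok(a, b, vpcs=VPCS, tunnels=TUNNELS):
    """True only if a->b and b->a are both delivered; an ICMP echo needs both."""
    return (trace(a, b, vpcs, tunnels)[-1] == "delivered"
            and trace(b, a, vpcs, tunnels)[-1] == "delivered")


def without_route(vpcs, vpc_name, target):
    """Copy of the topology with every route to `target` removed from one VPC."""
    out = {k: dict(v) for k, v in vpcs.items()}
    out[vpc_name]["rt"] = [r for r in vpcs[vpc_name]["rt"] if r[1] != target]
    return out


if __name__ == "__main__":
    onprem_host, cloud_host = "172.19.16.10", "172.21.32.10"   # assumed addresses
    for s, d in ((onprem_host, cloud_host), (cloud_host, onprem_host)):
        print(f"{s} -> {d}: " + " -> ".join(trace(s, d)))
    print("round trip with the posted tables:", round_trip_ok(onprem_host, cloud_host))
    # One way to get exactly the symptom in the question: the cloud instance's
    # subnet is really associated with a route table that has no vgw route.
    broken = without_route(VPCS, "cloud", "vgw-XXXXXXXXX")
    print("return path without the vgw route: "
          + " -> ".join(trace(cloud_host, onprem_host, broken)))
```

Run it as-is to see both traces for the posted tables succeed and the return trace fall through to `igw-XXXXXXXXX` once the `vgw` route is gone. If the real tables also pass, the VPC layer is not the problem and the next stop is the strongSwan instance itself: confirm source/destination check is disabled on `eni-XXXXXXXXX`, that forwarding is enabled, and, with `tcpdump` on that instance, whether the echo reply arrives as ESP and is forwarded out towards `172.19.16.0/20`.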
Reputation: 29
This is not an entirely satisfying answer, but I moved from using a Virtual Private Gateway to using a Transit Gateway and I was able to get it to work.
Upvotes: 0