Who rated this post

cancel
Showing results for 
Search instead for 
Did you mean: 
mk1
Collaborator

No, your configuration is wrong. AWS give you two separate IPsec peer IPs which are public. Let's say they are 1.1.1.1 and 2.2.2.2.
The first thing you have to create with SmartConsole are the Interoperable Devices of remote VPN peers, in our case AWS_GW1 which is 1.1.1.1 and AWS_GW2 which is 2.2.2.2.

AWS give you also two separate IPs part of 169.254.x.x range. Let's say IPs for the first tunnel are 169.254.1.99 (AWS) and 169.254.1.100 (you) and the IPs for the second tunnel are 169.254.2.99 (AWS) and 169.254.2.100 (you).

Then you have the following config in the CLI:

GW1
add vpn tunnel 1 type numbered local 169.254.1.1 remote 169.254.1.99 peer AWS_GW1
set interface vpnt1 state on
set interface vpnt1 mtu 1436

add vpn tunnel 2 type numbered local 169.254.2.1 remote 169.254.2.99 peer AWS_GW2
set interface vpnt2 state on
set interface vpnt2 mtu 1436

GW2
add vpn tunnel 1 type numbered local 169.254.1.2 remote 169.254.1.99 peer AWS_GW1
set interface vpnt1 state on
set interface vpnt1 mtu 1436

add vpn tunnel 2 type numbered local 169.254.2.2 remote 169.254.2.99 peer AWS_GW2
set interface vpnt2 state on
set interface vpnt2 mtu 1436


The main purpose here is to have different IPs on each VPN tunnel interface, and then you will configure the VIP via GUI with the proper IP provided by AWS, in our case 169.254.1.100 will be VIP for vpnt1 and 169.254.2.100 for vpnt2. Then you have to add your static routes pointing to 169.254.1.99 and 169.254.2.99 (if you don't use BGP). One of them should be with priority.

On your questions:
Should the cluster ip address be a specific ip address, or just any ip address in the 169.254.92.x subnet? - Cluster IP address must be the one given by AWS. Member IP addresses could be any IP address.


Also, does it matter what local and remote ip address we use for the tunnel configuration or just any from the 169.254.x.x range? - Yes, it does. You have to use the IPs given by AWS for both sides of the tunnels, and you can use another IPs for each member interfaces different from VIP.

View solution in original post

(1)
Who rated this post