1
votes

Has anyone here succeeded in implementing an AWS VPN connection with the AWS Transit Gateway service?

I've created and configured my transit gateway and an attachment of type VPN, with a transit gateway route table and association. I've downloaded the resulting VPN connection configuration (static routing), configured my on-prem routers, and my tunnels are up.

However:

  • I can reach my tunnels' public IP addresses from the on-prem network and AWS VPC
  • I can reach my tunnels' public IP addresses from my on-prem network
  • I can't reach my on-prem router's public IP address
  • I can't reach any host in the AWS VPC from my on-prem network, nor the other way round

When I look at the corresponding transit gateway route table, I can see that all VPN routes are in the blackhole state. If I set them to the active state, they still come back to the blackhole state. In this blackhole state the transit gateway drops packets silently...

Any help?

1
Do you have the routes in both your TG route table and your VPC route table? For example, do you have routes (CIDRs) pointing to your TG in your VPC route table, and then the same CIDR pointing to the VPN in your TG route table? - programmerj
Yes @programmerj, that's the least to do, so yes, I've done all of that. - nixmind
And I also notice that the VPN TGW routes change from active to blackhole randomly. - nixmind
When I created the VPN TGW attachment, it implicitly created a VPN connection, but I can't add a static route to that VPN connection, even though my customer gateway uses static routing. I get this error when trying to add a static route to my VPN connection: "Static routes for vpn-XXXXXXXXXXXXXX must be added through the Transit Gateway API." - nixmind

1 Answer

0
votes

I've also added the route to the on-premises network 10.0.0.0/8 in the transit gateway route table associated with the VPC attachment (not the VPN attachment) of the AWS VPC concerned, and now I can reach the on-premises network from AWS through the TGW.

I think packets first leave the VPC they belong to and need a route to get to the VPN; this route's target is the VPN attachment (the route I've added to the TGW VPN attachment route table has the VPN attachment as its target), and from the VPN attachment onwards the rest of the flow is handled by the VPN attachment through the VPN connection.

So to conclude, for your AWS TGW to carry a VPN connection, you need a VPN attachment to establish the VPN connections, a VPC attachment associated with the AWS VPC you want to connect to your on-premises network, and then a route to the on-premises network in the transit gateway route tables of both the VPN and the VPC attachment.

The above layout applies when you don't use the transit gateway default route table and create a specific transit gateway route table for each attachment.
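The layout the answer describes, written out as Terraform so the pieces are visible in one place. This is an added example, not the poster's configuration: the VPC CIDR (172.16.0.0/16), the subnet, VPC and route-table IDs, the customer gateway IP and the BGP ASN are placeholders to be replaced; 10.0.0.0/8 is the on-premises range from the answer. The VPN connection is created against the transit gateway (not a virtual private gateway), which is what produces the implicit VPN attachment and why its static routes have to go into a TGW route table rather than onto the VPN connection itself.

```hcl
# Added example: Transit Gateway with one route table per attachment, a
# static-routing VPN attachment, and the routes on both TGW route tables
# plus the VPC route table. All IDs and addresses below are placeholders.

variable "onprem_cidr" { default = "10.0.0.0/8" }    # from the answer
variable "vpc_cidr"    { default = "172.16.0.0/16" } # assumed VPC range

resource "aws_ec2_transit_gateway" "tgw" {
  # No default route table association/propagation: every attachment
  # must be explicitly associated with a route table (the answer's layout).
  default_route_table_association = "disable"
  default_route_table_propagation = "disable"
}

# ---- VPN attachment and its route table ---------------------------------
resource "aws_customer_gateway" "onprem" {
  bgp_asn    = 65000          # required by the API even for static routing
  ip_address = "203.0.113.10" # placeholder (RFC 5737): on-prem router public IP
  type       = "ipsec.1"
}

# Setting transit_gateway_id (instead of vpn_gateway_id) creates the VPN
# attachment implicitly; static routes are then TGW routes, not VPN routes.
resource "aws_vpn_connection" "onprem" {
  customer_gateway_id = aws_customer_gateway.onprem.id
  transit_gateway_id  = aws_ec2_transit_gateway.tgw.id
  type                = "ipsec.1"
  static_routes_only  = true
}

resource "aws_ec2_transit_gateway_route_table" "vpn" {
  transit_gateway_id = aws_ec2_transit_gateway.tgw.id
}

resource "aws_ec2_transit_gateway_route_table_association" "vpn" {
  transit_gateway_attachment_id  = aws_vpn_connection.onprem.transit_gateway_attachment_id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.vpn.id
}

# Packets arriving from on-prem over the tunnels: forward the VPC CIDR to
# the VPC attachment.
resource "aws_ec2_transit_gateway_route" "vpn_to_vpc" {
  destination_cidr_block         = var.vpc_cidr
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.app.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.vpn.id
}

# ---- VPC attachment and its route table ---------------------------------
resource "aws_ec2_transit_gateway_vpc_attachment" "app" {
  subnet_ids         = ["subnet-0123456789abcdef0"] # placeholder, one subnet per AZ
  transit_gateway_id = aws_ec2_transit_gateway.tgw.id
  vpc_id             = "vpc-0123456789abcdef0"       # placeholder
  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false
}

resource "aws_ec2_transit_gateway_route_table" "vpc" {
  transit_gateway_id = aws_ec2_transit_gateway.tgw.id
}

resource "aws_ec2_transit_gateway_route_table_association" "vpc" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.app.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.vpc.id
}

# Packets leaving the VPC towards on-prem: the route the answer added.
# A static route whose target is a VPN attachment is shown as "blackhole"
# while none of that attachment's tunnels is up.
resource "aws_ec2_transit_gateway_route" "vpc_to_onprem" {
  destination_cidr_block         = var.onprem_cidr
  transit_gateway_attachment_id  = aws_vpn_connection.onprem.transit_gateway_attachment_id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.vpc.id
}

# ---- VPC-side route -----------------------------------------------------
# The subnet route table must hand 10.0.0.0/8 to the TGW, otherwise the
# packet never reaches the transit gateway and the TGW routes are moot.
resource "aws_route" "subnet_to_onprem" {
  route_table_id         = "rtb-0123456789abcdef0" # placeholder: VPC subnet route table
  destination_cidr_block = var.onprem_cidr
  transit_gateway_id     = aws_ec2_transit_gateway.tgw.id
}
```

The two `aws_ec2_transit_gateway_route` resources are the "route to the on-premises network in both route tables" from the answer, one in each direction; the `aws_route` is the VPC-side return path programmerj asked about in the comments. Instead of the static `vpn_to_vpc` route, an `aws_ec2_transit_gateway_route_table_propagation` of the VPC attachment into the VPN route table gives the same result and follows CIDR changes automatically.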