
I want to establish a host-to-host libreswan IPsec VPN. I have done the following.

  1. Created Ubuntu instance ubuntu-1 in the default VPC of the 1st account.
  2. Assigned an EIP and a security group to my Ubuntu instance allowing TCP port 1701 and UDP ports 4500 and 500, and enabled all ICMP from anywhere.
  3. Created Ubuntu instance ubuntu-2 in a non-default VPC, in a public subnet, in the 2nd account.
  4. Assigned an EIP and a security group to that Ubuntu instance allowing TCP port 1701 and UDP ports 4500 and 500, and enabled all ICMP from anywhere.

I am able to ping ubuntu-2 from the ubuntu-1 instance; however, I am not able to ping ubuntu-1 from the ubuntu-2 instance.

I am not sure what is wrong with my ubuntu-2 instance. It has an internet gateway attached to its public subnet. All the security group rules are mirrored for both servers.

  • They're in different accounts? I assume you're pinging using the EIP addresses? You've allowed all ICMP from 0.0.0.0/0 in the security group for both instances? Your network ACL isn't blocking it? It's probably something not quite right with the security groups. Commented Dec 2, 2016 at 23:48
  • Also check whether you can ping each machine from your non-AWS workstation. Commented Dec 2, 2016 at 23:56
  • @Tim I can ping both machines from my MacBook, irrespective of the network I am on. Commented Dec 3, 2016 at 0:09
  • @Tim Yes, both servers are in different accounts. Both have an EIP. Allowed all ICMP from 0.0.0.0/32. Network ACL? Which one, inbound or outbound, and for which account, the 1st or the 2nd? Since the 1st account has the default setup, I am not sure which ACL to check, inbound or outbound. Commented Dec 3, 2016 at 0:18
  • 0.0.0.0/0 means "anywhere"; I don't know what 0.0.0.0/32 means, I'm not a networking expert. NACL is not stateless, so you need to allow inbound and outbound on both accounts, whereas security groups are stateless. Given that you can ping from your machine, the inbound/outbound NACL of the machine you can't ping from is the thing to check. The default is permit all, so if you haven't changed them they should be OK. Edit your post to show your full security group setup for both servers. Commented Dec 3, 2016 at 2:23

1 Answer

Instance security depends on the Security Group. In your scenario, as you already mentioned, you have allowed ICMP from anywhere in both of your security groups. Another security aspect to consider is the Network ACL. Network ACLs are stateless. You should check the Network ACLs of the ubuntu-2 instance's subnet. ICMP is a request-and-response kind of protocol, so both the inbound and the outbound rules of the Network ACL on ubuntu-2's subnet must allow it.
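To make the stateless point concrete, here is an added example (not part of the answer above, and not an AWS tool) that evaluates a Network ACL the way the VPC does: entries are walked in ascending RuleNumber order, the first match wins, and the request and the reply of one ping are checked as two separate packets in opposite directions with different ICMP types. The entry dictionaries are constructed sample data shaped like the `Entries[]` array that `aws ec2 describe-network-acls` returns; the IP address and the rule-90 deny are made up for the illustration.

```python
"""Evaluate whether an AWS Network ACL lets an ICMP echo exchange through.

NACLs are stateless: an echo request (ICMP type 8) and the echo reply
(ICMP type 0) are matched independently, one inbound and one outbound.
Rules are evaluated in ascending RuleNumber order and the first match
wins; if nothing matches, the implicit rule 32767 ('*') denies.
"""
import ipaddress

ICMP, UDP, ANY = "1", "17", "-1"       # AWS Protocol field values
ECHO_REQUEST, ECHO_REPLY = 8, 0

# Constructed sample data in the shape of `describe-network-acls` Entries[]
# (not real account values). This is the default NACL: allow all, both ways.
DEFAULT_NACL_ENTRIES = [
    {"RuleNumber": 100, "Protocol": ANY, "RuleAction": "allow", "Egress": False, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Protocol": ANY, "RuleAction": "deny", "Egress": False, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 100, "Protocol": ANY, "RuleAction": "allow", "Egress": True, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Protocol": ANY, "RuleAction": "deny", "Egress": True, "CidrBlock": "0.0.0.0/0"},
]

# Hypothetical variant: an outbound deny for ICMP echo *requests* at a lower
# rule number than the catch-all allow. Replies (type 0) still leave, so the
# peer can ping this host, but this host cannot ping the peer. This is one
# NACL shape that produces a one-directional ping failure; it is an
# illustration, not a diagnosis of the asker's account.
ONE_WAY_NACL_ENTRIES = DEFAULT_NACL_ENTRIES + [
    {"RuleNumber": 90, "Protocol": ICMP, "RuleAction": "deny", "Egress": True,
     "CidrBlock": "0.0.0.0/0", "IcmpTypeCode": {"Type": ECHO_REQUEST, "Code": -1}},
]


def _matches(entry, egress, protocol, peer_ip, icmp_type, port):
    """Does a single NACL entry match this packet?"""
    if entry["Egress"] != egress:
        return False
    if entry["Protocol"] not in (ANY, protocol):
        return False
    # CidrBlock is the source for inbound entries and the destination for
    # outbound ones; either way it is the peer's address.
    if ipaddress.ip_address(peer_ip) not in ipaddress.ip_network(entry["CidrBlock"]):
        return False
    # ICMP entries may be narrowed by type; -1 means all types.
    tc = entry.get("IcmpTypeCode")
    if protocol == ICMP and tc and tc.get("Type", -1) not in (-1, icmp_type):
        return False
    # TCP/UDP entries may be narrowed by a port range.
    pr = entry.get("PortRange")
    if pr is not None and port is not None and not (pr["From"] <= port <= pr["To"]):
        return False
    return True


def evaluate(entries, egress, protocol, peer_ip, icmp_type=None, port=None):
    """Return 'allow' or 'deny' for one packet in one direction."""
    for entry in sorted(entries, key=lambda e: e["RuleNumber"]):
        if _matches(entry, egress, protocol, peer_ip, icmp_type, port):
            return entry["RuleAction"]
    return "deny"  # no explicit match: the '*' rule denies


def echo_exchange_permitted(entries, peer_ip, host_initiates):
    """True only if both halves of one ping are allowed.

    host_initiates=True : this host sends the request, receives the reply.
    host_initiates=False: the peer sends the request, this host replies.
    """
    if host_initiates:
        request = evaluate(entries, True, ICMP, peer_ip, icmp_type=ECHO_REQUEST)
        reply = evaluate(entries, False, ICMP, peer_ip, icmp_type=ECHO_REPLY)
    else:
        request = evaluate(entries, False, ICMP, peer_ip, icmp_type=ECHO_REQUEST)
        reply = evaluate(entries, True, ICMP, peer_ip, icmp_type=ECHO_REPLY)
    return request == "allow" and reply == "allow"


if __name__ == "__main__":
    peer = "203.0.113.10"  # constructed peer address
    for name, nacl in (("default", DEFAULT_NACL_ENTRIES), ("one-way", ONE_WAY_NACL_ENTRIES)):
        print(name, "host->peer:", echo_exchange_permitted(nacl, peer, True),
              "peer->host:", echo_exchange_permitted(nacl, peer, False))
```

Run against a real NACL by loading the `Entries` list from `aws ec2 describe-network-acls --filters Name=association.subnet-id,Values=<subnet-id>` and passing the other host's EIP as `peer_ip`; `evaluate` also covers the UDP 500/4500 and TCP 1701 checks for the IPsec side, since it honours `PortRange`. Security groups need no such check in both directions because they are stateful; the NACL does.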
