I have an IPsec VPN tunnel up between my home LAN and my Amazon AWS VPC.
Here’s the overall setup. Home LAN is on the left, AWS VPC is on the right. I’ve got public, static IPs on the home LAN, which technically bypasses the double NAT; the second-layer router has a public IP that is ‘passed through’ the Comcast cable modem with 5x static IPs assigned to it.
I have put in static routes on the gateways for both the left and right networks pointing to the VyOS VPN tunnel endpoints (192.168.1.5, 10.50.0.5) as the gateway for VPN traffic.
Everything works well, except that from time to time the tunnel seems to break down one way only. Doing a “show vpn ipsec sa” shows the tunnels as up on both ends. However, if I ping from the AWS VPC to the Home LAN, the traffic never makes it through the tunnel. The VPC VyOS endpoint shows traffic counters going up for traffic leaving the tunnel, but nothing ever makes it “in” to the Home LAN VPN tunnel. The traffic counter won’t increment, but it still shows as “up”. Pinging the remote VPN endpoint IP address from either the local VPN endpoint or another server on the network yields the same result.
However, as soon as I ping the other way, from the LAN into the AWS VPC, pings from both directions make it through just fine. Within a few minutes, though, the same scenario happens; AWS VPC to LAN won’t go through.
To explain further:
Ping from 10.50.0.63 to 192.168.1.201 does not work
Ping from 10.50.0.5 to 192.168.1.5 does not work
Ping from 192.168.1.31 to 10.50.0.63 does work
Ping from 10.50.0.63 to 192.168.1.201 does work
Ping from 10.50.0.5 to 192.168.1.5 does work
I have set dead-peer detection on both endpoints:
vyos@vyos# show vpn ipsec ike-group IKE-1W dead-peer-detection
Any idea what is going on?
(IP addresses above are modified)
EDIT: Fixed. See below.
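An added example, not the poster's configuration or the fix referred to above: a small monitor that does by script what the post does by hand, probing the far-side tunnel endpoint with ICMP and reporting when consecutive probes fail while the SA may still show as up. Run on the AWS VyOS box (probing 192.168.1.5) it detects the one-way state described in the post; run on the LAN side as a keepalive toward 10.50.0.5 it keeps traffic flowing in the direction the poster observed restores the tunnel. The probe interval, failure threshold and the `on_down` hook are assumptions of this example, not VyOS settings.

```python
#!/usr/bin/env python3
"""Tunnel-direction monitor for the symptom in the post: IKE/IPsec SAs show
"up" on both ends but traffic in one direction silently stops.

Added example, not the poster's configuration or fix. It probes the far-side
tunnel endpoint with ICMP (the check the poster ran by hand), counts
consecutive failures, and records up/down transitions. Interval, threshold
and the `on_down` hook are assumptions, not VyOS settings.
"""
import subprocess
import sys
import time
from datetime import datetime, timezone


def icmp_probe(host, timeout_s=2):
    """True if one ICMP echo to `host` is answered (uses the system ping)."""
    rc = subprocess.run(
        ["ping", "-c", "1", "-W", str(timeout_s), host],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
    ).returncode
    return rc == 0


class TunnelMonitor:
    """Tracks reachability of one tunnel endpoint from this side only.

    A "down" here means *our* outbound direction is not delivering, even
    though `show vpn ipsec sa` may still report the SA as up.
    """

    def __init__(self, peer, fail_threshold=3, probe=icmp_probe,
                 on_down=None, clock=None):
        self.peer = peer
        self.fail_threshold = fail_threshold
        self.probe = probe            # injectable so the logic can be tested offline
        self.on_down = on_down        # optional hook, e.g. a restart command (assumption)
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self.failures = 0
        self.state = "up"             # optimistic start; the first probes correct it
        self.events = []              # list of (timestamp, "up" | "down")

    def _log(self, event):
        self.events.append((self.clock(), event))

    def step(self):
        """Run one probe, update the state machine, return the new state."""
        if self.probe(self.peer):
            if self.state == "down":
                self._log("up")
            self.failures = 0
            self.state = "up"
            return self.state
        self.failures += 1
        if self.state == "up" and self.failures >= self.fail_threshold:
            self.state = "down"
            self._log("down")
            if self.on_down is not None:
                self.on_down(self.peer)
        return self.state


def run_monitor(peer, interval_s=30, **kw):
    """Probe forever and print transitions. The 30 s interval is an assumption;
    it must be shorter than the "few minutes" after which the poster saw the
    tunnel go one-way, so that as a keepalive it never lets the tunnel idle."""
    mon = TunnelMonitor(peer, **kw)
    seen = 0
    while True:
        mon.step()
        for ts, ev in mon.events[seen:]:
            print(f"{ts.isoformat()} tunnel to {peer}: {ev}")
        seen = len(mon.events)
        time.sleep(interval_s)


if __name__ == "__main__":
    # Peer address from the post; pass the other endpoint when run on the AWS side.
    run_monitor(sys.argv[1] if len(sys.argv) > 1 else "10.50.0.5")
```

Because the far endpoint answers from inside the tunnel, a failed probe with the SA still listed as up is exactly the one-way condition in the post; a probe that only checks `show vpn ipsec sa` would never notice it.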