aws-samples / vpn-gateway-strongswan

AWS CloudFormation template to deploy the open source strongSwan VPN solution to act as a VPN gateway in support of site-to-site VPN connections.
Apache License 2.0

[Help needed] Stack always failing on rVpnGatewayWaitCondition1 and no log stream #21

Closed ericct closed 3 years ago

ericct commented 3 years ago

Hello,

Thanks for this sample! I'm surely doing something wrong but I cannot initiate the stack. I'm using the CLI way (same problem using the Web UI) and PSK mode. It always fails with "The following resource(s) failed to create: [rVpnGatewayWaitCondition1]. Rollback requested by user." (from the cfn stack creation event stream).

Before this, everything looks fine (EIP association seems OK, the instance comes up, ...), but I cannot verify anything because even though the CloudWatch Log Group is created (with the default path from the script /infra/vpngw/ec2/test15), no Log Stream is created.

What can I do to get more information and troubleshoot the issue?

Thanks a lot!

ericct commented 3 years ago

Ahem... Sorry for the noise here. Looking at the User Data for EC2 init, I've realized that the ACK of rVpnGatewayWaitCondition1 is made from here and the first step is to install Cloud Agent. And then, I've checked my routes to notice that there was none to the IGW. After fixing this silly error, it works!

yetanotherbot commented 3 years ago

Hi @ericct , I am having the same issue. Could you please elaborate on how you fixed the issue? Thanks so much!

nghtm commented 2 years ago

+1 to this issue, would appreciate it if you can elaborate on the solution you found involving an IGW. Thanks!

rfc2119 commented 2 years ago

What @ericct meant is simply that there was no route to the internet in his VPC (via an IGW). They simply added it and it worked for them. However, this was not the case for me. It turned out that, in the original blog post, this paragraph:

AWS Secrets Manager secret must be in the form of psk: where psk is the key and is the private shared key value.

Simply meant that, if you're using a pre-shared key for authentication, then your AWS Secrets Manager secret must be a key/value pair, the key being literally psk and the value being your key. Hence, if you viewed your secret in the console in plain text, it should look like {"psk":"<long-string>"}

NOTE: To debug similar errors, inspect the system logs for the terminated EC2 instance (whose ID is output upon failure in the CloudFormation console). Look for messages starting with [cloud-init]
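A pre-flight check for the two causes found in this thread (no route to an IGW, and a secret that is not a `{"psk": ...}` JSON pair), written as an added example that is not part of the vpn-gateway-strongswan project. The function names are hypothetical; the inputs are the SecretString you get from `aws secretsmanager get-secret-value` and the Routes list from `aws ec2 describe-route-tables`, so it runs offline on data you already fetched.

```python
from __future__ import annotations
import json
import re


def check_psk_secret(secret_string: str) -> tuple[bool, str]:
    """PSK mode: the secret must be a JSON object with the key 'psk'
    holding a non-empty string (a plaintext secret does not work)."""
    try:
        data = json.loads(secret_string)
    except (TypeError, ValueError):
        return False, "SecretString is not JSON; expected {\"psk\": \"<key>\"}"
    if not isinstance(data, dict) or "psk" not in data:
        return False, "JSON object must contain the key 'psk'"
    value = data["psk"]
    if not isinstance(value, str) or not value.strip():
        return False, "'psk' value must be a non-empty string"
    return True, "ok"


def check_default_route(routes: list[dict]) -> tuple[bool, str]:
    """The gateway subnet needs an active 0.0.0.0/0 route to an internet
    gateway; without it the user-data agent install never finishes and
    rVpnGatewayWaitCondition1 times out."""
    for r in routes:
        if r.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if r.get("State", "active") != "active":
            return False, "default route exists but is not active"
        target = r.get("GatewayId") or r.get("NatGatewayId") or "?"
        if re.fullmatch(r"igw-[0-9a-f]+", target):
            return True, "ok"
        return False, f"default route targets {target}, expected an igw-*"
    return False, "no 0.0.0.0/0 route in the route table"


if __name__ == "__main__":
    # Constructed sample data (not real secrets or resource IDs).
    good_secret = '{"psk": "EXAMPLE-not-a-real-key"}'
    bad_secret = "EXAMPLE-not-a-real-key"  # plaintext, the mistake in this thread
    routes_ok = [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123456789abcdef0", "State": "active"},
    ]
    routes_missing = routes_ok[:1]
    for ok, why in (check_psk_secret(good_secret), check_psk_secret(bad_secret),
                    check_default_route(routes_ok), check_default_route(routes_missing)):
        print("PASS" if ok else "FAIL", why)
```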