Why is IPsec/Phase 2 for AWS Site-to-Site VPN failing to establish a connection?

2 minute read

Content level: Advanced

When I try to set up an AWS Site-to-Site VPN connection in Amazon Virtual Private Cloud (Amazon VPC), the IPsec/Phase 2 of my configuration fails to establish a connection.

Resolution

If your Site-to-Site VPN Internet Protocol security (IPsec/Phase 2) fails to establish a connection, then try the following steps to resolve the problem:

Verify that the Site-to-Site VPN Phase 2 parameters are configured correctly on your customer gateway device. To do so, compare your settings against the VPN configuration file that you downloaded from the Site-to-Site VPN console.
Verify that the supported Phase 2 parameters for IKEv1 and IKEv2 are configured correctly: Example IKEv1 and IKEv2 parameters:

IKEv1 Encryption: AES-128, AES-256, AES128-GCM-16, AES256-GCM-16
IKEv1 Data Integrity: SHA-1, SHA2-256, SHA2-384, SHA2-512
IKEv1 DH groups: 2, 5, and 14-24
Lifetime: 3600 seconds
Diffie-Hellman Perfect Forward Secrecy: Enabled

Note: The example IKEv1 and IKEv2 Phase 2 and IKEv2 Child_SA parameters specify the minimum requirements for a Site-to-Site VPN connection of:

AWS Phase 2 parameters: AES128, SHA1, Diffie-Hellman group 2.
AWS GovCloud (US) Phase 2 parameters: AES128, SHA2, Diffie-Hellman group 14.

Verify that Diffie-Hellman Perfect Forward Secrecy (PFS) is active and is using Diffie-Hellman groups for key generation. For more information, see the Use Diffie-Hellman Perfect Forward Secrecy section.
Verify that there is no security association or traffic selector mismatch between AWS and the customer gateway device.
Verify whether the configured Site-to-Site VPN connection options, including remote and local IP addresses, match the security association specified on the customer gateway device. For more information, see How do I troubleshoot connection problems between an AWS VPN endpoint and a policy-based VPN?
Verify if traffic is initiated inbound towards AWS. Site-to-Site VPN works in responder mode by default, allowing configuration changes to IKE negotiations, peer timeout settings, and other configuration settings. For more information, see Site-to-Site VPN tunnel initiation options.

If your issue still persists, try the following:

Turn on Site-to-Site VPN logs.

Examine the IPsec debug logs to learn the cause of the failure and troubleshooting steps.

Topics

Networking & Content Delivery

Relevant content

BGP Negotiation over AWS Site-to-Site VPN and Direct Connect: Troubleshooting Strategies for Efficient Networking
EXPERT
Vinay Gugueoth
published 9 months ago
Configuration of Dynamic Routing (BGP) - Based AWS Site-to-Site VPN with MikroTik Router for Secure Data Transmission
EXPERT
Vinay Gugueoth
published 9 months ago
Secure way to set up IPsec VPN between IBM Cloud and an AWS-managed VPN endpoint with static routing
EXPERT
Vinay Gugueoth
published 6 months ago
NETWORK NOT ESTABLISHED AFTER AWS VPN TUNNEL IS UP
Accepted Answer
Kpododo
asked 7 months ago
Unable to establish a connection on VPN Tunnel 2
DB
asked a year ago
AWS Client VPN is connecting to VPC but can't access to Internet
Accepted Answer
buraktas
asked a year ago
Why is IPsec/Phase 2 for AWS Site-to-Site VPN failing to establish a connection?
AWS OFFICIALUpdated a year ago
How do I create a backup VPN for my AWS Site-to-Site VPN connection?
AWS OFFICIALUpdated 8 months ago
Why is my AWS Site-to-Site VPN failing to establish connectivity?
AWS OFFICIALUpdated a year ago
Why is my AWS Site-to-Site VPN down?
AWS OFFICIALUpdated a year ago