When configuring AWS Site-to-Site Virtual Private Network (VPN), the IKEv2 tunnel negotiation fails. Why is the IKE negotiation of my VPN tunnel failing?
Resolution
If the IKE exchange of your VPN tunnel is failing, check the following settings:
Note: The VPN category must be set to AWS VPN. IKEv2 isn't supported on AWS Classic VPN connections. Make any necessary changes to be sure that your configuration meets the requirements.
Customer gateway settings
- Establish an IKE security association using pre-shared keys or digital certificates.
- Establish IPsec security associations in Tunnel mode.
- Turn on IKEv2 dead peer detection.
- Bind the tunnel to a logical interface (only for route-based VPNs, not for policy-based VPNs).
- Fragment IP packets before encryption.
- Establish Border Gateway Protocol (BGP) peering (optional).
- Allow ISAKMP (UDP port 500) and Encapsulating Security Payload (IP protocol 50) traffic to route between your network and VPN endpoints. If you're using Network Address Translation Traversal (NAT-T), also be sure to allow UDP port 4500.
- Confirm that you can ping your AWS VPN endpoints from the customer gateway.
- Use the correct pre-shared key or digital certificate.
IKE profile settings
- Set the lifetime to match the value configured on the AWS side: between 900 and 28,800 seconds (28,800 is the default).
- Set the encryption algorithm to either AES-128 or AES-256.
- Set the hashing algorithm to either SHA-1 or SHA-2(256).
- Set the Pseudo Random Function (PRF) to the same algorithm as the hashing algorithm.
- Turn on one of the following Diffie-Hellman groups: 2, 14-18, 22, 23, or 24.
IPsec profile settings
- Set the lifetime to match the value configured on the AWS side: between 900 and 3,600 seconds (3,600 is the default), and less than the phase 1 (IKE) lifetime.
- Set the encryption algorithm to either AES-128 or AES-256.
- Set the hashing algorithm to either SHA-1 or SHA-2(256).
- Turn on perfect forward secrecy (PFS) using one of the following Diffie-Hellman groups: 2, 5, 14-18, 22, 23, or 24.
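The IKE profile and IPsec profile checklists above are easy to get subtly wrong (a vendor's default 86,400-second phase 1 lifetime, a PRF that differs from the hash, or DH group 5 offered for IKE when it is only accepted for PFS). The following is an added example, not AWS or vendor code: a small Python checker that compares a customer gateway's proposed phase 1 and phase 2 settings against the ranges and algorithm lists on this page. The profile dataclasses and the sample proposals are constructed for illustration; adapt the field values to what your device actually offers.

```python
"""Check a customer gateway's IKEv2 proposal against the AWS Site-to-Site VPN
requirements listed on this page. Hypothetical helper, not AWS or vendor code."""
from dataclasses import dataclass
from typing import Optional

# Requirements from the checklist above (seconds and Diffie-Hellman group numbers).
IKE_LIFETIME = (900, 28_800)      # phase 1; 28,800 is the AWS default
IPSEC_LIFETIME = (900, 3_600)     # phase 2; 3,600 is the AWS default
ENCRYPTION = {"aes128", "aes256"}
HASHING = {"sha1", "sha256"}
IKE_DH_GROUPS = {2, 14, 15, 16, 17, 18, 22, 23, 24}
PFS_DH_GROUPS = {2, 5, 14, 15, 16, 17, 18, 22, 23, 24}


def _norm(name: str) -> str:
    """Normalise vendor spellings such as 'AES-256', 'aes_256' or 'SHA-2(256)'."""
    n = name.lower().replace("-", "").replace("_", "").replace(" ", "")
    return {"sha2(256)": "sha256"}.get(n, n)


@dataclass
class IkeProfile:              # phase 1 (IKE SA)
    lifetime: int
    encryption: str
    hashing: str
    prf: str
    dh_group: int


@dataclass
class IpsecProfile:            # phase 2 (IPsec SA)
    lifetime: int
    encryption: str
    hashing: str
    pfs_group: Optional[int]   # None means PFS is turned off


def validate(ike: IkeProfile, ipsec: IpsecProfile) -> list:
    """Return a list of mismatches; an empty list means the proposal meets the checklist."""
    problems = []

    lo, hi = IKE_LIFETIME
    if not lo <= ike.lifetime <= hi:
        problems.append(f"IKE lifetime {ike.lifetime}s is outside {lo}-{hi}s")
    if _norm(ike.encryption) not in ENCRYPTION:
        problems.append(f"IKE encryption {ike.encryption!r} must be AES-128 or AES-256")
    if _norm(ike.hashing) not in HASHING:
        problems.append(f"IKE hash {ike.hashing!r} must be SHA-1 or SHA-2(256)")
    if _norm(ike.prf) != _norm(ike.hashing):
        problems.append(f"IKE PRF {ike.prf!r} must match the hash {ike.hashing!r}")
    if ike.dh_group not in IKE_DH_GROUPS:
        problems.append(f"IKE DH group {ike.dh_group} is not one of {sorted(IKE_DH_GROUPS)}")

    lo, hi = IPSEC_LIFETIME
    if not lo <= ipsec.lifetime <= hi:
        problems.append(f"IPsec lifetime {ipsec.lifetime}s is outside {lo}-{hi}s")
    if ipsec.lifetime >= ike.lifetime:
        problems.append(f"IPsec lifetime {ipsec.lifetime}s must be less than IKE lifetime {ike.lifetime}s")
    if _norm(ipsec.encryption) not in ENCRYPTION:
        problems.append(f"IPsec encryption {ipsec.encryption!r} must be AES-128 or AES-256")
    if _norm(ipsec.hashing) not in HASHING:
        problems.append(f"IPsec hash {ipsec.hashing!r} must be SHA-1 or SHA-2(256)")
    if ipsec.pfs_group is None:
        problems.append("IPsec PFS is turned off; turn it on with a supported DH group")
    elif ipsec.pfs_group not in PFS_DH_GROUPS:
        problems.append(f"IPsec PFS group {ipsec.pfs_group} is not one of {sorted(PFS_DH_GROUPS)}")
    return problems


# Constructed sample proposals (not taken from any real device).
GOOD = (IkeProfile(28_800, "AES-256", "SHA-2(256)", "SHA-2(256)", 14),
        IpsecProfile(3_600, "AES-256", "SHA-2(256)", 14))
# Typical vendor defaults that fail the checklist: long lifetimes, PRF != hash,
# DH group 5 for IKE (only valid for PFS) and PFS left off.
BAD = (IkeProfile(86_400, "AES-256", "SHA-2(256)", "SHA-1", 5),
       IpsecProfile(28_800, "AES-128", "SHA-1", None))


if __name__ == "__main__":
    for label, (ike, ipsec) in (("good", GOOD), ("bad", BAD)):
        found = validate(ike, ipsec)
        print(f"{label}: {'OK' if not found else ''}")
        for p in found:
            print("  -", p)
```

Run it as-is to see the five mismatches in the constructed "bad" proposal; then replace the two sample tuples with your own device's phase 1 and phase 2 values.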
For more information, see the Amazon Virtual Private Cloud Network Administrator Guide.