Site to Site VPN Phase 2 Down
Site to site VPN, when trying to establish connection with customer gateway - IKE Phase 1 is established, but IKE phase 2 is down. In the logs - { "event_timestamp": 1690951183, "details": "received packet: from XXXXXX [UDP 4500] to XXXXXXXX [UDP 4500] (92 bytes)", "dpd_enabled": true, "nat_t_detected": true, "ike_phase1_state": "established", "ike_phase2_state": "down" }
Customer Gateway Configuration
Aws Tunnel Configuration
Why is the phase 2 connection not getting established.
- Neueste
- Die meisten Stimmen
- Die meisten Kommentare
According to the screenshot of the configuration on Customer Gateway that you provided, the Perfect Forward Secrecy (PFS) is disabled. You must enable it on the Customer Gateway. It is one of the requirements to establish IKE Phase 2.
The following documents are common troubleshooting methods.
Common cases are that the DH Group numbers do not match and the connection fails, etc.
By the way, is it possible to check the VPN logs and other information on the Customer Gateway?
Perhaps there is some error message that can be helpful in the investigation.
https://repost.aws/knowledge-center/vpn-tunnel-phase-2-ipsec
Check the DPD (Dead Peer Detection) settings on your customer gateway. https://repost.aws/knowledge-center/vpn-tunnel-instability-inactivity
Relevanter Inhalt
AWS OFFICIALAktualisiert vor 10 Monaten- AWS OFFICIALAktualisiert vor 2 Jahren
- AWS OFFICIALAktualisiert vor 2 Jahren
- AWS OFFICIALAktualisiert vor einem Jahr
Thanks. We don't have access to customer gateway logs as it is an external vendor. I have checked all settings from the above answer still not able to troubleshoot the issue.