Cisco ISR VPN to Transit GW VPC VPN

0

For a new IPv6 project, we are attempting to connect our office network to a VPC VPN "IPv6 Inside" attached to a Transit Gateway. IKE phase 1 establishes, but IKE phase 2 fails to establish with the following errors:

The error from the CloudWatch logs is: "AWS tunnel was unable to decrypt the security payload(s)". I am unable to find this error message in any AWS documentation.

The error on the Cisco ISR is: "NOTIFY INVALID_ID_INFO protocol 3".

I suspect the issue is with PFS or a cipher suite conflict?

However, when I attached an "IPv4 Inside" tunnel to the same Cisco ISR, the connection was established immediately. I cannot find any documentation concerning this, and the "Download configuration" option shows no difference. Should there be any difference?

1 Answer
1

Managed to resolve this issue. The documentation should be updated when using "Download Configuration" to say that the tunnel interface must instead use:

tunnel mode ipsec ipv4 v6-overlay instead of tunnel mode ipsec ipv4

Plus, the PtP IPv6 address should be used on the interface instead of the IPv4 address. Hopefully this post will save someone a weekend of work!

answered 3 months ago
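For reference, the tunnel interface block as the generated configuration shapes it, beside the corrected form the answer describes. This is an added example, not text from the answer or from AWS's downloadable configuration; the tunnel number, addresses and IPsec profile name are placeholders, and the /126 inside prefix length is an assumption.

```cisco
! Added example (not the page's or AWS's own configuration).
! Tunnel number, addresses and profile name are placeholders.
!
! --- As generated by "Download configuration" (works for an "IPv4 Inside"
!     tunnel, fails phase 2 for an "IPv6 Inside" tunnel) ---
interface Tunnel1
 ip address 169.254.10.2 255.255.255.252        ! constructed IPv4 PtP address
 tunnel source <ISR outside IPv4 address>
 tunnel destination <AWS tunnel outside IPv4 address>
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile <ipsec-profile-name>
 no shutdown
!
! --- Corrected for an "IPv6 Inside" tunnel ---
! The outer IPsec transport stays IPv4 (tunnel source/destination unchanged);
! only the inside (overlay) addressing changes. INVALID_ID_INFO is an IKE
! notify about the identities exchanged for the phase 2 SA, which is
! consistent with the inside addressing being the part that has to change.
interface Tunnel1
 ipv6 address <inside IPv6 PtP address from the AWS tunnel options>/126   ! /126 assumed
 tunnel source <ISR outside IPv4 address>
 tunnel destination <AWS tunnel outside IPv4 address>
 tunnel mode ipsec ipv4 v6-overlay
 tunnel protection ipsec profile <ipsec-profile-name>
 no shutdown
```

After the change, confirm phase 2 with the ISR's IPsec SA output and that CloudWatch no longer reports the "unable to decrypt the security payload(s)" error.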
