Why is my AWS Site-to-Site VPN failing to establish connectivity?


My AWS Site-to-Site VPN in an Amazon Virtual Private Cloud (Amazon VPC) fails either IKE/Phase 1 or IPSec/Phase 2 of connectivity establishment.

Resolution

IKE/Phase 1 failures

If the IKE phase of your configuration fails, then check the Site-to-Site VPN configuration to confirm that it meets the following requirements:

If acceleration is turned on for a Site-to-Site VPN connection, then be sure that NAT-Traversal is turned on for the customer gateway device.

If the customer gateway device is behind a network address translation (NAT) device, then confirm the following:

  • UDP packets on port 500 (and port 4500, if NAT-traversal is used) are allowed to pass between your network and the Site-to-Site VPN endpoints.
  • The intermediate internet service providers (ISPs) aren't blocking UDP port 500 (or port 4500, if NAT-Traversal is used).

Note: If your customer gateway isn't behind a port address translation (PAT) device, then it's a best practice to turn off NAT-traversal.

IPsec/Phase 2 failures when IKE/Phase 1 is UP

After IKE/Phase 1 of the Site-to-Site VPN connection is established, the customer gateway tries to establish IPsec/Phase 2. Note that the Site-to-Site VPN status is UP only when both the Phase 1 and Phase 2 statuses are UP. For a dynamic Site-to-Site VPN, BGP must also be in the UP status. If the IKE/Phase 1 connection is established but your IPsec/Phase 2 connection is in the DOWN status, then the Site-to-Site VPN status is also DOWN.

If your Site-to-Site VPN IPsec/Phase 2 fails to establish a connection, then try the following steps to resolve the problem:

  • Compare your settings against the Site-to-Site VPN configuration file to verify that the Site-to-Site VPN Phase 2 parameters are configured correctly on your customer gateway device. You can download this file from the Site-to-Site VPN console.
  • Verify that the supported Phase 2 parameters for IKEv1 and IKEv2 are configured correctly. See the following example IKEv1 and IKEv2 parameters:
    IKEv1 Encryption: AES-128, AES-256, AES128-GCM-16, AES256-GCM-16
    IKEv1 Data Integrity: SHA-1, SHA2-256, SHA2-384, SHA2-512
    IKEv1 DH groups: 2, 5, and 14-24
    Lifetime: 3600 seconds
    Diffie-Hellman Perfect Forward Secrecy: Turned on
    Note: The minimum Phase 2 (IKEv1) and Child_SA (IKEv2) parameters for a Site-to-Site VPN connection are:
    AWS Phase 2 parameters: AES128, SHA1, Diffie-Hellman group 2
    AWS GovCloud (US) Phase 2 parameters: AES128, SHA2, Diffie-Hellman group 14
  • Verify that Diffie-Hellman Perfect Forward Secrecy (PFS) is active and is using Diffie-Hellman groups for key generation. See Requirements for your customer gateway device, and review the information for Use Diffie-Hellman Perfect Forward Secrecy in the table that's provided.
  • Check that there's no security association or traffic selector mismatch between AWS and the customer gateway device.
  • Check whether the configured Site-to-Site VPN connection options, including remote and local IP addresses, match the security association that's specified on the customer gateway device. For more information, see How do I troubleshoot connection problems between an AWS VPN endpoint and a policy-based VPN?
  • Check if traffic is initiated inbound towards AWS. Site-to-Site VPN works in responder mode by default, and allows configuration changes to IKE negotiations, peer timeout settings, and other configuration settings. For more information, see Site-to-Site VPN tunnel initiation options.
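The two most common Phase 2 mismatches in the list above (an unsupported or below-minimum proposal, and mirrored traffic selectors that do not line up) can be checked offline before touching the device. The following is an added example written for this page, not AWS code or a customer gateway vendor's tool: it encodes the supported and minimum Phase 2 values quoted above and compares a customer gateway proposal and its security-association selectors against them. The proposal dictionaries and CIDRs are constructed sample input; the assumption that GovCloud's "SHA2" means any SHA2 variant and "group 14" means group 14 or higher is the author's reading of the note, not something the page states.

```python
import ipaddress

# Supported IKEv1/IKEv2 Phase 2 values as listed on the page.
SUPPORTED_ENCRYPTION = {"AES-128", "AES-256", "AES128-GCM-16", "AES256-GCM-16"}
SUPPORTED_INTEGRITY = {"SHA-1", "SHA2-256", "SHA2-384", "SHA2-512"}
SUPPORTED_DH_GROUPS = {2, 5} | set(range(14, 25))  # 2, 5, and 14-24
EXPECTED_LIFETIME = 3600  # seconds, per the page's example


def check_phase2_proposal(proposal: dict, govcloud: bool = False) -> list:
    """Return a list of findings for a customer gateway Phase 2 proposal.

    An empty list means the proposal matches what AWS accepts. `proposal`
    has the keys encryption, integrity, dh_group, pfs and lifetime
    (constructed shape for this example, not a vendor's config format).
    """
    findings = []
    if proposal["encryption"] not in SUPPORTED_ENCRYPTION:
        findings.append(f"encryption {proposal['encryption']!r} is not supported")
    if proposal["integrity"] not in SUPPORTED_INTEGRITY:
        findings.append(f"integrity {proposal['integrity']!r} is not supported")
    # PFS must be on, and the DH group used for PFS must be a supported one.
    if not proposal.get("pfs", False):
        findings.append("Diffie-Hellman PFS is turned off; AWS requires it for Phase 2")
    elif proposal["dh_group"] not in SUPPORTED_DH_GROUPS:
        findings.append(f"DH group {proposal['dh_group']} is not supported")
    if proposal.get("lifetime") != EXPECTED_LIFETIME:
        findings.append(
            f"lifetime {proposal.get('lifetime')} differs from the expected "
            f"{EXPECTED_LIFETIME} seconds; check the downloaded configuration file"
        )
    if govcloud:
        # Assumption: GovCloud minimum "SHA2 / group 14" read as any SHA2
        # variant and group 14 or higher.
        if not proposal["integrity"].startswith("SHA2"):
            findings.append("GovCloud (US) requires a SHA2 integrity algorithm")
        if proposal.get("pfs", False) and proposal["dh_group"] < 14:
            findings.append("GovCloud (US) requires Diffie-Hellman group 14 or higher")
    return findings


def check_traffic_selectors(aws_local: str, aws_remote: str,
                            cgw_local: str, cgw_remote: str) -> list:
    """Security-association selectors must mirror each other.

    What AWS calls local must be what the customer gateway calls remote,
    and vice versa; any difference produces a Phase 2 selector mismatch.
    """
    def norm(cidr):
        return ipaddress.ip_network(cidr, strict=False)

    findings = []
    if norm(aws_local) != norm(cgw_remote):
        findings.append(f"AWS local {aws_local} does not match CGW remote {cgw_remote}")
    if norm(aws_remote) != norm(cgw_local):
        findings.append(f"AWS remote {aws_remote} does not match CGW local {cgw_local}")
    return findings


if __name__ == "__main__":
    # Constructed sample proposals: one good, one with a weak, unsupported set.
    good = {"encryption": "AES-256", "integrity": "SHA2-256",
            "dh_group": 14, "pfs": True, "lifetime": 3600}
    bad = {"encryption": "3DES", "integrity": "MD5",
           "dh_group": 1, "pfs": False, "lifetime": 28800}
    for name, p in (("good", good), ("bad", bad)):
        print(name, check_phase2_proposal(p) or "OK")
    # Constructed selectors: the CGW operator typed the wrong on-premises subnet.
    print(check_traffic_selectors("10.0.0.0/16", "192.168.1.0/24",
                                  "192.168.2.0/24", "10.0.0.0/16") or "OK")
```

Run it against the values from your downloaded configuration file and the device's running configuration; a non-empty list points at the specific parameter or selector to fix, which is faster than reading IKE debug output first.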

If the issue still persists, try the following:

Related Information

What is AWS Site-to-Site VPN?

Troubleshooting your customer gateway device

Modify Site-to-Site VPN tunnel options

Example customer gateway device configurations for static routing

Example customer gateway device configurations for dynamic routing (BGP)

AWS OFFICIAL
Updated a year ago