Why is my AWS Site-to-Site VPN failing to establish connectivity?
My AWS Site-to-Site VPN in an Amazon Virtual Private Cloud (Amazon VPC) fails either IKE/Phase 1 or IPSec/Phase 2 of connectivity establishment.
Resolution
IKE/Phase 1 failures
If the IKE phase of your configuration fails, then check the Site-to-Site VPN configuration to confirm that it meets the following requirements:
- Meets the customer gateway requirements.
- Uses the appropriate IKE version for your use case. Note: AWS supports both IKEv1 and IKEv2.
- Uses the appropriate lifetime in seconds for IKE (Phase 1) for your IKE version. To configure the tunnel options that you require, see Tunnel options for your Site-to-Site VPN connection.
- Has a customer gateway device that's configured with the correct pre-shared key (PSK) or valid certificates.
- Can successfully ping Site-to-Site VPN endpoints from your customer gateway.
If acceleration is turned on for a Site-to-Site VPN connection, then be sure that NAT-Traversal is turned on for the customer gateway device.
If the customer gateway device is behind a network address translation (NAT) device, then confirm the following:
- UDP packets on port 500 (and port 4500, if NAT-traversal is used) are allowed to pass between your network and the Site-to-Site VPN endpoints.
- The intermediate internet service providers (ISPs) aren't blocking UDP port 500 (or port 4500, if NAT-Traversal is used).
Note: If your customer gateway isn't behind a port address translation (PAT) device, then it's a best practice to turn off NAT-traversal.
IPsec/Phase 2 failures when IKE/Phase 1 is UP
After IKE/Phase 1 of the Site-to-Site VPN connection is established, the customer gateway tries to establish IPsec/Phase 2. Note that the Site-to-Site VPN status is UP only when both the Phase 1 and Phase 2 statuses are UP. For a dynamic Site-to-Site VPN, BGP must also be in the UP status. If the IKE/Phase 1 connection establishes but your IPsec/Phase 2 connection is in the DOWN status, then the Site-to-Site VPN status is also DOWN.
If your Site-to-Site VPN IPsec/Phase 2 fails to establish a connection, then try the following steps to resolve the problem:
- Compare your settings against the Site-to-Site VPN configuration file to verify that the Site-to-Site VPN Phase 2 parameters are configured correctly on your customer gateway device. You can download this file from the Site-to-Site VPN console.
- Verify that the supported Phase 2 parameters for IKEv1 and IKEv2 are configured correctly. See the following example IKEv1 and IKEv2 parameters:
IKEv1 Encryption: AES-128, AES-256, AES128-GCM-16, AES256-GCM-16
IKEv1 Data Integrity: SHA-1, SHA2-256, SHA2-384, SHA2-512
IKEv1 DH groups: 2, 5, and 14-24
Lifetime: 3600 seconds
Diffie-Hellman Perfect Forward Secrecy: Turned on
Note: The example IKEv1 Phase 2 and IKEv2 Child_SA parameters above exceed the minimum requirements for a Site-to-Site VPN connection, which are:
AWS Phase 2 parameters: AES128, SHA1, Diffie-Hellman group 2
AWS GovCloud (US) Phase 2 parameters: AES128, SHA2, Diffie-Hellman group 14
- Verify that Diffie-Hellman Perfect Forward Secrecy (PFS) is active and is using Diffie-Hellman groups for key generation. See Requirements for your customer gateway device, and review the information for Use Diffie-Hellman Perfect Forward Secrecy in the table that's provided.
- Check that there's no security association or traffic selector mismatch between AWS and the customer gateway device.
- Check whether the configured Site-to-Site VPN connection options, including remote and local IP addresses, match the security association that's specified on the customer gateway device. For more information, see How do I troubleshoot connection problems between an AWS VPN endpoint and a policy-based VPN?
- Check if traffic is initiated inbound towards AWS. Site-to-Site VPN works in responder mode by default, and allows configuration changes to IKE negotiations, peer timeout settings, and other configuration settings. For more information, see Site-to-Site VPN tunnel initiation options.
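The parameter comparison in the steps above can be scripted. The following is an added example, not code from this article or from AWS: it normalises the algorithm spellings a customer gateway device might use and compares a Phase 2 proposal against the supported values listed above. Treating the GovCloud (US) minimums (AES128, SHA2, DH group 14) as a floor for integrity and DH group is this example's own reading of the page.

```python
import re

# Phase 2 values this page lists as supported (IKEv1 column), in a normalised spelling.
SUPPORTED_ENCRYPTION = {"AES128", "AES256", "AES128GCM16", "AES256GCM16"}
SUPPORTED_INTEGRITY = {"SHA1", "SHA256", "SHA384", "SHA512"}
SUPPORTED_DH_GROUPS = {2, 5, *range(14, 25)}   # 2, 5 and 14-24
EXPECTED_LIFETIME = 3600                        # seconds

def _norm(name):
    """Collapse vendor spellings: 'aes-128' / 'AES_128' -> 'AES128', 'sha2-256' -> 'SHA256'."""
    n = re.sub(r"[^A-Za-z0-9]", "", name or "").upper()
    return re.sub(r"^SHA2(\d)", r"SHA\1", n)

def check_phase2(proposal, govcloud=False):
    """Compare a customer gateway Phase 2 proposal with the parameters on this page.

    Returns a list of human-readable findings; an empty list means no mismatch.
    The GovCloud (US) minimums (AES128, SHA2, DH group 14) are applied as a floor for
    integrity and DH group, which is this example's reading of the page (an assumption).
    """
    findings = []
    enc = _norm(proposal.get("encryption"))
    if enc not in SUPPORTED_ENCRYPTION:
        findings.append(f"encryption {proposal.get('encryption')!r} is not a supported Phase 2 algorithm")
    integ = _norm(proposal.get("integrity"))
    if "GCM" in enc and not integ:
        pass  # AEAD ciphers carry their own integrity; a separate hash is not required
    elif integ not in SUPPORTED_INTEGRITY:
        findings.append(f"integrity {proposal.get('integrity')!r} is not a supported Phase 2 algorithm")
    elif govcloud and integ == "SHA1":
        findings.append("integrity SHA-1 is below the GovCloud (US) minimum of SHA2")
    dh = proposal.get("dh_group")
    if not isinstance(dh, int) or dh not in SUPPORTED_DH_GROUPS:
        findings.append(f"DH group {dh!r} is not one of 2, 5 or 14-24")
    elif govcloud and dh < 14:
        findings.append(f"DH group {dh} is below the GovCloud (US) minimum of group 14")
    if proposal.get("lifetime") != EXPECTED_LIFETIME:
        findings.append(f"lifetime {proposal.get('lifetime')!r} differs from the expected {EXPECTED_LIFETIME} seconds")
    if not proposal.get("pfs", False):
        findings.append("Perfect Forward Secrecy is off; AWS expects PFS to be turned on")
    return findings

if __name__ == "__main__":
    # Constructed sample proposal for illustration, not taken from a real device configuration.
    sample = {"encryption": "aes-128", "integrity": "sha1", "dh_group": 2, "lifetime": 3600, "pfs": True}
    for region, gov in (("commercial", False), ("GovCloud (US)", True)):
        print(region, check_phase2(sample, govcloud=gov) or ["OK"])
```

The same proposal passes in a commercial Region and is flagged twice for GovCloud (US), which mirrors the two minimum-parameter lines above.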
If the issue persists, try the following:
- Turn on Site-to-Site VPN logs.
- Examine the IPsec debug logs to learn the cause of the failure and troubleshooting steps.
Related Information
Troubleshooting your customer gateway device
Modify Site-to-Site VPN tunnel options
Example customer gateway device configurations for static routing
Example customer gateway device configurations for dynamic routing (BGP)