Why is IPsec/Phase 2 for AWS Site-to-Site VPN failing to establish a connection?
IPsec/Phase 2 fails when I set up an AWS Site-to-Site Virtual Private Network (VPN) connection. I want to troubleshoot this error.
Resolution
If an Internet Protocol security (IPsec/Phase 2) connection fails, then complete the following:
- Make sure that the Site-to-Site VPN Phase 2 parameters on your customer gateway device match the VPN's tunnel settings.
Note: You can download an example configuration file for your VPN, and then compare that file to the tunnel settings for the customer gateway. However, if your VPN tunnels have customized settings, then the example configuration file might not exactly match the Phase 2 parameters of the VPN tunnels.
- Verify that the Phase 2 parameters for IKEv1 and IKEv2 conform to Best practices for your customer gateway device.
In the following example, all parameters conform to best practices:
IKEv1 Encryption: AES-128, AES-256, AES128-GCM-16, AES256-GCM-16
IKEv1 Data Integrity: SHA-1, SHA2-256, SHA2-384, SHA2-512
IKEv1 DH groups: 2, 5, and 14-24
Lifetime: 3600 seconds
Diffie-Hellman Perfect Forward Secrecy (PFS): Active
AWS Phase 2 parameters: AES128, SHA1, Diffie-Hellman group 2
AWS GovCloud (US) Phase 2 parameters: AES128, SHA2, Diffie-Hellman group 14
- Make sure that Diffie-Hellman PFS is active and uses Diffie-Hellman groups for key generation. For more information, see Tunnel options for your Site-to-Site VPN connection.
- Verify that security associations and traffic selectors match on the customer gateway and AWS. For more information, see How do I troubleshoot connection problems between an AWS VPN endpoint and a policy-based VPN?
- If the connection uses IKEv2 IDi (Identification - Initiator) and IDr (Identification - Responder), then make sure that those parameters are configured correctly. For more information, see Internet Key Exchange Protocol Version 2 (IKEv2) on the Internet Engineering Task Force (IETF) Datatracker website.
- Verify that the configured Site-to-Site VPN connection options for both remote and local IP addresses match the security associations on the customer gateway. For more information, see How do I troubleshoot connection problems between an AWS VPN endpoint and a policy-based VPN?
- Make sure that inbound traffic is initiated towards AWS. For more information, see Site-to-Site VPN tunnel initiation options.
Note: Site-to-Site VPN works in responder mode by default.
- Activate Site-to-Site VPN logs, and then review logs for errors that correspond with your connection failure. After you do that, troubleshoot connection errors that correspond with the errors that you identify.
- Review the IPsec debug logs on a customer gateway for errors that correspond with your connection failure, and then troubleshoot those errors on your customer gateway.
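The parameter comparison from the first two steps, written out as an added example (not AWS code): it normalizes vendor spellings such as AES-128 and SHA-1, checks that the customer gateway's Phase 2 proposal shares at least one value with the AWS tunnel options for each parameter, and flags anything outside the best-practice sets quoted above. The AWS default proposal and the sample customer gateway values are constructed from the text in this article.

```python
from dataclasses import dataclass

# Best-practice Phase 2 values quoted in the article (IKEv1 column).
BEST_PRACTICE = {
    "encryption": {"AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"},
    "integrity": {"SHA1", "SHA2-256", "SHA2-384", "SHA2-512"},
    "dh_groups": {2, 5, *range(14, 25)},
}

def normalize(name: str) -> str:
    """Canonicalise vendor spellings: AES-128 -> AES128, SHA-1 -> SHA1."""
    n = name.upper()
    for prefix in ("AES-", "SHA-"):
        if n.startswith(prefix):
            n = prefix[:-1] + n[len(prefix):]
    return n

@dataclass(frozen=True)
class Phase2Proposal:
    encryption: frozenset
    integrity: frozenset
    dh_groups: frozenset
    lifetime_seconds: int
    pfs: bool

    @classmethod
    def build(cls, encryption, integrity, dh_groups, lifetime_seconds, pfs):
        return cls(frozenset(map(normalize, encryption)),
                   frozenset(map(normalize, integrity)),
                   frozenset(dh_groups), lifetime_seconds, pfs)

# AWS default Phase 2 values as stated in the article (constructed sample).
AWS_DEFAULT = Phase2Proposal.build(["AES128"], ["SHA1"], [2], 3600, pfs=True)

def check_phase2(cgw: Phase2Proposal, aws: Phase2Proposal = AWS_DEFAULT) -> list:
    """Return findings; an empty list means the two sides should negotiate Phase 2."""
    findings = []
    for attr in ("encryption", "integrity", "dh_groups"):
        mine, theirs = getattr(cgw, attr), getattr(aws, attr)
        if not mine & theirs:  # no overlap at all: the SA cannot be agreed
            findings.append(f"no common {attr}: cgw={sorted(mine)} aws={sorted(theirs)}")
        weak = mine - BEST_PRACTICE[attr]  # offered, but outside best practice
        if weak:
            findings.append(f"{attr} outside best practice: {sorted(weak)}")
    if cgw.lifetime_seconds != aws.lifetime_seconds:
        findings.append(f"lifetime {cgw.lifetime_seconds}s differs from AWS {aws.lifetime_seconds}s")
    if aws.pfs and not cgw.pfs:
        findings.append("PFS is active on AWS but disabled on the customer gateway")
    return findings
```

Feed it the proposal from your customer gateway's IPsec configuration and the tunnel options shown in the VPN console; any "no common" finding is a Phase 2 mismatch, while "outside best practice" findings are settings to remove even when the tunnel negotiates.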
Related information
Example customer gateway device configurations for dynamic routing (BGP)
Example customer gateway device configurations for static routing
AWS OFFICIAL, updated a month ago