Why is IPsec/Phase 2 for AWS Site-to-Site VPN failing to establish a connection?
When I try to set up an AWS Site-to-Site VPN connection in Amazon Virtual Private Cloud (Amazon VPC), the IPsec/Phase 2 of my configuration fails to establish a connection.
Verify that the Site-to-Site VPN Phase 2 parameters are configured correctly on your customer gateway device. To do so, compare your settings against the VPN configuration file that you downloaded from the Site-to-Site VPN console.
Verify that the supported Phase 2 parameters for IKEv1 and IKEv2 are configured correctly:
Example IKEv1 and IKEv2 parameters:
IKEv1 Encryption: AES-128, AES-256, AES128-GCM-16, AES256-GCM-16
IKEv1 Data Integrity: SHA-1, SHA2-256, SHA2-384, SHA2-512
IKEv1 DH groups: 2, 5, and 14-24
Lifetime: 3600 seconds
Diffie-Hellman Perfect Forward Secrecy: Enabled
Note: The example IKEv1 and IKEv2 Phase 2 and IKEv2 Child_SA parameters specify the minimum requirements for a Site-to-Site VPN connection of:
AWS Phase 2 parameters: AES128, SHA1, Diffie-Hellman group 2
AWS GovCloud (US) Phase 2 parameters: AES128, SHA2, Diffie-Hellman group 14
Verify that Diffie-Hellman Perfect Forward Secrecy (PFS) is active and is using Diffie-Hellman groups for key generation. For more information, see the Use Diffie-Hellman Perfect Forward Secrecy section.
Verify that there is no security association or traffic selector mismatch between AWS and the customer gateway device.
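The comparison described above can be scripted. The following is an added example, not code from the AWS article: it checks a customer gateway device's Phase 2 proposal against the supported values listed above and against the values taken from the downloaded VPN configuration file, applies the AWS and AWS GovCloud (US) minimums from the note, and reports traffic selector pairs that differ between the two sides. The device proposal, the configuration-file values, the partition names and the vendor spellings in the alias table are all constructed assumptions for this example.

```python
"""Added example (not from the AWS article): compare a customer gateway device's
IKE Phase 2 (IPsec SA) proposal with the Site-to-Site VPN values the article
lists and with the values from the downloaded VPN configuration file.
All device and configuration-file values below are constructed."""

import ipaddress

# Phase 2 values the article lists as supported.
SUPPORTED_ENCRYPTION = {"AES-128", "AES-256", "AES128-GCM-16", "AES256-GCM-16"}
SUPPORTED_INTEGRITY = {"SHA-1", "SHA2-256", "SHA2-384", "SHA2-512"}
SUPPORTED_DH_GROUPS = {2, 5} | set(range(14, 25))  # "2, 5, and 14-24"

# Minimums from the article's note; partition names are assumed labels.
MIN_DH_GROUP = {"aws": 2, "aws-us-gov": 14}
SHA2_REQUIRED = {"aws": False, "aws-us-gov": True}


def _norm(name: str) -> str:
    """Lower-case and drop separators so vendor spellings can be compared."""
    return "".join(ch for ch in name.lower() if ch.isalnum())


# Normalised spelling -> the article's canonical name. The extra vendor
# spellings are assumptions; extend them for your device's syntax.
CANONICAL = {_norm(n): n for n in SUPPORTED_ENCRYPTION | SUPPORTED_INTEGRITY}
CANONICAL.update({
    "sha256": "SHA2-256", "sha384": "SHA2-384", "sha512": "SHA2-512",
    "aes128gcm": "AES128-GCM-16", "aes256gcm": "AES256-GCM-16",
})


def canonical(name: str):
    """Return the article's spelling of an algorithm, or None if unsupported."""
    return CANONICAL.get(_norm(name))


def _parse_selector(text: str):
    """Parse 'local_cidr -> remote_cidr' into a pair of networks."""
    local, remote = (part.strip() for part in text.split("->"))
    return (ipaddress.ip_network(local, strict=False),
            ipaddress.ip_network(remote, strict=False))


def check_phase2(device: dict, expected: dict, partition: str = "aws") -> list:
    """Return human-readable mismatches between a device proposal and the
    configuration file values; an empty list means everything matches."""
    findings = []

    enc = canonical(device["encryption"])
    if enc is None:
        findings.append(f"encryption {device['encryption']!r} is not a supported Phase 2 algorithm")
    elif enc != canonical(expected["encryption"]):
        findings.append(f"encryption {enc} differs from configuration file value {expected['encryption']}")

    integ = canonical(device["integrity"])
    if integ is None:
        findings.append(f"integrity {device['integrity']!r} is not a supported Phase 2 algorithm")
    elif SHA2_REQUIRED[partition] and not integ.startswith("SHA2"):
        findings.append(f"integrity {integ} is below the {partition} minimum (SHA2)")
    elif integ != canonical(expected["integrity"]):
        findings.append(f"integrity {integ} differs from configuration file value {expected['integrity']}")

    group = device["dh_group"]
    if group not in SUPPORTED_DH_GROUPS:
        findings.append(f"DH group {group} is outside the supported set (2, 5, 14-24)")
    elif group < MIN_DH_GROUP[partition]:
        findings.append(f"DH group {group} is below the {partition} minimum (group {MIN_DH_GROUP[partition]})")
    elif group != expected["dh_group"]:
        findings.append(f"DH group {group} differs from configuration file value {expected['dh_group']}")

    if not device["pfs"]:
        findings.append("Perfect Forward Secrecy is disabled; enable it with a supported DH group")

    if device["lifetime"] != expected["lifetime"]:
        findings.append(f"lifetime {device['lifetime']}s differs from configuration file value {expected['lifetime']}s")

    # Traffic selectors: both peers must propose the same local/remote pairs.
    dev_sel = {_parse_selector(s) for s in device["selectors"]}
    exp_sel = {_parse_selector(s) for s in expected["selectors"]}
    by_text = lambda pair: (str(pair[0]), str(pair[1]))
    for local, remote in sorted(dev_sel - exp_sel, key=by_text):
        findings.append(f"device selector {local} -> {remote} is not in the configuration file")
    for local, remote in sorted(exp_sel - dev_sel, key=by_text):
        findings.append(f"configuration selector {local} -> {remote} is not proposed by the device")
    return findings


# Constructed values "taken from" a downloaded configuration file (route-based).
EXPECTED_FROM_CONFIG_FILE = {
    "encryption": "AES-128", "integrity": "SHA-1", "dh_group": 2,
    "lifetime": 3600, "pfs": True, "selectors": ["0.0.0.0/0 -> 0.0.0.0/0"],
}

# Constructed device proposal with several typical mismatches.
DEVICE_PROPOSAL = {
    "encryption": "aes128", "integrity": "sha256", "dh_group": 2,
    "lifetime": 28800, "pfs": False,
    "selectors": ["10.10.0.0/16 -> 172.31.0.0/16"],
}

if __name__ == "__main__":
    for finding in check_phase2(DEVICE_PROPOSAL, EXPECTED_FROM_CONFIG_FILE):
        print("MISMATCH:", finding)
```

Run against the constructed device proposal, the script reports the integrity mismatch, disabled PFS, the lifetime mismatch and both selector differences; the same proposal checked with `partition="aws-us-gov"` also flags SHA-1 and DH group 2 as below that partition's minimum.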
Verify whether traffic is being initiated inbound toward AWS. By default, Site-to-Site VPN works in responder mode, and you can change how IKE negotiation is initiated, peer timeout settings, and other tunnel settings. For more information, see Site-to-Site VPN tunnel initiation options.