The customer gateway that I configured for my AWS Site-to-Site VPN is UP, but the Amazon Virtual Private Cloud (Amazon VPC) console shows that my connection is DOWN.
Short description
When you establish Internet Protocol Security (IPsec), but not Border Gateway Protocol (BGP), your connection status might be IPSEC UP but the VPN tunnel status might be DOWN. For your dynamic Site-to-Site VPN connection to have an UP status on the AWS side, you must establish both IPsec and BGP.
Resolution
Confirm that the customer gateway supports BGP
Confirm that your customer gateway supports BGP. Then, check whether you configured BGP on your customer gateway. On the on-premises side, check whether your connection uses dynamic or static routing. If the on-premises side uses static routing, then you must recreate the Site-to-Site VPN connection on the AWS side. You can't modify the routing option for an existing Site-to-Site VPN connection.
Note: When you create a Site-to-Site VPN connection, the default routing option is dynamic routing.
When you delete a Site-to-Site VPN connection and create a new connection, Site-to-Site assigns a new pair of public IP addresses to the VPN tunnels. You must reconfigure the customer gateway device, and update the public peer IP addresses.
When you create the new connection, you can reuse the VPN tunnel inside IP addresses and the pre-shared key from your previous Site-to-Site VPN connection. You don't need to use the values that AWS generates automatically.
Check the encryption domain and proxy ID
Complete the following steps:
- On the customer gateway, follow the vendor instructions to get the encryption domain and proxy ID.
- Check whether the encryption domain or proxy ID that you configured on AWS and your customer gateway device is 0.0.0.0/0 = 0.0.0.0/0.
- On the AWS side, check the local IPv4 network CIDR (on-premises) and the remote IPv4 network CIDR (AWS).
- If you turned on Site-to-Site VPN logs for your connection, then complete the following steps:
  - Review the Amazon CloudWatch log group that contains your Site-to-Site VPN logs.
  - Choose the log stream for the associated Site-to-Site VPN endpoint.
  - Choose the AWS tunnel Phase 2 SA is established with SPI event to view the traffic selector that the customer gateway negotiated.
Note: The AWS side must be the default of 0.0.0.0/0 = 0.0.0.0/0.
Log stream names follow a format similar to vpn-id-VPN_Peer_IP-IKE.log.
Example log output:
{
  "event_timestamp": 1673252138,
  "details": "AWS tunnel Phase 2 SA is established with inbound SPI: 0xcbf7f2e3: outbound SPI: 0xc9be76cd: traffic selectors: (AWS-side) 172.31.0.0/16 <=> (CGW-side) 10.0.0.0/16",
  "dpd_enabled": true,
  "nat_t_detected": true,
  "ike_phase1_state": "established",
  "ike_phase2_state": "established"
}
Note: If you use a dynamic Site-to-Site VPN connection, then the traffic selector must be broad enough for all traffic, including Automatic Private IP Addressing (APIPA) IP addresses for BGP peers.
If you defined a specific encryption domain on the AWS side of your connection, then modify the Site-to-Site VPN connection options. Make sure that you set both the local IPv4 network CIDR and remote IPv4 network CIDR to 0.0.0.0/0.
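The following script is an added example (not part of this article or of any AWS tooling) that applies the check above to a Phase 2 SA log event: it parses the traffic selectors from the "details" field, flags any side that is narrower than 0.0.0.0/0, and confirms that the tunnel inside (APIPA) addresses used by the BGP peers fall inside the selectors. The sample event and the inside IP addresses 169.254.10.1 and 169.254.10.2 are constructed for the example.

```python
import ipaddress
import json
import re

# Constructed sample event, shaped like the Site-to-Site VPN IKE log entry shown above.
SAMPLE_EVENT = json.dumps({
    "event_timestamp": 1673252138,
    "details": "AWS tunnel Phase 2 SA is established with inbound SPI: 0xcbf7f2e3: "
               "outbound SPI: 0xc9be76cd: traffic selectors: "
               "(AWS-side) 172.31.0.0/16 <=> (CGW-side) 10.0.0.0/16",
    "dpd_enabled": True,
    "nat_t_detected": True,
    "ike_phase1_state": "established",
    "ike_phase2_state": "established",
})

# Constructed tunnel inside IP addresses (APIPA range) used by the BGP peers.
SAMPLE_INSIDE_IPS = {"aws": "169.254.10.1", "cgw": "169.254.10.2"}

SELECTOR_RE = re.compile(r"\(AWS-side\)\s*(\S+)\s*<=>\s*\(CGW-side\)\s*(\S+)")
ANY_NETWORK = ipaddress.ip_network("0.0.0.0/0")


def parse_traffic_selectors(event_json):
    """Return (aws_side, cgw_side) networks from a Phase 2 SA event, or None if absent."""
    event = json.loads(event_json)
    match = SELECTOR_RE.search(event.get("details", ""))
    if not match:
        return None
    return ipaddress.ip_network(match.group(1)), ipaddress.ip_network(match.group(2))


def check_dynamic_vpn_selectors(event_json, inside_ips=SAMPLE_INSIDE_IPS):
    """Return a list of findings; an empty list means the selectors allow BGP to establish."""
    selectors = parse_traffic_selectors(event_json)
    if selectors is None:
        return ["no Phase 2 traffic selectors found in event"]
    aws_side, cgw_side = selectors
    findings = []
    if aws_side != ANY_NETWORK:
        findings.append(f"AWS-side selector {aws_side} is not 0.0.0.0/0: set local and remote IPv4 CIDR to 0.0.0.0/0")
    if cgw_side != ANY_NETWORK:
        findings.append(f"CGW-side selector {cgw_side} is not 0.0.0.0/0: widen the proxy ID on the customer gateway")
    # Each BGP peer's inside address must be covered by the selector for its own side.
    for side, network in (("aws", aws_side), ("cgw", cgw_side)):
        peer = ipaddress.ip_address(inside_ips[side])
        if peer not in network:
            findings.append(f"{side} BGP peer {peer} is outside selector {network}: BGP traffic is not encrypted")
    return findings
```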
Turn on NAT-T for accelerated Site-to-Site VPN
If you have an accelerated Site-to-Site VPN that terminates on a transit gateway, then make sure that you activate NAT traversal (NAT-T) on the customer gateway device.
Note: For an accelerated Site-to-Site connection, you must activate NAT-T on the customer gateway device. If you don't activate NAT-T, then IPsec initiates but no traffic flows over the Site-to-Site VPN connection, including BGP traffic. For more information, see Rules and restrictions.
Troubleshoot BGP
If you continue to experience issues, then see How do I troubleshoot BGP connection issues over VPN?