Why is my AWS Site-to-Site VPN failing to establish connectivity?

4 minute read

My AWS Site-to-Site VPN in an Amazon Virtual Private Cloud (Amazon VPC) fails either IKE/Phase 1 or IPSec/Phase 2 of connectivity establishment.

Resolution

IKE/Phase 1 failures

If the IKE phase of your configuration fails, then check the Site-to-Site VPN configuration to confirm that it meets the following requirements:

Customer gateway requirements.
Uses the appropriate IKE version for your use case. Note: AWS supports both IKEv1 and IKEv2.
Uses the appropriate lifetime in seconds for IKE (Phase 1) for your IKE version. To configure the tunnel options that you require, see Tunnel options for your Site-to-Site VPN connection.
Has a customer gateway device that's configured with the correct pre-shared key (PSK) or valid certificates.
Can successfully ping Site-to-Site VPN endpoints from your customer gateway.

If acceleration is turned on for a Site-to-Site VPN connection, then be sure that NAT-Traversal is turned on for the customer gateway device.

If the customer gateway device is behind a network address translation (NAT) device, then confirm the following:

UDP packets on port 500 (and port 4500, if NAT-traversal is used) are allowed to pass between your network and the Site-to-Site VPN endpoints.
The intermediate internet service providers (ISPs) aren't blocking UDP port 500 (or port 4500, if NAT-Traversal is used).

Note: If your customer gateway isn't behind a port address translation (PAT) device, then it's a best practice to turn off NAT-traversal.

IPsec/Phase 2 failures when IKE/Phase 1 is UP

After IKE/Phase 1 of the Site-to-Site VPN connection is established, then the customer gateway tries to establish IPsec/Phase 2. Note that the Site-to-Site VPN status is UP only when both Phase 1 and Phase 2 statuses are UP. For dynamic Site-to-Site VPN, BGP must also be in UP status. If the IKE/Phase 1 connection establishes, but your IPsec/Phase 2 connection is in the DOWN status, then the Site-to-Site VPN status is DOWN also.

If your Site-to-Site VPN IPsec/Phase 2 fails to establish a connection, then try the following steps to resolve the problem:

Compare your settings against the Site-to-Site VPN configuration file to verify that the Site-to-Site VPN Phase 2 parameters are configured correctly on your customer gateway device. You can download this file from the Site-to-Site VPN console.
Verify that the supported Phase 2 parameters for IKEv1 and IKEv2 are configured correctly. See the following example IKEv1 and IKEv2 parameters:
IKEv1 Encryption: AES-128, AES-256, AES128-GCM-16, AES256-GCM-16
IKEv1 Data Integrity: SHA-1, SHA2-256, SHA2-384, SHA2-512
IKEv1 DH groups: 2, 5, and 14-24
Lifetime: 3600 seconds
Diffie-Hellman Perfect Forward Secrecy: Turned on
Note: The example IKEv1 and IKEv2 Phase 2 and IKEv2 Child_SA parameters specify the minimum requirements for a Site-to-Site VPN connection of:
AWS Phase 2 parameters: AES128, SHA1, Diffie-Hellman group 2
AWS GovCloud (US) Phase 2 parameters: AES128, SHA2, Diffie-Hellman group 14
Verify that Diffie-Hellman Perfect Forward Secrecy (PFS) is active and is using Diffie-Hellman groups for key generation. See Requirements for your customer gateway device, and review the information for Use Diffie-Hellman Perfect Forward Secrecy in the table that's provided.
Check that there's no security association or traffic selector mismatch between AWS and the customer gateway device.
Check whether the configured Site-to-Site VPN connection options, including remote and local IP addresses, match the security association that's specified on the customer gateway device. For more information, see How do I troubleshoot connection problems between an AWS VPN endpoint and a policy-based VPN?
Check if traffic is initiated inbound towards AWS. Site-to-Site VPN works in responder mode by default, and allows configuration changes to IKE negotiations, peer timeout settings, and other configuration settings. For more information, see Site-to-Site VPN tunnel initiation options.

If the issue still persists, try the following:

Turn on Site-to-Site VPN logs.
Examine the IPsec debug logs to learn the cause of the failure and troubleshooting steps.

Related Information

What is AWS Site-to-Site VPN?

Troubleshooting your customer gateway device

Modify Site-to-Site VPN tunnel options

Example customer gateway device configurations for static routing

Example customer gateway device configurations for dynamic routing (BGP)

Topics

Networking & Content Delivery

Relevant content

Site to Site VPN Phase 2 Down
Accepted Answer
Ankit Bajpai
asked 8 months ago
VPN site to site connexion, IKE-phase 1 Negociation failed as initiator, ... due to timeout
Andria
asked a month ago
S2S VPN Configuration
rePost-User-4906584
asked 4 months ago
S2S VPN tunnel IKE initiation when using Static routing with Policy-Based VPN
aws_moe
asked 9 months ago
Unable to establish a connection on VPN Tunnel 2
DB
asked a year ago
Why is IPsec/Phase 2 for AWS Site-to-Site VPN failing to establish a connection?
AWS OFFICIALUpdated a year ago
Why is IKE (phase 1 of my VPN tunnel) failing in Amazon VPC?
AWS OFFICIALUpdated a year ago
How do I check the current status of my VPN tunnel?
AWS OFFICIALUpdated 2 years ago
Why is my AWS Site-to-Site VPN down?
AWS OFFICIALUpdated a year ago
Why is IPsec/Phase 2 for AWS Site-to-Site VPN failing to establish a connection?
EXPERT
Narinder Singh Kharbanda
published 8 months ago