Why is IKE (phase 1 of my VPN tunnel) failing in Amazon VPC?

2 minute read

When creating a virtual private network (VPN) in Amazon Virtual Private Cloud (Amazon VPC), the Internet Key Exchange (IKE) phase of my configuration fails.


Check the AWS Virtual Private Network (AWS VPN) configuration to confirm the following:

If acceleration is turned on for an AWS Site-to-Site VPN connection, then be sure that NAT-Traversal is turned on for the customer gateway device.

If the customer gateway device is behind a network address translation (NAT) device, then make sure of the following:

  • UDP packets on port 500 (and port 4500, if NAT-traversal is used) are allowed to pass between your network and the AWS VPN endpoints.
  • The intermediate internet service providers (ISPs) aren't blocking UDP port 500 (or port 4500, if NAT-Traversal is used).

Note: It's a best practice to turn off NAT-traversal if your customer gateway isn't behind a port address translation (PAT) device.

Related information

Troubleshooting your customer gateway device

Your customer gateway device

AWS OFFICIALUpdated a year ago