Cisco ISR VPN to Transit GW VPC VPN

0

For a new IPv6 project, we are attempting to connect our office network to a VPC VPN "IPv6 Inside" attached to a Transit Gateway. IKE phase 1 establishes, but IKE phase 2 fails to establish with the following errors:

The error from the Cloudwatch logs is: "AWS tunnel was unable to decrypt the security payload(s)". I am unable to reference this error message in any AWS documentation.

The error on the Cisco ISR is: "NOTIFY INVALID_ID_INFO protocol 3".

I suspect the issue is with PFS or a cipher suite conflict?

However, when I attached an "IPv4 Inside" Tunnel to the same Cisco ISR, the connection is established immediately. I cannot find any documentation concerning this and the "Download configuration" option shows no difference. Should there be any difference?

1 answer
1

Managed to resolve this issue. The documentation should be updated when using "Download Configuration" to say that the tunnel interface must instead use:

tunnel mode ipsec ipv4 v6-overlay instead of tunnel mode ipsec ipv4

Plus, the PtP IPv6 address should be used on the interface instead of the IPv4 address. Hopefully this post will save someone a weekend of work!

Answered 3 months ago
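The two settings the answer contrasts, written out as a tunnel interface stanza. This is an added example, not the answerer's configuration and not the AWS "Download configuration" output; the interface name, addresses, tunnel source/destination and IPsec profile name are placeholders and the IPv6 addresses are constructed from documentation ranges. The first stanza is what the IPv4 template produces, the second is the IPv6-inside form the answer describes.

```cisco
! --- As generated for an IPv4 Inside tunnel (fails phase 2 on an IPv6 Inside tunnel) ---
! Placeholder addresses: inside IPv4 link and AWS outside IPv4 are constructed values.
interface Tunnel1
 ip address 169.254.10.2 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel destination 203.0.113.10
 tunnel protection ipsec profile AWS-IPSEC-PROFILE

! --- Corrected for an IPv6 Inside tunnel: IPv6 carried over the IPv4 IPsec tunnel ---
! The PtP address on the interface is the inside IPv6 address from the VPN connection
! (constructed /126 here), and the tunnel mode gains the v6-overlay keyword.
interface Tunnel1
 no ip address
 ipv6 address 2001:db8:0:1::1/126
 ipv6 enable
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4 v6-overlay
 tunnel destination 203.0.113.10
 tunnel protection ipsec profile AWS-IPSEC-PROFILE
```

Phase 1 succeeding while phase 2 fails with an identity/decrypt complaint is consistent with the two ends disagreeing about what the tunnel carries rather than about keys or ciphers; checking the tunnel mode and the interface address family before revisiting PFS or the transform set is the quicker first test.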
