Why can't my AWS Site-to-Site VPN establish connectivity?
My AWS Site-to-Site VPN in an Amazon Virtual Private Cloud (Amazon VPC) can't establish either an Internet Key Exchange (IKE)/Phase 1 or Internet Protocol Security (IPsec)/Phase 2 connection. I want to troubleshoot these connection errors.
Resolution
If the VPN can't establish connectivity, then either IKE/Phase 1 or IPsec/Phase 2 is down.
Turn on Site-to-Site VPN logs. Use the logs to check the status of each phase. You can also check their statuses on the customer gateway device.
Then, troubleshoot the failed connection based on the phase that doesn't connect.
Note: The VPN's status is UP only when both Phase 1 and Phase 2 statuses are UP. On a dynamic VPN, the border gateway protocol (BGP) status must also be UP. If the IKE/Phase 1 connection is established but the IPsec/Phase 2 connection's status is DOWN, then the VPN's status is also DOWN.
IKE/Phase 1 failures
Check the customer gateway device
On the customer gateway device, verify the following configurations:
- The VPN configuration meets the customer gateway device's requirements. For more information, see Troubleshooting AWS Site-to-Site VPN customer gateway device.
- AWS and the customer gateway use the same version of IKE.
Note: AWS supports both IKEv1 and IKEv2.
- The Phase 1 parameters on the customer gateway device match the Phase 1 parameters on AWS. For more information, see Tunnel options for your AWS Site-to-Site VPN connection.
- The VPN connection's Phase 1 lifetime option is long enough for the version of IKE that you use. AWS accepts a Phase 1 lifetime of 900 to 28,800 seconds (default 28,800). If the option is too short, then modify the tunnel options to lengthen the Phase 1 lifetime.
- The customer gateway device has the correct pre-shared key or valid certificates.
- You can ping the VPN endpoints:
Note: Replace example_IP with the AWS VPN endpoint's public IP address.
ping example_IP
A successful ping confirms only that the endpoint is reachable over ICMP. It doesn't prove that UDP port 500 or 4500 traffic gets through; check that separately (see Confirm that traffic moves through required ports).
- The customer gateway device initiates the IKE negotiation toward AWS.
Note: By default, AWS VPN endpoints act as the IKE responder, so the tunnel comes up only when the customer gateway device initiates. You can change this with the tunnel initiation options (Startup action) and tune related settings such as the Dead Peer Detection timeout. For more information, see AWS Site-to-Site VPN tunnel initiation options.
Check the Startup action
If the tunnel's Startup action is Start, so that AWS initiates the IKE negotiation, then take the following actions:
- If the VPN endpoint is the VPN tunnel IKE initiator, then verify that the tunnel options on the customer gateway device and AWS match.
- For pre-shared key authentication, verify that the customer gateway device's local ID and the public IP address on AWS match. For certificate authentication, verify that the customer gateway device's local ID is the subject of the certificate.
Confirm that traffic moves through required ports
If the customer gateway is behind a NAT device, then use My Traceroute (mtr) in UDP mode to confirm that traffic reaches the VPN endpoints on the required ports:
- Verify that User Datagram Protocol (UDP) packets can pass between the network and the VPN endpoints on port 500. If NAT-traversal is active, then also check port 4500.
- Verify that the intermediate internet service provider (ISP) allows traffic on UDP port 500. If you use NAT-traversal, then verify that the ISP also allows UDP port 4500.
For more information, see How do I troubleshoot packet loss on my AWS VPN connection?
Note: If your customer gateway isn't behind a port address translation (PAT) device, then it's a best practice to turn off NAT-traversal. If acceleration is turned on for the Site-to-Site VPN connection, then NAT-traversal is required, so verify that it's active on the customer gateway device.
Troubleshoot IPsec/Phase 2 failures when IKE/Phase 1 is UP
Check the following configurations:
- Compare the customer gateway device settings with the Site-to-Site VPN configuration file to verify that the Phase 2 parameters are configured correctly. For a customer gateway device with non-default options, use the AWS Management Console to verify the Phase 2 parameters.
- On the customer gateway device, confirm that the Phase 2 parameters (encryption algorithm, integrity algorithm, Diffie-Hellman group, and lifetime) are ones that AWS supports for the IKE version that you use.
- Verify that Perfect Forward Secrecy (PFS) is turned on for Phase 2 and uses a Diffie-Hellman group that AWS supports. AWS requires PFS, so a customer gateway that proposes Phase 2 without PFS fails the negotiation.
- Confirm that the security associations and traffic selectors on AWS and the customer gateway device match.
- Verify that the VPN connection options for the remote and local IP addresses match the security associations on the customer gateway device. For more information, see How do I troubleshoot connection problems between an AWS VPN endpoint and a policy-based VPN?
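The Phase 1 checklist earlier in this article and the Phase 2 checks above both come down to comparing two proposals. The following is an added example (Python; not code from AWS or from this article) that takes one tunnel's options as `aws ec2 describe-vpn-connections` reports them and a customer gateway proposal laid out as a plain dict, and lists every mismatch: IKE version, algorithms, lifetime range, the local ID when AWS initiates, PFS, and traffic selectors. The AWS key names are AWS's; the `CustomerGatewayIp` key, the customer gateway dict's layout, and all addresses and values are constructed for the demonstration.

```python
"""Compare AWS Site-to-Site VPN tunnel options with a customer gateway proposal.
Added example, not AWS code. AWS-side key names follow `aws ec2
describe-vpn-connections` (Options.TunnelOptions[], LocalIpv4NetworkCidr,
RemoteIpv4NetworkCidr); CustomerGatewayIp is a constructed stand-in for
CustomerGateway.IpAddress. All values and the customer gateway layout are
constructed sample data."""

# Lifetime ranges AWS accepts, in seconds; Phase 2 must be shorter than Phase 1.
PHASE1_LIFETIME = (900, 28800)
PHASE2_LIFETIME = (900, 3600)

def _values(entries):
    """Flatten AWS's [{"Value": x}, ...] list form into a set of plain values."""
    return {e["Value"] for e in entries}

def _overlap(label, aws_entries, cgw_values):
    """AWS (the responder) accepts any listed value, so one value in common suffices."""
    accepted = _values(aws_entries)
    if accepted & set(cgw_values):
        return []
    return [f"{label}: customer gateway proposes {sorted(cgw_values, key=str)} "
            f"but AWS accepts {sorted(accepted, key=str)}"]

def _lifetime(label, aws_seconds, cgw_seconds, limits):
    """Flag a lifetime AWS never accepts; otherwise flag one that differs from AWS."""
    lo, hi = limits
    if not lo <= cgw_seconds <= hi:
        return [f"{label} lifetime {cgw_seconds}s is outside the AWS range {lo}-{hi}s"]
    if cgw_seconds != aws_seconds:
        return [f"{label} lifetime {cgw_seconds}s differs from AWS ({aws_seconds}s)"]
    return []

def check_phase1(aws, cgw):
    """IKE version, Phase 1 proposal, lifetime and, when AWS initiates, the local ID."""
    p1 = cgw["phase1"]
    findings = _overlap("IKE version", aws["IkeVersions"], [cgw["ike_version"]])
    findings += _overlap("Phase 1 encryption", aws["Phase1EncryptionAlgorithms"], p1["encryption"])
    findings += _overlap("Phase 1 integrity", aws["Phase1IntegrityAlgorithms"], p1["integrity"])
    findings += _overlap("Phase 1 DH group", aws["Phase1DHGroupNumbers"], p1["dh_groups"])
    findings += _lifetime("Phase 1", aws["Phase1LifetimeSeconds"], p1["lifetime"], PHASE1_LIFETIME)
    # Startup action "start": AWS initiates IKE, so with a pre-shared key the device's
    # local ID must be the customer gateway IP that AWS has on record.
    if (aws["StartupAction"] == "start" and cgw["auth"] == "psk"
            and cgw["local_id"] != aws["CustomerGatewayIp"]):
        findings.append(f"Local ID {cgw['local_id']} does not match the customer gateway "
                        f"IP on AWS ({aws['CustomerGatewayIp']})")
    return findings

def check_phase2(aws, cgw):
    """Phase 2 proposal, PFS (required by AWS), lifetime and traffic selectors."""
    p2 = cgw["phase2"]
    findings = _overlap("Phase 2 encryption", aws["Phase2EncryptionAlgorithms"], p2["encryption"])
    findings += _overlap("Phase 2 integrity", aws["Phase2IntegrityAlgorithms"], p2["integrity"])
    if not p2["pfs_dh_groups"]:
        findings.append("Phase 2 PFS is off on the customer gateway, but AWS requires PFS with "
                        f"one of DH groups {sorted(_values(aws['Phase2DHGroupNumbers']))}")
    else:
        findings += _overlap("Phase 2 PFS DH group", aws["Phase2DHGroupNumbers"], p2["pfs_dh_groups"])
    findings += _lifetime("Phase 2", aws["Phase2LifetimeSeconds"], p2["lifetime"], PHASE2_LIFETIME)
    # AWS's "local" CIDR is the on-premises side and "remote" is the VPC side.
    for label, aws_key, cgw_key in (("Local selector", "LocalIpv4NetworkCidr", "local_selector"),
                                    ("Remote selector", "RemoteIpv4NetworkCidr", "remote_selector")):
        if aws[aws_key] != p2[cgw_key]:
            findings.append(f"{label}: customer gateway {p2[cgw_key]} vs AWS {aws[aws_key]}")
    return findings

def compare_tunnel(aws, cgw):
    """All mismatches for one tunnel; an empty list means both phases should negotiate."""
    return check_phase1(aws, cgw) + check_phase2(aws, cgw)

AWS_TUNNEL = {  # constructed; shaped like one entry of Options.TunnelOptions[]
    "CustomerGatewayIp": "198.51.100.7", "StartupAction": "start",
    "IkeVersions": [{"Value": "ikev2"}],
    "Phase1EncryptionAlgorithms": [{"Value": "AES256"}, {"Value": "AES256-GCM-16"}],
    "Phase1IntegrityAlgorithms": [{"Value": "SHA2-256"}, {"Value": "SHA2-384"}],
    "Phase1DHGroupNumbers": [{"Value": 14}, {"Value": 19}], "Phase1LifetimeSeconds": 28800,
    "Phase2EncryptionAlgorithms": [{"Value": "AES256"}],
    "Phase2IntegrityAlgorithms": [{"Value": "SHA2-256"}],
    "Phase2DHGroupNumbers": [{"Value": 14}], "Phase2LifetimeSeconds": 3600,
    "LocalIpv4NetworkCidr": "10.0.0.0/16", "RemoteIpv4NetworkCidr": "172.16.0.0/16",
}

CGW_BROKEN = {  # constructed: IKEv1, oversized lifetime, private local ID, PFS off
    "auth": "psk", "local_id": "192.168.1.2", "ike_version": "ikev1",
    "phase1": {"encryption": ["AES256"], "integrity": ["SHA2-256"],
               "dh_groups": [14], "lifetime": 86400},
    "phase2": {"encryption": ["AES256"], "integrity": ["SHA2-256"], "pfs_dh_groups": [],
               "lifetime": 3600, "local_selector": "10.0.0.0/16",
               "remote_selector": "172.16.0.0/16"},
}

CGW_FIXED = {  # constructed: the same device after the four corrections
    **CGW_BROKEN, "local_id": "198.51.100.7", "ike_version": "ikev2",
    "phase1": {**CGW_BROKEN["phase1"], "lifetime": 28800},
    "phase2": {**CGW_BROKEN["phase2"], "pfs_dh_groups": [14]},
}
```

Run `compare_tunnel(AWS_TUNNEL, CGW_BROKEN)` and it returns four findings (IKE version, Phase 1 lifetime out of range, local ID, PFS off); with `CGW_FIXED` it returns an empty list. To use it against a real connection, paste the `TunnelOptions` entry from the CLI output (with the pre-shared key removed) and transcribe the device's running proposal into the same dict layout. An empty result means the proposals can negotiate, so a tunnel that still won't come up has a transport problem (UDP 500/4500 blocked, NAT, or an unreachable endpoint) rather than a parameter mismatch.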
Troubleshoot other common VPN connectivity failures
If the issue persists, then take the following actions:
- Review Site-to-Site VPN logs for errors that correspond with the connection error.
- Check the IKE/IPsec debug logs on the customer gateway device to determine the cause of the failure and how to troubleshoot it.
Related information
How do I check the current status of my VPN tunnel?
Modify AWS Site-to-Site VPN tunnel options
Downloadable static routing configuration files for an AWS Site-to-Site VPN customer gateway device
Downloadable dynamic routing configuration files for AWS Site-to-Site VPN customer gateway device