Why is IPsec/Phase 2 for AWS Site-to-Site VPN failing to establish a connection?
When I try to set up an AWS Site-to-Site VPN connection in Amazon Virtual Private Cloud (Amazon VPC), the IPsec/Phase 2 of my configuration fails to establish a connection.
Resolution
If Internet Protocol security (IPsec) Phase 2 of your Site-to-Site VPN connection fails to establish, try the following steps to resolve the problem:
- Verify that the Site-to-Site VPN Phase 2 parameters are configured correctly on your customer gateway device. To do so, compare your settings against the VPN configuration file that you downloaded from the Site-to-Site VPN console.
- Verify that the supported Phase 2 parameters for IKEv1 and IKEv2 are configured correctly. Example IKEv1 and IKEv2 parameters:
  - IKEv1 Encryption: AES-128, AES-256, AES128-GCM-16, AES256-GCM-16
  - IKEv1 Data Integrity: SHA-1, SHA2-256, SHA2-384, SHA2-512
  - IKEv1 DH groups: 2, 5, and 14-24
  - Lifetime: 3600 seconds
  - Diffie-Hellman Perfect Forward Secrecy: Enabled
  Note: The example IKEv1 Phase 2 and IKEv2 Child_SA parameters specify the minimum requirements for a Site-to-Site VPN connection:
  - AWS Phase 2 parameters: AES128, SHA1, Diffie-Hellman group 2
  - AWS GovCloud (US) Phase 2 parameters: AES128, SHA2, Diffie-Hellman group 14
- Verify that Diffie-Hellman Perfect Forward Secrecy (PFS) is active and is using Diffie-Hellman groups for key generation. For more information, see the Use Diffie-Hellman Perfect Forward Secrecy section.
- Verify that there is no security association or traffic selector mismatch between AWS and the customer gateway device.
- Verify whether the configured Site-to-Site VPN connection options, including remote and local IP addresses, match the security association specified on the customer gateway device. For more information, see How do I troubleshoot connection problems between an AWS VPN endpoint and a policy-based VPN?
- Verify whether traffic is initiated inbound toward AWS. Site-to-Site VPN works in responder mode by default; the IKE negotiation, peer timeout, and other tunnel options can be changed in the connection configuration. For more information, see Site-to-Site VPN tunnel initiation options.
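The parameter and traffic-selector checks above are easy to get wrong by eye, because vendors spell the same algorithm differently (AES-128, aes128, SHA2-256, sha256) and because the customer gateway's local network must equal the AWS side's remote network and vice versa. The following script, an added example that is not AWS code, encodes the supported values and minimum requirements listed in this article and reports every mismatch in a customer gateway Phase 2 proposal. The strongSwan-style proposal parser, the MODP-name-to-group mapping, the `Phase2Proposal` fields and the sample configurations are assumptions constructed for illustration.

```python
"""Check a customer gateway IPsec/Phase 2 proposal against the Site-to-Site VPN
values in this article. Added example, not AWS code; parser, field names and
sample configurations are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_network

# Phase 2 values supported by Site-to-Site VPN, as listed in the article (normalised spelling).
SUPPORTED_ENCRYPTION = {"AES128", "AES256", "AES128GCM16", "AES256GCM16"}
SUPPORTED_INTEGRITY = {"SHA1", "SHA2256", "SHA2384", "SHA2512"}
SUPPORTED_DH_GROUPS = {2, 5, *range(14, 25)}
EXAMPLE_LIFETIME = 3600

# strongSwan proposal keywords -> IKE DH group numbers (assumed mapping for parse_esp_proposal).
MODP_GROUPS = {
    "modp1024": 2, "modp1536": 5, "modp2048": 14, "modp3072": 15, "modp4096": 16,
    "modp6144": 17, "modp8192": 18, "ecp256": 19, "ecp384": 20, "ecp521": 21,
    "modp1024s160": 22, "modp2048s224": 23, "modp2048s256": 24,
}


def normalise(name: str) -> str:
    """Make AES-128, aes128 and AES_128 (or SHA2-256 and sha256) compare equal."""
    n = name.upper().replace("-", "").replace("_", "")
    if n in {"SHA256", "SHA384", "SHA512"}:      # strongSwan spelling of SHA2-xxx
        n = "SHA2" + n[3:]
    if n in {"AES128GCM128", "AES256GCM128"}:    # ICV length given in bits instead of bytes
        n = n[:-3] + "16"
    return n


@dataclass
class Phase2Proposal:
    encryption: str
    integrity: str                   # empty string for AEAD (GCM) ciphers
    dh_group: int                    # PFS group; 0 means PFS disabled
    lifetime_seconds: int = EXAMPLE_LIFETIME
    local_cidr: str = "0.0.0.0/0"    # traffic selector: customer-side network
    remote_cidr: str = "0.0.0.0/0"   # traffic selector: AWS-side network


def parse_esp_proposal(esp: str, **kwargs) -> Phase2Proposal:
    """Parse a strongSwan-style ESP proposal such as 'aes128-sha1-modp1024'.
    GCM ciphers carry their own integrity, so 'aes256gcm16-modp2048' is also valid."""
    parts = esp.lower().split("-")
    enc = parts.pop(0)
    group = MODP_GROUPS[parts.pop()] if parts and parts[-1] in MODP_GROUPS else 0
    integ = parts[0] if parts else ""
    return Phase2Proposal(enc, integ, group, **kwargs)


def check_phase2(cgw: Phase2Proposal, aws_local_cidr: str, aws_remote_cidr: str,
                 govcloud: bool = False) -> list[str]:
    """Return a list of findings; an empty list means the proposal matches the article."""
    findings = []
    enc, integ = normalise(cgw.encryption), normalise(cgw.integrity)
    if enc not in SUPPORTED_ENCRYPTION:
        findings.append(f"encryption {cgw.encryption} is not supported")
    if integ == "" and "GCM" in enc:
        pass  # AEAD cipher: integrity is built into the encryption algorithm
    elif integ not in SUPPORTED_INTEGRITY:
        findings.append(f"integrity {cgw.integrity} is not supported")
    if cgw.dh_group == 0:
        findings.append("PFS is disabled; a Diffie-Hellman group is required for Phase 2")
    elif cgw.dh_group not in SUPPORTED_DH_GROUPS:
        findings.append(f"DH group {cgw.dh_group} is not supported")
    if govcloud:  # GovCloud (US) minimum from the article: AES128, SHA2, DH group 14
        if integ and not integ.startswith("SHA2"):
            findings.append("GovCloud requires SHA2 integrity")
        if 0 < cgw.dh_group < 14:
            findings.append("GovCloud requires DH group 14 or higher")
    if cgw.lifetime_seconds != EXAMPLE_LIFETIME:
        findings.append(f"warning: lifetime {cgw.lifetime_seconds}s differs from the "
                        f"example value of {EXAMPLE_LIFETIME}s; make both peers agree")
    # Traffic selectors mirror each other: the customer's local network is AWS's remote network.
    if ip_network(cgw.local_cidr) != ip_network(aws_remote_cidr):
        findings.append(f"traffic selector mismatch: customer local {cgw.local_cidr} "
                        f"vs AWS remote {aws_remote_cidr}")
    if ip_network(cgw.remote_cidr) != ip_network(aws_local_cidr):
        findings.append(f"traffic selector mismatch: customer remote {cgw.remote_cidr} "
                        f"vs AWS local {aws_local_cidr}")
    return findings


if __name__ == "__main__":
    # Constructed samples. A route-based tunnel uses 0.0.0.0/0 on both sides.
    good = parse_esp_proposal("aes128-sha1-modp1024")
    print("route-based, AWS minimum:", check_phase2(good, "0.0.0.0/0", "0.0.0.0/0"))
    # Policy-based tunnel whose remote selector does not match the AWS local network.
    bad = Phase2Proposal("AES-256", "MD5", 0, 28800, "10.0.0.0/16", "172.16.0.0/16")
    for finding in check_phase2(bad, "10.0.0.0/8", "10.0.0.0/16"):
        print("-", finding)
```

Run the script as-is to see the sample output, or feed it the ESP proposal line from your own customer gateway configuration together with the local and remote networks from the downloaded VPN configuration file. Each finding maps to one of the verification steps above, which is the order in which to work through them.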
If the issue persists, try the following:
- Turn on Site-to-Site VPN logs.
- Examine the IPsec debug logs to identify the cause of the failure and the corresponding troubleshooting steps.
Related information
Example customer gateway device configurations for dynamic routing (BGP)
Example customer gateway device configurations for static routing
AWS OFFICIAL, updated a year ago