Why is IPsec/Phase 2 for AWS Site-to-Site VPN failing to establish a connection?

2 minuto de leitura
0

When I try to set up an AWS Site-to-Site VPN connection in Amazon Virtual Private Cloud (Amazon VPC), the IPsec/Phase 2 of my configuration fails to establish a connection.

Resolution

If your Site-to-Site VPN Internet Protocol security (IPsec/Phase 2) fails to establish a connection, then try the following steps to resolve the problem:

  • Verify that the Site-to-Site VPN Phase 2 parameters are configured correctly on your customer gateway device. To do so, compare your settings against the VPN configuration file that you downloaded from the Site-to-Site VPN console.
  • Verify that the supported Phase 2 parameters for IKEv1 and IKEv2 are configured correctly:
    Example IKEv1 and IKEv2 parameters:
    IKEv1 Encryption: AES-128, AES-256, AES128-GCM-16, AES256-GCM-16
    IKEv1 Data Integrity: SHA-1, SHA2-256, SHA2-384, SHA2-512
    IKEv1 DH groups: 2, 5, and 14-24
    Lifetime: 3600 seconds
    Diffie-Hellman Perfect Forward Secrecy: Enabled
    Note: The example IKEv1 and IKEv2 Phase 2 and IKEv2 Child_SA parameters specify the minimum requirements for a Site-to-Site VPN connection of:
    AWS Phase 2 parameters: AES128, SHA1, Diffie-Hellman group 2
    AWS GovCloud (US) Phase 2 parameters: AES128, SHA2, Diffie-Hellman group 14
  • Verify that Diffie-Hellman Perfect Forward Secrecy (PFS) is active and is using Diffie-Hellman groups for key generation. For more information, see the Use Diffie-Hellman Perfect Forward Secrecy section.
  • Verify that there is no security association or traffic selector mismatch between AWS and the customer gateway device.
  • Verify whether the configured Site-to-Site VPN connection options, including remote and local IP addresses, match the security association specified on the customer gateway device. For more information, see How do I troubleshoot connection problems between an AWS VPN endpoint and a policy-based VPN?
  • Verify if traffic is initiated inbound towards AWS. Site-to-Site VPN works in responder mode by default, allowing configuration changes to IKE negotiations, peer timeout settings, and other configuration settings. For more information, see Site-to-Site VPN tunnel initiation options.

If your issue still persists, try the following:


Related information

Example customer gateway device configurations for dynamic routing (BGP)

Example customer gateway device configurations for static routing

Modifying Site-to-Site VPN tunnel options

What is AWS Site-to-Site VPN?

AWS OFICIAL
AWS OFICIALAtualizada há um ano