- Newest
- Most votes
- Most comments
If you change the IKE initiation option so that AWS VPN endpoint bring the tunnel UP, you would have to use IKEv2 + Change "Startup action" from Add to Start.
Note that this is valid for when establishing a new VPN tunnel OR when you modify the VPN tunnel, for instance, if the tunnel goes down for some reason, then AWS VPN endpoint would not try to bring the tunnel UP, it would be the CGW responsibility to initiate the IKE negotiation.
Now IKE initiation and policy-based configuration are two different things, but Yes IKE initiation is supported with policy-based configuration or routed-based configuration as long as you use IKEv2.
Make sure you configure a single encryption domain (proxy id) on your CGW (Firewall) when using policy-based, because AWS is route-based VPN and only supports a single Security Association (SA), and each CIDR you put in the proxy id field on the firewall would great a security associations, so if you put three CIDRs (for instance, 10.10.1.0/24, 10.10.2.0/24, and 10.10.3.0/24) then that would great three SAs, and here you may experience intermittent connectivity where only a single CIDR out of three would work at a time.
Policy based VPN works but has SA limitations, see this re:Post article:
https://repost.aws/knowledge-center/vpn-connection-instability
As for IKE initiation, IKE initiation (startup action) from the AWS side of the VPN connection is supported for IKEv2 only.
It is documented here:
https://docs.aws.amazon.com/vpn/latest/s2svpn/initiate-vpn-tunnels.html
Relevant content
- asked a year ago
- asked 2 months ago
- Accepted Answerasked 2 years ago
- asked 5 months ago
AWS OFFICIALUpdated a year ago- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 10 months ago
- AWS OFFICIALUpdated 5 months ago
Does setting the DPD timeout action to Restart help with a VPN tunnel going down and force IKE initiation from the AWS side?
Yes, it does. It will restart the IKE session by having AWS try to initiate the IKE negotiation.