Site to Site VPN Phase 2 Down
Site to site VPN, when trying to establish connection with customer gateway - IKE Phase 1 is established, but IKE phase 2 is down. In the logs - { "event_timestamp": 1690951183, "details": "received packet: from XXXXXX [UDP 4500] to XXXXXXXX [UDP 4500] (92 bytes)", "dpd_enabled": true, "nat_t_detected": true, "ike_phase1_state": "established", "ike_phase2_state": "down" }
Customer Gateway Configuration
Aws Tunnel Configuration
Why is the phase 2 connection not getting established.
- Newest
- Most votes
- Most comments
According to the screenshot of the configuration on Customer Gateway that you provided, the Perfect Forward Secrecy (PFS) is disabled. You must enable it on the Customer Gateway. It is one of the requirements to establish IKE Phase 2.
The following documents are common troubleshooting methods.
Common cases are that the DH Group numbers do not match and the connection fails, etc.
By the way, is it possible to check the VPN logs and other information on the Customer Gateway?
Perhaps there is some error message that can be helpful in the investigation.
https://repost.aws/knowledge-center/vpn-tunnel-phase-2-ipsec
Check the DPD (Dead Peer Detection) settings on your customer gateway. https://repost.aws/knowledge-center/vpn-tunnel-instability-inactivity
Relevant content
- asked 3 years ago
- asked 3 years ago
- asked 2 years ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 2 years ago
Thanks. We don't have access to customer gateway logs as it is an external vendor. I have checked all settings from the above answer still not able to troubleshoot the issue.