How can I configure a NAT IP in AWS so that outgoing traffic from my subnet uses that IP in the context of a site-to-site VPN connection with the following Phase 1 and Phase 2 parameters?
Phase 1:
- IKEv2
- AES256
- SHA256
- Group 14
Phase 2:
- AES256
- SHA256
- PFS Group 14
- TUNNEL mode
I have successfully achieved Phase 1, but in Phase 2, the connection gets stuck at this point:
[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
My current configuration is as follows:
conn cbp-ipsec-ikev2-vpn
    keyexchange=ikev2
    type=tunnel
    ike=aes256-sha256-modp2048
    esp=aes256-sha256-modp2048
    ikelifetime=86400s
    lifetime=3600s
    dpddelay=300s
    # dpdaction appeared twice (clear, then restart); ipsec.conf keeps only the last value
    dpdaction=restart
    rekey=no
    left=[private-local-ip]
    leftid=[public-local-ip]
    # private local subnet; the bracketed note must not be part of the value itself
    leftsubnet=172.31.32.0/20
    right=[public-remote-ip]
    rightdns=8.8.8.8
    rightsubnet=[private-remote-ip]
    rightid=[public-remote-ip]
    auto=start
    authby=secret
    compress=no
However, when I try to assign the provided [NAT IP], I am unable to establish Phase 1. Any suggestions on how to resolve this issue?