AWS Site to Site VPN tunnels are down.

0

Hello, I followed the AWS Site-to-Site VPN "getting started" guide and was able to create the VPN connection, but when I open the page it says the tunnels are down. What's up?

3 Answers
2

Hello.

Can you confirm where the VPN is failing in phase 1 and phase 2?
If Phase 1 is failing, check the following documents for troubleshooting.
https://repost.aws/knowledge-center/vpn-tunnel-phase-1-ike

For Phase 2, please review the following documents for troubleshooting.
https://repost.aws/knowledge-center/vpn-tunnel-phase-2-ipsec

I believe you can check the logs related to the VPN at the customer gateway to see if any errors are being output to help troubleshoot.

Please check the following document once as it describes troubleshooting AWS Site to Site VPN.
https://docs.aws.amazon.com/vpn/latest/s2svpn/Troubleshooting.html

answered 8 months ago
  • as a shot in the dark, does this mean anything to you?

    {
        "event_timestamp": 1692913269,
        "details": "sending packet: from 54.254.96.253 [UDP 500] to cgw-0eed1cc62f34b2a06 [UDP 500] (56 bytes)",
        "dpd_enabled": true,
        "nat_t_detected": false,
        "ike_phase1_state": "down",
        "ike_phase2_state": "down"
    }
    
  • From the content, it seems to have failed from phase 1. So, you should first check the following documents for troubleshooting. Please check all items in the following documents to make sure everything is OK. https://repost.aws/knowledge-center/vpn-tunnel-phase-1-ike

  • Ok, just for context, does the tunnel being up depend on my customer's server being available / configured correctly?

  • Basically, the tunnel status is up when the settings on the Customer Gateway and Virtual Private Gateway sides match. So, if the settings are incorrect on the Customer Gateway side, the status will be down.
    As for whether routing is actually possible, it is necessary to check that the route table in the VPC is configured correctly and that routing on the on-premises side is configured correctly.

2

Hello, 

I would like to add a little more here, once you have verified the configuration against the Phase 1 and Phase 2 documents provided above.

Please refer to the below document that specifies all the IKEv1 and IKEv2 errors you could potentially see while working with AWS VPN.

The logs that you have provided show that AWS is sending packets to your customer gateway device. This message is potentially for {"dpd_enabled": true}; please note that this is not the error but just a message exchange. To look for an error, you can look for the contents from the public document and search for them in the log stream with "error message". [1]

{
    "event_timestamp": 1692913269,
    "details": "sending packet: from 54.254.96.253 [UDP 500] to cgw-0eed1cc62f34b2a06 [UDP 500] (56 bytes)",
    "dpd_enabled": true,
    "nat_t_detected": false,
    "ike_phase1_state": "down",
    "ike_phase2_state": "down"
}

VPN tunnel comes up after mutual negotiation of parameters.

References: [1] Contents of Site-to-Site VPN logs: https://docs.aws.amazon.com/vpn/latest/s2svpn/log-contents.html

answered 8 months ago
  • Ok, it appears I mistakenly assumed that the config file I downloaded would have the values I entered into the AWS but sadly it did not so I need to adjust the file myself.

    Why is AWS estimated to be worth $400 billion but they can't put the values I configured on their platform into the file themselves? Amazing stuff.

  • New update. The IPs were correct, but not the encryption / authentication algorithms. :)
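The triage the two answers describe (read the newest log record, decide from ike_phase1_state / ike_phase2_state whether to start with the Phase 1 or Phase 2 document, and pick out "error" lines while ignoring plain DPD traffic such as the "sending packet" record) written out as an added example; this is not code from AWS or from the answerers, and the sample log lines are constructed in the shape of the record quoted above:

```python
import json

# Troubleshooting documents linked in the answers above.
PHASE1_DOC = "https://repost.aws/knowledge-center/vpn-tunnel-phase-1-ike"
PHASE2_DOC = "https://repost.aws/knowledge-center/vpn-tunnel-phase-2-ipsec"

# Constructed sample log stream (one JSON record per line). The first record
# is the one quoted in the question; the other two use made-up "details"
# text only to exercise the classifier and are not real AWS output.
SAMPLE_LOG_STREAM = """
{"event_timestamp": 1692913269, "details": "sending packet: from 54.254.96.253 [UDP 500] to cgw-0eed1cc62f34b2a06 [UDP 500] (56 bytes)", "dpd_enabled": true, "nat_t_detected": false, "ike_phase1_state": "down", "ike_phase2_state": "down"}
{"event_timestamp": 1692913275, "details": "error message: (constructed placeholder for a phase 1 negotiation error)", "dpd_enabled": true, "nat_t_detected": false, "ike_phase1_state": "down", "ike_phase2_state": "down"}
{"event_timestamp": 1692913281, "details": "(constructed) phase 1 negotiated, phase 2 still pending", "dpd_enabled": true, "nat_t_detected": false, "ike_phase1_state": "up", "ike_phase2_state": "down"}
"""


def parse_log_stream(text):
    """Parse one JSON record per non-empty line; skip lines that are not JSON."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # tolerate non-JSON noise in an exported stream
    return records


def diagnose(records):
    """Classify the tunnel from the newest record and collect error lines."""
    if not records:
        return {"status": "no-logs", "phase1": None, "phase2": None,
                "errors": [], "check": None}
    latest = max(records, key=lambda r: r.get("event_timestamp", 0))
    p1 = latest.get("ike_phase1_state", "unknown")
    p2 = latest.get("ike_phase2_state", "unknown")
    # Only lines mentioning "error" are candidates; DPD keepalive traffic is not.
    errors = [r["details"] for r in records
              if "error" in str(r.get("details", "")).lower()]
    if p1 != "up":
        status, check = "phase1-failing", PHASE1_DOC
    elif p2 != "up":
        status, check = "phase2-failing", PHASE2_DOC
    else:  # both SAs up: a down link is then a routing problem, not IKE/IPsec
        status, check = "tunnel-up-check-routing", None
    return {"status": status, "phase1": p1, "phase2": p2,
            "errors": errors, "check": check}


if __name__ == "__main__":
    print(json.dumps(diagnose(parse_log_stream(SAMPLE_LOG_STREAM)), indent=2))
```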

0
Accepted Answer

Ok, it appears I mistakenly assumed that the config file I downloaded would have the values I entered into the AWS but sadly it did not so I need to adjust the file myself.

Why is AWS estimated to be worth $400 billion but they can't put the values I configured on their platform into the file themselves? Amazing stuff.

The IPs were correct (besides failing to put in the VPC's subnet and subnet mask), but not the encryption / authentication algorithms. :)

answered 8 months ago
