Site to Site VPN Phase 2 Down
Site to site VPN, when trying to establish connection with customer gateway - IKE Phase 1 is established, but IKE phase 2 is down. In the logs - { "event_timestamp": 1690951183, "details": "received packet: from XXXXXX [UDP 4500] to XXXXXXXX [UDP 4500] (92 bytes)", "dpd_enabled": true, "nat_t_detected": true, "ike_phase1_state": "established", "ike_phase2_state": "down" }
Customer Gateway Configuration
Aws Tunnel Configuration
Why is the phase 2 connection not getting established.
- 最新
- 投票最多
- 评论最多
According to the screenshot of the configuration on Customer Gateway that you provided, the Perfect Forward Secrecy (PFS) is disabled. You must enable it on the Customer Gateway. It is one of the requirements to establish IKE Phase 2.
The following documents are common troubleshooting methods.
Common cases are that the DH Group numbers do not match and the connection fails, etc.
By the way, is it possible to check the VPN logs and other information on the Customer Gateway?
Perhaps there is some error message that can be helpful in the investigation.
https://repost.aws/knowledge-center/vpn-tunnel-phase-2-ipsec
Check the DPD (Dead Peer Detection) settings on your customer gateway. https://repost.aws/knowledge-center/vpn-tunnel-instability-inactivity
相关内容
AWS 官方已更新 1 年前- AWS 官方已更新 1 年前
- AWS 官方已更新 1 年前
Thanks. We don't have access to customer gateway logs as it is an external vendor. I have checked all settings from the above answer still not able to troubleshoot the issue.