Why is my AWS Site-to-Site VPN down?


My AWS Site-to-Site Virtual Private Network (VPN) failed to establish a successful connection with my on-premises gateway. I want to troubleshoot my VPN that's down.

Resolution

To troubleshoot an AWS Site-to-Site VPN that's down, complete the following steps:

  1. Make sure that the remote peer IP address on the customer gateway device corresponds to the outside public IP address of the VPN endpoints. For more information, see Modify Site-to-Site VPN tunnel options.
  2. If you use a network address translation (NAT) device, note the public IP address on AWS. Then, verify that the public IP address that you noted corresponds to either the public IP address of the customer gateway device or its Wide Area Network (WAN) interface. For more information, see Customer gateway options for your Site-to-Site VPN connection.
  3. To confirm that there's connectivity between the VPN endpoint and the customer gateway device, ping the endpoint's outside public IP address/WAN interface from the customer gateway device.
  4. Verify that the firewall policy allows outbound and inbound traffic on User Datagram Protocol (UDP) port 500 to and from AWS VPN endpoints. For more information, see Firewall rules for your customer gateway device.
    Note: If the customer gateway is behind a NAT device, then this policy applies to outbound and inbound traffic on UDP 4500.
  5. If you use NAT traversal (NAT-T), then verify that the intermediate internet service providers (ISPs) allow traffic on UDP port 500 or port 4500.
  6. Verify that the configured Internet Key Exchange (IKE) versions are the same on both the AWS end and the customer gateway device.
  7. Make sure that the phase 1 and phase 2 parameters on the customer gateway and AWS match. For more information, see Tunnel options for your Site-to-Site VPN connections.
  8. In the AWS Management Console, choose VPC.
  9. Choose VPN. Then, choose Site-to-Site VPN connections.
  10. Choose Download configuration, and then note the preshared key in the configuration file. If the connection uses a preshared key, then use the configuration file to verify that the key is the same on AWS and the customer gateway device. For more information, see Example configuration files for your customer gateway device.
  11. Review the AWS Site-to-Site VPN logs for errors that prevent a connection.
  12. If the VPN connection is certificate-based, then verify that the customer gateway has valid and correct certificates.
    Note: The certificates must include the private certificate, root certificate authority (CA) certificate, and subordinate CA certificate.
  13. Verify that the startup action is set to Start and that the VPN is certificate-based. Then, make sure that the customer gateway has the public IP address defined on the customer gateway construct on the AWS end.
    Note: In this setup, AWS doesn't initiate IKE negotiations or rekeys. Instead, the customer gateway does. For more information, see Rules and restrictions.
  14. If you use an accelerated VPN with certificate-based authentication, then make sure that your customer gateway supports IKE fragmentation.
  15. If you use a dynamic VPN, verify that the inside IP addresses are configured correctly on the customer gateway device. Then, on the customer gateway device, verify that the statuses of both the IPsec and the Border Gateway Protocol (BGP) are UP.
  16. Test the Site-to-Site VPN connection.
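Steps 1, 6, 7 and 11 above compare what AWS has configured for each tunnel with what the customer gateway device is running. The following script is an added example, not AWS tooling from this article: it assumes you saved the output of `aws ec2 describe-vpn-connections --vpn-connection-ids <id>` to JSON and wrote down the customer gateway's peer IPs and IKE proposals by hand. The sample JSON and the `CGW_SETTINGS` dictionary are constructed (documentation IP ranges, a deliberately stale peer, an IKE version mismatch and a phase 2 encryption mismatch) so the script runs offline; the field names (`TunnelOptions`, `VgwTelemetry`, `IkeVersions`, `Phase1EncryptionAlgorithms`, and so on) are the ones the EC2 API returns.

```python
"""Offline mismatch checker for an AWS Site-to-Site VPN (added example, not AWS code)."""
import json

# Constructed sample of DescribeVpnConnections output, trimmed to the fields used here.
AWS_DESCRIBE_OUTPUT = json.dumps({
    "VpnConnections": [{
        "VpnConnectionId": "vpn-EXAMPLE",  # placeholder id
        "Options": {"TunnelOptions": [
            {"OutsideIpAddress": "203.0.113.10", "TunnelInsideCidr": "169.254.10.0/30",
             "IkeVersions": [{"Value": "ikev2"}],
             "Phase1EncryptionAlgorithms": [{"Value": "AES256"}],
             "Phase1IntegrityAlgorithms": [{"Value": "SHA2-256"}],
             "Phase1DHGroupNumbers": [{"Value": 14}],
             "Phase2EncryptionAlgorithms": [{"Value": "AES256"}],
             "Phase2IntegrityAlgorithms": [{"Value": "SHA2-256"}],
             "Phase2DHGroupNumbers": [{"Value": 14}],
             "StartupAction": "add"},
            {"OutsideIpAddress": "203.0.113.11", "TunnelInsideCidr": "169.254.11.0/30",
             "IkeVersions": [{"Value": "ikev2"}],
             "Phase1EncryptionAlgorithms": [{"Value": "AES256"}],
             "Phase1IntegrityAlgorithms": [{"Value": "SHA2-256"}],
             "Phase1DHGroupNumbers": [{"Value": 14}],
             "Phase2EncryptionAlgorithms": [{"Value": "AES256"}],
             "Phase2IntegrityAlgorithms": [{"Value": "SHA2-256"}],
             "Phase2DHGroupNumbers": [{"Value": 14}],
             "StartupAction": "add"},
        ]},
        "VgwTelemetry": [
            {"OutsideIpAddress": "203.0.113.10", "Status": "DOWN",
             "StatusMessage": "IPSEC IS DOWN", "AcceptedRouteCount": 0},
            {"OutsideIpAddress": "203.0.113.11", "Status": "UP",
             "StatusMessage": "", "AcceptedRouteCount": 1},
        ],
    }]
})

# Constructed settings as read off the customer gateway device (hypothetical values).
CGW_SETTINGS = {
    "peer_ips": {"203.0.113.10", "198.51.100.99"},   # 198.51.100.99 is a stale peer
    "ike_versions": {"ikev1"},                        # AWS side is ikev2 -> mismatch
    "phase1": {"enc": {"AES256"}, "integ": {"SHA2-256"}, "dh": {14}},
    "phase2": {"enc": {"AES128"}, "integ": {"SHA2-256"}, "dh": {14}},  # enc mismatch
}

# Map the page's "phase 1 / phase 2 parameters" onto the API's tunnel option keys.
PHASE_KEYS = {
    "phase1": {"enc": "Phase1EncryptionAlgorithms", "integ": "Phase1IntegrityAlgorithms",
               "dh": "Phase1DHGroupNumbers"},
    "phase2": {"enc": "Phase2EncryptionAlgorithms", "integ": "Phase2IntegrityAlgorithms",
               "dh": "Phase2DHGroupNumbers"},
}


def _values(tunnel, key):
    """Flatten the API's [{"Value": x}, ...] list into a set."""
    return {item["Value"] for item in tunnel.get(key, [])}


def check_vpn(describe_json, cgw):
    """Return (category, tunnel_ip, message) findings; an empty list means no obvious mismatch."""
    findings = []
    conn = json.loads(describe_json)["VpnConnections"][0]
    tunnels = conn["Options"]["TunnelOptions"]
    aws_outside = {t["OutsideIpAddress"] for t in tunnels}

    # Step 1: the remote peer IPs on the CGW must be exactly the AWS outside IPs.
    for ip in sorted(cgw["peer_ips"] - aws_outside):
        findings.append(("peer", ip, "configured on CGW but is not an AWS tunnel endpoint"))
    for ip in sorted(aws_outside - cgw["peer_ips"]):
        findings.append(("peer", ip, "AWS tunnel endpoint not configured as a peer on the CGW"))

    # Step 11: tunnel telemetry is the first place a down tunnel shows up.
    for t in conn["VgwTelemetry"]:
        if t["Status"] != "UP":
            findings.append(("telemetry", t["OutsideIpAddress"],
                             f"{t['Status']}: {t['StatusMessage']}"))

    # Steps 6 and 7: at least one IKE version and one proposal per parameter must be shared.
    for t in tunnels:
        ip = t["OutsideIpAddress"]
        aws_ike = _values(t, "IkeVersions")
        if not aws_ike & cgw["ike_versions"]:
            findings.append(("ike_version", ip,
                             f"AWS {sorted(aws_ike)} vs CGW {sorted(cgw['ike_versions'])}"))
        for phase, keys in PHASE_KEYS.items():
            for param, key in keys.items():
                aws_vals = _values(t, key)
                if not aws_vals & cgw[phase][param]:
                    findings.append((phase, ip,
                                     f"{param}: AWS {sorted(aws_vals)} vs CGW "
                                     f"{sorted(cgw[phase][param])}"))
    return findings


if __name__ == "__main__":
    for category, ip, message in check_vpn(AWS_DESCRIBE_OUTPUT, CGW_SETTINGS):
        print(f"[{category}] {ip}: {message}")
```

Run it against real output by replacing `AWS_DESCRIBE_OUTPUT` with the saved file contents; the pre-shared key is deliberately not compared here, because `PreSharedKey` is returned in the same response and should not be copied into a diagnostic script or its logs.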
AWS OFFICIAL
AWS OFFICIAL, updated 2 months ago