My AWS Site-to-Site VPN in an Amazon Virtual Private Cloud (Amazon VPC) can't establish either an Internet Key Exchange (IKE)/Phase 1 or Internet Protocol Security (IPsec)/Phase 2 connection. I want to troubleshoot these connection errors.
Resolution
If the VPN can't establish connectivity, then either IKE/Phase 1 or IPsec/Phase 2 is down.
Turn on Site-to-Site VPN logs. Use the logs to check the status of each phase. You can also check their statuses on the customer gateway device.
Then, troubleshoot the failed connection based on the phase that doesn't connect.
Note: The VPN's status is UP only when both Phase 1 and Phase 2 statuses are UP. On a dynamic VPN, the Border Gateway Protocol (BGP) status must also be UP. If the IKE/Phase 1 connection is established but the IPsec/Phase 2 connection's status is DOWN, then the VPN's status is also DOWN.
IKE/Phase 1 failures
Check the customer gateway device
On the customer gateway device, verify the following configurations:
Check the Startup action
If the tunnel's Startup action is Start, then take the following actions:
- If the VPN endpoint is the VPN tunnel IKE initiator, then verify that the tunnel options on the customer gateway device and AWS match.
- For pre-shared key authentication, verify that the customer gateway device's local ID and the public IP address on AWS match. For certificate authentication, verify that the customer gateway device's local ID is the subject of the certificate.
Confirm that traffic moves through required ports
If the customer gateway is behind a NAT device, then use My Traceroute (MTR) to confirm that traffic moves through the required ports:
- Verify that User Datagram Protocol (UDP) packets can pass between the network and the VPN endpoints on port 500. If NAT-traversal is active, then also check port 4500.
- Verify that the intermediate internet service provider (ISP) allows traffic on port 500. If you use NAT-traversal, then verify that the ISP allows traffic on port 4500.
For more information, see How do I troubleshoot packet loss on my AWS VPN connection?
Note: If your customer gateway isn't behind a port address translation (PAT) device, then it's a best practice to turn off NAT-traversal. If acceleration is turned on for a Site-to-Site VPN connection, then verify that NAT-traversal is active on the customer gateway device.
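The port checks above, as an added shell example that is not part of the AWS article: it runs mtr over UDP 500 (and UDP 4500 when NAT-traversal is active) toward a VPN endpoint and reads the loss figure for the final hop out of the report. The endpoint address is a placeholder to replace with the outside IP address from your VPN configuration file, and the "yes"/"no" NAT-traversal flag is an assumed convention of this script.

```shell
#!/usr/bin/env sh
# Added example, not from the AWS article. Probes the path from the customer
# gateway to a Site-to-Site VPN endpoint on the IKE ports and summarises the
# mtr report. Endpoint below is a placeholder (203.0.113.10, documentation range).

vpn_ports_to_check() {
  # UDP 500 is always required; UDP 4500 is required only with NAT-traversal.
  if [ "$1" = "yes" ]; then echo "500 4500"; else echo "500"; fi
}

last_hop_loss() {
  # Read an "mtr --report" on stdin and print the Loss% column of the last hop.
  # Rows look like: "  3.|-- 203.0.113.10    0.0%    20   12.1  12.4  11.9  13.0   0.3"
  awk '/\|--/ { loss = $3 } END { print loss }'
}

run_vpn_path_checks() {
  endpoint="$1"; nat_t="${2:-no}"
  for port in $(vpn_ports_to_check "$nat_t"); do
    echo "== UDP $port to $endpoint =="
    # --udp/--port send the probes on the IKE port; --report with 20 cycles
    # gives a one-shot summary instead of the interactive display.
    report=$(mtr --udp --port "$port" --report --report-cycles 20 --no-dns "$endpoint") || {
      echo "mtr failed for UDP $port"; continue; }
    echo "$report"
    loss=$(echo "$report" | last_hop_loss)
    case "$loss" in
      0.0%) echo "UDP $port reaches the endpoint with no loss" ;;
      # Loss only on the final hop can mean the endpoint does not answer UDP
      # probes with ICMP; loss that starts at an earlier hop points at the
      # NAT device or ISP filtering that port.
      *)    echo "UDP $port: ${loss:-unknown} loss at the final hop; check the hops before it" ;;
    esac
  done
}

# Usage: sh vpn_path_check.sh 203.0.113.10 yes   (placeholder endpoint, NAT-T active)
if [ -n "${1:-}" ]; then run_vpn_path_checks "$@"; fi
```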
Troubleshoot IPsec/Phase 2 failures when IKE/Phase 1 is UP
Check the following configurations:
- Compare the customer gateway device settings with the Site-to-Site VPN configuration file to verify that the Phase 2 parameters are configured correctly. For a customer gateway device with non-default options, use the AWS Management Console to verify the Phase 2 parameters.
- On the customer gateway device, confirm that the supported Phase 2 parameters for IKEv1 and IKEv2 are configured correctly.
- Verify that Diffie-Hellman Perfect Forward Secrecy (PFS) is active and uses Diffie-Hellman groups for key generation.
- Confirm that the security associations and traffic selectors on AWS and the customer gateway device match.
- Verify that the VPN connection options for the remote and local IP addresses match the security associations on the customer gateway device. For more information, see How do I troubleshoot connection problems between an AWS VPN endpoint and a policy-based VPN?
Troubleshoot other common VPN connectivity failures
If the issue persists, then take the following actions:
Related information
How do I check the current status of my VPN tunnel?
Modify AWS Site-to-Site VPN tunnel options
Downloadable static routing configuration files for an AWS Site-to-Site VPN customer gateway device
Downloadable dynamic routing configuration files for AWS Site-to-Site VPN customer gateway device