
Why can't my AWS Site-to-Site VPN establish connectivity?


My AWS Site-to-Site VPN in an Amazon Virtual Private Cloud (Amazon VPC) can't establish either an Internet Key Exchange (IKE)/Phase 1 or Internet Protocol Security (IPsec)/Phase 2 connection. I want to troubleshoot these connection errors.

Resolution

If the VPN can't establish connectivity, then either IKE/Phase 1 or IPsec/Phase 2 is down.

Turn on Site-to-Site VPN logs. Use the logs to check the status of each phase. You can also check their statuses on the customer gateway device.

Then, troubleshoot the failed connection based on the phase that doesn't connect. 

Note: The VPN's status is UP only when both the IKE/Phase 1 and IPsec/Phase 2 statuses are UP. On a dynamic VPN, which uses Border Gateway Protocol (BGP), the BGP session must also be UP. If the IKE/Phase 1 connection is established but the IPsec/Phase 2 status is DOWN, then the VPN's status is DOWN: an established Phase 1 only shows that the peers authenticated each other, not that a security association exists to carry traffic.
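The following script is an added example, not AWS code, that applies the rule in the note above to the VPN log stream: it keeps the latest record per tunnel, decides which phase (or BGP) is the one that is down, and points at the troubleshooting section for that phase. The field names (TunnelOutsideIPAddress, TunnelIKEPhase1State, TunnelIKEPhase2State, VpnLogDetail) follow the documented Site-to-Site VPN log format as I understand it, and the records, the "established" state value and the VPN connection ID are constructed, so confirm the names against a real log group before relying on it.

```python
"""Triage Site-to-Site VPN tunnels from the VPN log stream.

Added example, not AWS code. Field names follow the documented Site-to-Site
VPN log format as understood by the author; the records, the "established"
state value and the VPN connection ID are constructed.
"""
import json

# Constructed sample, one JSON record per tunnel as they land in CloudWatch
# Logs. Tunnel .10 has both phases up; tunnel .11 has Phase 1 up but Phase 2
# down, which leaves that tunnel DOWN.
SAMPLE_LOG_LINES = [
    json.dumps({
        "VpnConnectionId": "vpn-0123456789abcdef0",   # hypothetical ID
        "TunnelOutsideIPAddress": "203.0.113.10",      # RFC 5737 test address
        "TunnelIKEPhase1State": "established",
        "TunnelIKEPhase2State": "established",
        "VpnLogDetail": "IPsec SA installed",
    }),
    json.dumps({
        "VpnConnectionId": "vpn-0123456789abcdef0",
        "TunnelOutsideIPAddress": "203.0.113.11",
        "TunnelIKEPhase1State": "established",
        "TunnelIKEPhase2State": "down",
        "VpnLogDetail": "IPsec proposal rejected by peer",
    }),
]

# Where to look next, keyed by the component that is down.
NEXT_STEP = {
    "IKE/Phase 1": "Check the Startup action, local ID, and UDP 500/4500 on the customer gateway device.",
    "IPsec/Phase 2": "Compare the Phase 2 parameters, PFS group, and traffic selectors with the tunnel options.",
    "BGP": "Both IPsec phases are up; check the BGP session (ASNs, inside tunnel IPs, timers).",
}


def parse_log_lines(lines):
    """Return the most recent record per tunnel outside IP (later lines win)."""
    latest = {}
    for line in lines:
        rec = json.loads(line)
        latest[rec["TunnelOutsideIPAddress"]] = rec
    return latest


def phase_is_up(state):
    # Assumption: an up phase is logged as "established"; anything else is down.
    return (state or "").strip().lower() == "established"


def triage_tunnel(rec, dynamic_routing=False, bgp_up=False):
    """Apply the rule from the note: a tunnel is UP only when Phase 1 and
    Phase 2 are up, and on a dynamic (BGP) VPN the BGP session is up too."""
    if not phase_is_up(rec.get("TunnelIKEPhase1State")):
        failing = "IKE/Phase 1"
    elif not phase_is_up(rec.get("TunnelIKEPhase2State")):
        failing = "IPsec/Phase 2"
    elif dynamic_routing and not bgp_up:
        failing = "BGP"
    else:
        failing = None
    return {
        "status": "UP" if failing is None else "DOWN",
        "failing": failing,
        "next_step": NEXT_STEP.get(failing),
        "detail": rec.get("VpnLogDetail"),
    }


def triage(lines, dynamic_routing=False, bgp_up_by_tunnel=None):
    """Triage every tunnel seen in the log lines. BGP state is supplied by the
    caller, for example from the customer gateway device's BGP neighbor table."""
    bgp = bgp_up_by_tunnel or {}
    return {
        ip: triage_tunnel(rec, dynamic_routing, bgp.get(ip, False))
        for ip, rec in parse_log_lines(lines).items()
    }


if __name__ == "__main__":
    for ip, result in triage(SAMPLE_LOG_LINES).items():
        print(ip, result["status"], result["failing"] or "", result["next_step"] or "")
```

Run it against a real export by replacing SAMPLE_LOG_LINES with the lines of a CloudWatch Logs query result; for a dynamic VPN, pass `dynamic_routing=True` and the per-tunnel BGP state, otherwise a tunnel with both phases up is reported as DOWN on the BGP check.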

IKE/Phase 1 failures

Check the customer gateway device

On the customer gateway device, verify the following configurations:

Check the Startup action

If the tunnel's Startup action is Start, then the AWS VPN endpoint initiates IKE, so it must find a matching proposal and identity on your side. Take the following actions:

  • Verify that the tunnel options on the customer gateway device and in AWS match: the IKE version, the Phase 1 encryption, integrity and Diffie-Hellman group proposals, and the pre-shared key.
  • For pre-shared key authentication, verify that the customer gateway device's local ID (its IKE identity) is the public IP address that's configured on the customer gateway resource in AWS. This also applies when the device is behind NAT: the local ID must still be the public address, not the private interface address. For certificate authentication, verify that the customer gateway device's local ID is the subject of the certificate.

Confirm that traffic moves through required ports

If the customer gateway is behind a NAT device, then use MTR (My Traceroute) with UDP probes to the VPN endpoint's outside IP address to confirm that traffic moves through the required ports:

  • Verify that User Datagram Protocol (UDP) packets can pass between the customer gateway and the VPN endpoints on port 500. If NAT-traversal is active, then also check port 4500.
  • Verify that the intermediate internet service provider (ISP) allows traffic on UDP port 500, and on UDP port 4500 if you use NAT-traversal.

For more information, see How do I troubleshoot packet loss on my AWS VPN connection?

Note: If your customer gateway isn't behind a port address translation (PAT) device, then it's a best practice to turn off NAT-traversal. If acceleration is turned on for the Site-to-Site VPN connection, then NAT-traversal is required, so verify that it's active on the customer gateway device.
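The port check above is easier to read when the two MTR runs are compared hop by hop. The script below is an added example, not part of the AWS article: it reads the JSON that `mtr --udp --port 500 --json --report-cycles 20 <vpn-endpoint-outside-ip>` prints (and the same with `--port 4500`), finds the run of hops at the end of the path that never answer, and separates a block at an intermediate hop (ISP or NAT device dropping that port) from the expected case where only the endpoint is silent, since an IKE daemon drops unexpected UDP on an open port without an ICMP reply. The two reports are constructed in mtr's JSON layout (report.hubs[] with "count", "host", "Loss%" and "Snt") using RFC 5737 addresses so that the script runs offline.

```python
"""Find where UDP/500 and UDP/4500 probes stop getting replies on the path to
a VPN endpoint.

Added example, not part of the AWS article. Input is the JSON printed by
`mtr --udp --port <port> --json --report-cycles 20 <endpoint>`; the two
reports below are constructed in that layout with RFC 5737 addresses.
"""
import json


def _report(dst, hubs):
    return json.dumps({"report": {"mtr": {"dst": dst, "tests": 20}, "hubs": hubs}})


def _hub(n, host, loss):
    return {"count": n, "host": host, "Loss%": loss, "Snt": 20}


# Constructed: UDP/500 probes stop being answered after hop 3.
REPORT_UDP_500 = _report("203.0.113.10", [
    _hub(1, "192.0.2.1", 0.0),
    _hub(2, "198.51.100.1", 10.0),   # some ICMP rate limiting, not a block
    _hub(3, "198.51.100.9", 0.0),
    _hub(4, "???", 100.0),
    _hub(5, "???", 100.0),
    _hub(6, "???", 100.0),
])

# Constructed: UDP/4500 probes are answered by every hop except the endpoint.
REPORT_UDP_4500 = _report("203.0.113.10", [
    _hub(1, "192.0.2.1", 0.0),
    _hub(2, "198.51.100.1", 0.0),
    _hub(3, "198.51.100.9", 0.0),
    _hub(4, "198.51.100.17", 0.0),
    _hub(5, "198.51.100.33", 0.0),
    _hub(6, "203.0.113.10", 100.0),
])


def trailing_dark_run(report_json):
    """Return (first_dark_hop, hop_count). first_dark_hop is the hop number
    where the run of 100%-loss hops that reaches the end of the path begins,
    or None if the last hop replied. Loss in the middle of the path is
    ignored: routers rate-limit ICMP, which is not evidence of a port block."""
    hubs = json.loads(report_json)["report"]["hubs"]
    first = None
    for hub in reversed(hubs):
        if hub["Loss%"] >= 100.0:
            first = hub["count"]
        else:
            break
    return first, len(hubs)


def classify(report_json, port):
    first, total = trailing_dark_run(report_json)
    if first is None:
        verdict = "every hop replied, including the endpoint"
        blocked_after = None
    elif first == total:
        # Only the endpoint is silent. An IKE daemon drops unexpected UDP on an
        # open port without an ICMP reply, so this does not prove a block.
        verdict = "inconclusive: only the endpoint is silent"
        blocked_after = None
    else:
        verdict = f"no replies from hop {first} onward"
        blocked_after = first - 1
    return {"port": port, "verdict": verdict, "blocked_after_hop": blocked_after}


def compare_ports(report_500, report_4500):
    """Classify both probes. A hop that is dark for one port but answers for
    the other is where a firewall or NAT device drops that port."""
    return {500: classify(report_500, 500), 4500: classify(report_4500, 4500)}


if __name__ == "__main__":
    for port, result in compare_ports(REPORT_UDP_500, REPORT_UDP_4500).items():
        print(f"UDP/{port}: {result['verdict']}")
```

With the constructed reports, UDP/500 is reported as blocked after hop 3 while UDP/4500 is inconclusive, which is the pattern to take to the ISP: the path is fine, one port is being dropped.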

Troubleshoot IPsec/Phase 2 failures when IKE/Phase 1 is UP

Check the following configurations:

  • Compare the customer gateway device settings with the Site-to-Site VPN configuration file to verify that the Phase 2 parameters (encryption algorithm, integrity algorithm, Diffie-Hellman group, and lifetime) are configured correctly. For a customer gateway device with non-default tunnel options, use the AWS Management Console to verify the Phase 2 parameters that the tunnel is actually configured with.
  • On the customer gateway device, confirm that the Phase 2 parameters you configure are ones that AWS supports for the IKE version (IKEv1 or IKEv2) that the tunnel uses.
  • Verify that Perfect Forward Secrecy (PFS) is active and that the Diffie-Hellman group it uses for Phase 2 key generation is one that the tunnel options allow.
  • Confirm that the security associations and traffic selectors on AWS and the customer gateway device match.
  • Verify that the local IPv4 network CIDR and remote IPv4 network CIDR in the VPN connection options match the traffic selectors of the security associations on the customer gateway device. The local CIDR is the on-premises (customer gateway) side and the remote CIDR is the AWS side; swapping them is a common cause of a Phase 2 failure. For more information, see How do I troubleshoot connection problems between an AWS VPN endpoint and a policy-based VPN?
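The checks in the list above can be run mechanically before touching the device. The script below is an added example, not AWS or vendor code: it takes a vendor-neutral view of the customer gateway's Phase 2 proposal and compares it first with the values AWS accepts at all, then with this tunnel's own Phase2* options as `aws ec2 describe-vpn-connections` returns them, then checks PFS, the lifetime range, and the traffic selectors against the connection's local and remote IPv4 CIDRs. The SUPPORTED_* sets are the Phase 2 tunnel option values in the AWS Site-to-Site VPN documentation at the time of writing (confirm against the current docs); the tunnel options, connection options, and proposal are constructed, and the proposal deliberately carries three common mistakes.

```python
"""Check a customer gateway's Phase 2 (IPsec) proposal against the AWS tunnel
options.

Added example, not AWS or vendor code. SUPPORTED_* sets reflect the AWS
documentation at the time of writing; all other data below is constructed.
"""

# Values AWS accepts for the Phase 2 tunnel options.
SUPPORTED_PHASE2_ENCRYPTION = {"AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"}
SUPPORTED_PHASE2_INTEGRITY = {"SHA1", "SHA2-256", "SHA2-384", "SHA2-512"}
SUPPORTED_PHASE2_DH_GROUPS = {2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24}
PHASE2_LIFETIME_RANGE = (900, 3600)

# Constructed: one tunnel's Options.TunnelOptions[] entry as returned by
# `aws ec2 describe-vpn-connections`, with non-default Phase 2 options set.
AWS_TUNNEL_OPTIONS = {
    "Phase2EncryptionAlgorithms": [{"Value": "AES256"}],
    "Phase2IntegrityAlgorithms": [{"Value": "SHA2-256"}],
    "Phase2DHGroupNumbers": [{"Value": 14}, {"Value": 19}],
    "Phase2LifetimeSeconds": 3600,
}

# Constructed: the connection-level options. Local is the on-premises side,
# remote is the AWS side.
VPN_CONNECTION_OPTIONS = {
    "LocalIpv4NetworkCidr": "10.0.0.0/16",
    "RemoteIpv4NetworkCidr": "172.16.0.0/16",
}

# Constructed, vendor-neutral view of the customer gateway's Phase 2 proposal.
# It carries three classic mistakes: a PFS group the tunnel does not allow,
# a Phase 1 lifetime reused for Phase 2, and swapped traffic selectors.
CGW_PROPOSAL = {
    "encryption": "AES256",
    "integrity": "SHA2-256",
    "pfs_group": 5,
    "lifetime_seconds": 28800,
    "local_cidr": "172.16.0.0/16",
    "remote_cidr": "10.0.0.0/16",
}


def _values(options, key):
    """Flatten the [{"Value": ...}] lists in the describe-vpn-connections output."""
    return {item["Value"] for item in options.get(key, [])}


def check_phase2(cgw, tunnel_options, connection_options):
    """Return a list of (field, problem) pairs; an empty list means the
    proposal should be accepted by AWS for this tunnel."""
    problems = []

    def check_choice(field, value, supported, tunnel_key):
        if value not in supported:
            problems.append((field, f"{value} is not a value AWS accepts for {tunnel_key}"))
        elif value not in _values(tunnel_options, tunnel_key):
            problems.append((field, f"{value} is not in this tunnel's {tunnel_key}"))

    check_choice("encryption", cgw["encryption"], SUPPORTED_PHASE2_ENCRYPTION, "Phase2EncryptionAlgorithms")
    check_choice("integrity", cgw["integrity"], SUPPORTED_PHASE2_INTEGRITY, "Phase2IntegrityAlgorithms")

    pfs = cgw.get("pfs_group")
    if pfs is None:
        problems.append(("pfs_group", "PFS is off; Phase 2 needs a Diffie-Hellman group"))
    else:
        check_choice("pfs_group", pfs, SUPPORTED_PHASE2_DH_GROUPS, "Phase2DHGroupNumbers")

    lifetime = cgw["lifetime_seconds"]
    lo, hi = PHASE2_LIFETIME_RANGE
    if not lo <= lifetime <= hi:
        problems.append(("lifetime_seconds", f"{lifetime}s is outside the AWS Phase 2 range {lo}-{hi}s"))
    elif lifetime != tunnel_options["Phase2LifetimeSeconds"]:
        problems.append(("lifetime_seconds",
                         f"{lifetime}s differs from the tunnel's {tunnel_options['Phase2LifetimeSeconds']}s; "
                         "rekeys happen at the shorter value"))

    # Traffic selectors: AWS "local" is the on-premises side, "remote" the AWS side.
    aws_local = connection_options["LocalIpv4NetworkCidr"]
    aws_remote = connection_options["RemoteIpv4NetworkCidr"]
    if cgw["local_cidr"] == aws_remote and cgw["remote_cidr"] == aws_local:
        problems.append(("traffic_selectors", "local and remote CIDRs are swapped relative to the VPN connection options"))
    elif (cgw["local_cidr"], cgw["remote_cidr"]) != (aws_local, aws_remote):
        problems.append(("traffic_selectors",
                         f"expected local {aws_local} / remote {aws_remote}, "
                         f"got local {cgw['local_cidr']} / remote {cgw['remote_cidr']}"))
    return problems


if __name__ == "__main__":
    for field, problem in check_phase2(CGW_PROPOSAL, AWS_TUNNEL_OPTIONS, VPN_CONNECTION_OPTIONS):
        print(f"{field}: {problem}")
```

The two-step choice check matters: a value such as DH group 5 is something AWS supports in general, but if it was removed from this tunnel's Phase2DHGroupNumbers it still produces a "no proposal chosen" failure, and the downloaded configuration file will not tell you that. Feed the function the tunnel's options from the console or the CLI rather than from the file.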

Troubleshoot other common VPN connectivity failures

If the issue persists, then take the following actions:

Related information

How do I check the current status of my VPN tunnel?

Modify AWS Site-to-Site VPN tunnel options

Downloadable static routing configuration files for an AWS Site-to-Site VPN customer gateway device

Downloadable dynamic routing configuration files for AWS Site-to-Site VPN customer gateway device

AWS OFFICIAL
Updated 2 months ago