Why is my AWS Site-to-Site VPN failing to establish connectivity?

4 minute read

My AWS Site-to-Site VPN in an Amazon Virtual Private Cloud (Amazon VPC) fails either IKE/Phase 1 or IPSec/Phase 2 of connectivity establishment.


IKE/Phase 1 failures

If the IKE phase of your configuration fails, then check the Site-to-Site VPN configuration to confirm that it meets the following requirements:

If acceleration is turned on for a Site-to-Site VPN connection, then be sure that NAT-Traversal is turned on for the customer gateway device.

If the customer gateway device is behind a network address translation (NAT) device, then confirm the following:

  • UDP packets on port 500 (and port 4500, if NAT-traversal is used) are allowed to pass between your network and the Site-to-Site VPN endpoints.
  • The intermediate internet service providers (ISPs) aren't blocking UDP port 500 (or port 4500, if NAT-Traversal is used).

Note: If your customer gateway isn't behind a port address translation (PAT) device, then it's a best practice to turn off NAT-traversal.

IPsec/Phase 2 failures when IKE/Phase 1 is UP

After IKE/Phase 1 of the Site-to-Site VPN connection is established, then the customer gateway tries to establish IPsec/Phase 2. Note that the Site-to-Site VPN status is UP only when both Phase 1 and Phase 2 statuses are UP. For dynamic Site-to-Site VPN, BGP must also be in UP status. If the IKE/Phase 1 connection establishes, but your IPsec/Phase 2 connection is in the DOWN status, then the Site-to-Site VPN status is DOWN also.

If your Site-to-Site VPN IPsec/Phase 2 fails to establish a connection, then try the following steps to resolve the problem:

  • Compare your settings against the Site-to-Site VPN configuration file to verify that the Site-to-Site VPN Phase 2 parameters are configured correctly on your customer gateway device. You can download this file from the Site-to-Site VPN console.
  • Verify that the supported Phase 2 parameters for IKEv1 and IKEv2 are configured correctly. See the following example IKEv1 and IKEv2 parameters:
    IKEv1 Encryption: AES-128, AES-256, AES128-GCM-16, AES256-GCM-16
    IKEv1 Data Integrity: SHA-1, SHA2-256, SHA2-384, SHA2-512
    IKEv1 DH groups: 2, 5, and 14-24
    Lifetime: 3600 seconds
    Diffie-Hellman Perfect Forward Secrecy: Turned on
    Note: The example IKEv1 and IKEv2 Phase 2 and IKEv2 Child_SA parameters specify the minimum requirements for a Site-to-Site VPN connection of:
    AWS Phase 2 parameters: AES128, SHA1, Diffie-Hellman group 2
    AWS GovCloud (US) Phase 2 parameters: AES128, SHA2, Diffie-Hellman group 14
  • Verify that Diffie-Hellman Perfect Forward Secrecy (PFS) is active and is using Diffie-Hellman groups for key generation. See Requirements for your customer gateway device, and review the information for Use Diffie-Hellman Perfect Forward Secrecy in the table that's provided.
  • Check that there's no security association or traffic selector mismatch between AWS and the customer gateway device.
  • Check whether the configured Site-to-Site VPN connection options, including remote and local IP addresses, match the security association that's specified on the customer gateway device. For more information, see How do I troubleshoot connection problems between an AWS VPN endpoint and a policy-based VPN?
  • Check if traffic is initiated inbound towards AWS. Site-to-Site VPN works in responder mode by default, and allows configuration changes to IKE negotiations, peer timeout settings, and other configuration settings. For more information, see Site-to-Site VPN tunnel initiation options.

If the issue still persists, try the following:

Related Information

What is AWS Site-to-Site VPN?

Troubleshooting your customer gateway device

Modify Site-to-Site VPN tunnel options

Example customer gateway device configurations for static routing

Example customer gateway device configurations for dynamic routing (BGP)

AWS OFFICIALUpdated a year ago