When I set up an AWS Site-to-Site VPN connection, Internet Protocol security (IPsec)/Phase 2 fails.
Resolution
If an IPsec/Phase 2 connection fails, then take the following actions:
- Make sure that the Site-to-Site VPN Phase 2 parameters on your customer gateway device match the VPN's tunnel settings.
Note: You can download an example configuration file for your VPN, and then compare that file to the tunnel settings for the customer gateway. However, if your VPN tunnels have customized settings, then the example configuration file might not match the Phase 2 parameters of the VPN tunnels.
- Verify that the Phase 2 parameters for Internet Key Exchange (IKE) v1 and IKEv2 follow the best practices for your customer gateway device.
The following is an example of parameters that follow best practices:
IKEv1 Encryption: AES-128, AES-256, AES128-GCM-16, AES256-GCM-16
IKEv1 Data Integrity: SHA-1, SHA2-256, SHA2-384, SHA2-512
IKEv1 DH groups: 2, 5, and 14-24
Lifetime: 3600 seconds
Diffie-Hellman Perfect Forward Secrecy (PFS): Active
AWS Phase 2 parameters: AES128, SHA1, Diffie-Hellman group 2
AWS GovCloud (US) Phase 2 parameters: AES128, SHA2, Diffie-Hellman group 14
- Make sure that Diffie-Hellman PFS is active and uses Diffie-Hellman groups for key generation. For more information, see Tunnel options for your Site-to-Site VPN connection.
- Verify that the security associations and traffic selectors match on the customer gateway and AWS. For more information, see How do I troubleshoot connection problems between an AWS VPN endpoint and a policy-based VPN?
- If the connection uses IKEv2 with both Initiator Identification (IDi) and Responder Identification (IDr), then make sure that you correctly configure the responder parameter. For more information, see Internet Key Exchange Protocol Version 2 (IKEv2) on the Internet Engineering Task Force (IETF) website.
- Verify that the configured Site-to-Site VPN connection options for both remote and local IP addresses match the security associations on the customer gateway. For more information, see How do I troubleshoot connection problems between an AWS VPN endpoint and a policy-based VPN?
- Make sure that your customer gateway initiates inbound traffic. For more information, see Site-to-Site VPN tunnel initiation options.
Note: By default, Site-to-Site VPN works in responder mode.
- Activate Site-to-Site VPN logs, and then review the logs for errors that correspond with your connection failure. After you review, troubleshoot your connection errors.
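The checklist above, as an added example that is not part of the AWS article: a Python script that compares one tunnel's Phase 2 options, in the shape returned by `aws ec2 describe-vpn-connections`, against the proposal configured on the customer gateway and reports every mismatch that would keep Phase 2 from coming up. The AWS field names are assumed from that API and all sample values are constructed.

```python
from typing import Dict, List

# Constructed sample shaped like one TunnelOptions entry and the connection Options (field names assumed).
AWS_TUNNEL = {
    "Phase2EncryptionAlgorithms": [{"Value": "AES128"}, {"Value": "AES256"}],
    "Phase2IntegrityAlgorithms": [{"Value": "SHA2-256"}],
    "Phase2DHGroupNumbers": [{"Value": 14}],
    "Phase2LifetimeSeconds": 3600,
    "StartupAction": "add",  # "add": AWS waits as responder; "start": AWS initiates
}
AWS_OPTIONS = {"LocalIpv4NetworkCidr": "10.0.0.0/16",     # on-premises side
               "RemoteIpv4NetworkCidr": "172.16.0.0/16"}  # AWS side

# Constructed sample: Phase 2 proposal as read from the customer gateway device.
CGW_PROPOSAL = {
    "encryption": ["AES256"],
    "integrity": ["SHA1"],
    "pfs_group": 2,            # None when PFS is disabled on the device
    "lifetime_seconds": 28800,
    "onprem_selector": "10.0.0.0/16",
    "aws_selector": "172.16.0.0/12",
    "initiates": False,        # does the device bring the tunnel up itself?
}

def _aws_values(tunnel: Dict, key: str) -> set:  # flatten [{"Value": ...}] lists
    return {item["Value"] for item in tunnel.get(key, [])}

def check_phase2(tunnel: Dict, options: Dict, cgw: Dict) -> List[str]:
    """Return findings; an empty list means the Phase 2 settings agree."""
    findings: List[str] = []
    if not _aws_values(tunnel, "Phase2EncryptionAlgorithms") & set(cgw["encryption"]):
        findings.append("no common Phase 2 encryption algorithm")
    if not _aws_values(tunnel, "Phase2IntegrityAlgorithms") & set(cgw["integrity"]):
        findings.append("no common Phase 2 integrity algorithm")
    if (pfs := cgw["pfs_group"]) is None:
        findings.append("PFS disabled on customer gateway; PFS must be active")
    elif pfs not in _aws_values(tunnel, "Phase2DHGroupNumbers"):
        findings.append(f"PFS DH group {pfs} not in AWS Phase 2 DH groups")
    if cgw["lifetime_seconds"] != tunnel["Phase2LifetimeSeconds"]:
        findings.append("Phase 2 lifetime differs")
    if (options["LocalIpv4NetworkCidr"] != cgw["onprem_selector"]
            or options["RemoteIpv4NetworkCidr"] != cgw["aws_selector"]):
        findings.append("traffic selectors do not match connection CIDRs")
    if tunnel["StartupAction"] == "add" and not cgw["initiates"]:
        findings.append("neither side initiates: customer gateway must start the tunnel")
    return findings

if __name__ == "__main__":
    for finding in check_phase2(AWS_TUNNEL, AWS_OPTIONS, CGW_PROPOSAL):
        print("MISMATCH:", finding)
```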
Related information
Downloadable dynamic routing configuration files for Site-to-Site VPN customer gateway device
Downloadable static routing configuration files for a Site-to-Site VPN customer gateway device
Modify Site-to-Site VPN tunnel options