Why is IPsec/Phase 2 for AWS Site-to-Site VPN failing to establish a connection?
When I set up an AWS Site-to-Site VPN connection in Amazon Virtual Private Cloud (Amazon VPC), IPsec Phase 2 fails to establish, so the tunnel never comes up even though Phase 1 (IKE) may succeed.
Resolution
If IPsec Phase 2 (the IPsec security association, or IKEv2 Child SA) for your Site-to-Site VPN connection fails to establish, try the following steps to resolve the problem:
- Verify that the Site-to-Site VPN Phase 2 parameters are configured correctly on your customer gateway device. To do so, compare your settings against the VPN configuration file that you downloaded from the Site-to-Site VPN console.
- Verify that the Phase 2 parameters configured on your device are ones that AWS supports. Example Phase 2 parameters (the same Phase 2 values are accepted for IKEv1 and for IKEv2 Child SAs):
  Encryption: AES-128, AES-256, AES128-GCM-16, AES256-GCM-16
  Data integrity: SHA-1, SHA2-256, SHA2-384, SHA2-512
  DH groups: 2, 5, and 14-24
  Lifetime: 3600 seconds
  Diffie-Hellman Perfect Forward Secrecy: Enabled
  Note: The default Phase 2 (IKEv2 Child SA) parameters in the downloaded configuration file are the minimum that a Site-to-Site VPN connection requires:
  - AWS Phase 2 parameters: AES128, SHA1, Diffie-Hellman group 2.
  - AWS GovCloud (US) Phase 2 parameters: AES128, SHA2, Diffie-Hellman group 14.
- Verify that Diffie-Hellman Perfect Forward Secrecy (PFS) is turned on and that one of the supported Diffie-Hellman groups is used for Phase 2 key generation. For more information, see the Use Diffie-Hellman Perfect Forward Secrecy section.
- Verify that there is no security association or traffic selector mismatch between AWS and the customer gateway device.
- Verify that the configured Site-to-Site VPN connection options, including the local and remote IPv4 network CIDRs, match the security association (traffic selectors) specified on the customer gateway device. For more information, see How do I troubleshoot connection problems between an AWS VPN endpoint and a policy-based VPN?
- Verify that traffic is initiated from your side towards AWS. By default a Site-to-Site VPN tunnel works in responder mode, so the customer gateway device must initiate the IKE negotiation, for example by sending interesting traffic or by being configured to initiate. You can change this behaviour, and adjust the IKE negotiation, DPD and other tunnel timeout settings, in the tunnel options. For more information, see Site-to-Site VPN tunnel initiation options.
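The checks in the steps above can be scripted. The following is an added example, not AWS code: a Python check that compares a customer gateway's Phase 2 proposal, lifetime, PFS group and traffic selectors with the AWS-supported values listed above. It assumes the proposal is written in strongSwan's `esp=` syntax (for example `aes128-sha1-modp1024`), uses a hypothetical keyword-to-DH-group table, and all sample inputs are constructed.

```python
"""Check a customer gateway's IPsec Phase 2 (IKEv2 Child SA) settings against
the Phase 2 values AWS Site-to-Site VPN supports (as listed in the article).

Added example, not AWS code. Proposal strings use strongSwan's "esp=" syntax
(e.g. "aes128-sha1-modp1024"); the sample inputs below are constructed.
"""

import ipaddress

# Phase 2 values AWS accepts (from the article), in strongSwan's spelling:
# AES-128 -> aes128, SHA2-256 -> sha256, AES128-GCM-16 -> aes128gcm16.
AWS_ENCRYPTION = {"aes128", "aes256", "aes128gcm16", "aes256gcm16"}
AWS_INTEGRITY = {"sha1", "sha256", "sha384", "sha512"}
AWS_DH_GROUPS = {2, 5} | set(range(14, 25))
AWS_PHASE2_LIFETIME = 3600  # seconds

# strongSwan DH keywords -> IANA group numbers, for the groups AWS accepts.
# (Assumed mapping for this example; check your device's own naming.)
DH_KEYWORD_TO_GROUP = {
    "modp1024": 2, "modp1536": 5, "modp2048": 14, "modp3072": 15,
    "modp4096": 16, "modp6144": 17, "modp8192": 18, "ecp256": 19,
    "ecp384": 20, "ecp521": 21, "modp1024s160": 22, "modp2048s224": 23,
    "modp2048s256": 24,
}


def parse_esp_proposal(proposal):
    """Split one esp proposal into (encryption, integrity, dh_keyword).

    AES-GCM is an AEAD, so strongSwan writes it without an integrity token
    ("aes128gcm16-modp2048"); a missing DH token means PFS is off.
    """
    tokens = proposal.strip().lower().split("-")
    enc, integ, dh = tokens[0], None, None
    for tok in tokens[1:]:
        if tok.startswith(("modp", "ecp")):
            dh = tok
        else:
            integ = tok
    return enc, integ, dh


def check_phase2(proposal, lifetime, cgw_local_ts, cgw_remote_ts,
                 aws_local_cidr="0.0.0.0/0", aws_remote_cidr="0.0.0.0/0"):
    """Return a list of mismatches; an empty list means the proposal, PFS,
    lifetime and traffic selectors all line up with what AWS expects.

    cgw_local_ts / cgw_remote_ts: the subnets the customer gateway proposes.
    aws_local_cidr / aws_remote_cidr: the tunnel's "local IPv4 network CIDR"
    (on-premises side) and "remote IPv4 network CIDR" (AWS side) options,
    which default to 0.0.0.0/0.
    """
    problems = []
    enc, integ, dh = parse_esp_proposal(proposal)

    if enc not in AWS_ENCRYPTION:
        problems.append(f"encryption {enc!r} is not an AWS Phase 2 cipher")
    if not enc.endswith("gcm16"):  # GCM carries its own integrity
        if integ is None:
            problems.append("no integrity algorithm in the proposal")
        elif integ not in AWS_INTEGRITY:
            problems.append(f"integrity {integ!r} is not an AWS Phase 2 hash")

    if dh is None:
        problems.append("no DH group in the ESP proposal: PFS is disabled, AWS requires it")
    elif DH_KEYWORD_TO_GROUP.get(dh) not in AWS_DH_GROUPS:
        problems.append(f"DH group {dh!r} is not one of AWS groups 2, 5, 14-24")

    if lifetime != AWS_PHASE2_LIFETIME:
        problems.append(f"Phase 2 lifetime {lifetime}s differs from AWS's {AWS_PHASE2_LIFETIME}s")

    # Traffic selectors: what the customer gateway proposes must fall inside
    # the networks the AWS tunnel options allow, or the Child SA is rejected.
    for name, ts, allowed in (("local", cgw_local_ts, aws_local_cidr),
                              ("remote", cgw_remote_ts, aws_remote_cidr)):
        ts_net = ipaddress.ip_network(ts, strict=False)
        allowed_net = ipaddress.ip_network(allowed, strict=False)
        if not ts_net.subnet_of(allowed_net):
            problems.append(f"{name} traffic selector {ts} is outside the "
                            f"AWS {name} network CIDR {allowed}")
    return problems


if __name__ == "__main__":
    # Constructed inputs: the AWS default config-file values pass; a legacy
    # proposal (3DES, no PFS, 8 h lifetime) with a mis-scoped selector fails.
    print(check_phase2("aes128-sha1-modp1024", 3600, "192.168.1.0/24", "10.0.0.0/16"))
    for p in check_phase2("3des-sha1", 28800, "192.168.1.0/24", "10.0.0.0/16",
                          aws_local_cidr="192.168.0.0/24"):
        print("-", p)
```

Run it against the `esp=`, `lifetime=`, `leftsubnet=` and `rightsubnet=` values from your device's configuration; every line it prints is one of the mismatches the steps above tell you to look for.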
If the issue persists, try the following:
Turn on Site-to-Site VPN logs.
Examine the IPsec debug logs to learn the cause of the failure and troubleshooting steps.