I established a VPN connection between my customer gateway and a virtual private gateway, but traffic isn't passing through it. How do I troubleshoot this issue?
To troubleshoot this issue, confirm that your Amazon VPC, virtual private gateway, and customer gateway are configured correctly.
Review the configuration of your Amazon VPC and virtual private gateway
- Verify that the virtual private gateway associated with the VPN connection is attached to your Amazon VPC.
- Confirm that the on-premises and VPC private networks do not overlap, because overlapping subnets cause routing issues over the VPN tunnel.
- For static route-based VPN connections, verify that you have configured routes for your on-premises private networks by checking the Static Routes tab of your VPN Connection.
- For BGP-based VPN connections, verify that the BGP session is established and that the virtual private gateway is receiving BGP routes from your customer gateway by checking the Tunnel Details tab of your VPN Connection.
- Configure your VPC route table to include the routes to your on-premises private networks and direct them to your virtual private gateway, so that instances in your Amazon VPC can reach your on-premises networks. You can manually add these routes to the VPC route table, or you can use route propagation to automatically propagate these routes.
- Confirm that the VPC security groups and access control lists (ACLs) are configured to allow necessary traffic (ICMP, RDP, SSH, etc.) to and from your on-premises subnets for both inbound and outbound traffic.
- Perform packet captures on multiple Amazon Elastic Compute Cloud (Amazon EC2) instances in different Availability Zones to confirm that traffic from the on-premises host is reaching your Amazon VPC.
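The VPC-side checks in the preceding list, expressed as an added script (not AWS code) that runs over constructed JSON shaped like the `describe-vpn-connections`, `describe-vpn-gateways` and `describe-route-tables` CLI output; the field names are assumed to follow the EC2 API and the IDs, addresses and CIDRs are made up, with the second on-premises prefix deliberately overlapping the VPC:

```python
import ipaddress

# Constructed sample data shaped like `aws ec2 describe-vpn-connections`,
# `describe-vpn-gateways` and `describe-route-tables` output (IDs and
# addresses are made up; the second on-premises CIDR overlaps the VPC).
VPC_CIDR = "10.0.0.0/16"
ONPREM_CIDRS = ["192.168.10.0/24", "10.0.5.0/24"]
VPN = {"VpnConnectionId": "vpn-0example", "VpnGatewayId": "vgw-0example",
       "Options": {"StaticRoutesOnly": True},
       "Routes": [{"DestinationCidrBlock": "192.168.10.0/24", "State": "available"}],
       "VgwTelemetry": [{"OutsideIpAddress": "203.0.113.10", "Status": "UP", "AcceptedRouteCount": 0},
                        {"OutsideIpAddress": "203.0.113.11", "Status": "DOWN", "AcceptedRouteCount": 0}]}
VGW = {"VpnGatewayId": "vgw-0example",
       "VpcAttachments": [{"VpcId": "vpc-0example", "State": "attached"}]}
RTB = {"VpcId": "vpc-0example", "PropagatingVgws": [],
       "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]}

def check_vpn(vpn, vgw, rtb, vpc_cidr, onprem_cidrs):
    """Run the VPC-side checks and return a list of findings (empty = all passed)."""
    findings = []
    vgw_id = vpn["VpnGatewayId"]
    # The virtual private gateway must be attached to the VPC that owns the route table.
    if not any(a["VpcId"] == rtb["VpcId"] and a["State"] == "attached"
               for a in vgw["VpcAttachments"]):
        findings.append(f"{vgw_id} is not attached to {rtb['VpcId']}")
    # Overlapping on-premises and VPC address space breaks routing over the tunnel.
    vpc_net = ipaddress.ip_network(vpc_cidr)
    for cidr in onprem_cidrs:
        if ipaddress.ip_network(cidr).overlaps(vpc_net):
            findings.append(f"on-premises {cidr} overlaps VPC {vpc_cidr}")
    # Static VPN: each on-premises prefix needs a static route; BGP VPN: routes must be accepted.
    if vpn["Options"]["StaticRoutesOnly"]:
        static = {r["DestinationCidrBlock"] for r in vpn["Routes"] if r["State"] == "available"}
        findings += [f"no static route for {c} on {vpn['VpnConnectionId']}"
                     for c in onprem_cidrs if c not in static]
    elif not any(t["AcceptedRouteCount"] > 0 for t in vpn["VgwTelemetry"]):
        findings.append("no BGP routes accepted on any tunnel")
    # Tunnel telemetry: a tunnel that is not UP carries no traffic.
    findings += [f"tunnel {t['OutsideIpAddress']} is {t['Status']}"
                 for t in vpn["VgwTelemetry"] if t["Status"] != "UP"]
    # VPC route table: an explicit route to the VGW, or propagation from it, per prefix.
    propagating = any(p["GatewayId"] == vgw_id for p in rtb["PropagatingVgws"])
    for cidr in onprem_cidrs:
        explicit = any(r["DestinationCidrBlock"] == cidr and r["GatewayId"] == vgw_id
                       for r in rtb["Routes"])
        if not (explicit or propagating):
            findings.append(f"route table lacks a route to {cidr} via {vgw_id}")
    return findings
```

Feed the function the real CLI output (for example via `aws ec2 describe-vpn-connections --output json`) to get the same findings for a live connection.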
Review your customer gateway
- Confirm that the IPsec configuration on your VPN device satisfies the requirements for your customer gateway.
- Verify that the packets from your customer gateway are being encrypted and sent over the VPN tunnel.
- If you are using policy-based routing, verify that you have correctly defined the source and destination networks in your encryption domain. If your VPN tunnels are route-based, confirm that you have correctly configured routes to your VPC CIDR.
Note: AWS supports only one pair of Phase 2 Security Associations (SAs) per VPN tunnel.
- Confirm that the traffic sent across the tunnel is not being translated to the customer gateway IP address of the VPN connection. If you have a specific requirement to NAT your VPN traffic, configure it using a different IP address than the customer gateway IP address.
- If your customer gateway is not behind a PAT device, we recommend disabling NAT-Traversal.
- Confirm that there are no firewall policies or ACLs interfering with inbound or outbound IPsec traffic.
- Perform a packet capture for ESP traffic on the WAN interface of your customer gateway device to confirm it is sending and receiving encrypted packets.