Why is IKEv2 VPN tunnel negotiation failing with AWS VPN?

Last updated: 2019-09-11

When configuring AWS Site-to-Site VPN, the IKEv2 tunnel negotiation fails. Why is the IKE exchange of my VPN tunnel failing?

Resolution

If the IKE exchange of your VPN tunnel is failing, check the following settings.

Note: The VPN category must be set to AWS VPN. IKEv2 isn't supported on AWS Classic VPN connections. Make any necessary changes to be sure that your configuration meets the requirements.

Customer gateway settings

  • Establish an IKE security association using pre-shared keys or digital certificates.
  • Establish IPsec security associations in Tunnel mode.
  • Enable IKEv2 dead peer detection.
  • Bind the tunnel to a logical interface (only for route-based VPNs—not applicable for policy-based VPNs).
  • Fragment IP packets before encryption.
  • Establish Border Gateway Protocol (BGP) peering (optional).
  • Allow ISAKMP (UDP port 500) and Encapsulating Security Payload (IP protocol 50) traffic to route between your network and VPN endpoints. If you're using Network Address Translation Traversal (NAT-T), also be sure to allow UDP port 4500.
  • Ping your AWS VPN endpoints.
  • Use the correct pre-shared key or digital certificate.

IKE profile settings

  • Set the lifetime to match the value configured on the AWS side: between 900 and 28,800 seconds (28,800 is the default).
  • Set the encryption algorithm to either AES-128 or AES-256.
  • Set the hashing algorithm to either SHA-1 or SHA-2(256).
  • Set the Pseudo Random Function (PRF) to the same algorithm as the hashing algorithm.
  • Enable one of the following Diffie-Hellman groups: 2, 14-18, 22, 23, or 24.

IPsec profile settings

  • Set the lifetime to match the value configured on the AWS side: between 900 and 3,600 seconds (3,600 is the default), and shorter than the phase 1 (IKE) lifetime.
  • Set the encryption algorithm to either AES-128 or AES-256.
  • Set the hashing algorithm to either SHA-1 or SHA-2(256).
  • Enable perfect forward secrecy (PFS) using one of the following Diffie-Hellman groups: 2, 5, 14-18, 22, 23, or 24.
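The two profile lists above are easy to get subtly wrong on the customer gateway side (a vendor default IKE lifetime of 86,400 seconds, a PRF that does not match the hash, a phase 2 lifetime equal to phase 1). The following validator, added here as an example and not AWS code, encodes those lists as constraints and reports every mismatch in a proposed configuration. The dictionary key names (`lifetime`, `encryption`, `hash`, `prf`, `dh_group`, `pfs_group`) and the sample proposals are assumptions for illustration; map them to your own device's configuration output.

```python
"""Check a customer-gateway IKEv2/IPsec proposal against the AWS VPN
settings listed in the article. Added example; key names are assumed."""

# Constraints copied from the IKE profile and IPsec profile lists.
IKE_LIFETIME = (900, 28800)     # phase 1, seconds (AWS default 28800)
IPSEC_LIFETIME = (900, 3600)    # phase 2, seconds (AWS default 3600)
ENCRYPTION = {"aes128", "aes256"}
HASHING = {"sha1", "sha256"}
IKE_DH_GROUPS = {2, 14, 15, 16, 17, 18, 22, 23, 24}
PFS_DH_GROUPS = {2, 5, 14, 15, 16, 17, 18, 22, 23, 24}


def _norm(name: str) -> str:
    """Collapse vendor spellings ('AES-128', 'SHA-2(256)', 'sha_256')
    into the compact keys used in the sets above."""
    n = name.lower().replace("-", "").replace("_", "").replace(" ", "")
    return {"sha2(256)": "sha256", "sha2256": "sha256"}.get(n, n)


def check_ike_profile(p: dict) -> list[str]:
    """Phase 1 checks: lifetime range, cipher, hash, PRF == hash, DH group."""
    errors = []
    lo, hi = IKE_LIFETIME
    if not lo <= p.get("lifetime", -1) <= hi:
        errors.append(f"IKE lifetime {p.get('lifetime')} not within {lo}-{hi} s")
    if _norm(p.get("encryption", "")) not in ENCRYPTION:
        errors.append(f"IKE encryption {p.get('encryption')!r} must be AES-128 or AES-256")
    h = _norm(p.get("hash", ""))
    if h not in HASHING:
        errors.append(f"IKE hash {p.get('hash')!r} must be SHA-1 or SHA-2(256)")
    if _norm(p.get("prf", "")) != h:
        errors.append(f"IKE PRF {p.get('prf')!r} must equal the hash algorithm")
    if p.get("dh_group") not in IKE_DH_GROUPS:
        errors.append(f"IKE DH group {p.get('dh_group')} not in {sorted(IKE_DH_GROUPS)}")
    return errors


def check_ipsec_profile(p: dict, ike_lifetime: int) -> list[str]:
    """Phase 2 checks: lifetime range and < phase 1, cipher, hash, PFS group."""
    errors = []
    lo, hi = IPSEC_LIFETIME
    lt = p.get("lifetime", -1)
    if not lo <= lt <= hi:
        errors.append(f"IPsec lifetime {lt} not within {lo}-{hi} s")
    if lt >= ike_lifetime:
        errors.append(f"IPsec lifetime {lt} must be shorter than IKE lifetime {ike_lifetime}")
    if _norm(p.get("encryption", "")) not in ENCRYPTION:
        errors.append(f"IPsec encryption {p.get('encryption')!r} must be AES-128 or AES-256")
    if _norm(p.get("hash", "")) not in HASHING:
        errors.append(f"IPsec hash {p.get('hash')!r} must be SHA-1 or SHA-2(256)")
    if p.get("pfs_group") not in PFS_DH_GROUPS:
        errors.append(f"PFS DH group {p.get('pfs_group')} not in {sorted(PFS_DH_GROUPS)}")
    return errors


def check_proposal(ike: dict, ipsec: dict) -> list[str]:
    """Return all mismatches; an empty list means the proposal fits the lists."""
    return check_ike_profile(ike) + check_ipsec_profile(ipsec, ike.get("lifetime", 0))


# Constructed sample proposals (not from any real device).
GOOD_IKE = {"lifetime": 28800, "encryption": "AES-256", "hash": "SHA-2(256)",
            "prf": "SHA-256", "dh_group": 14}
GOOD_IPSEC = {"lifetime": 3600, "encryption": "AES-256", "hash": "SHA-256",
              "pfs_group": 14}
# Typical vendor defaults that AWS will reject.
BAD_IKE = {"lifetime": 86400, "encryption": "3DES", "hash": "MD5",
           "prf": "SHA-1", "dh_group": 1}
BAD_IPSEC = {"lifetime": 7200, "encryption": "AES-256", "hash": "SHA-1",
             "pfs_group": 1}

if __name__ == "__main__":
    for label, ike, ipsec in (("good", GOOD_IKE, GOOD_IPSEC), ("bad", BAD_IKE, BAD_IPSEC)):
        problems = check_proposal(ike, ipsec)
        print(f"{label}: {'OK' if not problems else ''}")
        for e in problems:
            print("  -", e)
```

Run it against the proposal your gateway actually sends (many devices log the offered transforms when IKE_SA_INIT or IKE_AUTH fails); each reported line maps back to one bullet above, which is usually faster than reading the negotiation trace by hand.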

For more information, see the Amazon Virtual Private Cloud Network Administrator Guide.

