How do I troubleshoot IKEv2 tunnel stability issues during a rekey?

Last updated: 2021-01-26

I created an AWS Virtual Private Network (AWS VPN) connection using IKEv2. The VPN tunnels were up and working, but they went down during a rekey and aren't coming back up. How do I troubleshoot this?

Resolution

To troubleshoot IKEv2 tunnel stability issues during a rekey:

  • Confirm that Perfect Forward Secrecy (PFS) is enabled on the customer gateway for the Phase 2 configuration.
  • Confirm that you're using the same Diffie-Hellman (DH) group for Phase 1 and Phase 2.
    Note: If the customer gateway device doesn't initiate a rekey before the lifetime expires, then AWS initiates the rekey. In IKEv2, the VPN endpoint on the AWS side proposes the Key Exchange (KE) payload with the DH group from the previous Phase 1 negotiation. As a result, the customer gateway device might reject the rekey. If necessary, use Modify VPN Tunnel Options to restrict the tunnel options to your specific VPN parameters.
  • If your customer gateway is configured as a policy-based VPN, determine whether you must reconfigure your VPN connection to use specific traffic selectors. By default, AWS VPN endpoints are configured as route-based VPNs, and AWS initiates a child security association (SA) rekey using 0.0.0.0/0, 0.0.0.0/0 as the traffic selectors. Some customer gateway devices don't accept the Phase 2 rekey initiated by AWS, because the traffic selectors on the AWS VPN endpoint don't match the traffic selectors configured on the customer gateway device. In this case, you can configure your AWS VPN connection to use specific traffic selectors that match the customer gateway.

    To configure a new VPN connection to use specific traffic selectors:
      1. For Local IPv4 Network CIDR, specify the on-premises (customer side) CIDR range.
      2. For Remote IPv4 Network CIDR, specify the AWS side CIDR range.

    To configure an existing VPN connection to use specific traffic selectors:
      1. Select the AWS VPN connection where you must modify the traffic selectors on the AWS side.
      2. Choose Actions, then choose Modify VPN Connection Options from the dropdown.
      3. For Local IPv4 Network CIDR, specify the on-premises (customer side) CIDR range.
      4. For Remote IPv4 Network CIDR, specify the AWS side CIDR range.
      5. Choose Save.
    Note: The VPN connection is temporarily unavailable for a brief period while it is updated.

    Important: When you modify the VPN connection options, neither of the following changes:
      • VPN endpoint IP addresses on the AWS side
      • Tunnel options
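The two checks the steps above describe (matching DH groups across Phase 1 and Phase 2, and non-default traffic selectors for a policy-based customer gateway) can be automated against the connection description. The following is an added example, not code from the article or from AWS; it assumes the input is shaped like one entry from a boto3 describe_vpn_connections() response and that the returned dict is the keyword set for ec2.modify_vpn_connection_options(). The sample connection is constructed and no AWS call is made.

```python
"""Audit an AWS Site-to-Site VPN connection for IKEv2 rekey pitfalls (added example)."""
import ipaddress

ANY = "0.0.0.0/0"  # AWS default traffic selector (route-based behaviour)


def audit_rekey_config(conn: dict, cgw_policy_based: bool) -> list:
    """Return findings for one describe_vpn_connections() item; [] means none found."""
    findings = []
    opts = conn.get("Options", {})
    for t in opts.get("TunnelOptions", []):
        ip = t.get("OutsideIpAddress", "?")
        p1 = {g["Value"] for g in t.get("Phase1DHGroupNumbers", [])}
        p2 = {g["Value"] for g in t.get("Phase2DHGroupNumbers", [])}
        # An AWS-initiated IKEv2 rekey reuses the Phase 1 DH group in the KE payload,
        # so the Phase 2 proposal must accept the same group(s) or the rekey is rejected.
        if p1 != p2:
            findings.append(f"tunnel {ip}: Phase 1 DH groups {sorted(p1)} differ from "
                            f"Phase 2 {sorted(p2)}; restrict both via Modify VPN Tunnel Options")
    local = opts.get("LocalIpv4NetworkCidr", ANY)
    remote = opts.get("RemoteIpv4NetworkCidr", ANY)
    # Default 0.0.0.0/0 selectors do not match a policy-based customer gateway.
    if cgw_policy_based and (local == ANY or remote == ANY):
        findings.append(f"traffic selectors {local} <-> {remote} will not match a "
                        "policy-based customer gateway; set specific CIDRs")
    return findings


def build_traffic_selector_update(vpn_id: str, on_prem_cidr: str, aws_cidr: str) -> dict:
    """Build ModifyVpnConnectionOptions parameters; raises ValueError on a malformed CIDR."""
    # strict=True rejects prefixes with host bits set, e.g. 10.0.0.5/24
    local = ipaddress.IPv4Network(on_prem_cidr, strict=True)
    remote = ipaddress.IPv4Network(aws_cidr, strict=True)
    return {
        "VpnConnectionId": vpn_id,
        "LocalIpv4NetworkCidr": str(local),    # on-premises (customer) side
        "RemoteIpv4NetworkCidr": str(remote),  # AWS side
    }


# Constructed sample: tunnel 2 proposes an extra DH group only in Phase 2.
SAMPLE_CONN = {
    "VpnConnectionId": "vpn-0123456789abcdef0",  # placeholder id
    "Options": {
        "LocalIpv4NetworkCidr": ANY, "RemoteIpv4NetworkCidr": ANY,
        "TunnelOptions": [
            {"OutsideIpAddress": "203.0.113.10",
             "Phase1DHGroupNumbers": [{"Value": 14}], "Phase2DHGroupNumbers": [{"Value": 14}]},
            {"OutsideIpAddress": "203.0.113.11",
             "Phase1DHGroupNumbers": [{"Value": 14}],
             "Phase2DHGroupNumbers": [{"Value": 2}, {"Value": 14}]},
        ],
    },
}
```

Run audit_rekey_config(SAMPLE_CONN, cgw_policy_based=True) to list the findings, then pass the dict from build_traffic_selector_update() to modify_vpn_connection_options() to apply the selector change.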
