Attempts to establish a virtual private network (VPN) connection with an Amazon Virtual Private Cloud (Amazon VPC) fail with the error "Rejecting IPSec tunnel: no matching crypto map entry for remote proxy local proxy"

This error message can occur after a VPN connection to an Amazon VPC has been successfully established. If a VPN tunnel is established to the VPC, this error message may be logged when the VPC attempts to establish a secondary tunnel, in which case the error message can be safely ignored.

On a customer gateway device (CGW), this error indicates that the local/remote proxy ID on the CGW does not match the proxy ID on the VPN gateway. This error can occur when initiating a VPN tunnel from a VPN gateway, which advertises a proxy ID of 0 for both local and remote connections.

This specific error message pertains to Cisco ASA devices; however, this issue applies to any CGW that uses a policy-based VPN or a route-based VPN with a non-default proxy ID.

To successfully establish a tunnel with a VPN gateway, ensure that network traffic is initiated from the local network behind the CGW toward the VPC, so that the CGW rather than the VPN gateway initiates the tunnel and proposes its own proxy IDs. Alternatively, configure route-based VPN connections with default proxy IDs if your device supports them.
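The following model, added here and not part of the AWS article or any vendor's code, shows why the three situations above behave differently: a responder only accepts a proposed proxy-ID pair that fits one of its crypto map entries, and the 0.0.0.0/0 pair a VPN gateway proposes can only fit a default (0.0.0.0/0) entry. The networks, entry names and the simplified matching rule are assumptions for illustration.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
# A crypto map entry as (name, local network, remote network); this is a
# constructed model of the proxy-ID check, not a vendor's implementation.
Entry = Tuple[str, Net, Net]

DEFAULT_PROXY = Net("0.0.0.0/0")  # the default proxy ID a VPN gateway advertises


def find_matching_entry(crypto_map: List[Entry], peer_local: Net,
                        peer_remote: Net) -> Optional[str]:
    """Simplified responder rule: the initiator's local proxy must fall inside
    our remote network and its remote proxy inside our local network."""
    for name, local, remote in crypto_map:
        if peer_local.subnet_of(remote) and peer_remote.subnet_of(local):
            return name
    return None  # the "no matching crypto map entry" case


def initiate(initiator_map: List[Entry], responder_map: List[Entry]) -> Optional[str]:
    """The initiator proposes the proxy IDs of its first entry; return the
    responder entry that accepts them, or None if the tunnel is rejected."""
    _, init_local, init_remote = initiator_map[0]
    return find_matching_entry(responder_map, init_local, init_remote)


# Constructed addressing: on-premises 10.0.0.0/16, VPC CIDR 172.31.0.0/16.
VGW_MAP: List[Entry] = [("vgw-any", DEFAULT_PROXY, DEFAULT_PROXY)]
CGW_POLICY_MAP: List[Entry] = [("to-vpc", Net("10.0.0.0/16"), Net("172.31.0.0/16"))]
CGW_ROUTE_MAP: List[Entry] = [("vti-any", DEFAULT_PROXY, DEFAULT_PROXY)]


def scenarios() -> Dict[str, Optional[str]]:
    return {
        # VPN gateway brings up a tunnel to a policy-based CGW: 0/0 never fits a specific ACL.
        "vgw_initiates_policy_cgw": initiate(VGW_MAP, CGW_POLICY_MAP),
        # Traffic from the on-premises network makes the CGW initiate; the VGW accepts it.
        "cgw_initiates": initiate(CGW_POLICY_MAP, VGW_MAP),
        # Route-based CGW with default proxy IDs accepts the VGW-initiated tunnel.
        "vgw_initiates_route_cgw": initiate(VGW_MAP, CGW_ROUTE_MAP),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {'matched ' + result if result else 'rejected, no matching entry'}")
```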

