Why is IKE (phase 1 of my VPN tunnel) failing in Amazon VPC?
Last updated: 2019-06-18
When creating a virtual private network (VPN) in Amazon Virtual Private Cloud (Amazon VPC), the Internet Key Exchange (IKE) phase of my configuration fails. Why is phase 1 of my VPN tunnel failing in Amazon VPC?
Check the following VPN settings and verify that you:
- Met all customer gateway requirements.
- Used the appropriate IKE version.
- Set the IKE (phase 1) lifetime to 28800 seconds (480 minutes or 8 hours).
- Configured the customer gateway device with the correct pre-shared key (PSK).
- Can ping your AWS VPN endpoints from your customer gateway.
If the customer gateway device endpoint is behind a network address translation (NAT) device, be sure that:
- IKE traffic leaving your on-premises network is sourced from your configured customer gateway IP address on UDP port 500. To test this setting, disable NAT traversal on your customer gateway device.
- UDP packets on port 500 (and port 4500, if you're using NAT traversal) are allowed to pass between your network and AWS VPN endpoints.
- Your internet service provider (ISP) isn't blocking UDP ports 500 and 4500.
Note: Some AWS VPN features, including NAT traversal, aren't available for AWS Classic VPNs. Check your VPN type and migrate an AWS Classic VPN to an AWS managed VPN, if applicable. During a VPN migration, you might need to recreate your VPC's virtual private gateway. If your customer gateway isn't behind a port address translation (PAT) device, it's a best practice to disable NAT traversal.
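As an added example (not part of the AWS article), the following Python script decodes the IKE header from UDP datagrams captured on the internet-facing side of the on-premises network and applies two of the checks above: which IKE version and exchange the customer gateway device is actually sending, and whether phase 1 traffic leaves from the configured customer gateway IP on UDP port 500 (or on 4500 with the RFC 3948 non-ESP marker when NAT traversal is in use). The header layout follows RFC 2408/7296; the datagrams, addresses and SPIs are constructed for the example, and how the capture is obtained (for example with tcpdump on the firewall) is left to the reader.

```python
import struct

# Fixed IKE/ISAKMP header (RFC 2408 s.3.1, RFC 7296 s.3.1): 28 bytes.
ISAKMP_HEADER = struct.Struct("!8s8sBBBBII")
# RFC 3948: IKE sent on UDP 4500 is prefixed with four zero bytes (the
# "non-ESP marker") so it can be told apart from UDP-encapsulated ESP.
NON_ESP_MARKER = b"\x00\x00\x00\x00"

EXCHANGE_TYPES = {
    2: "IKEv1 Identity Protection (Main Mode)",
    4: "IKEv1 Aggressive Mode",
    5: "IKEv1 Informational",
    32: "IKEv1 Quick Mode",
    34: "IKEv2 IKE_SA_INIT",
    35: "IKEv2 IKE_AUTH",
    36: "IKEv2 CREATE_CHILD_SA",
    37: "IKEv2 INFORMATIONAL",
}
# Exchanges that set up the IKE SA, i.e. "phase 1" in IKEv1 terms.
PHASE1_EXCHANGES = {2, 4, 34, 35}

def parse_ike_header(payload, udp_dst_port):
    """Decode the IKE header of one UDP payload sent to port 500 or 4500.

    Returns a dict, or None if the payload is not a well-formed IKE message
    for that port (for example UDP-encapsulated ESP on 4500).
    """
    data, nat_t = payload, False
    if udp_dst_port == 4500:
        if not data.startswith(NON_ESP_MARKER):
            return None            # no marker: ESP-in-UDP, not IKE
        data, nat_t = data[len(NON_ESP_MARKER):], True
    elif udp_dst_port != 500:
        return None
    if len(data) < ISAKMP_HEADER.size:
        return None
    (i_spi, r_spi, _next, version, exchange,
     flags, msg_id, length) = ISAKMP_HEADER.unpack_from(data)
    if length != len(data):
        return None                # length field must cover the whole message
    return {
        "version": f"{version >> 4}.{version & 0x0F}",
        "exchange": exchange,
        "exchange_name": EXCHANGE_TYPES.get(exchange, f"unknown ({exchange})"),
        "initiator_spi": i_spi.hex(),
        "responder_spi": r_spi.hex(),
        "from_initiator": bool(flags & 0x08),   # IKEv2 Initiator flag
        "is_response": bool(flags & 0x20),      # IKEv2 Response flag
        "message_id": msg_id,
        "nat_t": nat_t,
    }

def check_phase1_sources(datagrams, customer_gateway_ip):
    """Apply the article's source-address rule to captured phase 1 traffic.

    datagrams: iterable of (src_ip, src_port, dst_port, payload) as seen on
    the internet-facing side of the on-premises network. Returns a list of
    findings; an empty list means every phase 1 packet looked right.
    """
    findings = []
    for src_ip, src_port, dst_port, payload in datagrams:
        hdr = parse_ike_header(payload, dst_port)
        if hdr is None or hdr["exchange"] not in PHASE1_EXCHANGES:
            continue
        if hdr["version"].startswith("2") and hdr["is_response"]:
            continue               # IKEv2 responses come from AWS, not checked
        what = f"{hdr['exchange_name']} (initiator SPI {hdr['initiator_spi']})"
        if src_ip != customer_gateway_ip:
            findings.append(f"{what} left from {src_ip}, not the configured "
                            f"customer gateway IP {customer_gateway_ip}")
        if not hdr["nat_t"] and src_port != 500:
            findings.append(f"{what} left from UDP source port {src_port}, "
                            f"expected 500 (no NAT-T marker on this packet)")
    return findings

def build_ike_packet(exchange, major=2, minor=0, flags=0x08, nat_t=False):
    """Construct a header-only IKE message for the sample capture below."""
    hdr = ISAKMP_HEADER.pack(b"\x11" * 8, b"\x00" * 8, 0,
                             (major << 4) | minor, exchange, flags, 0,
                             ISAKMP_HEADER.size)
    return (NON_ESP_MARKER if nat_t else b"") + hdr

# Constructed sample capture (not real AWS traffic). 203.0.113.10 is the
# customer gateway address configured in AWS; 198.51.100.7 stands in for a
# NAT device that rewrites the source address.
CUSTOMER_GATEWAY_IP = "203.0.113.10"
SAMPLE_DATAGRAMS = [
    # healthy IKEv2 IKE_SA_INIT from the customer gateway, 500 -> 500
    (CUSTOMER_GATEWAY_IP, 500, 500, build_ike_packet(34)),
    # same exchange, but it leaves the network from the NAT's address
    ("198.51.100.7", 500, 500, build_ike_packet(34)),
    # IKEv1 Main Mode from an ephemeral source port with NAT-T disabled
    (CUSTOMER_GATEWAY_IP, 41000, 500, build_ike_packet(2, major=1, flags=0)),
    # NAT-T IKE_AUTH on 4500 with the non-ESP marker: parsed, no finding
    (CUSTOMER_GATEWAY_IP, 4500, 4500, build_ike_packet(35, nat_t=True)),
    # UDP-encapsulated ESP on 4500 (no marker): not IKE, ignored
    (CUSTOMER_GATEWAY_IP, 4500, 4500, b"\x12\x34\x56\x78" + b"\x00" * 40),
]

if __name__ == "__main__":
    for finding in check_phase1_sources(SAMPLE_DATAGRAMS, CUSTOMER_GATEWAY_IP):
        print("FINDING:", finding)
```

Run against the constructed capture, the script reports two findings: the IKE_SA_INIT that left from the NAT's address rather than the customer gateway IP, and the IKEv1 Main Mode packet sent from an ephemeral port instead of UDP 500. The ESP-in-UDP datagram on 4500 is skipped because it lacks the non-ESP marker, which is also the quickest way to confirm whether NAT traversal is actually in use on the wire.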