Why is IKE (phase 1 of my VPN tunnel) failing in Amazon VPC?

Last updated: 2019-06-18

When creating a virtual private network (VPN) in Amazon Virtual Private Cloud (Amazon VPC), the Internet Key Exchange (IKE) phase of my configuration fails. Why is phase 1 of my VPN tunnel failing in Amazon VPC?


Check the following VPN settings and verify that you:

If the customer gateway device endpoint is behind a network address translation (NAT) device, be sure that:

  • IKE traffic leaving your on-premises network is sourced from your configured customer gateway IP address on UDP port 500. To test this setting, disable NAT traversal on your customer gateway device.
  • UDP packets on port 500 (and port 4500, if you're using NAT traversal) are allowed to pass between your network and AWS VPN endpoints.
  • Your internet service provider (ISP) isn't blocking UDP ports 500 and 4500.

Note: Some AWS VPN features, including NAT traversal, aren't available for AWS Classic VPNs. Check your VPN type and migrate an AWS Classic VPN to an AWS managed VPN, if applicable. During a VPN migration, you might need to recreate your VPC's virtual private gateway. If your customer gateway isn't behind a port address translation (PAT) device, it's a best practice to disable NAT traversal.
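One way to verify the source address, source port and reply checks above from a packet capture, as an added example (not AWS code): the script reads `tcpdump -n` text lines, assumed to be captured on the internet-facing side of the NAT device. The IP addresses and sample lines are constructed, and `check_ike_capture` is a hypothetical helper name.

```python
import re

# Address part of a `tcpdump -n` text line: "IP src.sport > dst.dport:"
PKT = re.compile(r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+):")
IKE_PORTS = {500, 4500}  # IKE, and IKE over NAT traversal

def check_ike_capture(lines, cgw_ip, aws_ip):
    """Return {code: message} findings for IKE traffic from cgw_ip to aws_ip."""
    sent = replies = 0
    findings = {}
    for line in lines:
        m = PKT.search(line)
        if not m:
            continue
        src, sport, dst, dport = m[1], int(m[2]), m[3], int(m[4])
        if dst == aws_ip and dport in IKE_PORTS:
            sent += 1
            if src != cgw_ip:
                findings["SRC_IP"] = f"sourced from {src}, not customer gateway IP {cgw_ip}"
            if dport == 500 and sport != 500:
                findings["SRC_PORT"] = f"source port {sport} instead of UDP 500"
            if dport == 4500:
                findings["NAT_T"] = "NAT traversal (UDP 4500) is in use"
        elif src == aws_ip and sport in IKE_PORTS:
            replies += 1
    if sent == 0:
        findings["NO_IKE"] = "no IKE packets sent toward the AWS VPN endpoint"
    elif replies == 0:
        findings["NO_REPLY"] = "no replies seen: check that UDP 500/4500 is allowed"
    return findings

# Constructed sample captures (documentation address ranges, not real endpoints).
CGW_IP, AWS_IP = "203.0.113.10", "198.51.100.20"
HEALTHY = [
    "10:00:00.000001 IP 203.0.113.10.500 > 198.51.100.20.500: isakmp: phase 1 I ident",
    "10:00:00.050000 IP 198.51.100.20.500 > 203.0.113.10.500: isakmp: phase 1 R ident",
]
TRANSLATED = [
    "10:05:00.000001 IP 203.0.113.77.31044 > 198.51.100.20.500: isakmp: phase 1 I ident",
    "10:05:10.000001 IP 203.0.113.77.31044 > 198.51.100.20.500: isakmp: phase 1 I ident",
]

if __name__ == "__main__":
    for name, capture in (("healthy", HEALTHY), ("translated", TRANSLATED)):
        result = check_ike_capture(capture, CGW_IP, AWS_IP)
        print(name, "->", result or "IKE packets look correct")
```

An empty result means the IKE packets leave from the configured customer gateway IP on UDP port 500 and the AWS endpoint answers; `SRC_IP` or `SRC_PORT` points at address or port translation on the path.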

Troubleshooting (device-specific instructions for customer gateways)

AWS Managed VPN Connections

Your Customer Gateway
