Why is IKE (phase 1 of my VPN tunnel) failing in Amazon VPC?
Last updated: 2022-11-03
When I create a virtual private network (VPN) connection in Amazon Virtual Private Cloud (Amazon VPC), the Internet Key Exchange (IKE) phase 1 negotiation of my configuration fails. Why is phase 1 of my VPN tunnel failing in Amazon VPC?
Check the AWS Virtual Private Network (AWS VPN) configuration to confirm the following:
- Meets all customer gateway requirements.
- Uses the appropriate IKE version for your use case (AWS supports both IKEv1 and IKEv2).
- Uses the appropriate lifetime in seconds for IKE (phase 1) for your IKE version. To configure tunnel options based on your requirements, see Tunnel options for your Site-to-Site VPN connection.
- Has a customer gateway device that's configured with the correct pre-shared key (PSK) or valid certificates.
- Can successfully ping the AWS VPN endpoints from your customer gateway.
If acceleration is turned on for an AWS Site-to-Site VPN connection, then be sure that NAT-traversal is turned on for the customer gateway device.
If the customer gateway device is behind a network address translation (NAT) device, then make sure of the following:
- UDP packets on port 500 (and port 4500, if NAT-traversal is used) are allowed to pass between your network and the AWS VPN endpoints.
- The intermediate internet service providers (ISPs) aren't blocking UDP port 500 (or port 4500, if NAT-traversal is used).
Note: It's a best practice to turn off NAT-traversal if your customer gateway isn't behind a port address translation (PAT) device.
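The checklist above can be turned into a pre-flight script that flags which phase 1 prerequisite is unmet before you open a support case. The following is an added example, not AWS code or part of this article: the `Phase1Config` shape, the 900 to 28800 second bounds for the phase 1 lifetime, and the field names are assumptions; in practice you would fill the fields from your customer gateway device configuration and the tunnel options returned by the AWS API, and the `endpoints_reachable` flag from an actual ping test.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumed bounds for the IKE phase 1 lifetime in seconds; confirm them against
# the current tunnel-options documentation for your IKE version.
PHASE1_LIFETIME_MIN = 900
PHASE1_LIFETIME_MAX = 28800
SUPPORTED_IKE_VERSIONS = ("ikev1", "ikev2")
IKE_PORT = 500      # UDP port for IKE / ISAKMP
NAT_T_PORT = 4500   # UDP port used when NAT-traversal is in use


@dataclass
class Phase1Config:
    """Hypothetical shape describing both sides of the phase 1 setup."""
    ike_version: str                        # "ikev1" or "ikev2"
    phase1_lifetime_seconds: int
    cgw_pre_shared_key: Optional[str]       # PSK configured on the customer gateway device
    aws_pre_shared_key: Optional[str]       # PSK from the AWS tunnel options
    certificate_configured: bool = False    # certificate-based auth instead of a PSK
    behind_nat: bool = False                # customer gateway sits behind a NAT/PAT device
    nat_traversal_enabled: bool = False
    acceleration_enabled: bool = False      # AWS Site-to-Site VPN acceleration
    allowed_udp_ports: frozenset = frozenset()  # UDP ports firewalls/ISPs let through to AWS endpoints
    endpoints_reachable: bool = True        # result of pinging the AWS VPN endpoints


def check_phase1(cfg: Phase1Config) -> List[str]:
    """Return the list of unmet prerequisites; an empty list means all checks passed."""
    findings: List[str] = []

    if cfg.ike_version.lower() not in SUPPORTED_IKE_VERSIONS:
        findings.append(f"unsupported IKE version {cfg.ike_version!r}; AWS supports IKEv1 and IKEv2")

    if not PHASE1_LIFETIME_MIN <= cfg.phase1_lifetime_seconds <= PHASE1_LIFETIME_MAX:
        findings.append(
            f"phase 1 lifetime {cfg.phase1_lifetime_seconds}s is outside "
            f"{PHASE1_LIFETIME_MIN}-{PHASE1_LIFETIME_MAX}s"
        )

    # Authentication: either a matching PSK on both sides or certificates.
    if cfg.certificate_configured:
        pass  # certificate validity is verified out of band
    elif not cfg.cgw_pre_shared_key or not cfg.aws_pre_shared_key:
        findings.append("no PSK configured and no certificate configured")
    elif cfg.cgw_pre_shared_key != cfg.aws_pre_shared_key:
        findings.append("PSK on the customer gateway does not match the AWS tunnel PSK")

    if not cfg.endpoints_reachable:
        findings.append("AWS VPN endpoints are not reachable from the customer gateway")

    if cfg.acceleration_enabled and not cfg.nat_traversal_enabled:
        findings.append("acceleration is on but NAT-traversal is off on the customer gateway")

    # Reachability of the IKE ports between the network and the AWS VPN endpoints.
    if IKE_PORT not in cfg.allowed_udp_ports:
        findings.append(f"UDP {IKE_PORT} is blocked between the network and the AWS VPN endpoints")
    if cfg.behind_nat and not cfg.nat_traversal_enabled:
        findings.append("customer gateway is behind NAT but NAT-traversal is off")
    if (cfg.behind_nat or cfg.nat_traversal_enabled) and NAT_T_PORT not in cfg.allowed_udp_ports:
        findings.append(f"UDP {NAT_T_PORT} is blocked but NAT-traversal is in use")

    # Best practice from the note above: no NAT-traversal when not behind PAT.
    if cfg.nat_traversal_enabled and not cfg.behind_nat and not cfg.acceleration_enabled:
        findings.append("advisory: NAT-traversal is on although the gateway is not behind a PAT device")

    return findings


if __name__ == "__main__":
    # Constructed sample: gateway behind NAT with a mismatched PSK and an oversized lifetime.
    sample = Phase1Config(
        ike_version="ikev1", phase1_lifetime_seconds=86400,
        cgw_pre_shared_key="example-psk-1", aws_pre_shared_key="example-psk-2",
        behind_nat=True, nat_traversal_enabled=False,
        allowed_udp_ports=frozenset({500}),
    )
    for finding in check_phase1(sample):
        print("-", finding)
```

Run it against the values from each tunnel separately, since the two tunnels of a Site-to-Site VPN connection carry their own PSK and tunnel options.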