Why is IKE (phase 1 of my VPN tunnel) failing in Amazon VPC?

Last updated: 2022-11-03

When creating a virtual private network (VPN) in Amazon Virtual Private Cloud (Amazon VPC), the Internet Key Exchange (IKE) phase of my configuration fails. Why is phase 1 of my VPN tunnel failing in Amazon VPC?

Resolution

Check the AWS Virtual Private Network (AWS VPN) configuration to confirm the following:

If acceleration is turned on for an AWS Site-to-Site VPN connection, then be sure that NAT-Traversal is turned on for the customer gateway device.

If the customer gateway device is behind a network address translation (NAT) device, then make sure of the following:

  • UDP packets on port 500 (and port 4500, if NAT-traversal is used) are allowed to pass between your network and the AWS VPN endpoints.
  • The intermediate internet service providers (ISPs) aren't blocking UDP port 500 (or port 4500, if NAT-Traversal is used).

Note: It's a best practice to turn off NAT-traversal if your customer gateway isn't behind a port address translation (PAT) device.


Did this article help?


Do you need billing or technical support?