Bhavin walks you through troubleshooting phase 1 IKE issues

When I try to set up a virtual private network (VPN) in Amazon Virtual Private Cloud (Amazon VPC), the Internet Key Exchange (IKE) phase of my configuration fails.

Check the following settings for your VPN:

  • Verify that you’re meeting the customer gateway requirements.
  • Verify that you’re using IKEv1, not IKEv2. AWS supports only IKEv1.
  • Verify that the IKE (phase 1) lifetime is set to 28800 seconds (480 minutes or 8 hours).
  • Verify that the customer gateway device is configured with the correct pre-shared key (PSK). You downloaded the PSK from the VPC console during device creation.
  • Verify that you can ping your AWS VPN endpoints from your customer gateway.

If the customer gateway device endpoint is behind a network address translation (NAT) device, check the following settings:

  • Be sure that IKE traffic leaving your on-premises network is sourced from your configured customer gateway IP address on UDP port 500. To test this setting, disable NAT traversal on your customer gateway device.
  • Be sure that UDP packets on port 500 (and port 4500, if you’re using NAT traversal) are allowed to pass between your network and your AWS VPN endpoints.
  • Be sure that your internet service provider (ISP) isn’t blocking UDP ports 500 and 4500.

Note: Some AWS VPN features, including NAT traversal, aren’t available for AWS Classic VPNs. To check your VPN type and migrate an AWS Classic VPN to an AWS managed VPN, see AWS Managed VPN Categories. During a VPN migration, you might need to recreate your VPC’s virtual private gateway. If your customer gateway isn’t behind a port address translation (PAT) device, it’s a best practice to disable NAT traversal.
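The checks above can be run against packets captured on the internet-facing side of your network. The following is an added example, not AWS code: it inspects the UDP payload of one outbound IKE datagram and reports whether it is IKEv1, whether it leaves from the customer gateway IP on UDP port 500, and whether NAT traversal encapsulation is in use. The function names, the sample addresses (documentation ranges) and the sample packets are assumptions constructed for illustration.

```python
import struct

# Fixed 28-byte IKE/ISAKMP header: initiator cookie, responder cookie,
# next payload, version, exchange type, flags, message ID, total length.
IKE_HDR = struct.Struct("!8s8sBBBBII")
NON_ESP_MARKER = b"\x00" * 4  # precedes IKE messages on UDP 4500 (RFC 3948)

def build_ike(major, exchange, body=b""):
    """Construct a sample IKE message (constructed test data, not a capture)."""
    return IKE_HDR.pack(b"I" * 8, b"\x00" * 8, 1, major << 4, exchange, 0, 0,
                        IKE_HDR.size + len(body)) + body

def check_ike_datagram(payload, src_ip, src_port, dst_port, cgw_ip):
    """Return findings for one outbound UDP payload seen on the WAN side."""
    findings = []
    if dst_port == 4500:
        if payload[:4] != NON_ESP_MARKER:
            return ["UDP 4500 payload has no non-ESP marker: ESP data, not IKE"]
        payload = payload[4:]
        findings.append("NAT traversal in use (UDP 4500)")
    elif src_port != 500:
        findings.append(f"source port {src_port} is not UDP 500")
    if src_ip != cgw_ip:
        findings.append(f"source {src_ip} is not the customer gateway IP {cgw_ip}")
    if len(payload) < IKE_HDR.size:
        return findings + ["truncated IKE header"]
    _, _, _, version, _, _, _, length = IKE_HDR.unpack_from(payload)
    if version >> 4 != 1:
        findings.append(f"IKEv{version >> 4} message, expected IKEv1")
    if length != len(payload):
        findings.append(f"IKE length field {length} != {len(payload)} bytes received")
    return findings

if __name__ == "__main__":
    CGW = "203.0.113.10"  # documentation-range address, assumed for the example
    samples = [
        (build_ike(1, 2), CGW, 500, 500),                     # IKEv1 main mode
        (build_ike(2, 34), CGW, 500, 500),                    # IKEv2 IKE_SA_INIT
        (build_ike(1, 2), "198.51.100.7", 1024, 500),         # rewritten by NAT
        (NON_ESP_MARKER + build_ike(1, 2), CGW, 4500, 4500),  # NAT-T encapsulation
    ]
    for payload, ip, sport, dport in samples:
        print(ip, sport, dport, check_ike_datagram(payload, ip, sport, dport, CGW) or "ok")
```

An empty result means the datagram matches what the checklist expects for phase 1; each finding maps to one of the bullet points above.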

Troubleshooting (device-specific instructions for customer gateways)

AWS Managed VPN Connections

Your Customer Gateway


Published: 2014-12-31

Updated: 2018-11-16