Bhavin walks you through troubleshooting phase 1 IKE issues
I’m trying to set up a virtual private network (VPN) in Amazon VPC, but the Internet Key Exchange phase (phase 1) fails.

The purpose of phase 1 is to negotiate a secure channel over which to pass the phase 2 parameters. Phase 2 cannot be established without the successful establishment of phase 1. You can examine IKE debug logs to diagnose the exact cause of the phase 1 negotiation failure, but here are some common troubleshooting steps you can take.

Check the following:

  • IKEv1 is being used instead of IKEv2; AWS supports only IKEv1.
  • Diffie-Hellman Group 2 is being used.
  • Phase 1 lifetime is set to 28800 seconds (480 minutes or 8 hours).
  • Phase 1 is using the SHA-1 hashing algorithm.
  • Phase 1 is using AES-128 as the encryption algorithm (but see below).
  • The customer gateway device is configured with the correct preshared key (PSK) specified in the AWS VPN downloaded configuration for the tunnels.
  • If the customer gateway endpoint is behind a NAT device, verify that IKE traffic leaving the customer on-premises network is sourced from the configured customer gateway IP address and on UDP port 500. Also test by disabling NAT-traversal on the customer gateway device.
  • Enhanced AWS VPN endpoints support additional encryption and hashing algorithms for phase 1, such as AES-256, SHA-2 (256), and DH groups 14–18, 22, 23, and 24, and they also support NAT traversal. If your VPN connection requires any of these features, contact AWS to verify that you are using the enhanced VPN endpoints; typically you must recreate the virtual private gateway (VGW) of your VPC to move to them. With enhanced endpoints, your customer gateway can reside behind a device performing port address translation (PAT); to ensure that NAT traversal (NAT-T) can function, adjust your firewall rules to allow UDP port 4500. If your customer gateway is not behind a PAT device, we recommend that you disable NAT traversal.
  • UDP packets on port 500 (and port 4500 if using NAT traversal) are allowed to pass between your network and the AWS VPN endpoints. Ensure that no device between your customer gateway (CGW) and the virtual private gateway (VGW) is blocking UDP port 500; this includes Internet service providers (ISPs), which may block UDP port 500 as well.
  • Verify that you can ping your AWS virtual private network (VPN) endpoints from your customer gateway.
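
To turn the checklist above into something you can run against a customer gateway's proposed phase 1 settings, here is an added example (not AWS code or the administrator guide's own tooling); the `proposal` dict layout, the `udp_500_open`/`udp_4500_open` flags and the sample values are assumptions.

```python
# Added example, not AWS code; the proposal dict layout is an assumption.
# Values accepted on the standard AWS VPN endpoints described on this page.
STANDARD = {
    "ike_version": {1},
    "dh_group": {2},
    "lifetime_seconds": {28800},
    "hash": {"sha1"},
    "encryption": {"aes128"},
    "nat_traversal": {False},
}
# Enhanced endpoints add AES-256, SHA-256, DH groups 14-18, 22-24 and NAT-T.
ENHANCED = {
    "ike_version": {1},
    "dh_group": {2, 14, 15, 16, 17, 18, 22, 23, 24},
    "lifetime_seconds": {28800},
    "hash": {"sha1", "sha256"},
    "encryption": {"aes128", "aes256"},
    "nat_traversal": {False, True},
}

def _normalize(value):
    """Fold 'SHA-1' / 'AES-128' style names to 'sha1' / 'aes128'."""
    return value.lower().replace("-", "") if isinstance(value, str) else value

def check_phase1(proposal, enhanced=False):
    """Return a list of findings; an empty list means phase 1 should match."""
    allowed = ENHANCED if enhanced else STANDARD
    findings = []
    for key, ok_values in allowed.items():
        if key not in proposal:
            findings.append(f"{key}: not set on the customer gateway")
        elif _normalize(proposal[key]) not in ok_values:
            findings.append(f"{key}: {proposal[key]!r} not accepted "
                            f"(allowed: {sorted(ok_values)})")
    # Firewall checks from the list above: UDP 500 always, UDP 4500 with NAT-T.
    if proposal.get("nat_traversal") and not proposal.get("udp_4500_open"):
        findings.append("nat_traversal: enabled but UDP 4500 is blocked")
    if not proposal.get("udp_500_open"):
        findings.append("udp_500_open: UDP 500 must pass between CGW and VGW")
    return findings

# Constructed sample proposals (not real gateway output).
SAMPLE_OK = {"ike_version": 1, "dh_group": 2, "lifetime_seconds": 28800,
             "hash": "SHA-1", "encryption": "AES-128", "nat_traversal": False,
             "udp_500_open": True}
SAMPLE_MISMATCH = {"ike_version": 2, "dh_group": 14, "lifetime_seconds": 28800,
                   "hash": "SHA-256", "encryption": "AES-128",
                   "nat_traversal": True, "udp_500_open": True,
                   "udp_4500_open": False}
```

Running `check_phase1(SAMPLE_MISMATCH)` flags IKEv2, DH group 14, SHA-256 and NAT-T on a standard endpoint, while `enhanced=True` leaves only the IKEv2 and blocked UDP 4500 findings.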

For more information, see the Amazon Virtual Private Cloud Network Administrator Guide. The guide includes example configuration settings for specific hardware devices, and the Troubleshooting section has additional troubleshooting steps.

Published: 2014-12-31
Updated: 2016-08-24