Why is IKE (phase 1 of my VPN tunnel) failing in Amazon VPC?

Last updated: 2020-12-21

When creating a virtual private network (VPN) in Amazon Virtual Private Cloud (Amazon VPC), the Internet Key Exchange (IKE) phase of my configuration fails. Why is phase 1 of my VPN tunnel failing in Amazon VPC?

Resolution

Check the AWS Virtual Private Network (AWS VPN) configuration to confirm that it:

If acceleration is enabled for an AWS Site-to-Site VPN connection, then be sure that NAT-Traversal is enabled on the customer gateway device.

If the customer gateway device is behind a network address translation (NAT) device, be sure that:

  • UDP packets on port 500 (and port 4500, if NAT-traversal is used) are allowed to pass between your network and the AWS VPN endpoints.
  • The intermediate internet service providers (ISPs) aren't blocking UDP port 500 (or port 4500, if NAT-Traversal is used).

If your customer gateway isn't behind a port address translation (PAT) device, then it's a best practice to disable NAT-traversal.
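The checks above can be scripted. The following is an added example (not AWS code, not from this article) that evaluates a customer gateway's outbound firewall rules against the two tunnel endpoint addresses and applies the article's NAT-Traversal, acceleration and PAT conditions; the rule table and the endpoint addresses are constructed sample data in TEST-NET ranges, not real AWS endpoints, and the first-match rule semantics is an assumption about the firewall being modelled.

```python
"""Check a customer gateway against the article's IKE phase 1 checklist:
UDP 500 (and 4500 when NAT-Traversal is used) must be allowed toward both
AWS VPN tunnel endpoints, acceleration requires NAT-Traversal, and NAT-T is
best disabled when no PAT device sits in front of the gateway.
All addresses and rules below are constructed sample data (TEST-NET ranges)."""
import ipaddress

# Constructed sample: outbound firewall rules, evaluated first-match.
# dport None means any destination port; proto "any" means any protocol.
SAMPLE_RULES = [
    {"action": "deny",  "proto": "udp", "dport": 4500, "dst": "203.0.113.0/24"},
    {"action": "allow", "proto": "udp", "dport": 500,  "dst": "0.0.0.0/0"},
    {"action": "allow", "proto": "udp", "dport": 4500, "dst": "198.51.100.0/24"},
    {"action": "deny",  "proto": "any", "dport": None, "dst": "0.0.0.0/0"},
]
# Constructed placeholders for the two tunnel endpoint addresses that the
# downloaded AWS VPN configuration would list (not AWS addresses).
SAMPLE_ENDPOINTS = ["203.0.113.10", "198.51.100.20"]


def is_allowed(rules, proto, dport, dst_ip):
    """True if the first matching rule allows proto/dport to dst_ip (implicit deny)."""
    ip = ipaddress.ip_address(dst_ip)
    for r in rules:
        if r["proto"] not in ("any", proto):
            continue
        if r["dport"] not in (None, dport):
            continue
        if ip in ipaddress.ip_network(r["dst"]):
            return r["action"] == "allow"
    return False


def check_ike_phase1(rules, endpoints, nat_t, behind_nat, accelerated, behind_pat):
    """Return findings; an empty list means nothing in the checklist failed."""
    findings = []
    if accelerated and not nat_t:
        findings.append("acceleration is enabled but NAT-Traversal is disabled on the customer gateway")
    ports = [500] + ([4500] if nat_t else [])  # 4500 only matters with NAT-T
    if behind_nat:
        for ep in endpoints:
            for port in ports:
                if not is_allowed(rules, "udp", port, ep):
                    findings.append(f"UDP {port} to AWS endpoint {ep} is blocked by the local firewall")
    if nat_t and not behind_pat:
        findings.append("NAT-Traversal is enabled but no PAT device is in the path; consider disabling it")
    return findings


if __name__ == "__main__":
    for f in check_ike_phase1(SAMPLE_RULES, SAMPLE_ENDPOINTS, True, True, True, True):
        print("FINDING:", f)
```

With the sample data the script reports one finding: UDP 4500 to the first endpoint is denied by the first rule, which would break NAT-Traversal for that tunnel only.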
