I can’t establish my VPN tunnel: IPsec is failing

Last updated: 2016-08-24

I’m trying to set up a virtual private network (VPN) in Amazon VPC, but the Internet Protocol security (IPsec) phase (phase 2) fails.

Short description

The purpose of IPsec (phase 2) is to negotiate and establish a secure tunnel for the transmission of data between VPN peers. Without a successful phase 2 negotiation, you cannot send and receive traffic across the VPN tunnel. You can examine IPsec debug logs to understand the exact cause of the phase 2 failure, but here are some common troubleshooting steps you can take.


Check the following:

  • Encapsulating Security Payload (ESP) protocol 50 is not blocked inbound or outbound.
  • Security association lifetime is 3600 seconds (60 minutes).
  • There are no firewall ACLs interfering with IPsec traffic.
  • Phase 2 is using the SHA-1 hashing algorithm.
  • Phase 2 is using AES-128as the encryption algorithm (but see below).
  • Perfect forward secrecy (PFS) is enabled and using Diffie-Hellman Group 2 for key generation.
  • Enhanced AWS VPN endpoints support some additional advanced encryption and hashing algorithms, such as AES 256, SHA-2(256), and DH groups 5, 14–18, 22, 23, and 24 for phase 2. If your VPN connection requires any of these additional features, contact AWS to verify that you are using the enhanced VPN endpoints. Typically you must recreate the virtual private gateway (VGW) of your VPC to move to the enhanced VPN endpoints.
  • If you are using policy-based routing, verify that you have correctly defined the source and destination networks in your encryption domain.  

For more information, see the Amazon Virtual Private Cloud Network Administrator Guide. The guide includes example configuration settings for specific hardware devices, and the Troubleshooting section has additional troubleshooting steps.

Did this article help?

Do you need billing or technical support?