If there's no traffic through a VPN tunnel for the duration of your vendor-specific VPN idle time, then the IPsec session ends. Check your vendor documentation for your specific device.

Troubleshoot rekey issues for phase 1 or phase 2

If you're experiencing rekey issues that are caused by a phase 1 or phase 2 mismatch on a VPN tunnel, then check the following:

- Review the phase 1 or phase 2 lifetime fields on the customer gateway. Make sure that these fields match the AWS parameters. It's a best practice to uncheck parameters in the VPN tunnel options that aren't needed with the customer gateway for the VPN connection.
- Make sure that perfect forward secrecy (PFS) is activated on the customer gateway device. PFS is activated on the peer on the AWS side by default.
- Make sure that inbound traffic to UDP ports 500 and 4500 and IP protocol 50 on the customer gateway is allowed, so that the AWS endpoint can initiate rekeys.

Note: The IKEv2 lifetime value field is independent of peers. So, if you set a lower lifetime value, then the peer always initiates the rekey.

For more information, see Tunnel options for your Site-to-Site VPN connection and Your customer gateway device.

Troubleshoot intermittent connectivity issues

Intermittent connectivity issues might be caused by the policy-based configuration on your customer gateway device. You might also experience intermittent connectivity issues because you're using multiple encryption domains or proxy-IDs.

- Limit the number of encryption domains (networks) that have access to your VPC. If you have more than one encryption domain behind your VPN's customer gateway, then configure them to use a single security association. To check whether multiple security associations exist for your customer gateway, see Troubleshooting your customer gateway device.
- Configure your customer gateway device to allow any network behind the customer gateway (0.0.0.0/0) with a destination of your VPC Classless Inter-Domain Routing (CIDR) block to pass through the VPN tunnel. This configuration uses a single security association, which improves tunnel stability. Note that this configuration also allows networks that aren't defined in the policy to access the VPC.

For more information, see How do I troubleshoot connection problems between an AWS VPN endpoint and a policy-based VPN?
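The two checks above (lifetime/PFS mismatch between the peers, and multiple encryption domains producing multiple security associations) as an added, constructed example; this is not AWS tooling. The AWS lifetimes are the documented tunnel-option defaults; the customer gateway values and proxy-ID policies are made-up sample input, and a real device exports them in its own format.

```python
from ipaddress import ip_network

# AWS Site-to-Site VPN tunnel-option defaults (seconds), as documented by AWS.
AWS_TUNNEL = {"phase1_lifetime": 28800, "phase2_lifetime": 3600, "pfs": True}

# Constructed customer-gateway (CGW) settings; a real device exports these differently.
CGW_TUNNEL = {"phase1_lifetime": 86400, "phase2_lifetime": 3600, "pfs": False}
# Constructed policy-based proxy-IDs on the device: (local network, remote network).
CGW_POLICIES = [("10.1.0.0/24", "172.31.0.0/16"), ("10.2.0.0/24", "172.31.0.0/16")]
VPC_CIDR = "172.31.0.0/16"  # constructed VPC CIDR


def check_rekey(cgw, aws):
    """Return findings about phase 1/2 lifetime and PFS mismatches between the peers."""
    findings = []
    for phase in ("phase1_lifetime", "phase2_lifetime"):
        if cgw[phase] != aws[phase]:
            # IKEv2 lifetimes are independent per peer: the side with the lower
            # value is the one that initiates the rekey.
            initiator = "customer gateway" if cgw[phase] < aws[phase] else "AWS"
            findings.append(
                f"{phase}: CGW {cgw[phase]}s vs AWS {aws[phase]}s; {initiator} initiates rekey"
            )
    if aws["pfs"] and not cgw["pfs"]:
        findings.append("pfs: disabled on CGW but active on the AWS side; activate PFS on the CGW")
    return findings


def check_encryption_domains(policies, vpc_cidr):
    """Flag multiple proxy-IDs (one SA each) and point at the single 0.0.0.0/0 -> VPC CIDR SA."""
    vpc = ip_network(vpc_cidr)
    # Each distinct (local, remote) pair negotiates its own security association.
    sas = {(ip_network(local), ip_network(remote)) for local, remote in policies}
    if sas == {(ip_network("0.0.0.0/0"), vpc)}:
        return []
    return [f"{len(sas)} security association(s) defined; use a single SA 0.0.0.0/0 -> {vpc}"]


if __name__ == "__main__":
    for finding in check_rekey(CGW_TUNNEL, AWS_TUNNEL) + check_encryption_domains(CGW_POLICIES, VPC_CIDR):
        print(finding)
```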