06-28-2023 04:00 AM - edited 06-28-2023 04:03 AM
I am trying to set up a site-to-site VPN connection between AWS and Cisco ASA, but the tunnel status is shown as "Down," and under the details section, the message is "IPSEC IS DOWN." Please find below the tunnel logs:
AWS tunnel is the IKE_SA initiator
AWS tunnel is sending request (id=0) for IKE_SA_INIT exchange
sending packet: from <tunnel ip> [UDP 500] to <CGW> [UDP 500] (304 bytes)
received packet: from <CGW> [UDP 500] to <tunnel ip> [UDP 500] (499 bytes)
AWS tunnel processed response (id=0) for IKE_SA_INIT exchange
AWS tunnel has selected proposals for Phase 1 SA
AWS tunnel detected NAT-T as enabled on local host and is sending keep-alive(s)
AWS tunnel detected NAT-T behind CGW / remote host
AWS tunnel is establishing Phase 2 CHILD_SA for CGW
AWS tunnel is sending request (id=1) for IKE_AUTH exchange
sending packet: from <tunnel ip> [UDP 4500] to <CGW> [UDP 4500] (256 bytes)
received packet: from <CGW> [UDP 4500] to <tunnel ip> [UDP 4500] (160 bytes)
AWS tunnel processed response (id=1) for IKE_AUTH exchange
AWS tunnel has successfully authenticated pre-shared key
sending packet: from <tunnel ip> [UDP 4500] to <CGW> [UDP 4500] (80 byte
and the same logs keep coming.
The AWS support team has informed us that identity checks are failing, but we are unsure how to verify this. The client has suggested enabling "ipsecovernatt." How can we proceed with this? Additionally, we would like to know what change we should make on the AWS side so that the "nat_t_detected" value shows as true in the tunnel logs.
These are the logs from the Cisco ASA side (show vpn-sessiondb l2l):
Index        : 16777                  IP Addr      : ****
Protocol     : IKEv2
Encryption   : IKEv2: (1)AES256       Hashing      : IKEv2: (1)SHA256
Bytes Tx     : 0                      Bytes Rx     : 0
Login Time   : 14:25:01 Tue Jun 27 2023
Duration     : 0h:00m:19s
The client is saying that IPsecOverNatT is not enabled at the AWS end, and that is why the IPsec tunnels are not coming up.
06-28-2023 04:11 AM - edited 06-28-2023 04:11 AM
Hi
If you use ASDM:
- Configuration > Site-to-Site VPN > Advanced
- NAT Transparency: check (or uncheck) "Enable IPsec over NAT-T"
06-28-2023 05:09 AM
Hi Flavio,
Thanks for the answer. I know that the client is using a Cisco ASA 5525, version 9.12(4); apart from that I don't have much information.
I am configuring the AWS side of the tunnel, and currently the AWS tunnels are acting as the initiator and the Cisco ASA is acting as the responder.
06-28-2023 04:16 AM
I need to see the IKEv2 config.
06-28-2023 05:11 AM
Hi MHM Cisco, I have requested the config and will share it here once I receive it.
06-28-2023 05:13 AM
And the ASA uses NAT-T by default, so the ID issue is not from NAT-T; I think it is from a misconfigured IKEv2.
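As an added triage example (not part of this thread and not anyone's posted configuration), the script below reads the two excerpts posted above, transcribed as constructed sample input, and reports how far the negotiation gets: whether IKE_SA_INIT and the pre-shared-key authentication complete, whether NAT-T is already in use (both peers moved to UDP 4500), and whether a Phase 2 CHILD_SA is ever established, cross-checked against the ASA session entry (Protocol without an IPsec component, 0 bytes in both directions). The CHILD_SA check assumes that a completed Phase 2 would produce a CHILD_SA log line other than "is establishing"; that assumption, the repetition of the log cycle (the poster says the same lines keep coming), and the field names in the result are mine.

```python
import re

# Constructed sample input: the AWS tunnel log posted above, one entry per line.
# The poster says the same lines repeat, so the cycle is included twice below.
# Placeholders <tunnel ip> and <CGW> are kept exactly as redacted in the post.
AWS_CYCLE = """\
AWS tunnel is the IKE_SA initiator
AWS tunnel is sending request (id=0) for IKE_SA_INIT exchange
sending packet: from <tunnel ip> [UDP 500] to <CGW> [UDP 500] (304 bytes)
received packet: from <CGW> [UDP 500] to <tunnel ip> [UDP 500] (499 bytes)
AWS tunnel processed response (id=0) for IKE_SA_INIT exchange
AWS tunnel has selected proposals for Phase 1 SA
AWS tunnel detected NAT-T as enabled on local host and is sending keep-alive(s)
AWS tunnel detected NAT-T behind CGW / remote host
AWS tunnel is establishing Phase 2 CHILD_SA for CGW
AWS tunnel is sending request (id=1) for IKE_AUTH exchange
sending packet: from <tunnel ip> [UDP 4500] to <CGW> [UDP 4500] (256 bytes)
received packet: from <CGW> [UDP 4500] to <tunnel ip> [UDP 4500] (160 bytes)
AWS tunnel processed response (id=1) for IKE_AUTH exchange
AWS tunnel has successfully authenticated pre-shared key
"""
AWS_TUNNEL_LOG = AWS_CYCLE * 2

# Constructed sample input: the 'show vpn-sessiondb l2l' output posted above,
# in the ASA's two-column layout. Values are unchanged from the post.
ASA_SESSION = """\
Index        : 16777                  IP Addr      : ****
Protocol     : IKEv2
Encryption   : IKEv2: (1)AES256       Hashing      : IKEv2: (1)SHA256
Bytes Tx     : 0                      Bytes Rx     : 0
Login Time   : 14:25:01 Tue Jun 27 2023
Duration     : 0h:00m:19s
"""

PACKET_RE = re.compile(
    r"^(sending|received) packet: from (.+?) \[UDP (\d+)\] to (.+?) \[UDP (\d+)\] \((\d+) bytes\)"
)
# One "Key : Value" pair; the lookahead stops the value before the next column's key.
FIELD_RE = re.compile(r"([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)(?=\s{2,}[A-Za-z][A-Za-z ]*?\s*:|\s*$)")


def analyze_aws_log(log: str) -> dict:
    """Walk the AWS tunnel log and record how far each IKEv2 negotiation got."""
    cycles = child_attempts = 0
    init_ok = auth_ok = psk_ok = child_up = False
    last_rx_bytes = auth_response_bytes = None
    ports = set()
    for ln in (l.strip() for l in log.splitlines() if l.strip()):
        m = PACKET_RE.match(ln)
        if m:
            ports.update({int(m.group(3)), int(m.group(5))})
            if m.group(1) == "received":
                last_rx_bytes = int(m.group(6))
            continue
        if "sending request" in ln and "IKE_SA_INIT" in ln:
            cycles += 1                      # a fresh IKE SA: the previous attempt gave up
        elif "processed response" in ln and "IKE_SA_INIT" in ln:
            init_ok = True
        elif "is establishing Phase 2 CHILD_SA" in ln:
            child_attempts += 1
        elif "processed response" in ln and "IKE_AUTH" in ln:
            auth_ok, auth_response_bytes = True, last_rx_bytes
        elif "successfully authenticated pre-shared key" in ln:
            psk_ok = True
        elif "CHILD_SA" in ln:
            child_up = True                  # assumption: any other CHILD_SA line means Phase 2 completed
    return {
        "ike_sa_init_ok": init_ok,
        "nat_t_in_use": 4500 in ports,       # port float to 4500 is the on-the-wire sign of NAT-T
        "ike_auth_response_ok": auth_ok,
        "ike_auth_response_bytes": auth_response_bytes,
        "psk_authenticated": psk_ok,
        "child_sa_attempts": child_attempts,
        "child_sa_established": child_up,
        "renegotiation_cycles": cycles,
    }


def parse_asa_session(output: str) -> dict:
    """Flatten the two-column 'show vpn-sessiondb' layout into a key -> value dict."""
    fields = {}
    for ln in output.splitlines():
        for key, value in FIELD_RE.findall(ln):
            fields[key.strip()] = value.strip()
    return fields


def triage(aws_log: str, asa_output: str) -> dict:
    """Combine both sides and name the stage at which the tunnel stops."""
    aws, asa = analyze_aws_log(aws_log), parse_asa_session(asa_output)
    asa_has_ipsec = "IPsec" in asa.get("Protocol", "")
    asa_bytes = int(asa.get("Bytes Tx", "0")) + int(asa.get("Bytes Rx", "0"))
    findings = []
    if aws["ike_sa_init_ok"] and aws["psk_authenticated"]:
        findings.append("Phase 1 completed and the pre-shared key authenticated: IKEv2 policy and PSK match.")
    if aws["nat_t_in_use"]:
        findings.append("NAT-T is already negotiated: both peers moved to UDP 4500 after IKE_SA_INIT.")
    if aws["child_sa_attempts"] and not aws["child_sa_established"]:
        findings.append(f"Phase 2 never completed: {aws['child_sa_attempts']} CHILD_SA attempt(s), "
                        f"{aws['renegotiation_cycles']} restart(s); IKE_AUTH response was "
                        f"{aws['ike_auth_response_bytes']} bytes.")
    if not asa_has_ipsec and asa_bytes == 0:
        findings.append(f"ASA agrees: Protocol is '{asa.get('Protocol')}' with no IPsec component and 0 bytes each way.")
    stage = "phase2" if aws["psk_authenticated"] and not aws["child_sa_established"] else "phase1_or_other"
    return {"aws": aws, "asa": asa, "failure_stage": stage, "findings": findings}


if __name__ == "__main__":
    for line in triage(AWS_TUNNEL_LOG, ASA_SESSION)["findings"]:
        print(line)
```

Run it with the two excerpts and it reports the failure stage as Phase 2: the IKE SA and PSK are fine, NAT-T is already in use, and neither side ever installs an IPsec SA. That is the point at which to compare the IKE_AUTH identities, traffic selectors and IPsec proposals on both ends rather than the NAT-T setting.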