site to site(IpSec) between AWS and Cisco is not working

ajittrivedi
Level 1

I am trying to set up a site-to-site VPN connection between AWS and Cisco ASA, but the tunnel status is shown as "Down," and under the details section, the message is "IPSEC IS DOWN." Please find below the tunnel logs:

AWS tunnel is the IKE_SA initiator
AWS tunnel is sending request (id=0) for IKE_SA_INIT exchange
sending packet: from < tunnel ip> [UDP 500] to <CGW> [UDP 500] (304 bytes)
received packet: from <CGW> [UDP 500] to <tunnel ip> [UDP 500] (499 bytes)
AWS tunnel processed response (id=0) for IKE_SA_INIT exchange
AWS tunnel has selected proposals for Phase 1 SA
AWS tunnel detected NAT-T as enabled on local host and is sending keep-alive(s)
AWS tunnel detected NAT-T behind CGW / remote host
AWS tunnel is establishing Phase 2 CHILD_SA for CGW
AWS tunnel is sending request (id=1) for IKE_AUTH exchange
sending packet: from < tunnel ip> [UDP 4500] to <CGW> [UDP 4500] (256 bytes)
received packet: from <CGW> [UDP 4500] to < tunnel ip> [UDP 4500] (160 bytes)
AWS tunnel processed response (id=1) for IKE_AUTH exchange
AWS tunnel has successfully authenticated pre-shared key
ending packet: from < tunnel ip> [UDP 4500] to <CGW> [UDP 4500] (80 byte

and the same logs keep coming.

The AWS support team has informed us that identity checks are failing, but we are unsure how to verify this. The client has suggested enabling "ipsecovernatt." How can we proceed with this? Additionally, we would like to know what change we should make on the AWS side so that the "nat_t_detected" value comes up as true in the tunnel logs.

These are the logs from the Cisco ASA side (show vpn-sessiondb l2l):

Index        : 16777                  IP Addr      : ****
Protocol     : IKEv2
Encryption   : IKEv2: (1)AES256       Hashing      : IKEv2: (1)SHA256
Bytes Tx     : 0                      Bytes Rx     : 0
Login Time   : 14:25:01  Tue Jun 27 2023
Duration     : 0h:00m:19s

The client is saying that IPsecOverNatT is not enabled at the AWS end, and that is why the IPsec tunnels are not coming up.
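As an added illustration (not part of the original post or of any AWS/Cisco tooling), the small analyser below walks a set of AWS tunnel log lines in the format quoted above and reports how far the IKEv2 negotiation got, whether NAT-T was detected on each side, and how many times the negotiation restarted. The sample log is constructed from the lines in the post, and the "CHILD_SA established" success wording is an assumption, since the post never shows a successful line.

```python
# Constructed sample modelled on the AWS tunnel log lines quoted in the post (not a real capture).
SAMPLE_LOG = """\
AWS tunnel is the IKE_SA initiator
AWS tunnel is sending request (id=0) for IKE_SA_INIT exchange
AWS tunnel processed response (id=0) for IKE_SA_INIT exchange
AWS tunnel has selected proposals for Phase 1 SA
AWS tunnel detected NAT-T as enabled on local host and is sending keep-alive(s)
AWS tunnel detected NAT-T behind CGW / remote host
AWS tunnel is establishing Phase 2 CHILD_SA for CGW
AWS tunnel is sending request (id=1) for IKE_AUTH exchange
AWS tunnel processed response (id=1) for IKE_AUTH exchange
AWS tunnel has successfully authenticated pre-shared key
"""

# Milestones in the order IKEv2 must reach them: (substring to look for, state name).
MILESTONES = [
    ("processed response (id=0) for IKE_SA_INIT", "ike_sa_init_done"),
    ("has successfully authenticated pre-shared key", "psk_authenticated"),
    # Assumed wording for the success line; the post never shows one.
    ("CHILD_SA established", "child_sa_established"),
]


def analyse(log_text):
    """Classify where an IKEv2 negotiation stalled from AWS-style tunnel log lines."""
    lines = log_text.splitlines()
    reached = [name for needle, name in MILESTONES if any(needle in ln for ln in lines)]
    # Each "is the IKE_SA initiator" line marks a fresh negotiation attempt.
    restarts = sum(1 for ln in lines if "is the IKE_SA initiator" in ln)
    nat_t_local = any("NAT-T as enabled on local host" in ln for ln in lines)
    nat_t_remote = any("NAT-T behind CGW" in ln for ln in lines)

    if "child_sa_established" in reached:
        verdict = "ipsec_up"
    elif "psk_authenticated" in reached:
        # PSK accepted but no CHILD_SA confirmed: look at IKE identities,
        # Phase 2 proposals and traffic selectors on the responder rather than at NAT-T.
        verdict = "stalled_after_ike_auth"
    elif "ike_sa_init_done" in reached:
        verdict = "stalled_before_ike_auth"
    else:
        verdict = "no_ike_sa_init_response"

    return {"reached": reached, "restarts": restarts,
            "nat_t_local": nat_t_local, "nat_t_remote": nat_t_remote,
            "verdict": verdict}


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

Run over the log in the post, it reports NAT-T detected on both ends and a stall after IKE_AUTH, which is the pattern behind the "IPSEC IS DOWN" status.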

5 Replies

Hi

If you use ASDM:

- Configuration>Site-to-Site VPN>Advanced

- NAT Transparency: check (or uncheck) "Enable IPsec over NAT-T"

Hi Flavio,
Thanks for the answer. I know that the client is using a Cisco ASA 5525, version 9.12(4); apart from that I don't have much information.
I am configuring the AWS side of the tunnel, and currently the AWS tunnels are acting as the initiator and the Cisco ASA is acting as the responder.

I need to see the IKEv2 config.

Hi MHM Cisco, I have requested the config and will share it here once I receive it.

And the ASA uses NAT-T by default, so the ID issue is not from NAT-T; I think it is from an IKEv2 misconfiguration.