02-21-2014 09:00 AM - edited 03-11-2019 08:48 PM
Hi
I am trying to ensure that I match the Amazon Web Services config I have been given for a VPN, but I always get the "duplicate first packet" error and it never makes the IKE SA.
In looking further into the config, when I see the Configuration > Site-to-Site VPN > Advanced > IKE Policies page, I have priority 201, which is defined as:
aes-128 - sha - 2 - pre-share - 28800
BUT
When I edit the item, it always has encryption as des and this item does not get chosen. I think that this may be why we are not able to build phase 1.
I have attached a picture for evidence of what I am seeing. This is unedited since opening the edit box for this policy.
Any suggestions on the phase1 not forming would be handy too.... AWS are strict in their config and have given me this...... I am thinking I have followed it.
Configure the IKE SA as follows:
- Authentication Method : Pre-Shared Key
- Pre-Shared Key : AZxyiirs0IFXGIPwLG9l3ncDVkcz4rpc
- Authentication Algorithm : sha1
- Encryption Algorithm : aes-128-cbc
- Lifetime : 28800 seconds
- Phase 1 Negotiation Mode : main
- Perfect Forward Secrecy : Diffie-Hellman Group 2
#2: IPSec Configuration
Configure the IPSec SA as follows:
- Protocol : esp
- Authentication Algorithm : hmac-sha1-96
- Encryption Algorithm : aes-128-cbc
- Lifetime : 3600 seconds
- Mode : tunnel
- Perfect Forward Secrecy : Diffie-Hellman Group 2
IPSec Dead Peer Detection (DPD) will be enabled on the AWS Endpoint. We recommend configuring DPD on your endpoint as follows:
- DPD Interval : 10
- DPD Retries : 3
Thanks in advance
Anthony
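As an added example (not from the thread, AWS, or Cisco), here is a CLI rendering of the AWS phase 1 / phase 2 parameters quoted above, useful for confirming from the running config what the ASDM edit dialog actually saved. It assumes the device is a Cisco ASA on 8.4+ syntax (inferred from the ASDM path); the peer address, ACL name, interface name and key are placeholders.

```cisco
! Added example, not the thread's own config. Assumes Cisco ASA 8.4+ syntax;
! 203.0.113.10, AWS-VPN-ACL, OUTSIDE-MAP and the PSK value are placeholders.
!
! Phase 1: IKEv1 policy 201 = aes-128 / sha / group 2 / pre-share / 28800 s
crypto ikev1 enable outside
crypto ikev1 policy 201
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800
!
! Phase 2 transform set: esp / aes-128-cbc / hmac-sha1-96 (tunnel mode is default)
crypto ipsec ikev1 transform-set AWS-TS esp-aes esp-sha-hmac
!
! Crypto map entry: PFS group 2, 3600 s SA lifetime
crypto map OUTSIDE-MAP 10 match address AWS-VPN-ACL
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set ikev1 transform-set AWS-TS
crypto map OUTSIDE-MAP 10 set pfs group2
crypto map OUTSIDE-MAP 10 set security-association lifetime seconds 3600
crypto map OUTSIDE-MAP interface outside
!
! Tunnel group: pre-shared key and DPD (interval 10 s, 3 retries)
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-AWS-PSK
 isakmp keepalive threshold 10 retry 3
!
! Verification: the saved policy should show "encryption aes", not des as the
! edit dialog displayed, and the SA listing shows whether phase 1 is reached
show running-config crypto ikev1
show crypto ikev1 sa
```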
02-21-2014 09:12 AM
Hi Anthony,
The messages you are getting could be caused by UDP 500 or UDP 4500 ports being blocked in the middle or not being sent by the remote site.
The best way to determine the root cause is to run captures on the outside interfaces of both devices, to verify if they are sending and receiving traffic on these ports.
regards,
Itzcoatl