Issue creating IPSec VPN to Amazon VPC

jason.williams · ‎10-25-2012

I'm trying to set up a VPN with a vendor that is using the Amazon VPC. The configuration looks fine on my side, but I'm getting the following error:

IPSEC: Received an ESP packet (SPI= 0xBBCF6A53, sequence number= 0xF447F) from 1.1.1.1 (user= 1.1.1.1) to 2.2.2.2. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as 2.2.2.3, its source as 1.1.3.3, and its protocol as icmp. The SA specifies its local proxy as 2.2.2.10/255.255.255.255/ip/0 and its remote_proxy as 1.1.3.0/255.255.255.0/ip/0.

Obviously I changed the IP addreses.

From what I can find in a Google search is that Amazon may be using a Route Based VPN while I'm using a Policy Based VPN on the ASA, and they apparently don't play nice.

Has anyone tried setting up a VPN with Amazon VPC before? Any suggestions would be appreciated.

Thanks.

Jason

Jennifer Halim · ‎10-26-2012

Base on the error log, it seems like they are using protocol specific for the crypto ACL, however, with ASA, the crypto ACL needs to exactly mirror image the remote peer.

So if they are configuring ICMP as the protocol, you would also need to configure the same on the ASA.

Typically crypto ACL is "permit ip ", is there anyway you can ask Amazon VPC to configure policy with IP between subnet to subnet (mirror image from ASA crypto ACL)?