AWS Site to Site VPN not working

Oneal1975 (Level 1)

I am at a loss as to what I am missing here. Help would be greatly appreciated.

Here are the details (I changed the private IP info for security reasons):

AWS Subnet 172.31.1.0/24

AWS Tunnel 1 Outside IP 52.53.76.26 Inside CIDR 169.254.87.0/30

AWS Tunnel 2 Outside IP 54.183.19.115


Internal Office Subnet 192.168.0.0/26

Office Public IP (Changed for security) 255.255.255.255


And here is the config that does not work:


! Phase 1 (IKEv1) on the outside interface
crypto isakmp identity address
crypto ikev1 enable outside-comcast
crypto ikev1 policy 201
 encryption aes
 authentication pre-share
 group 2
 lifetime 28800
 hash sha

! One L2L tunnel group per AWS outside IP; DPD keepalive under ipsec-attributes
tunnel-group 52.53.76.26 type ipsec-l2l
tunnel-group 52.53.76.26 ipsec-attributes
 ikev1 pre-shared-key
 isakmp keepalive threshold 10 retry 10

tunnel-group 54.183.19.115 type ipsec-l2l
tunnel-group 54.183.19.115 ipsec-attributes
 ikev1 pre-shared-key
 isakmp keepalive threshold 10 retry 10

! Allow the peers in on the outside ACL; acl-amzn selects traffic toward the VPC
access-list acl_out extended permit ip host 52.53.76.26 host 255.255.255.255
access-list acl_out extended permit ip host 54.183.19.115 host 255.255.255.255
access-list acl-amzn extended permit ip any4 172.31.1.0 255.255.255.0

! Phase 2 transform set and the crypto map entry for both AWS peers
crypto ipsec ikev1 transform-set transform-amzn esp-aes esp-sha-hmac
crypto map newmap 14 match address acl-amzn
crypto map newmap 14 set pfs group2
crypto map newmap 14 set peer 52.53.76.26 54.183.19.115
crypto map newmap 14 set ikev1 transform-set transform-amzn
crypto map newmap 14 set security-association lifetime seconds 3600
crypto ipsec df-bit clear-df outside-comcast
crypto ipsec security-association replay window-size 128
crypto ipsec fragmentation before-encryption outside-comcast
sysopt connection tcpmss 1379

! SLA probe toward the AWS peer to keep the tunnel up
sla monitor 10
 type echo protocol ipIcmpEcho 52.53.76.26 interface outside-comcast
 frequency 5
sla monitor schedule 10 life forever start-time now
icmp permit any outside-comcast

! vpn-filter for an L2L tunnel is written remote-source / local-destination
access-list amzn-filter extended permit ip 172.31.1.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list amzn-filter extended deny ip any any

group-policy filter internal
group-policy filter attributes
 vpn-filter value amzn-filter


I am willing to figure out a way to pay whoever can help fix this $20.00.


Thank you in advance

! Bind the filter group-policy to both tunnel groups
tunnel-group 52.53.76.26 general-attributes
 default-group-policy filter
exit
tunnel-group 54.183.19.115 general-attributes
 default-group-policy filter
exit

! NAT exemption so LAN-to-VPC traffic is not translated before encryption
object network obj-SrcNet
 subnet 192.168.254.0 255.255.255.0
object network obj-amzn
 subnet 172.31.1.0 255.255.255.0
nat (inside,outside) 1 source static obj-SrcNet obj-SrcNet destination static obj-amzn obj-amzn


1 Reply

balaji.bandi (Hall of Fame)

Have you done the debug? What is the error:

https://docs.aws.amazon.com/vpn/latest/s2svpn/Cisco_ASA_Troubleshooting.html

Make sure: AWS accepts only AES 128/256.

BB
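Added example, not code from either poster or from AWS/Cisco: a small Python script that reads the ASA fragments from the question (reassembled into one constructed sample, with sub-commands indented the way show running-config prints them, and the pre-shared keys left out as in the post) and checks that the statements which have to agree for a crypto-map tunnel actually do. It assumes an office LAN of 192.168.0.0/26 and a VPC CIDR of 172.31.1.0/24, both taken from the post. The checks are: the IKEv1 policy offers AES (the point made in the reply), the crypto ACL bound to the crypto map selects the VPC, the NAT exemption names that same LAN and VPC, and the vpn-filter permits VPC to LAN. On the posted fragments it flags one thing: the NAT-exemption source object is 192.168.254.0/24 while the stated office LAN is 192.168.0.0/26. Whether that is an artefact of the poster's sanitising or a real mismatch cannot be told from the thread, which is exactly why a check like this is worth running before reading debug output.

```python
"""Consistency checks for ASA crypto-map (policy-based) VPN fragments.

Added example, not from the thread: parses the few ASA statements that have
to agree for an L2L tunnel and reports any that do not.
"""
import ipaddress
import re

# Constructed sample: the statements from the question, reassembled. The
# LAN / NAT-exemption mismatch present in the post is left in on purpose.
SAMPLE_CONFIG = """
crypto ikev1 policy 201
 encryption aes
 authentication pre-share
 group 2
 lifetime 28800
 hash sha
access-list acl-amzn extended permit ip any4 172.31.1.0 255.255.255.0
crypto map newmap 14 match address acl-amzn
access-list amzn-filter extended permit ip 172.31.1.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list amzn-filter extended deny ip any any
group-policy filter attributes
 vpn-filter value amzn-filter
object network obj-SrcNet
 subnet 192.168.254.0 255.255.255.0
object network obj-amzn
 subnet 172.31.1.0 255.255.255.0
nat (inside,outside) 1 source static obj-SrcNet obj-SrcNet destination static obj-amzn obj-amzn
"""

ADDR = r"(?:any4|any|host \S+|\S+ \S+)"  # address token forms used in ACL entries


def _net(tok):
    """Convert an ACL/object address token to ip_network; None stands for 'any'."""
    if tok in ("any", "any4"):
        return None
    if tok.startswith("host "):
        return ipaddress.ip_network(tok.split()[1] + "/32")
    ip, mask = tok.split()
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def parse(config):
    """Collect objects, ACL entries, crypto-map ACL bindings, NAT exemptions and IKEv1 policies."""
    cfg = {"objects": {}, "acls": {}, "maps": {}, "nat": [], "ikev1": {}, "vpn_filter": None}
    ctx = None  # (mode, name) while inside an object or ikev1 policy sub-mode
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[:1].isspace():
            ctx = None  # a top-level command ends any sub-mode
        if m := re.fullmatch(r"object network (\S+)", line):
            ctx = ("object", m[1])
        elif m := re.fullmatch(r"crypto ikev1 policy (\d+)", line):
            ctx = ("ikev1", m[1])
            cfg["ikev1"][m[1]] = {}
        elif m := re.fullmatch(rf"access-list (\S+) extended (permit|deny) ip ({ADDR}) ({ADDR})", line):
            cfg["acls"].setdefault(m[1], []).append((m[2], _net(m[3]), _net(m[4])))
        elif m := re.fullmatch(r"crypto map (\S+) (\d+) match address (\S+)", line):
            cfg["maps"][(m[1], m[2])] = m[3]
        elif m := re.fullmatch(r"nat \(\S+\) \d+ source static (\S+) \1 destination static (\S+) \2", line):
            cfg["nat"].append((m[1], m[2]))
        elif m := re.fullmatch(r"vpn-filter value (\S+)", line):
            cfg["vpn_filter"] = m[1]
        elif ctx and ctx[0] == "object" and (m := re.fullmatch(r"subnet (\S+ \S+)", line)):
            cfg["objects"][ctx[1]] = _net(m[1])
        elif ctx and ctx[0] == "ikev1" and (m := re.fullmatch(r"(encryption|hash|group|lifetime) (\S+)", line)):
            cfg["ikev1"][ctx[1]][m[1]] = m[2]
    return cfg


def check(config, office_lan, vpc_cidr):
    """Return a list of findings; an empty list means the fragments agree with each other."""
    cfg = parse(config)
    lan, vpc = ipaddress.ip_network(office_lan), ipaddress.ip_network(vpc_cidr)
    findings = []
    # 1. Phase 1 must offer AES (the reply in the thread: AWS accepts only AES 128/256).
    for seq, pol in cfg["ikev1"].items():
        if not pol.get("encryption", "").startswith("aes"):
            findings.append(f"ikev1 policy {seq}: encryption '{pol.get('encryption')}' is not AES")
    # 2. The crypto ACL bound to the crypto map must select the VPC CIDR as the remote network.
    for (name, seq), acl in cfg["maps"].items():
        if vpc not in [d for act, _, d in cfg["acls"].get(acl, []) if act == "permit"]:
            findings.append(f"crypto map {name} {seq}: ACL {acl} has no permit to {vpc}")
    # 3. NAT exemption must name exactly the office LAN and the VPC; otherwise LAN traffic
    #    is translated first and never matches the crypto ACL.
    for src_obj, dst_obj in cfg["nat"]:
        src, dst = cfg["objects"].get(src_obj), cfg["objects"].get(dst_obj)
        if src != lan:
            findings.append(f"nat exemption: {src_obj} is {src} but the office LAN is {lan}")
        if dst != vpc:
            findings.append(f"nat exemption: {dst_obj} is {dst} but the VPC is {vpc}")
    # 4. An L2L vpn-filter is written remote-source / local-destination.
    if cfg["vpn_filter"]:
        rules = cfg["acls"].get(cfg["vpn_filter"], [])
        if not any(act == "permit" and s == vpc and (d is None or lan.subnet_of(d))
                   for act, s, d in rules):
            findings.append(f"vpn-filter {cfg['vpn_filter']}: no permit from {vpc} to {lan}")
    return findings


if __name__ == "__main__":
    for finding in check(SAMPLE_CONFIG, "192.168.0.0/26", "172.31.1.0/24"):
        print(finding)
```

To use it on a real box, paste the relevant parts of show running-config into SAMPLE_CONFIG (or read them from a file) and pass the LAN and VPC CIDRs you expect; the script only looks at the object, access-list, crypto map match, nat, vpn-filter and crypto ikev1 policy lines, so the rest of the config can stay in place.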
