02-06-2023 10:00 AM
Hi,
I'm reaching out to anyone that may have configured a VPN on the ASA using ikev2 to AWS Site to Site VPN.
AWS has two VPN Tunnels, and I believe the configuration file that you would pull down from AWS using the instructions helps the Engineer configure an Active/Passive tunnel.
I would like both tunnels to be Active, rather than Active/Passive. Tunnel 1 is configured and always up. Tunnel 2 is configured and always down. Even if I remove the Tunnel 1 config to try to test Active/Passive failover for the VPN tunnel, Tunnel 2 just stays down.
Now I have followed the guidance, and I am not sure why Tunnel 2 just doesn't connect.
Does anyone know how I can get both Tunnels to be Active/Active using ikev2?
And lastly, this is the error from the logs: "ipsec sa create failed". I am not having much joy with it now.
I feel I have exhausted all options. Unfortunately I cannot get the config out of that Environment. But more so wanting guidance on the 2nd Tunnel setup, if anyone knows how to get both tunnels running as Active/Active.
Or does someone know the config for getting both Tunnels up, or as to why
02-06-2023 01:47 PM
02-07-2023 02:05 AM
Thanks, this is a really helpful article.
I will replace ikev1 with ikev2.
Where is the part where I can make the Tunnels Active/Active?