IPSec tunnel through AWS NLB and NAT (based on EC2)

sudsark
Level 1

Hi There, 

I am setting up a scalable IPSec solution where the customer would have Cisco routers on the left side and the tunnel will be established as follows: "customer Cisco router --> AWS NLB --> NAT (EC2 instance) --> Cisco ASAv". I am able to set up this flow and the tunnel is working as expected. I am using the primary IP of the NAT instance for translation.

Now the problem I see is when I introduce a second tunnel with the same path, just having the secondary IP of the NAT as the translated IP. I have configured the NAT rule (with iptables) accordingly, and here the tunnel is failing with phase 2 negotiation. My understanding is that the EC2 instance routing between the primary IP and the secondary IP is the point of failure.

Anyone have any experience setting up this type of architecture? Any help on this is greatly appreciated.


4 Replies

Primary and secondary IP? Can I see the NAT config?
Also, can I see the IKEv2 profile for both tunnels?

MHM

I have attached the NAT instance configuration and a few commands run from the ASAv. The ASAv doesn't use IKEv2 profiles like IOS routers do.

Both files are attached. Just to confirm: in the NAT, source 107.84.31.62 is working fine, source 3.236.184.19 is not working, and if I switch/swap the NAT rules and change the configuration in the ASAv, then 3.236.184.19 works and 107.84.31.62 fails. I am pretty sure that the NAT secondary IP "172.31.54.55" is the problem (not correctly set up). Please let me know if you have any further questions, and thanks for all your help.

Hi There,

I made some progress. After tuning the NAT rules I could see the tunnel trying to establish, where phase 1 completes successfully but phase 2 is failing. I am getting "Error code: There was no IPSEC policy found for received TS". But I have checked several times and the traffic selectors look fine on both sides. Any help on this please?

I am able to establish the connection after making the required changes in the NAT instance, hence closing this topic now.