Issue
I created a VPN gateway on my Private Space following the instructions in the Dev Center article Private Space VPN Connections, but I am still having difficulty establishing connections to the VPN gateway from my end.
Resolution
Private Space VPN Connections make use of AWS's VPC Customer Gateways. Please refer to the documentation by AWS at https://docs.aws.amazon.com/vpc/latest/adminguide/Introduction.html for the details about supported protocols and cipher suites. Below is an excerpt.
Please refer to the Dev Center article Private Space VPN Connections for other constraints.
Packet traffic may be unbalanced between the two established tunnels because the VPN gateways prefer one tunnel over the other.
A Private Space VPN Connection sets up encryption keys through the Internet Key Exchange (IKE) protocol in Phase 1 and establishes the IPsec VPN tunnel, i.e. the Encapsulating Security Payload (ESP), in Phase 2. The supported parameters for each phase are listed below. The VPN gateway must accept UDP packets on ports 500 and 4500.
Phase 1
- IKE protocol: IKEv1 and IKEv2
- Exchange mode: main (as opposed to aggressive which is not supported)
- Authentication Type: Pre-shared key
- Encryption Algorithm: AES 256-bit and AES 128-bit
- Hashing Algorithm: SHA-256/SHA-2 and SHA-1
- Diffie-Hellman Perfect Forward Secrecy groups: 2, 14, 15, 16, 17, 18, 22, 23, and 24
- Lifetime: up to 28,800 sec
Phase 2
- Encryption Algorithm: AES 256-bit and AES 128-bit
- Hashing Algorithm: SHA-256/SHA-2 and SHA-1
- Diffie-Hellman Perfect Forward Secrecy groups: 2, 5, 14, 15, 16, 17, 18, 22, 23, and 24
- SA Lifetime: 900 - 3,600 sec
- Dead Peer Detection: Enabled to keep tunnels open
- Perfect Forward Secrecy: Enabled
NAT traversal connection
Some VPN gateways may need to be explicitly configured to let ESP through NAT on your local network.
For Yamaha routers, the following configuration lines may be needed for each of the tunnels.
RTX1200
ipsec ike nat-traversal 1 on
ipsec ike nat-traversal 2 on
RTX810
ipsec ike nat-traversal 1 on type=2
ipsec ike nat-traversal 2 on type=2
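For a software gateway the same Phase 1, Phase 2 and NAT traversal requirements can be expressed in one place. The following swanctl.conf is an added example for strongSwan, not a configuration from the Dev Center or from AWS; the addresses, identities, Private Space CIDR and pre-shared key are placeholders, and it assumes strongSwan's behaviour that IKEv2 lifetimes are local rekey timers rather than negotiated values, so the Phase 2 rekey is set below the 3,600 s limit.

```conf
# swanctl.conf (strongSwan) for tunnel 1 of a Private Space VPN connection.
# Addresses, IDs and the PSK are placeholders; use your connection's values.
connections {
    private-space-tunnel-1 {
        # IKEv2 (IKEv1 also works; keep its default aggressive = no, since only
        # main mode is supported)
        version = 2
        # placeholder: public IP of this customer gateway
        local_addrs = 203.0.113.10
        # placeholder: tunnel 1 endpoint address of the Private Space VPN gateway
        remote_addrs = 198.51.100.1
        local {
            auth = psk
            id = 203.0.113.10
        }
        remote {
            auth = psk
            id = 198.51.100.1
        }
        # Phase 1: AES-256, SHA-256, DH group 14 (modp2048); lifetime up to 28,800 s
        proposals = aes256-sha256-modp2048
        rekey_time = 28800s
        # Dead Peer Detection keeps the tunnel open (see dpd_action below)
        dpd_delay = 10s
        # Force UDP encapsulation of ESP on port 4500 when this gateway sits behind
        # a NAT that is not detected automatically; drop it if NAT-T negotiates fine
        encap = yes
        children {
            private-space {
                # Phase 2: AES-256, SHA-256, PFS with DH group 14; rekey before the
                # 3,600 s SA lifetime limit
                esp_proposals = aes256-sha256-modp2048
                rekey_time = 3000s
                # Traffic selectors: 0.0.0.0/0 covers every local CIDR;
                # remote_ts is the Private Space CIDR (placeholder)
                local_ts = 0.0.0.0/0
                remote_ts = 10.0.0.0/16
                dpd_action = restart
                start_action = start
            }
        }
    }
    # Add private-space-tunnel-2 the same way with its own endpoint and PSK.
}
secrets {
    ike-tunnel-1 {
        id-1 = 198.51.100.1
        secret = "REPLACE_WITH_TUNNEL_1_PRE_SHARED_KEY"
    }
}
```

Load it with `swanctl --load-all` and confirm with `swanctl --list-sas` that both the IKE SA and the child SA are established before testing traffic.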
Troubleshooting
If network connections through the peering are not established as expected, please make sure that
- your VPC and your servers are configured to accept connections from the Private Space, by attaching appropriate Security Groups, and
- your VPC routes packets back to the Private Space, via its routing tables.
If network connections are established only within certain CIDRs, please make sure
- the IPsec Security Association (SA) traffic selectors include all CIDRs on the network; a traffic selector of 0.0.0.0/0 is sufficient.
It may also be worthwhile going through the troubleshooting guide by AWS at https://aws.amazon.com/premiumsupport/knowledge-center/vpn-tunnel-troubleshooting/ as well as the section of the Amazon VPC Network Administrator Guide applicable to your device, linked from https://docs.aws.amazon.com/vpc/latest/adminguide/Welcome.html.
If you still have a difficulty, please let us know the following information:
- What is the name of the Private Space?
- What is the brand of the device?
- What is the model of the device?
- What is the firmware version, if available?
- Might it be possible for you to share with us the current configure script? Please make sure to redact secrets like pre-shared keys.
- Are there any logs during the attempt to establish connection? Timestamps with UTC offset are appreciated.
We may be able to provide you with a sample configuration script as well as more detailed information specific to the device.