How can I establish connection to my Private Space VPN?

Issue

I created a VPN gateway on my Private Space following the instructions in the Dev Center article Private Space VPN Connections, but I am still having difficulty establishing connections to the VPN gateway from my end.

Resolution

Private Space VPN Connections make use of AWS's VPC Customer Gateways. Please refer to the documentation by AWS at https://docs.aws.amazon.com/vpc/latest/adminguide/Introduction.html for the details about supported protocols and cipher suites. The relevant parameters are excerpted below.

Please refer to the Dev Center article Private Space VPN Connections for other constraints.

Packet traffic may be unbalanced between the two established tunnels because the VPN gateway prefers one tunnel over the other; do not expect traffic to be split evenly across both.

A Private Space VPN Connection negotiates encryption keys with the Internet Key Exchange (IKE) protocol in Phase 1 and establishes the IPsec tunnel, which carries traffic in Encapsulating Security Payload (ESP) packets, in Phase 2. The supported parameters for each phase are listed below. Your VPN gateway must accept inbound UDP packets on port 500 (IKE) and port 4500 (IKE and ESP encapsulated in UDP for NAT traversal).

Phase 1

  • IKE protocol: IKEv1
  • Exchange mode: main mode (aggressive mode is not supported)
  • Authentication Type: Pre-shared key
  • Encryption Algorithm: AES 256-bit and AES 128-bit
  • Hashing Algorithm: SHA-256 and SHA-1
  • Diffie-Hellman Perfect Forward Secrecy groups: 2, 14, 15, 16, 17, 18, 22, 23, and 24

Phase 2

  • Encryption Algorithm: AES 256-bit and AES 128-bit
  • Hashing Algorithm: SHA-256 and SHA-1
  • Diffie-Hellman Perfect Forward Secrecy groups: 2, 5, 14, 15, 16, 17, 18, 22, 23, and 24
  • Dead Peer Detection: Enabled to keep tunnels open

NAT traversal connection

Some VPN gateways must be explicitly configured to use NAT traversal (UDP encapsulation of ESP on port 4500) when the gateway sits behind NAT on your local network; without it, ESP packets are dropped or mangled by the NAT device and Phase 2 fails even though Phase 1 succeeds.

For Yamaha routers, the following configuration lines may be needed, one for each of the two tunnels.

RTX1200

ipsec ike nat-traversal 1 on
ipsec ike nat-traversal 2 on

RTX810

ipsec ike nat-traversal 1 on type=2
ipsec ike nat-traversal 2 on type=2
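The following strongSwan ipsec.conf is an added example that satisfies the Phase 1 and Phase 2 parameters listed above and enables NAT traversal; it is not a Heroku-provided sample script and not taken from the AWS documentation. All addresses, the CIDRs, the connection names and the pre-shared key values are placeholders (assumptions) that you must replace with the values shown for your VPN connection. In strongSwan proposal strings the cipher, the hash and the DH group are written together, so aes256-sha256-modp2048 is AES 256-bit, SHA-256 and Diffie-Hellman group 14 from the lists above.

```conf
# /etc/ipsec.conf (strongSwan, legacy stroke interface). Added example, not a Heroku script.
#
# Placeholders (assumptions), replace with the values from your VPN connection:
#   203.0.113.10      public IP of your VPN gateway (the customer gateway IP registered with Heroku)
#   198.51.100.1      outside IP of AWS tunnel 1 (shown when the VPN connection is created)
#   198.51.100.2      outside IP of AWS tunnel 2
#   192.168.0.0/16    your local network that must reach the Private Space
#   10.0.0.0/16       the Private Space CIDR
# Pre-shared keys live in /etc/ipsec.secrets (see the bottom of this file), never here.

config setup
    uniqueids=no

conn %default
    # Phase 1: IKEv1, main mode only (aggressive mode is not supported), pre-shared key
    keyexchange=ikev1
    aggressive=no
    authby=psk
    # Phase 1 proposal: AES 256-bit, SHA-256, DH group 14 (modp2048). "!" rejects anything else.
    ike=aes256-sha256-modp2048!
    # Phase 2 (ESP) proposal: AES 256-bit, SHA-256, PFS group 14
    esp=aes256-sha256-modp2048!
    ikelifetime=8h
    lifetime=1h
    # Dead Peer Detection: re-establish the tunnel if the peer stops answering
    dpdaction=restart
    dpddelay=10s
    dpdtimeout=30s
    # NAT traversal: force UDP 4500 encapsulation of ESP even if no NAT is detected
    forceencaps=yes
    left=%defaultroute
    leftid=203.0.113.10
    leftsubnet=192.168.0.0/16
    rightsubnet=10.0.0.0/16
    auto=start

# One conn per tunnel; both inherit every setting from %default
conn heroku-tunnel-1
    right=198.51.100.1
    rightid=198.51.100.1

conn heroku-tunnel-2
    right=198.51.100.2
    rightid=198.51.100.2

# /etc/ipsec.secrets (mode 0600), one line per tunnel; the PSK values are placeholders:
# 203.0.113.10 198.51.100.1 : PSK "replace-with-tunnel-1-psk"
# 203.0.113.10 198.51.100.2 : PSK "replace-with-tunnel-2-psk"
```

Both conns use identical traffic selectors, so strongSwan installs one active IPsec policy for 192.168.0.0/16 to 10.0.0.0/16 and only one tunnel carries traffic at a time, which matches the uneven tunnel usage described above; the other tunnel stays established as a standby. If the customer gateway is behind NAT, leftid must still be the public address that was registered with the VPN connection, otherwise Phase 1 identity checks fail. After `ipsec restart`, `ipsec statusall` shows each conn as ESTABLISHED (Phase 1) and INSTALLED (Phase 2) when the parameters match.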

Troubleshooting

It may be worthwhile to go through the troubleshooting guide by AWS at https://aws.amazon.com/premiumsupport/knowledge-center/vpn-tunnel-troubleshooting/ as well as the Amazon VPC Network Administrator Guide applicable to your device, linked from https://docs.aws.amazon.com/vpc/latest/adminguide/Welcome.html . In particular, check whether Phase 1 completes (IKE SA established) but Phase 2 does not, which usually points to a proposal mismatch or to ESP being blocked by NAT or a firewall.

If you still have difficulty, please let us know the following information:

  • What is the name of the Private Space?
  • What is the brand of the device?
  • What is the model of the device?
  • What is the firmware version, if available?
  • Might it be possible for you to share with us the current configuration script? Please make sure to redact secrets such as pre-shared keys before sending it.
  • Are there any logs during the attempt to establish connection?

We may be able to provide you with a sample configuration script as well as more detailed information specific to the device.

© 2019 Salesforce.com