Troubleshooting an IPsec VPN connection with IKEv2

This article describes how to troubleshoot an IPsec VPN connection that uses IKEv2 on an Aviatrix gateway: first check the tunnel status in the Controller, then run the built-in analysis, and finally match keywords in the gateway's IKE logs against the probable causes listed below.

Check Site2Cloud Connection Status

  • Log into the Aviatrix Controller.

  • Go to Site2Cloud > Setup.

  • Find the Site2Cloud Connection.

  • Check the tunnel status.

    • If the Status shows "Down", continue with the next step.

Perform the Diagnostics Action "Run analysis"

  • Go to Site2Cloud > Diagnostics.

  • Select the related information for VPC ID/VNet Name, Connection, and Gateway.

  • Select the option "Run analysis" under Action and click OK.

  • Review the suggestions on the prompt panel; they point at the most likely reason the Site2Cloud tunnel is down.

  • Follow the next step to view logs if needed.

Match keywords in the Diagnostics action "Show logs"

  • Go to Site2Cloud > Diagnostics.

  • Select the related information for VPC ID/VNet Name, Connection, and Gateway.

  • Select the option "Show logs" under Action and click OK.

  • Review the logs on the prompt panel.

  • Compare your logs with the example of a successful IKEv2 negotiation below, then search them for the keywords listed in the following sections.

[Image: IKEv2_show_log, "Show logs" output of a successful IKEv2 negotiation]

Keyword: "Error: Failed to deliver message to gateway"

Probable Causes:

  • Aviatrix Controller cannot reach gateway

Keyword: "establishing IKE_SA failed, peer not responding"

Probable Causes:

  • The configured peer IP address is wrong, or the peer is not reachable from the gateway.

  • UDP port 500 (IKE) or UDP port 4500 (IKE with NAT traversal) is blocked between the gateway and the peer.

Suggestions:

  • Troubleshoot connectivity between Aviatrix gateway and peer VPN router.

Keyword: "NO_PROPOSAL_CHOSEN"

Probable Causes:

  • The configured peer IP address is wrong, so the gateway is negotiating with a device that has no matching VPN policy for it.

  • IKE version is mismatched (one VPN gateway uses IKEv1 and the other uses IKEv2).

  • IKEv2 (IKE_SA) algorithms are mismatched.

  • IPsec (CHILD_SA) algorithms are mismatched.

Suggestions:

  • Verify the peer IP address, and troubleshoot connectivity between the Aviatrix gateway and the peer VPN router.

  • Verify that both sides are configured for the same IKE version (IKEv2).

  • Verify that all IKEv2 and IPsec algorithm parameters (encryption, authentication/integrity, DH group) match in both VPN configurations. Note that a NO_PROPOSAL_CHOSEN logged after the IKE_SA has already been established refers to the IPsec (CHILD_SA) proposal, not the IKE proposal.

Keyword: "AUTHENTICATION_FAILED"

Probable Causes:

  • IKE version is mismatched (one VPN gateway uses IKEv1 and the other uses IKEv2).

  • Pre-shared key is mismatched.

  • Identifier configuration is mismatched.

Suggestions:

  • Verify that both sides are configured for the same IKE version (IKEv2).

  • Verify that the pre-shared key matches in both VPN configurations.

  • Verify that the identifiers match.

    • By default, Aviatrix uses the gateway's public IP address as the Local Identifier, so the peer's Remote Identifier must be set to that public address, not to the gateway's private IP.

Keyword: "no shared key found"

Probable Causes:

  • IKE version is mismatched (one VPN gateway uses IKEv1 and the other uses IKEv2).

  • Identifier configuration is mismatched, so no pre-shared key is found for the pair of identities the peer presented.

Suggestions:

  • Verify that both sides are configured for the same IKE version (IKEv2).

  • Verify that the identifiers match.

    • By default, Aviatrix uses the gateway's public IP address as the Local Identifier, so the peer's Remote Identifier must be set to that public address.

Keyword: "failed to establish CHILD_SA, keeping IKE_SA"

Probable Causes:

  • IPsec (CHILD_SA) algorithms are mismatched. The IKE_SA itself is up at this point, so authentication and the IKE proposal are fine; only the IPsec proposal failed.

  • The local/remote subnets (traffic selectors) configured on the two sides do not overlap, which also produces this message.

Suggestions:

  • Verify that all IPsec algorithm parameters (encryption, authentication/integrity, PFS DH group) match in both VPN configurations.

  • Verify that the remote subnets configured on the Aviatrix side match the local subnets configured on the peer, and vice versa.
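The keyword matching described above can be automated. The following script is an added example, not Aviatrix code: it walks a "Show logs" output in order, maps each of the article's keywords to a failure stage, and uses the position of the "IKE_SA ... established" line to decide whether a NO_PROPOSAL_CHOSEN refers to the IKE proposal or to the IPsec (CHILD_SA) proposal. It assumes strongSwan-style charon log lines; the stage names and the sample logs are constructed for illustration.

```python
"""Classify IKEv2 negotiation log lines into the failure stages listed in this article.

Assumptions (not from the article): the log uses strongSwan's charon message
format, and the stage labels ("controller", "connectivity", "ike", "auth",
"child_sa") are our own names for the article's keyword sections.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Finding:
    stage: str          # which step of tunnel bring-up failed
    keyword: str        # the article's keyword that matched
    causes: tuple       # probable causes from the article
    suggestions: tuple  # suggestions from the article


# Keyword table built from the sections above. Only the first matching rule
# applies to a line, so the more specific strings come first.
RULES = (
    ("controller", "Failed to deliver message to gateway",
     ("Aviatrix Controller cannot reach the gateway",), ()),
    ("connectivity", "peer not responding",
     ("Peer IP address mismatched or unreachable", "UDP 500/4500 blocked"),
     ("Troubleshoot connectivity between the gateway and the peer VPN router",)),
    ("child_sa", "failed to establish CHILD_SA",
     ("IPsec algorithm mismatched",),
     ("Verify IPsec encryption/authentication/DH group on both sides",)),
    ("ike", "NO_PROPOSAL_CHOSEN",
     ("Peer IP mismatched", "IKE version mismatched",
      "IKEv2 algorithm mismatched", "IPsec algorithm mismatched"),
     ("Verify IKE version and IKEv2/IPsec algorithms on both sides",)),
    ("auth", "AUTHENTICATION_FAILED",
     ("IKE version mismatched", "Pre-shared key mismatched", "Identifier mismatched"),
     ("Verify IKE version, pre-shared key and identifiers on both sides",)),
    ("auth", "no shared key found",
     ("IKE version mismatched", "Identifier mismatched"),
     ("Verify IKE version and identifiers on both sides",)),
)

# strongSwan logs this once IKE_SA_INIT and IKE_AUTH have both succeeded.
IKE_SA_UP = re.compile(r"IKE_SA \S+ established between")


def classify_line(line: str) -> Optional[Finding]:
    """Map one log line to a Finding, or None if no article keyword appears."""
    for stage, keyword, causes, suggestions in RULES:
        if keyword in line:
            return Finding(stage, keyword, causes, suggestions)
    return None


def diagnose(log: str) -> List[Finding]:
    """Walk the log in order. A NO_PROPOSAL_CHOSEN seen after the IKE_SA is
    established was returned for the CHILD_SA proposal, so it points at the
    IPsec algorithms, not the IKE algorithms."""
    findings: List[Finding] = []
    ike_established = False
    for line in log.splitlines():
        if IKE_SA_UP.search(line):
            ike_established = True
            continue
        f = classify_line(line)
        if f is None:
            continue
        if f.keyword == "NO_PROPOSAL_CHOSEN" and ike_established:
            f = Finding("child_sa", f.keyword,
                        ("IPsec algorithm mismatched (IKE_SA itself is up)",),
                        ("Verify IPsec encryption/authentication/DH group on both sides",))
        findings.append(f)
    return findings


def stages(log: str) -> List[str]:
    """Distinct failure stages in the order they appear in the log."""
    seen: List[str] = []
    for f in diagnose(log):
        if f.stage not in seen:
            seen.append(f.stage)
    return seen


# Constructed sample logs (not captured from a real gateway).
SAMPLE_UNREACHABLE = """\
Jan 10 10:00:01 gw charon: 05[IKE] initiating IKE_SA s2c-site1[1] to 203.0.113.10
Jan 10 10:00:31 gw charon: 05[IKE] establishing IKE_SA failed, peer not responding
"""
SAMPLE_PSK_MISMATCH = """\
Jan 10 10:02:01 gw charon: 06[IKE] initiating IKE_SA s2c-site1[2] to 203.0.113.10
Jan 10 10:02:01 gw charon: 06[IKE] received AUTHENTICATION_FAILED notify error
"""
SAMPLE_IPSEC_MISMATCH = """\
Jan 10 10:05:01 gw charon: 07[IKE] initiating IKE_SA s2c-site1[3] to 203.0.113.10
Jan 10 10:05:01 gw charon: 07[IKE] IKE_SA s2c-site1[3] established between 198.51.100.5[198.51.100.5]...203.0.113.10[203.0.113.10]
Jan 10 10:05:01 gw charon: 07[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Jan 10 10:05:01 gw charon: 07[IKE] failed to establish CHILD_SA, keeping IKE_SA
"""

if __name__ == "__main__":
    for name, log in (("unreachable", SAMPLE_UNREACHABLE),
                      ("psk mismatch", SAMPLE_PSK_MISMATCH),
                      ("ipsec mismatch", SAMPLE_IPSEC_MISMATCH)):
        print(name, "->", stages(log))
        for f in diagnose(log):
            print("   ", f.keyword, "|", "; ".join(f.causes))
```

Paste the "Show logs" output into a file and feed it to diagnose() to get the stage that failed first; that stage tells you which of the sections above to work through. The ordering check matters in practice: the third sample contains NO_PROPOSAL_CHOSEN, but because the IKE_SA was already established it is reported as an IPsec algorithm problem rather than an IKE one.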