How do I troubleshoot IKEv2 tunnel stability issues during a rekey?


I created an AWS Virtual Private Network (AWS VPN) connection using IKEv2. The VPN tunnels were up and working, but they went down during a rekey and aren't coming back up. How do I troubleshoot this?

Resolution

To troubleshoot IKEv2 tunnel stability issues during a rekey:

  • Confirm that "Perfect Forward Secrecy (PFS)" is activated on the customer gateway for the Phase 2 configuration.
  • If your customer gateway is configured as a policy-based VPN, then determine whether you must reconfigure your VPN connection to use specific traffic selectors. By default, AWS VPN endpoints are configured as route-based VPNs, and AWS initiates a child security association (SA) rekey using 0.0.0.0/0, 0.0.0.0/0 as the traffic selectors. Some customer gateway devices don't accept the Phase 2 rekey initiated by AWS because the traffic selectors on the AWS VPN endpoints don't match the traffic selectors configured on the customer gateway device. In this case, you can configure your AWS VPN connection to use specific traffic selectors that match the customer gateway's configuration.

To configure a new VPN connection to use specific traffic selectors:

1. For Local IPv4 Network CIDR, specify the on-premises (customer side) CIDR range.

2. For Remote IPv4 Network CIDR, specify the AWS side CIDR range.

To configure an existing VPN connection to use specific traffic selectors:

1. Select the AWS VPN connection where you must modify the traffic selectors on the AWS side.

2. Choose Actions, then choose Modify VPN Connection Options from the dropdown list.

3. For Local IPv4 Network CIDR, specify the on-premises (customer side) CIDR range.

4. For Remote IPv4 Network CIDR, specify the AWS side CIDR range.

5. Choose Save.
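The same change made from the command line, as an added example that is not part of the AWS article: a small POSIX shell script that validates the two CIDR ranges and builds the `aws ec2 modify-vpn-connection-options` call for an existing connection, plus a `describe-vpn-connections` query to read the selectors back. The VPN connection ID and CIDR values are constructed placeholders, and the printed commands assume a credentialed AWS CLI when you pipe them to a shell.

```shell
#!/bin/sh
# Added example (not from the AWS article): set narrow IPv4 traffic selectors
# on an existing Site-to-Site VPN connection from the CLI, so the child SA
# rekey that AWS initiates carries selectors a policy-based customer gateway
# will accept. Assumes a credentialed AWS CLI; the IDs and CIDRs used here
# are constructed placeholders.

# Return 0 if $1 is a dotted-quad IPv4 prefix with a /0..32 length, else 1.
# A mistyped selector only shows up at the next rekey, so validate first.
valid_cidr() {
    vc_cidr=$1
    case "$vc_cidr" in
        */*) ;;
        *) return 1 ;;
    esac
    vc_ip=${vc_cidr%/*}
    vc_len=${vc_cidr#*/}
    case "$vc_len" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$vc_len" -le 32 ] || return 1
    # split the address on "." into the function's positional parameters
    vc_ifs=$IFS
    IFS=.
    set -f
    set -- $vc_ip
    set +f
    IFS=$vc_ifs
    [ $# -eq 4 ] || return 1
    for vc_oct in "$@"; do
        case "$vc_oct" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$vc_oct" -le 255 ] || return 1
    done
    return 0
}

# Print the command that applies the selectors: local = on-premises CIDR,
# remote = AWS-side CIDR (the same two fields as the console's Modify VPN
# Connection Options dialog). The connection is briefly unavailable while
# the update is applied.
modify_selectors_cmd() {
    ms_vpn=$1
    ms_local=$2
    ms_remote=$3
    valid_cidr "$ms_local" || { echo "invalid local CIDR: $ms_local" >&2; return 1; }
    valid_cidr "$ms_remote" || { echo "invalid remote CIDR: $ms_remote" >&2; return 1; }
    printf 'aws ec2 modify-vpn-connection-options --vpn-connection-id %s --local-ipv4-network-cidr %s --remote-ipv4-network-cidr %s\n' \
        "$ms_vpn" "$ms_local" "$ms_remote"
}

# Print the command that reads the selectors back after the update.
show_selectors_cmd() {
    printf "aws ec2 describe-vpn-connections --vpn-connection-ids %s --query 'VpnConnections[0].Options.[LocalIpv4NetworkCidr,RemoteIpv4NetworkCidr]'\n" "$1"
}

# Stand-alone use (placeholder values):
#   VPN_ID=vpn-0123456789abcdef0 LOCAL_CIDR=192.168.10.0/24 \
#   REMOTE_CIDR=10.20.0.0/16 sh vpn_selectors.sh | sh
if [ -n "${VPN_ID:-}" ]; then
    modify_selectors_cmd "$VPN_ID" "${LOCAL_CIDR:-}" "${REMOTE_CIDR:-}" || exit 1
    show_selectors_cmd "$VPN_ID"
fi
```

Run it with the three environment variables set and review the printed commands before piping them to a shell; the local CIDR must be the on-premises range and the remote CIDR the AWS-side range, matching the selectors configured on the customer gateway, or the next Phase 2 rekey will fail the same way.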

Note: The VPN connection is temporarily unavailable for a brief period while the VPN connection is updated.

Important: When you modify the VPN connection options, neither of the following change:

  • VPN endpoint IP addresses on the AWS side
  • Tunnel options

AWS OFFICIAL, updated 2 years ago