
Configuring Site-To-Site VPN Tunnel to Amazon AWS (VPC)

I'm using a SonicWall to create a Site-to-Site VPN tunnel to Amazon AWS.

LOCAL SIDE: 192.168.99.0/24
REMOTE (AMAZON) SIDE: 192.168.200/24

I created the VPC and everything on Amazon, but when I plug in the information (supplied by Amazon), I constantly get the following in the logs and the VPN tunnel isn't built.

By looking at the logs, would you be able to tell what I have configured wrong in the VPN Section on the SonicWall?

1 04/03/2015 09:45:14.816 Error VPN IKE Payload processing failed AMAZON_IP, 500 MY_IP, 500 Payload Type: SA
2 04/03/2015 09:45:14.816 Warning VPN IKE IKE Responder: IKE proposal does not match (Phase 1) AMAZON_IP, 500 MY_IP, 500 VPN Policy:
3 04/03/2015 09:45:14.816 Warning VPN IKE IKE Responder: Proposed IKE ID mismatch AMAZON_IP, 500 MY_IP, 500 VPN policy does not exist for peer IP address: 54.239.50.133
4 04/03/2015 09:45:14.816 Info VPN IKE IKE Responder: Received Main Mode request (Phase 1) AMAZON_IP, 500 MY_IP, 500
5 04/03/2015 09:35:32.864 Error VPN IKE Payload processing failed AMAZON_IP, 500 MY_IP, 500 Payload Type: SA



Aaron Tomosky, Director, SD-WAN Solutions

Commented:
First of all, the IPSec primary gateway is the remote Amazon IP address.

Fix that and see what happens.

Author

Commented:
DUH! Oh I can't believe I didn't see that :)

Here are the logs after I made that change:

1 04/04/2015 09:42:05.848 Warning VPN IKE Received notify. NO_PROPOSAL_CHOSEN AMAZON_IP, 500 MY_IP, 500
2 04/04/2015 09:42:05.048 Info VPN IKE IKE Initiator: Start Quick Mode (Phase 2). MY_IP, 500 AMAZON_IP, 500 VPN Policy: AmazonAWS
3 04/04/2015 09:41:32.864 Warning VPN IKE Received notify. NO_PROPOSAL_CHOSEN AMAZON_IP, 500 MY_IP, 500
4 04/04/2015 09:41:32.048 Info VPN IKE IKE Initiator: Start Quick Mode (Phase 2). MY_IP, 500 AMAZON_IP, 500 VPN Policy: AmazonAWS
5 04/04/2015 09:41:15.192 Warning VPN IKE Received notify. NO_PROPOSAL_CHOSEN AMAZON_IP, 500 MY_IP, 500
6 04/04/2015 09:41:14.384 Info VPN IKE IKE Initiator: Start Quick Mode (Phase 2). MY_IP, 500 AMAZON_IP, 500 VPN Policy: AmazonAWS
7 04/04/2015 09:41:14.384 Info VPN IKE IKE Initiator: Main Mode complete (Phase 1) MY_IP, 500 AMAZON_IP, 500 VPN Policy: AmazonAWS; AES-128; SHA1; DH Group 2; lifetime=28800 secs
8 04/04/2015 09:41:11.832 Info VPN IKE IKE Initiator: Start Main Mode negotiation (Phase 1) MY_IP, 500 AMAZON_IP, 500 VPN Policy: AmazonAWS

Author

Commented:
I think it has to do with a discrepancy between what's configured and what's on Amazon's side...see attachment

Aaron Tomosky, Director, SD-WAN Solutions
Commented:
The Amazon info says to check the PFS box and select group 2

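As an added example (not code from the thread or from SonicWall), here is a small Python triage of the IKE log lines quoted above. It replays the negotiation in time order, so the same NO_PROPOSAL_CHOSEN notify is attributed to Phase 2 only once Main Mode has completed, which is what points at the PFS setting rather than the Phase 1 proposal. The log excerpts are constructed from the posts with the peer IP replaced by AMAZON_IP.

```python
import re
from datetime import datetime

# Constructed samples: the two SonicWall log excerpts quoted in this thread,
# with the line numbers, the peer IP and trailing whitespace trimmed.
LOG_BEFORE_FIX = """\
04/03/2015 09:45:14.816 Warning VPN IKE IKE Responder: IKE proposal does not match (Phase 1) AMAZON_IP, 500 MY_IP, 500 VPN Policy:
04/03/2015 09:45:14.816 Warning VPN IKE IKE Responder: Proposed IKE ID mismatch AMAZON_IP, 500 MY_IP, 500 VPN policy does not exist for peer IP address: AMAZON_IP
04/03/2015 09:45:14.816 Info VPN IKE IKE Responder: Received Main Mode request (Phase 1) AMAZON_IP, 500 MY_IP, 500
"""
LOG_AFTER_FIX = """\
04/04/2015 09:41:15.192 Warning VPN IKE Received notify. NO_PROPOSAL_CHOSEN AMAZON_IP, 500 MY_IP, 500
04/04/2015 09:41:14.384 Info VPN IKE IKE Initiator: Start Quick Mode (Phase 2). MY_IP, 500 AMAZON_IP, 500 VPN Policy: AmazonAWS
04/04/2015 09:41:14.384 Info VPN IKE IKE Initiator: Main Mode complete (Phase 1) MY_IP, 500 AMAZON_IP, 500 VPN Policy: AmazonAWS; AES-128; SHA1; DH Group 2; lifetime=28800 secs
04/04/2015 09:41:11.832 Info VPN IKE IKE Initiator: Start Main Mode negotiation (Phase 1) MY_IP, 500 AMAZON_IP, 500 VPN Policy: AmazonAWS
"""

# timestamp, severity, then everything after "VPN IKE" as the IKE message
LINE_RE = re.compile(r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d{3}) (\w+) VPN IKE (.*)$")

def parse(log_text):
    # SonicWall lists newest first; the state walk in triage() needs oldest first
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S.%f")
            entries.append((ts, m.group(2), m.group(3)))
    return sorted(entries)

def triage(log_text):
    """Replay the negotiation; report the furthest stage reached and what each failure points at."""
    stage, findings = "idle", set()
    for _, _, msg in parse(log_text):
        if "VPN policy does not exist for peer IP address" in msg:
            findings.add("no policy for this peer: set the IPsec primary gateway to the Amazon tunnel outside address")
        elif "IKE proposal does not match (Phase 1)" in msg:
            stage = "phase1"
            findings.add("Phase 1 proposal mismatch: compare encryption, hash, DH group and lifetime with the AWS-supplied values")
        elif "Main Mode complete (Phase 1)" in msg:
            stage = "phase1-complete"
        elif "Start Quick Mode (Phase 2)" in msg:
            stage = "phase2"
        elif "NO_PROPOSAL_CHOSEN" in msg:
            # The same notify means different things before and after Phase 1 completes
            if stage == "phase2":
                findings.add("peer rejected the Phase 2 proposal: check the ESP transform and enable PFS with DH group 2 as AWS requires")
            else:
                findings.add("peer rejected the Phase 1 proposal")
    return {"stage": stage, "findings": sorted(findings)}
```
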
Author

Commented:
Aaron - since you've been so helpful on the above question, can I ask you another one? With every tunnel there is a primary and a secondary. When I create the first one (mentioned above), I don't see a way of entering the secondary tunnel (well, I do see a secondary gateway on the SonicWall). Amazon provides a shared key for the 1st tunnel as well as the 2nd tunnel. Where in the SonicWall do I enter the secondary gateway as well as the shared key? If I create a second VPN Policy utilizing the same network group pointing to the Amazon LAN, it states that the two IPs overlap. Any thoughts? Ideas?
Aaron Tomosky, Director, SD-WAN Solutions

Commented:
I don't bother with secondary gateways usually, as if the remote router goes down I have bigger problems ;)

I don't see a way to enter a different shared secret for the secondary gateway, so you would have to make a fully separate tunnel as a tunnel interface, so no networks. It's called a "policy based VPN" as opposed to a route based VPN. I don't think it's worth the trouble in your situation.