Joshua Dumas asked:
Configuring Site-To-Site VPN Tunnel to Amazon AWS (VPC)

I'm using a SonicWall to create a Site-to-Site VPN tunnel to Amazon AWS.

LOCAL SIDE: 192.168.99.0/24
REMOTE (AMAZON) SIDE: 192.168.200/24

I created the VPC and everything on Amazon, but when I plug in the information (supplied by Amazon), I constantly get the following in the logs and the VPN tunnel isn't built.

By looking at the logs, would you be able to tell what I have configured wrong in the VPN Section on the SonicWall?

1 04/03/2015 09:45:14.816 Error VPN IKE Payload processing failed AMAZON_IP, 500 MY_IP, 500 Payload Type: SA
2 04/03/2015 09:45:14.816 Warning VPN IKE IKE Responder: IKE proposal does not match (Phase 1) AMAZON_IP, 500 MY_IP, 500 VPN Policy:
3 04/03/2015 09:45:14.816 Warning VPN IKE IKE Responder: Proposed IKE ID mismatch AMAZON_IP, 500 MY_IP, 500 VPN policy does not exist for peer IP address: 54.239.50.133
4 04/03/2015 09:45:14.816 Info VPN IKE IKE Responder: Received Main Mode request (Phase 1) AMAZON_IP, 500 MY_IP, 500
5 04/03/2015 09:35:32.864 Error VPN IKE Payload processing failed AMAZON_IP, 500 MY_IP, 500 Payload Type: SA

[attached screenshots]

Aaron Tomosky replied:

First of all, the IPSec primary gateway is the remote Amazon IP address.

Fix that and see what happens
Joshua Dumas (asker) replied:
DUH! Oh I can't believe I didn't see that :)

Here are the logs after I made that change:

1 04/04/2015 09:42:05.848 Warning VPN IKE Received notify. NO_PROPOSAL_CHOSEN AMAZON_IP, 500 MY_IP, 500
2 04/04/2015 09:42:05.048 Info VPN IKE IKE Initiator: Start Quick Mode (Phase 2). MY_IP, 500 AMAZON_IP, 500 VPN Policy: AmazonAWS
3 04/04/2015 09:41:32.864 Warning VPN IKE Received notify. NO_PROPOSAL_CHOSEN AMAZON_IP, 500 MY_IP, 500
4 04/04/2015 09:41:32.048 Info VPN IKE IKE Initiator: Start Quick Mode (Phase 2). MY_IP, 500 AMAZON_IP, 500 VPN Policy: AmazonAWS
5 04/04/2015 09:41:15.192 Warning VPN IKE Received notify. NO_PROPOSAL_CHOSEN AMAZON_IP, 500 MY_IP, 500
6 04/04/2015 09:41:14.384 Info VPN IKE IKE Initiator: Start Quick Mode (Phase 2). MY_IP, 500 AMAZON_IP, 500 VPN Policy: AmazonAWS
7 04/04/2015 09:41:14.384 Info VPN IKE IKE Initiator: Main Mode complete (Phase 1) MY_IP, 500 AMAZON_IP, 500 VPN Policy: AmazonAWS;AES-128; SHA1; DH Group 2; lifetime=28800 secs
8 04/04/2015 09:41:11.832 Info VPN IKE IKE Initiator: Start Main Mode negotiation (Phase 1) MY_IP, 500 AMAZON_IP, 500 VPN Policy: AmazonAWS

I think it has to do with a discrepancy between what's configured and what's on Amazon's side... see attachment.

[attached screenshots]
ASKER CERTIFIED SOLUTION
Aaron Tomosky
This solution is only available to members.

Joshua Dumas (asker) replied:
Aaron - since you've been so helpful on the above question, can I ask you another one? With every tunnel there is a primary and a secondary. When I create the first one (mentioned above), I don't see a way of entering the secondary tunnel (well, I do see a secondary gateway on the SonicWall). Amazon provides a shared key for the 1st tunnel as well as the 2nd tunnel. Where in the SonicWall do I enter the secondary gateway as well as the shared key? If I create a second VPN Policy utilizing the same network group pointing to the Amazon LAN, it states that the two IPs overlap. Any thoughts? Ideas?

Aaron Tomosky replied:
I don't bother with secondary gateways usually, as if the remote router goes down I have bigger problems ;)

I don't see a way to enter a different shared secret for the secondary gateway, so you would have to make a fully separate tunnel as a tunnel interface, so no networks. It's called a "policy based VPN" as opposed to a route based VPN. I don't think it's worth the trouble in your situation.