Configuring Site-To-Site VPN Tunnel to Amazon AWS (VPC)

I'm using a SonicWall to create a Site-to-Site VPN tunnel to Amazon AWS.

LOCAL SIDE: 192.168.99.0/24
REMOTE (AMAZON) SIDE: 192.168.200/24

I created the VPC and everything on Amazon, but when I plug in the information (supplied by Amazon), I'm constantly getting the following in the logs and the VPN tunnel isn't built.

By looking at the logs, would you be able to tell what I have configured wrong in the VPN Section on the SonicWall?

1 04/03/2015 09:45:14.816 Error VPN IKE Payload processing failed AMAZON_IP, 500 MY_IP, 500 Payload Type: SA
2 04/03/2015 09:45:14.816 Warning VPN IKE IKE Responder: IKE proposal does not match (Phase 1) AMAZON_IP, 500 MY_IP, 500 VPN Policy:
3 04/03/2015 09:45:14.816 Warning VPN IKE IKE Responder: Proposed IKE ID mismatch AMAZON_IP, 500 MY_IP, 500 VPN policy does not exist for peer IP address: 54.239.50.133
4 04/03/2015 09:45:14.816 Info VPN IKE IKE Responder: Received Main Mode request (Phase 1) AMAZON_IP, 500 MY_IP, 500
5 04/03/2015 09:35:32.864 Error VPN IKE Payload processing failed AMAZON_IP, 500 MY_IP, 500 Payload Type: SA


Attachments: 2015-04-03-9-53-01.jpg, 2015-04-03-9-57-15.jpg

Joshua Dumas asked:

Aaron Tomosky (SD-WAN Simplified) commented:
First of all, the IPSec primary gateway is the remote Amazon IP address.

Fix that and see what happens
0
Joshua Dumas (Author) commented:
DUH! Oh I can't believe I didn't see that :)

Here are the logs after I made that change:

1 04/04/2015 09:42:05.848 Warning VPN IKE Received notify. NO_PROPOSAL_CHOSEN AMAZON_IP, 500 MY_IP, 500
2 04/04/2015 09:42:05.048 Info VPN IKE IKE Initiator: Start Quick Mode (Phase 2). MY_IP, 500 AMAZON_IP, 500 VPN Policy: AmazonAWS
3 04/04/2015 09:41:32.864 Warning VPN IKE Received notify. NO_PROPOSAL_CHOSEN AMAZON_IP, 500 MY_IP, 500
4 04/04/2015 09:41:32.048 Info VPN IKE IKE Initiator: Start Quick Mode (Phase 2). MY_IP, 500 AMAZON_IP, 500 VPN Policy: AmazonAWS
5 04/04/2015 09:41:15.192 Warning VPN IKE Received notify. NO_PROPOSAL_CHOSEN AMAZON_IP, 500 MY_IP, 500
6 04/04/2015 09:41:14.384 Info VPN IKE IKE Initiator: Start Quick Mode (Phase 2). MY_IP, 500 AMAZON_IP, 500 VPN Policy: AmazonAWS
7 04/04/2015 09:41:14.384 Info VPN IKE IKE Initiator: Main Mode complete (Phase 1) MY_IP, 500 AMAZON_IP, 500 VPN Policy: AmazonAWS;AES-128; SHA1; DH Group 2; lifetime=28800 secs
8 04/04/2015 09:41:11.832 Info VPN IKE IKE Initiator: Start Main Mode negotiation (Phase 1) MY_IP, 500 AMAZON_IP, 500 VPN Policy: AmazonAWS
0
Joshua Dumas (Author) commented:
I think it has to do with a discrepancy between what's configured and what's on Amazon's side... see attachment

Attachments: 2015-04-04-9-52-10.jpg, 2015-04-04-9-51-42.jpg
0

Aaron Tomosky (SD-WAN Simplified) commented:
The Amazon info says to check the PFS box and select group 2
0
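As an added triage aid (my own script, not code from the thread or from SonicWall/AWS), the following classifies the SonicWall IKE log lines quoted above into the two failure modes this thread walks through: Phase 1 failing because no VPN policy matches the peer (the wrong primary gateway), and Phase 2 NO_PROPOSAL_CHOSEN after Phase 1 completes (the missing PFS / DH group 2 setting). The log lines are copied from the posts above; the rule table and diagnosis strings are assumptions of mine.

```python
import re
# Log lines copied from the posts above (SonicWall IKE log; the poster replaced
# the real peer addresses with AMAZON_IP / MY_IP). Only the message text matters.
BEFORE_FIX = [  # wrong primary gateway: Phase 1 never completes
    "04/03/2015 09:45:14.816 Warning VPN IKE IKE Responder: IKE proposal does not match (Phase 1) AMAZON_IP, 500 MY_IP, 500 VPN Policy:",
    "04/03/2015 09:45:14.816 Warning VPN IKE IKE Responder: Proposed IKE ID mismatch AMAZON_IP, 500 MY_IP, 500 VPN policy does not exist for peer IP address: 54.239.50.133",
    "04/03/2015 09:45:14.816 Info VPN IKE IKE Responder: Received Main Mode request (Phase 1) AMAZON_IP, 500 MY_IP, 500",
]
AFTER_FIX = [  # gateway corrected: Phase 1 completes, Phase 2 is rejected
    "04/04/2015 09:42:05.848 Warning VPN IKE Received notify. NO_PROPOSAL_CHOSEN AMAZON_IP, 500 MY_IP, 500",
    "04/04/2015 09:42:05.048 Info VPN IKE IKE Initiator: Start Quick Mode (Phase 2). MY_IP, 500 AMAZON_IP, 500 VPN Policy: AmazonAWS",
    "04/04/2015 09:41:14.384 Info VPN IKE IKE Initiator: Main Mode complete (Phase 1) MY_IP, 500 AMAZON_IP, 500 VPN Policy: AmazonAWS;AES-128; SHA1; DH Group 2; lifetime=28800 secs",
]

# (regex on the log message, IKE phase it belongs to, diagnosis). Assumed rule
# table; ordered so the first finding is the one to fix first.
RULES = [
    (r"VPN policy does not exist for peer IP address: (\S+)", 1,
     "phase1: no VPN policy matches peer {0}; set the IPSec primary gateway to the Amazon tunnel address"),
    (r"IKE proposal does not match \(Phase 1\)", 1,
     "phase1: proposal mismatch; compare encryption/hash/DH group/lifetime with the AWS-supplied config"),
    (r"NO_PROPOSAL_CHOSEN", 2,
     "phase2: peer rejected Quick Mode; enable PFS with DH group 2 and check the Phase 2 algorithms"),
]

def diagnose(lines):
    """Return diagnoses for a batch of log lines, most actionable first. Phase 2
    findings are reported only once Phase 1 completed; before that they are noise."""
    phase1_ok = any("Main Mode complete (Phase 1)" in line for line in lines)
    found = []
    for pattern, phase, msg in RULES:
        if phase == 2 and not phase1_ok:
            continue
        for line in lines:
            m = re.search(pattern, line)
            if m:
                found.append(msg.format(*m.groups()))
                break  # one finding per rule
    return found

def phase1_params(lines):
    """Extract the negotiated Phase 1 parameters from a 'Main Mode complete' line
    so they can be checked against the AWS-supplied values; None if Phase 1 never completed."""
    for line in lines:
        m = re.search(r"Main Mode complete \(Phase 1\).*VPN Policy: ([^;]+);(.*)$", line)
        if m:
            fields = [f.strip() for f in m.group(2).split(";")]
            return dict(zip(["encryption", "hash", "dh_group", "lifetime"], fields), policy=m.group(1))
    return None
```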

Joshua Dumas (Author) commented:
Aaron - since you've been so helpful on the above question, can I ask you another one? With every tunnel there is a primary and secondary. When I create the first one (mentioned above), I don't see a way of entering the secondary tunnel (well, I do see a secondary gateway on the SonicWall). Amazon provides a shared key for the 1st tunnel as well as the 2nd tunnel. Where in the SonicWall do I enter the secondary gateway as well as enter the shared key? If I create a second VPN Policy utilizing the same network group pointing to the Amazon LAN, it states that the two IPs overlap. Any thoughts? Ideas?
0
Aaron Tomosky (SD-WAN Simplified) commented:
I don't bother with secondary gateways usually, as if the remote router goes down I have bigger problems ;)

I don't see a way to enter a different shared secret for the secondary gateway, so you would have to make a fully separate tunnel as a tunnel interface, so no networks. It's called a "policy-based VPN" as opposed to a route-based VPN. I don't think it's worth the trouble in your situation.
1