Troubleshooting IPsec VPN Connection with IKEv2
This article describes how to troubleshoot IPsec VPN connection with IKEv2 on Aviatrix gateway.
Check External Connection (S2C) Connection Status
In CoPilot, go to Networking > Connectivity > External Connections (S2C). Check if there is a green or red dot next to the name of the external connection.
You can also check external connection status from Diagnostics > Cloud Routes > External Connections (look at the Status and Tunnel Status columns).
If the Tunnel Status is down, you can perform the following procedure.
Perform the Analysis Diagnostics Action
-
Go to Diagnostics > Diagnostic Tools > Connectivity Diagnostics.
-
Select the Gateway Instance and the related Connection.
-
Select Analysis in the Tools list and click Run. The screen will display analysis results.
Troubleshoot the keyword in the Diagnostics Action "Show logs"
-
Go to Diagnostics > Diagnostic Tools > Connectivity Diagnostics.
-
Select the Gateway Instance and the related Connection.
-
Select Logs in the Tools list.
-
(optional) Enable or disable verbose logging.
-
Click Run. The screen displays the related logs. You can copy the results to the clipboard.
Examples of IKEvs Negotiation Failure
Here are some examples of negotiation failure related troubleshooting hints:
| Keyword | Probable Causes | Suggestions |
|---|---|---|
Error: Failed to deliver message to gateway |
Aviatrix Controller cannot reach gateway |
|
Establishing IKE_SA failed, peer not responding |
Peer IP address is mismatched, or peer IP address is not reachable UDP port 500/4500 is not accessible |
Troubleshoot connectivity between the Aviatrix Gateway and the peer VPN router. |
NO_PROPOSAL_CHOSEN |
Peer IP address is mismatched, or peer IP address is not reachable IKE version is mismatched (one VPN gateway uses IKEv1 and another uses IKEv2) IKEv2 algorithm is mismatched IPsec algorithm is mismatched |
Troubleshoot connectivity between Aviatrix gateway and peer VPN router Verify that both VPN settings use the same IKEv2 version Verify that all IKEv2/IPsec algorithm parameters (i.e., Authentication/DH Groups/Encryption) match on both VPN configuration |
AUTHENTICATION_FAILED |
IKE version is mismatched (one VPN gateway uses IKEv1 and another uses IKEv2) Pre-shared key is mismatched Identifier configuration is mismatched |
Verify that both VPN settings use the same IKEv2 version Verify that pre-shared key match on both VPN configuration Verify that Identifiers match; by default, Aviatrix utilizes the gateway’s public IP as the Local Identifier. |
no shared key found |
IKE version is mismatched (one VPN gateway uses IKEv1 and another uses IKEv2) Identifier configuration is mismatched |
Verify that both VPN settings use the same IKEv2 version Verify that identifiers match; by default, Aviatrix utilizes the gateway’s public IP as the Local Identifier. |
failed to establish CHILD_SA, keeping IKE_SA |
IPsec algorithm is mismatched |
Verify that all IPsec algorithm parameters (i.e., Authentication/DH Groups/Encryption) match on both VPN configurations. |