Troubleshooting IPsec VPN Connection with IKEv2

This article describes how to troubleshoot an IPsec VPN connection that uses IKEv2 on an Aviatrix gateway.

Check External Connection (S2C) Status

In CoPilot, go to Networking > Connectivity > External Connections (S2C). Check if there is a green or red dot next to the name of the external connection.

You can also check external connection status from Diagnostics > Cloud Routes > External Connections (look at the Status and Tunnel Status columns).

If the Tunnel Status is down, perform the following procedures.

Perform the Analysis Diagnostics Action

  1. Go to Diagnostics > Diagnostic Tools > Connectivity Diagnostics.

  2. Select the Gateway Instance and the related Connection.

  3. Select Analysis in the Tools list and click Run. The screen will display analysis results.

Troubleshoot Keywords from the "Show Logs" Diagnostics Action

  1. Go to Diagnostics > Diagnostic Tools > Connectivity Diagnostics.

  2. Select the Gateway Instance and the related Connection.

  3. Select Logs in the Tools list.

  4. (optional) Enable or disable verbose logging.

  5. Click Run. The screen displays the related logs. You can copy the results to the clipboard.

Examples of IKEv2 Negotiation Failures

Here are some troubleshooting hints for common negotiation failures, keyed on the keyword that appears in the log output:

Keyword: Error: Failed to deliver message to gateway
  Probable causes:
    - The Aviatrix Controller cannot reach the gateway.

Keyword: Establishing IKE_SA failed, peer not responding
  Probable causes:
    - The peer IP address is mismatched, or the peer IP address is not reachable.
    - UDP port 500/4500 is not accessible.
  Suggestions:
    - Troubleshoot connectivity between the Aviatrix gateway and the peer VPN router.

Keyword: NO_PROPOSAL_CHOSEN
  Probable causes:
    - The peer IP address is mismatched, or the peer IP address is not reachable.
    - The IKE version is mismatched (one VPN gateway uses IKEv1 and the other uses IKEv2).
    - The IKEv2 algorithm is mismatched.
    - The IPsec algorithm is mismatched.
  Suggestions:
    - Troubleshoot connectivity between the Aviatrix gateway and the peer VPN router.
    - Verify that both VPN configurations use the same IKE version (IKEv2).
    - Verify that all IKEv2/IPsec algorithm parameters (Authentication, DH Group, Encryption) match in both VPN configurations.

Keyword: AUTHENTICATION_FAILED
  Probable causes:
    - The IKE version is mismatched (one VPN gateway uses IKEv1 and the other uses IKEv2).
    - The pre-shared key is mismatched.
    - The identifier configuration is mismatched.
  Suggestions:
    - Verify that both VPN configurations use the same IKE version (IKEv2).
    - Verify that the pre-shared key matches in both VPN configurations.
    - Verify that the identifiers match; by default, Aviatrix uses the gateway's public IP as the Local Identifier.

Keyword: no shared key found
  Probable causes:
    - The IKE version is mismatched (one VPN gateway uses IKEv1 and the other uses IKEv2).
    - The identifier configuration is mismatched.
  Suggestions:
    - Verify that both VPN configurations use the same IKE version (IKEv2).
    - Verify that the identifiers match; by default, Aviatrix uses the gateway's public IP as the Local Identifier.

Keyword: failed to establish CHILD_SA, keeping IKE_SA
  Probable causes:
    - The IPsec algorithm is mismatched.
  Suggestions:
    - Verify that all IPsec algorithm parameters (Authentication, DH Group, Encryption) match in both VPN configurations.
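As an added example (not Aviatrix code or documentation), the following Python helper runs the keyword table above over a copied "Show logs" excerpt and reports, in log order, which failure keywords appear with their probable causes. The log lines are constructed in the style of an IKEv2 daemon log, and the IKE_SA-established heuristic (narrowing NO_PROPOSAL_CHOSEN to the IPsec proposal once the IKE_SA is already up) is an assumption of this example, not a statement from the article.

```python
import re

# Keyword table from the article: (log keyword, probable causes, suggestions),
# ordered by the IKEv2 stage at which each failure occurs.
FAILURE_KEYWORDS = [
    ("Failed to deliver message to gateway",
     ["Aviatrix Controller cannot reach the gateway"], []),
    ("establishing IKE_SA failed, peer not responding",
     ["peer IP mismatched or unreachable", "UDP 500/4500 not accessible"],
     ["troubleshoot connectivity between the gateway and the peer VPN router"]),
    ("NO_PROPOSAL_CHOSEN",
     ["IKE version mismatch", "IKEv2 algorithm mismatch", "IPsec algorithm mismatch"],
     ["verify IKE version and IKEv2/IPsec algorithms match on both sides"]),
    ("AUTHENTICATION_FAILED",
     ["IKE version mismatch", "pre-shared key mismatch", "identifier mismatch"],
     ["verify PSK and identifiers match (Aviatrix default local ID: gateway public IP)"]),
    ("no shared key found",
     ["IKE version mismatch", "identifier mismatch"],
     ["verify identifiers match (Aviatrix default local ID: gateway public IP)"]),
    ("failed to establish CHILD_SA, keeping IKE_SA",
     ["IPsec algorithm mismatch"],
     ["verify IPsec Authentication/DH Group/Encryption match on both sides"]),
]

IKE_SA_UP = re.compile(r"IKE_SA .* established")  # assumed daemon wording


def triage_ike_log(log_text):
    """Return one finding dict per matched keyword, in the order seen in the log."""
    findings = []
    ike_sa_established = False
    for line in log_text.splitlines():
        if IKE_SA_UP.search(line):
            ike_sa_established = True  # IKE proposal and authentication already passed
        for keyword, causes, suggestions in FAILURE_KEYWORDS:
            if keyword.lower() in line.lower():
                causes = list(causes)
                # Heuristic (this example's assumption): with the IKE_SA up, a
                # NO_PROPOSAL_CHOSEN can only come from the CHILD_SA (IPsec) proposal.
                if keyword == "NO_PROPOSAL_CHOSEN" and ike_sa_established:
                    causes = ["IPsec algorithm mismatch"]
                findings.append({"line": line.strip(), "keyword": keyword,
                                 "causes": causes, "suggestions": suggestions})
                break
    return findings


# Constructed sample excerpt (documentation addresses, not a real log).
SAMPLE_LOG = """\
07[IKE] initiating IKE_SA site1[3] to 203.0.113.10
07[IKE] IKE_SA site1[3] established between 198.51.100.5[198.51.100.5]...203.0.113.10[203.0.113.10]
07[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
07[IKE] failed to establish CHILD_SA, keeping IKE_SA
"""

if __name__ == "__main__":
    for f in triage_ike_log(SAMPLE_LOG):
        print(f["keyword"], "->", "; ".join(f["causes"]))
```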