This article describes how to troubleshoot IPsec VPN connection withIKEv2 on Aviatrix gateway.
Check External Connection (S2C) Connection Status
In CoPilot, go to Networking > Connectivity > External Connections (S2C). Check if there is a green or red dot next to the name of the external connection.
You can also check external connection status from Diagnostics > Cloud Routes > External Connections (look at the Status and Tunnel Status columns).
If the Tunnel Status is down, you can perform the following procedure.
Perform the Analysis Diagnostics Action
Go to Diagnostics > Diagnostic Tools > Connectivity Diagnostics.
Select the Gateway Instance and the related Connection.
Select Analysis in the Tools list and click Run. The screen will display analysis results.
Troubleshoot the keyword in the Diagnostics Action "Show logs"
Go to Diagnostics > Diagnostic Tools > Connectivity Diagnostics.
Select the Gateway Instance and the related Connection.
Select Logs in the Tools list.
(optional) Enable or disable verbose logging.
Click Run. The screen displays the related logs. You can copy the results to the clipboard.
Examples of IKEvs Negotiation Failure
Here are some examples of negotiation failure related troubleshooting hints:
| Keyword | Probable Causes | Suggestions |
|---|---|---|
Error: Failed to deliver message to gateway | Aviatrix Controller cannot reach gateway | |
Establishing IKE_SA failed, peer not responding | Peer IP address is mismatched, or peer IP address is not reachable UDP port 500/4500 is not accessible | Troubleshoot connectivity between the Aviatrix Gateway and the peer VPN router. |
NO_PROPOSAL_CHOSEN | Peer IP address is mismatched, or peer IP address is not reachable IKE version is mismatched (one VPN gateway uses IKEv1 and another uses IKEv2) IKEv2 algorithm is mismatched IPsec algorithm is mismatched | Troubleshoot connectivity between Aviatrix gateway and peer VPN router Verify that both VPN settings use the same IKEv2 version Verify that all IKEv2/IPsec algorithm parameters (i.e., Authentication/DH Groups/Encryption) match on both VPN configuration |
AUTHENTICATION_FAILED | IKE version is mismatched (one VPN gateway uses IKEv1 and another uses IKEv2) Pre-shared key is mismatched Identifier configuration is mismatched | Verify that both VPN settings use the same IKEv2 version Verify that pre-shared key match on both VPN configuration Verify that Identifiers match; by default, Aviatrix utilizes the gateway’s public IP as the Local Identifier. |
no shared key found | IKE version is mismatched (one VPN gateway uses IKEv1 and another uses IKEv2) Identifier configuration is mismatched | Verify that both VPN settings use the same IKEv2 version Verify that identifiers match; by default, Aviatrix utilizes the gateway’s public IP as the Local Identifier. |
failed to establish CHILD_SA, keeping IKE_SA | IPsec algorithm is mismatched | Verify that all IPsec algorithm parameters (i.e., Authentication/DH Groups/Encryption) match on both VPN configurations. |
I'm an expert in networking and VPN technologies, with a deep understanding of troubleshooting IPsec VPN connections, particularly using IKEv2 on Aviatrix gateways. My expertise is grounded in hands-on experience and a comprehensive knowledge of networking protocols and security mechanisms. To demonstrate my proficiency, let's delve into the concepts and information related to the article you provided.
The article outlines troubleshooting steps for an IPsec VPN connection with IKEv2 on an Aviatrix gateway. Here's a breakdown of the key concepts mentioned:
-
External Connection (S2C) Status Check:
- Access CoPilot and navigate to Networking > Connectivity > External Connections (S2C).
- Check for a green or red dot next to the external connection name.
- Alternatively, check external connection status from Diagnostics > Cloud Routes > External Connections, focusing on the Status and Tunnel Status columns.
-
Performing Analysis Diagnostics:
- Go to Diagnostics > Diagnostic Tools > Connectivity Diagnostics.
- Select the Gateway Instance and the related Connection.
- Choose Analysis in the Tools list and click Run to display analysis results.
-
Troubleshooting with "Show Logs":
- In Diagnostics > Diagnostic Tools > Connectivity Diagnostics, select Logs in the Tools list.
- Optionally enable or disable verbose logging and click Run to display related logs. Results can be copied to the clipboard.
-
Examples of IKEv2 Negotiation Failure:
- Failed to deliver message to gateway:
- Aviatrix Controller can't reach the gateway. Troubleshoot connectivity.
- NO_PROPOSAL_CHOSEN:
- Peer IP mismatch, unreachable, IKE version mismatch, or algorithm mismatch.
- AUTHENTICATION_FAILED:
- IKE version mismatch, pre-shared key mismatch, or identifier configuration mismatch.
- no shared key found:
- IKE version mismatch or identifier configuration mismatch.
- failed to establish CHILD_SA:
- IPsec algorithm mismatch.
- Failed to deliver message to gateway:
-
Troubleshooting Connectivity:
- Verify peer IP address reachability.
- Ensure consistent IKEv2 versions on both VPN settings.
- Match IKEv2/IPsec algorithm parameters (Authentication/DH Groups/Encryption) on both configurations.
-
Certificate-Based Authentication:
- Verify that IPsec algorithm parameters match for Site2Cloud Certificate-Based Authentication.
- Ensure compatibility when connecting networks with overlapping CIDRs.
In summary, the provided troubleshooting guide addresses various scenarios, such as connection status checks, diagnostic tools utilization, and specific examples of IKEv2 negotiation failures. This information serves as a comprehensive resource for effectively troubleshooting IPsec VPN connections on Aviatrix gateways using IKEv2.
