Hi
I am trying to ensure that I match the Amazon Web Services config I have been given for a VPN, but I always get the "duplicate first packet" error and it never makes the IKE SA.
In looking further into the config, when I see the Configuration > Site-to-Site VPN > Advanced > IKE Policies page, I have priority 201, which is defined as:
aes-128 - sha - 2 - pre-share - 28800
BUT
When I edit the item, it always has encryption as des, and this item does not get chosen. I think that this may be why we are not able to build phase 1.
I have attached a picture for evidence of what I am seeing. This is non edited since opening the edit box for this policy.
Any suggestions on the phase 1 not forming would be handy too. AWS are strict in their config and have given me this. I am thinking I have followed it.
Configure the IKE SA as follows:
- Authentication Method : Pre-Shared Key
- Pre-Shared Key : AZxyiirs0IFXGIPwLG9l3ncDVkcz4rpc
- Authentication Algorithm : sha1
- Encryption Algorithm : aes-128-cbc
- Lifetime : 28800 seconds
- Phase 1 Negotiation Mode : main
- Perfect Forward Secrecy : Diffie-Hellman Group 2
#2: IPSec Configuration
Configure the IPSec SA as follows:
- Protocol : esp
- Authentication Algorithm : hmac-sha1-96
- Encryption Algorithm : aes-128-cbc
- Lifetime : 3600 seconds
- Mode : tunnel
- Perfect Forward Secrecy : Diffie-Hellman Group 2
IPSec Dead Peer Detection (DPD) will be enabled on the AWS Endpoint. We recommend configuring DPD on your endpoint as follows:
- DPD Interval : 10
- DPD Retries : 3
Thanks in advance
Anthony
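As an added example (not part of the original post and not AWS's or Cisco's own material), here are the AWS parameters above expressed as Cisco ASA 8.4+ CLI, on the assumption that the device is an ASA because the menu path quoted is ASDM's; the peer address, pre-shared key, ACL name and networks are placeholders, and `show run crypto ikev1` lets you compare what the CLI actually holds for policy 201 against what the ASDM edit dialog displays.

```cisco
! Added example: AWS-provided parameters as Cisco ASA 8.4+ CLI (assumption: device is an ASA).
! Placeholders: AWS_PEER_IP, PSK_PLACEHOLDER, AWS_CRYPTO_ACL, LOCAL_NET/LOCAL_MASK, REMOTE_NET/REMOTE_MASK.
crypto ikev1 enable outside
!
! Phase 1 (IKE SA): pre-share, sha1, aes-128-cbc, DH group 2, 28800 s.
! Priority 201 as on the ASDM page; "encryption aes" is AES-128-CBC on the ASA.
! Main mode is the ASA default for IKEv1 site-to-site tunnels keyed by peer address.
crypto ikev1 policy 201
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800
!
! Phase 2 (IPsec SA): esp, aes-128-cbc, hmac-sha1-96, tunnel mode (the default).
crypto ipsec ikev1 transform-set AWS-TS esp-aes esp-sha-hmac
!
! Traffic selector: local network to the VPC network (placeholder values).
access-list AWS_CRYPTO_ACL extended permit ip LOCAL_NET LOCAL_MASK REMOTE_NET REMOTE_MASK
!
! Crypto map entry: PFS group 2 and the 3600 s IPsec lifetime from the AWS sheet.
crypto map OUTSIDE_MAP 10 match address AWS_CRYPTO_ACL
crypto map OUTSIDE_MAP 10 set peer AWS_PEER_IP
crypto map OUTSIDE_MAP 10 set ikev1 transform-set AWS-TS
crypto map OUTSIDE_MAP 10 set pfs group2
crypto map OUTSIDE_MAP 10 set security-association lifetime seconds 3600
crypto map OUTSIDE_MAP interface outside
!
! Peer definition with the pre-shared key and DPD (10 s interval, 3 retries).
tunnel-group AWS_PEER_IP type ipsec-l2l
tunnel-group AWS_PEER_IP ipsec-attributes
 ikev1 pre-shared-key PSK_PLACEHOLDER
 isakmp keepalive threshold 10 retry 3
!
! Checks: confirm the running config for policy 201, then watch the phase 1 exchange.
! show run crypto ikev1
! show crypto ikev1 sa
! debug crypto ikev1 127
```

The ASA offers the peer what the running configuration holds, so if `show run crypto ikev1` lists `encryption aes` under policy 201 while the ASDM edit dialog shows DES, compare the running config rather than the dialog against the AWS sheet.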