I am trying to set up a site-to-site VPN connection between AWS and Cisco ASA, but the tunnel status is shown as "Down," and under the details section, the message is "IPSEC IS DOWN." Please find below the tunnel logs:
AWS tunnel is the IKE_SA initiator
AWS tunnel is sending request (id=0) for IKE_SA_INIT exchange
sending packet: from <tunnel ip> [UDP 500] to <CGW> [UDP 500] (304 bytes)
received packet: from <CGW> [UDP 500] to <tunnel ip> [UDP 500] (499 bytes)
AWS tunnel processed response (id=0) for IKE_SA_INIT exchange
AWS tunnel has selected proposals for Phase 1 SA
AWS tunnel detected NAT-T as enabled on local host and is sending keep-alive(s)
AWS tunnel detected NAT-T behind CGW / remote host
AWS tunnel is establishing Phase 2 CHILD_SA for CGW
AWS tunnel is sending request (id=1) for IKE_AUTH exchange
sending packet: from <tunnel ip> [UDP 4500] to <CGW> [UDP 4500] (256 bytes)
received packet: from <CGW> [UDP 4500] to <tunnel ip> [UDP 4500] (160 bytes)
AWS tunnel processed response (id=1) for IKE_AUTH exchange
AWS tunnel has successfully authenticated pre-shared key
sending packet: from <tunnel ip> [UDP 4500] to <CGW> [UDP 4500] (80 bytes)
The same logs keep repeating.
The AWS support team has informed us that identity checks are failing, but we are unsure how to verify this. The client has suggested enabling "ipsecovernatt". How can we proceed with this? Additionally, we would like to know what change we should make on the AWS side so that the "nat_t_detected" value shows as true in the tunnel logs.
These are the logs from the Cisco ASA side:
show vpn-sessiondb l2l
Index : 16777 IP Addr : ****
Protocol : IKEv2
Encryption : IKEv2: (1)AES256 Hashing : IKEv2: (1)SHA256
Bytes Tx : 0 Bytes Rx : 0
Login Time : 14:25:01 Tue Jun 27 2023
Duration : 0h:00m:19s
The client is saying that IPsecOverNatT is not enabled at the AWS end, which is why the IPsec tunnels are not coming up.