Both VPN Tunnels for an AWS Site-to-Site VPN Connection Should Be Up

Overview

This check verifies that both IPsec tunnels in your AWS Site-to-Site VPN connection are active. Each VPN connection includes two tunnels for redundancy: if one tunnel fails, traffic can fail over to the other, provided your customer gateway device is configured for both. Having both tunnels up ensures your hybrid connectivity remains available during AWS tunnel maintenance or outages.

Risk

When one or both VPN tunnels are down:

  • Loss of redundancy: If only one tunnel is active and it fails, your entire VPN connection goes offline
  • Connectivity disruption: Critical workloads that depend on the VPN connection may become unreachable
  • No automatic failover: Without both tunnels operational, AWS cannot automatically reroute traffic during issues
  • Potential data exposure: Connection interruptions may force users to find alternative (potentially less secure) routes

Remediation Steps

Prerequisites

You need:

  • Access to the AWS Console with permissions to view and modify VPN connections
  • Access to your customer gateway device (on-premises VPN router/firewall)
  • Configuration credentials for your customer gateway device

Required IAM permissions

Your IAM user or role needs these permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVpnConnections",
        "ec2:ModifyVpnTunnelOptions",
        "ec2:GetVpnConnectionDeviceTypes",
        "ec2:GetVpnConnectionDeviceSampleConfiguration"
      ],
      "Resource": "*"
    }
  ]
}

AWS Console Method

  1. Sign in to the AWS Console and go to VPC
  2. In the left navigation, click Site-to-Site VPN connections
  3. Select the VPN connection with tunnel issues
  4. Check the Tunnel details tab to see the status of each tunnel:
    • UP means the tunnel is working
    • DOWN means the tunnel needs attention
  5. For any tunnel showing DOWN:
    • Click Download configuration and select your customer gateway device type
    • Use the downloaded configuration to set up or correct the tunnel on your on-premises device
  6. On your customer gateway device, verify:
    • The pre-shared key matches for each tunnel
    • The tunnel IP addresses are correctly configured
    • IPsec and IKE settings match the AWS configuration
  7. Wait a few minutes, then refresh the console to confirm both tunnels show UP

Common Causes of Down Tunnels

| Symptom | Likely cause | Solution |
| --- | --- | --- |
| Tunnel never comes up | Incorrect pre-shared key | Re-download config and verify key on customer gateway |
| Tunnel drops intermittently | Dead Peer Detection (DPD) timeout | Increase DPD timeout or enable keepalives |
| Phase 1 fails | IKE version or encryption mismatch | Verify IKE settings match between AWS and customer gateway |
| Phase 2 fails | IPsec encryption/integrity mismatch | Verify IPsec settings match on both sides |

AWS CLI (optional)

Check VPN tunnel status:

aws ec2 describe-vpn-connections \
--region us-east-1 \
--vpn-connection-ids vpn-1234567890abcdef0 \
--query 'VpnConnections[*].{ID:VpnConnectionId,Tunnels:VgwTelemetry[*].{OutsideIP:OutsideIpAddress,Status:Status,StatusMessage:StatusMessage}}' \
--output table

List all VPN connections with tunnel status:

aws ec2 describe-vpn-connections \
--region us-east-1 \
--query 'VpnConnections[*].{VpnId:VpnConnectionId,State:State,Tunnel1:VgwTelemetry[0].Status,Tunnel2:VgwTelemetry[1].Status}' \
--output table
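The check logic behind these queries, as an added example that is not part of the original page: it evaluates the same VgwTelemetry fields the describe-vpn-connections calls above return, run here over a constructed response so it works offline. A connection fails when it is not in the available state, reports fewer than two tunnels, or has any tunnel whose Status is not UP; the StatusMessage is carried into the finding because it usually names the failing phase. The fetch_vpn_connections helper is the only part that talks to AWS and is not called on import.

```python
"""Evaluate AWS Site-to-Site VPN tunnel health from DescribeVpnConnections output.

Added example, not code from the original page. SAMPLE_RESPONSE is a constructed
response in the shape of `aws ec2 describe-vpn-connections`; the VPN IDs, IPs and
status messages in it are sample values.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Finding:
    vpn_id: str
    status: str                      # "PASS" or "FAIL"
    reason: str
    down_tunnels: list = field(default_factory=list)   # outside IPs of tunnels not UP


def evaluate_connection(conn: dict) -> Finding:
    """Apply the check to a single VpnConnections[] entry."""
    vpn_id = conn["VpnConnectionId"]
    state = conn.get("State")
    # A connection that is pending, deleting or deleted cannot have two healthy tunnels.
    if state != "available":
        return Finding(vpn_id, "FAIL", f"connection state is {state!r}, not 'available'")
    telemetry = conn.get("VgwTelemetry", [])
    # Every Site-to-Site VPN connection has two tunnels; anything less is missing data.
    if len(telemetry) < 2:
        return Finding(vpn_id, "FAIL", f"only {len(telemetry)} tunnel(s) reported; expected 2")
    down = [t for t in telemetry if t.get("Status") != "UP"]
    if down:
        detail = "; ".join(
            f"{t.get('OutsideIpAddress')} is {t.get('Status')} "
            f"({t.get('StatusMessage') or 'no status message'})"
            for t in down
        )
        return Finding(vpn_id, "FAIL", detail, [t.get("OutsideIpAddress") for t in down])
    return Finding(vpn_id, "PASS", "both tunnels are UP")


def evaluate_response(response: dict) -> list[Finding]:
    """Apply the check to a whole DescribeVpnConnections response."""
    return [evaluate_connection(c) for c in response.get("VpnConnections", [])]


def fetch_vpn_connections(region: str = "us-east-1") -> dict:
    """Live lookup; boto3 is imported lazily so the rest of the module runs without it."""
    import boto3
    return boto3.client("ec2", region_name=region).describe_vpn_connections()


# Constructed sample: one healthy connection and one with tunnel 2 down.
SAMPLE_RESPONSE = {
    "VpnConnections": [
        {
            "VpnConnectionId": "vpn-1234567890abcdef0",
            "State": "available",
            "VgwTelemetry": [
                {"OutsideIpAddress": "203.0.113.1", "Status": "UP", "StatusMessage": ""},
                {"OutsideIpAddress": "203.0.113.2", "Status": "UP", "StatusMessage": ""},
            ],
        },
        {
            "VpnConnectionId": "vpn-0fedcba0987654321",
            "State": "available",
            "VgwTelemetry": [
                {"OutsideIpAddress": "198.51.100.1", "Status": "UP", "StatusMessage": ""},
                {"OutsideIpAddress": "198.51.100.2", "Status": "DOWN", "StatusMessage": "IPSEC IS DOWN"},
            ],
        },
    ]
}

if __name__ == "__main__":
    for f in evaluate_response(SAMPLE_RESPONSE):
        print(f"{f.vpn_id}: {f.status} - {f.reason}")
```

To run it against a real account, replace SAMPLE_RESPONSE with fetch_vpn_connections(region); the evaluation code is unchanged because it only reads the fields the API returns.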

Download sample configuration for your device:

First, list available device types:

aws ec2 get-vpn-connection-device-types \
--region us-east-1 \
--query 'VpnConnectionDeviceTypes[*].{Vendor:Vendor,Platform:Platform,Software:Software,DeviceTypeId:VpnConnectionDeviceTypeId}' \
--output table

Then download the configuration:

aws ec2 get-vpn-connection-device-sample-configuration \
--region us-east-1 \
--vpn-connection-id vpn-1234567890abcdef0 \
--vpn-connection-device-type-id <device-type-id> \
--output text > vpn-config.txt

Modify tunnel options (if needed):

aws ec2 modify-vpn-tunnel-options \
--region us-east-1 \
--vpn-connection-id vpn-1234567890abcdef0 \
--vpn-tunnel-outside-ip-address <tunnel-outside-ip> \
--tunnel-options "{\"DPDTimeoutSeconds\": 30, \"DPDTimeoutAction\": \"restart\"}"

Replace:

  • vpn-1234567890abcdef0 with your VPN connection ID
  • <device-type-id> with the ID from the device types list
  • <tunnel-outside-ip> with the tunnel's outside IP address

CloudFormation (optional)

CloudFormation can create VPN connections with specific tunnel options, but it cannot force tunnels to come up -- that requires proper configuration on your customer gateway device.

Here is an example of a VPN connection with recommended tunnel options:

AWSTemplateFormatVersion: '2010-09-09'
Description: Site-to-Site VPN connection with optimized tunnel options

Parameters:
  CustomerGatewayId:
    Type: String
    Description: ID of the existing Customer Gateway
  VpnGatewayId:
    Type: String
    Description: ID of the existing VPN Gateway

Resources:
  VPNConnection:
    Type: AWS::EC2::VPNConnection
    Properties:
      Type: ipsec.1
      CustomerGatewayId: !Ref CustomerGatewayId
      VpnGatewayId: !Ref VpnGatewayId
      # false = dynamic (BGP) routing, which is what lets traffic fail over between tunnels
      StaticRoutesOnly: false
      Tags:
        - Key: Name
          Value: production-vpn-connection

Outputs:
  VPNConnectionId:
    Description: VPN Connection ID
    Value: !Ref VPNConnection
  VPNConnectionConfiguration:
    Description: Instructions for downloading VPN configuration
    Value: !Sub |
      Download the VPN configuration from the AWS Console:
      1. Go to VPC > Site-to-Site VPN connections
      2. Select ${VPNConnection}
      3. Click Download configuration
      4. Configure both tunnels on your customer gateway device

Note: After deploying, you must still configure both tunnels on your customer gateway device using the downloaded configuration.

Terraform (optional)

Terraform can create VPN connections with specific tunnel options. Like CloudFormation, the tunnels will only come up once properly configured on your customer gateway device.

# VPN Connection with tunnel options
resource "aws_vpn_connection" "main" {
  customer_gateway_id = var.customer_gateway_id
  vpn_gateway_id      = var.vpn_gateway_id
  type                = "ipsec.1"
  static_routes_only  = false

  # Tunnel 1 options
  tunnel1_dpd_timeout_action           = "restart"
  tunnel1_dpd_timeout_seconds          = 30
  tunnel1_ike_versions                 = ["ikev2"]
  tunnel1_phase1_encryption_algorithms = ["AES256"]
  tunnel1_phase1_integrity_algorithms  = ["SHA2-256"]
  tunnel1_phase2_encryption_algorithms = ["AES256"]
  tunnel1_phase2_integrity_algorithms  = ["SHA2-256"]

  # Tunnel 2 options (identical to tunnel 1 so both negotiate the same way)
  tunnel2_dpd_timeout_action           = "restart"
  tunnel2_dpd_timeout_seconds          = 30
  tunnel2_ike_versions                 = ["ikev2"]
  tunnel2_phase1_encryption_algorithms = ["AES256"]
  tunnel2_phase1_integrity_algorithms  = ["SHA2-256"]
  tunnel2_phase2_encryption_algorithms = ["AES256"]
  tunnel2_phase2_integrity_algorithms  = ["SHA2-256"]

  tags = {
    Name = "production-vpn-connection"
  }
}

# Variables
variable "customer_gateway_id" {
  description = "ID of the Customer Gateway"
  type        = string
}

variable "vpn_gateway_id" {
  description = "ID of the VPN Gateway"
  type        = string
}

# Outputs
output "vpn_connection_id" {
  description = "VPN Connection ID"
  value       = aws_vpn_connection.main.id
}

output "tunnel1_address" {
  description = "Tunnel 1 outside IP address"
  value       = aws_vpn_connection.main.tunnel1_address
}

output "tunnel2_address" {
  description = "Tunnel 2 outside IP address"
  value       = aws_vpn_connection.main.tunnel2_address
}

# Pre-shared keys are secrets: mark them sensitive so they are redacted from plan/apply output
output "tunnel1_preshared_key" {
  description = "Tunnel 1 pre-shared key"
  value       = aws_vpn_connection.main.tunnel1_preshared_key
  sensitive   = true
}

output "tunnel2_preshared_key" {
  description = "Tunnel 2 pre-shared key"
  value       = aws_vpn_connection.main.tunnel2_preshared_key
  sensitive   = true
}

After applying, configure your customer gateway device using the output values. The pre-shared keys are marked sensitive and can be viewed with:

terraform output -raw tunnel1_preshared_key
terraform output -raw tunnel2_preshared_key

Troubleshooting guide

Phase 1 (IKE) Issues

If Phase 1 negotiation fails, check:

  1. Pre-shared key: Must match exactly on both sides (case-sensitive)
  2. IKE version: Ensure both sides use the same version (IKEv1 or IKEv2)
  3. Encryption algorithm: Must match (e.g., AES-256)
  4. Integrity algorithm: Must match (e.g., SHA-256)
  5. DH Group: Must match (e.g., Group 14, 19, or 20)
  6. Lifetime: AWS uses 28,800 seconds for Phase 1

Phase 2 (IPsec) Issues

If Phase 1 succeeds but Phase 2 fails:

  1. Encryption algorithm: Must match on both sides
  2. Integrity algorithm: Must match on both sides
  3. PFS Group: If enabled, must match (AWS supports Groups 2, 14, 19, 20, 24)
  4. Lifetime: AWS uses 3,600 seconds for Phase 2
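A small diagnostic for the Phase 1 and Phase 2 lists above, added here as an example that is not part of the original page: it compares the set of values AWS accepts per parameter (the same lists the Terraform tunnel options on this page use) against the single value a customer gateway proposes, normalizes vendor spellings such as AES-256 versus AES256 and SHA2-256 versus SHA256, and reports which phase cannot negotiate. Both AWS_TUNNEL and CGW_CONFIG are constructed samples; the CGW one is a hypothetical device policy that gets Phase 2 integrity wrong.

```python
"""Locate the IKE (phase 1) or IPsec (phase 2) parameter on which a customer
gateway (CGW) and AWS disagree.

Added example, not code from the original page. AWS_TUNNEL is a constructed sample
matching the Terraform tunnel options on this page plus the lifetimes the page
states; CGW_CONFIG is a constructed, hypothetical device policy.
"""


def normalize(value) -> str:
    """Make vendor spellings comparable: 'aes-256' == 'AES256', 'SHA2-256' == 'SHA256'."""
    s = str(value).upper().replace("-", "").replace("_", "")
    # 'SHA2256' / 'SHA2384' / 'SHA2512' -> 'SHA256' / 'SHA384' / 'SHA512'; leave 'SHA256' alone
    if s.startswith("SHA2") and s[4:].isdigit() and len(s[4:]) == 3:
        s = "SHA" + s[4:]
    return s


# AWS side: every value AWS will accept for this tunnel, per parameter.
AWS_TUNNEL = {
    "ike_versions": ["ikev2"],
    "phase1_encryption": ["AES256"],
    "phase1_integrity": ["SHA2-256"],
    "phase1_dh_groups": [14, 19, 20],
    "phase1_lifetime": 28800,
    "phase2_encryption": ["AES256"],
    "phase2_integrity": ["SHA2-256"],
    "phase2_dh_groups": [14, 19, 20],   # PFS groups
    "phase2_lifetime": 3600,
}

# Constructed CGW policy: one value per parameter. Phase 1 matches; phase 2 uses SHA1.
CGW_CONFIG = {
    "ike_version": "ikev2",
    "phase1_encryption": "aes-256",
    "phase1_integrity": "sha256",
    "phase1_dh_group": 14,
    "phase1_lifetime": 28800,
    "phase2_encryption": "aes-256",
    "phase2_integrity": "sha1",
    "phase2_dh_group": 14,
    "phase2_lifetime": 3600,
}

# (AWS key holding the accepted list, CGW key holding the proposed value)
PHASE1_PARAMS = [
    ("ike_versions", "ike_version"),
    ("phase1_encryption", "phase1_encryption"),
    ("phase1_integrity", "phase1_integrity"),
    ("phase1_dh_groups", "phase1_dh_group"),
]
PHASE2_PARAMS = [
    ("phase2_encryption", "phase2_encryption"),
    ("phase2_integrity", "phase2_integrity"),
    ("phase2_dh_groups", "phase2_dh_group"),
]


def diagnose(aws: dict, cgw: dict) -> dict:
    """Return {'phase1': [...], 'phase2': [...], 'warnings': [...]} describing mismatches."""
    report = {"phase1": [], "phase2": [], "warnings": []}
    for phase, params in (("phase1", PHASE1_PARAMS), ("phase2", PHASE2_PARAMS)):
        for aws_key, cgw_key in params:
            accepted = {normalize(v) for v in aws[aws_key]}
            if normalize(cgw[cgw_key]) not in accepted:
                report[phase].append(
                    f"{cgw_key}: CGW proposes {cgw[cgw_key]!r}, AWS accepts {aws[aws_key]!r}"
                )
        # Lifetimes are reported separately so they are not confused with a proposal mismatch.
        key = f"{phase}_lifetime"
        if int(cgw[key]) != int(aws[key]):
            report["warnings"].append(f"{key}: CGW {cgw[key]}s vs AWS {aws[key]}s")
    return report


def failing_phase(report: dict):
    """The first phase that cannot negotiate, or None when both match."""
    if report["phase1"]:
        return "phase1"
    if report["phase2"]:
        return "phase2"
    return None


if __name__ == "__main__":
    r = diagnose(AWS_TUNNEL, CGW_CONFIG)
    print("failing phase:", failing_phase(r))
    for phase in ("phase1", "phase2", "warnings"):
        for line in r[phase]:
            print(f"  [{phase}] {line}")
```

Feed it the values from the downloaded AWS configuration file and your device's actual policy; a non-empty phase1 list explains a "Phase 1 fails" symptom, and an empty phase1 list with a non-empty phase2 list explains "Phase 1 succeeds but Phase 2 fails".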

Network Issues

  1. Firewall rules: Ensure UDP 500 (IKE) and UDP 4500 (NAT-T) are allowed
  2. NAT traversal: If your customer gateway is behind NAT, ensure NAT-T is enabled
  3. Routing: Verify routes exist for traffic destined for AWS VPC CIDR blocks

Dead Peer Detection (DPD) Failures

If tunnels come up but drop frequently:

  1. Increase DPD timeout (default is 30 seconds)
  2. Enable DPD keepalives on your customer gateway
  3. Set DPD action to "restart" instead of "clear"

Verification

After configuring your customer gateway device:

  1. Go to VPC > Site-to-Site VPN connections in the AWS Console
  2. Select your VPN connection
  3. Click the Tunnel details tab
  4. Confirm both tunnels show Status: UP

Verification via AWS CLI

aws ec2 describe-vpn-connections \
--region us-east-1 \
--vpn-connection-ids vpn-1234567890abcdef0 \
--query 'VpnConnections[0].VgwTelemetry[*].[OutsideIpAddress,Status]' \
--output table

Both tunnels should show UP:

-------------------------------------
|      DescribeVpnConnections       |
+-----------------+-----------------+
|  203.0.113.1    |  UP             |
|  203.0.113.2    |  UP             |
+-----------------+-----------------+

Notes

  • Both tunnels required for high availability: While a VPN connection can function with one tunnel, you lose redundancy and automatic failover
  • Customer gateway configuration: AWS provides the tunnel endpoints, but you must configure your on-premises device to connect to both tunnels
  • Tunnel maintenance: AWS may perform maintenance on individual tunnels; having both configured ensures uninterrupted connectivity
  • Monitoring recommendation: Set up CloudWatch alarms for TunnelState metric to get notified when tunnels go down
  • Multiple customer gateways: For critical workloads, consider deploying redundant customer gateway devices for additional resilience
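One way to act on the monitoring recommendation above, added here as an example that is not part of the original page: it builds a CloudWatch alarm on the AWS/VPN TunnelState metric (1 when a tunnel is UP, 0 otherwise) for each tunnel of a connection, keyed by the VpnId and TunnelIpAddress dimensions so that losing a single tunnel alarms even while the connection as a whole still passes traffic. The SNS topic ARN and the sample connection are constructed placeholders; create_alarms is the only function that calls AWS and is not run on import.

```python
"""Per-tunnel CloudWatch alarms on the AWS/VPN TunnelState metric.

Added example, not code from the original page. SAMPLE_CONNECTION mirrors one
VpnConnections[] entry from describe-vpn-connections with constructed values;
SAMPLE_TOPIC_ARN is a placeholder for the SNS topic that should receive alerts.
"""
from __future__ import annotations


def tunnel_state_alarm(vpn_id: str, tunnel_ip: str, sns_topic_arn: str) -> dict:
    """Keyword arguments for CloudWatch put_metric_alarm for one tunnel."""
    return {
        "AlarmName": f"vpn-{vpn_id}-tunnel-{tunnel_ip}-down",
        "AlarmDescription": f"Site-to-Site VPN {vpn_id} tunnel {tunnel_ip} is DOWN",
        "Namespace": "AWS/VPN",
        "MetricName": "TunnelState",
        # Both dimensions are needed to select a single tunnel's datapoints.
        "Dimensions": [
            {"Name": "VpnId", "Value": vpn_id},
            {"Name": "TunnelIpAddress", "Value": tunnel_ip},
        ],
        # Minimum over the period: a single 0 sample (tunnel down) breaches.
        "Statistic": "Minimum",
        "Period": 300,
        "EvaluationPeriods": 1,
        "Threshold": 1,
        "ComparisonOperator": "LessThanThreshold",
        # A tunnel that stops reporting is treated as down, not as healthy.
        "TreatMissingData": "breaching",
        "AlarmActions": [sns_topic_arn],
        "OKActions": [sns_topic_arn],
    }


def alarms_for_connection(conn: dict, sns_topic_arn: str) -> list[dict]:
    """One alarm per tunnel, using the outside IPs reported in VgwTelemetry."""
    return [
        tunnel_state_alarm(conn["VpnConnectionId"], t["OutsideIpAddress"], sns_topic_arn)
        for t in conn.get("VgwTelemetry", [])
    ]


def create_alarms(region: str, sns_topic_arn: str) -> int:
    """Create alarms for every tunnel of every VPN connection in the region; returns the count."""
    import boto3  # imported lazily so the module runs without boto3 installed
    ec2 = boto3.client("ec2", region_name=region)
    cloudwatch = boto3.client("cloudwatch", region_name=region)
    created = 0
    for conn in ec2.describe_vpn_connections()["VpnConnections"]:
        for alarm in alarms_for_connection(conn, sns_topic_arn):
            cloudwatch.put_metric_alarm(**alarm)
            created += 1
    return created


# Constructed sample connection (same shape as describe-vpn-connections output).
SAMPLE_CONNECTION = {
    "VpnConnectionId": "vpn-1234567890abcdef0",
    "State": "available",
    "VgwTelemetry": [
        {"OutsideIpAddress": "203.0.113.1", "Status": "UP"},
        {"OutsideIpAddress": "203.0.113.2", "Status": "UP"},
    ],
}
# Placeholder ARN; replace with your alerting topic.
SAMPLE_TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:vpn-alerts"

if __name__ == "__main__":
    for alarm in alarms_for_connection(SAMPLE_CONNECTION, SAMPLE_TOPIC_ARN):
        print(alarm["AlarmName"], alarm["Dimensions"])
```

Using Minimum with TreatMissingData set to breaching errs on the side of paging: a brief DPD restart or a gap in metrics both raise the alarm, which for a redundancy check is the safer failure mode.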

Compliance

This check supports the following compliance frameworks:

  • AWS Foundational Security Best Practices
  • ISO 27001
  • KISA-ISMS-P
  • PCI DSS