AWS VPN

Cisco ASA

I have found that unless the VPN is configured as described below, only one of the two local subnets (either the Inside interface subnet or the AnyConnect client subnet) can pass traffic across the site-to-site VPN to AWS at any one time. This is because AWS supports only a single security association on the VPN, and it is a good example of the behavior to expect whenever only one security association is available.

Subnet          Function
10.0.128.0/23   Site-to-site VPN to AWS (summary)
10.0.128.0/24   Inside interface on ASA
10.0.129.0/24   AnyConnect client IPs

The 10.0.128.0/23 subnet is used on the AWS side to summarize the two /24 subnets into a single prefix, so that a single security association covers traffic from both.
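As an added example (not part of the original notes), the following Python computes the single summary prefix that one security association would have to cover for a set of local subnets, and also lists any address space the summary pulls in beyond the subnets actually listed. That extra space is the trade-off of summarizing into one selector: the tunnel will match it even though nothing on your side uses it. The subnet values are the ones from the table above plus a constructed second case.

```python
import ipaddress

def single_sa_summary(subnets):
    """Smallest CIDR covering every subnet in `subnets` (the one traffic
    selector a single-SA tunnel can carry) plus the address blocks that
    summary adds beyond the subnets listed."""
    nets = [ipaddress.ip_network(s, strict=True) for s in subnets]
    if not nets:
        raise ValueError("no subnets given")
    if len({n.version for n in nets}) != 1:
        raise ValueError("IPv4 and IPv6 cannot share one selector")
    # Widen the first prefix one bit at a time until it contains all of them.
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    # Carve the listed subnets out of the summary; whatever remains is
    # address space the selector matches although no listed subnet uses it.
    remaining = [summary]
    for n in nets:
        carved = []
        for block in remaining:
            if block.subnet_of(n):
                continue                      # fully inside a listed subnet
            if n.subnet_of(block):
                carved.extend(block.address_exclude(n))
            else:
                carved.append(block)          # disjoint from this subnet
        remaining = carved
    extra = sorted(ipaddress.collapse_addresses(remaining))
    return summary, extra

if __name__ == "__main__":
    # Case from the table: the two /24s collapse cleanly into one /23.
    print(single_sa_summary(["10.0.128.0/24", "10.0.129.0/24"]))
    # Constructed case: non-adjacent /24s need a /22 and drag in two
    # unused /24s that the single selector will also match.
    print(single_sa_summary(["10.0.128.0/24", "10.0.130.0/24"]))
```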

Cisco ISR

An AWS VPN to a Cisco ISR will not come up, and the following errors are logged on the router:

*Aug  8 01:50:37.173: ISAKMP: Error: payload length of VENDOR 0 < 4
*Aug  8 01:50:37.173: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 12.13.14.15 failed its sanity check or is malformed
*Aug  8 01:50:37.173: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: PAYLOAD_MALFORMED

Fix: disable NAT traversal on the ISR.

Router(config)#no crypto ipsec nat-transparency udp-encapsulation

VeloCloud

When creating a VPN to a VeloCloud SD-WAN, you will need to create the VPN on the VeloCloud Orchestrator with temporary endpoint IPs, since AWS does not provide its VPN endpoint IPs until the VPN has been created. Once the VPN exists on the VeloCloud Orchestrator, review its config, locate the VeloCloud VPN endpoint IPs, and then configure the AWS side of the VPN. After the VPN is configured in AWS, edit the VeloCloud VPN to replace the temporary IPs with the real AWS VPN endpoint IPs and add the pre-shared key.