AWS VPNs should have more than one tunnel is always active as a failover strategy in case of an outage or planned maintenance.
1. Sign in to the AWS Management Console.
2. Navigate to AWS VPC dashboard.
3. In the left navigation panel, under VPN Connections section, click VPN Connections.
4. Select the VPN connection that you need to update.
5. Click Download Configuration button from the dashboard top menu.
6. In the Download Configuration dialog box, select your customer gateway vendor type (e.g. Cisco Systems), its platform (e.g. ISR Series Routers) and the software version currently used.
7. Click Yes, Download to download the configuration file for the selected VPN. The file contains the configuration settings and the secret keys that you need to apply to your customer gateway.
8. Log in to your customer gateway dashboard and select VPN.
9. Under IPSec Tunnels section, click Add to add a new tunnel.
10. In the Name field, enter a name for the tunnel.
11. Under Phase 1, enter the necessary values as specified in the configuration file downloaded earlier from AWS:
12. Under Phase 2, enter the necessary values as specified in the configuration file downloaded from AWS:
13. Select Active for Local End.
14. Select Static for Local Address.
15. In the Local Networks field, enter your local subnet CIDR.
16. In the Remote Gateway field, enter the IP address for your AWS VPN Virtual Private Gateway.
17. In the Remote Networks field, enter the remote AWS VPC subnet CIDR.
18. Select Pre Shared Key next to Authentication method.
19. In the Passphrase field, enter the Pre-Shared Key specified in the configuration file and check No to disable Aggressive Mode.
20. Click Save to create the tunnel. Your customer gateway device should connect now automatically to the AWS VPN Virtual Private Gateway, otherwise, make sure the device firewall allows traffic from your local network to the AWS VPC subnet selected.
21. Now go back to your AWS VPC dashboard and select the VPN connection previously configured.
22. Select Tunnel Details tab from the bottom panel and verify if both VPN tunnels are active by checking the values in the Status column (UP for active, DOWN for inactive) at this point both tunnels must be active.“