VpnTunnelOptionsSpecification

VPN connection tunnel options.

Contents

  • IKEVersions — The allowed IKE versions for the VPN tunnel. Currently, there is no support for both IKE versions at the same time.

  • Phase1DHGroupNumbers — The allowed Diffie-Hellman group numbers for a VPN tunnel in the first IKE phase.

    • Type: List of Phase1DHGroupNumbersRequestListValue objects

    • Valid values: 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21

    • Constraints: Six values maximum

    • Default: Groups 5, 14, 15, 16, 17, 18

    • Required: No

  • Phase1EncryptionAlgorithms — The allowed encryption algorithms for the VPN tunnel in the first IKE phase.

    • Type: List of Phase1EncryptionAlgorithmsRequestListValue objects

    • Valid values: aes128 | aes256 | aes_ctr128 | aes_ctr256 | aes_gcm128 | aes_gcm256 | camellia128 | camellia256 | chacha20poly1305

    • Constraints: aes_ccm128, aes_ccm256, aes_gcm128, aes_gcm256 and chacha20poly1305 are not supported in ikev1. All algorithms support 192-bit keys, provided that both 128-bit and 256-bit versions are specified at the same time. The 192-bit version is not supported separately.

    • Default: All supported algorithms, depending on the IKE version

    • Required: No

  • Phase1IntegrityAlgorithms — The allowed integrity algorithms for the VPN tunnel in the first IKE phase.

  • Phase1LifetimeSeconds — The lifetime for phase 1 of the IKE (in seconds).

    • Type: Integer

    • Constraints: An integer value between 900 and 28800.

    • Default: 28800

    • Required: No

  • Phase2DHGroupNumbers — The allowed Diffie-Hellman group numbers for a VPN tunnel in the second IKE phase.

    • Type: List of Phase2DHGroupNumbersRequestListValue objects

    • Valid values: 0 | 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21

    • Constraints: This option supports at most one value. In ikev1, group numbers 19, 20 and 21 are not supported. The value 0 is applicable to Phase2 only and means that PFS (Perfect Forward Secrecy) is disabled. To prevent the session encryption key from being compromised, do not disable PFS.

    • Default: 14

    • Required: No

  • Phase2EncryptionAlgorithms — The allowed encryption algorithms for the VPN tunnel in the second IKE phase.

    • Type: List of Phase2EncryptionAlgorithmsRequestListValue objects

    • Valid values: aes128 | aes256 | aes_ccm128 | aes_ccm256 | aes_ctr128 | aes_ctr256 | aes_gcm128 | aes_gcm256 | camellia128 | camellia256 | chacha20poly1305

    • Constraints: chacha20poly1305 is not supported in ikev1. All algorithms support 192-bit keys, provided that both 128-bit and 256-bit versions are specified at the same time. The 192-bit version is not supported separately.

    • Default: All supported algorithms, depending on the IKE version

    • Required: No

  • Phase2IntegrityAlgorithms — The allowed integrity algorithms for the VPN tunnel for the second IKE phase.

  • Phase2LifetimeSeconds — The lifetime for phase 2 of the IKE (in seconds).

    • Type: Integer

    • Constraints: An integer value between 900 and 3600. Must not exceed the value of Phase1LifetimeSeconds.

    • Default: 3600

    • Required: No

  • PreSharedKey — A pre-shared key (PSK) used for the initial authentication between the VPN gateway and the customer gateway.

    • Type: String

    • Required: No

    • Constraints: The key must contain 8 to 64 characters, consisting of letters, digits, periods (.) and underscores (_), and must not start with zero (0).

  • ReplayWindowSize — The number of packets in the IKE replay window.

    • Type: Integer

    • Constraints: An integer value between 32 and 2048.

    • Default: 1024

    • Required: No

  • TunnelInsideCidr — A /30 block of the 169.254.252.0/22 subnet to be used inside the IPsec tunnel of a VPN connection. This block must be unique among all connections that use the current VPN gateway (VGW ID) and the public IP address of the customer gateway to which the connection is being established. By default, inside tunnel addresses are assigned as follows: the first usable address is assigned to the VPC side and the second to the customer gateway. If necessary, the user can specify the desired address for the VPC side, such as 169.254.252.2/30. In this case, the VPN connection on the VPC side is assigned the address 169.254.252.2 and the customer gateway is assigned the address 169.254.252.1.

    • Type: String

    • Required: No

  • Algorithm compatibility for different IKE versions:

| Encryption algorithm | IKEv1 Phase1 | IKEv1 Phase2 | IKEv2 Phase1 | IKEv2 Phase2 | Default |
|---|---|---|---|---|---|
| AES128 | Yes | Yes | Yes | Yes | Yes |
| AES256 | Yes | Yes | Yes | Yes | Yes |
| AES128-CTR | Yes | Yes | Yes | Yes | Yes |
| AES256-CTR | Yes | Yes | Yes | Yes | Yes |
| CAMELLIA128 | Yes | Yes | Yes | Yes | Yes |
| CAMELLIA256 | Yes | Yes | Yes | Yes | Yes |
| AES128-GCM-16 | No | Yes | Yes | Yes | Yes |
| AES256-GCM-16 | No | Yes | Yes | Yes | Yes |
| AES128-CCM-16 | No | Yes | No | Yes | Yes |
| AES256-CCM-16 | No | Yes | No | Yes | Yes |
| CHACHA20-POLY1305 | No | No | Yes | Yes | Yes |

| Integrity algorithm | IKEv1 Phase1 | IKEv1 Phase2 | IKEv2 Phase1 | IKEv2 Phase2 | Default |
|---|---|---|---|---|---|
| SHA1 | Yes | Yes | Yes | Yes | Yes |
| SHA2-256 | Yes | Yes | Yes | Yes | Yes |
| SHA2-384 | Yes | Yes | Yes | Yes | Yes |
| SHA2-512 | Yes | Yes | Yes | Yes | Yes |

| Diffie-Hellman group | IKEv1 Phase1 | IKEv1 Phase2 | IKEv2 Phase1 | IKEv2 Phase2 | Default |
|---|---|---|---|---|---|
| 0 | No | Yes | No | Yes | No |
| 2 | Yes | Yes | Yes | Yes | No |
| 5 | Yes | Yes | Yes | Yes | Only P1 |
| 14 | Yes | Yes | Yes | Yes | Yes |
| 15 | Yes | Yes | Yes | Yes | Only P1 |
| 16 | Yes | Yes | Yes | Yes | Only P1 |
| 17 | Yes | Yes | Yes | Yes | Only P1 |
| 18 | Yes | Yes | Yes | Yes | Only P1 |
| 19 | Yes | No | Yes | Yes | Only P1 |
| 20 | Yes | No | Yes | Yes | No |
| 21 | Yes | No | Yes | Yes | No |
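The constraints listed above are easy to get wrong in a request body, and the only one the API will not reject for you is the weakening one (Phase2DHGroupNumbers set to 0, which turns PFS off). The following pre-flight validator is an added example, not the provider's SDK code: it assumes the specification is a plain Python dict keyed by the field names on this page, with list fields holding bare values (14, "aes256") rather than wrapper objects, and it checks only what the page states.

```python
import ipaddress
import re

# Added example: pre-flight checks for a VpnTunnelOptionsSpecification built only from
# the constraints on this page. Assumes a plain dict keyed by field name (not SDK objects).
IKEV1_NO_P1 = {"aes_ccm128", "aes_ccm256", "aes_gcm128", "aes_gcm256", "chacha20poly1305"}
PSK_RE = re.compile(r"[A-Za-z1-9._][A-Za-z0-9._]{7,63}")  # 8-64 chars, no leading zero
INSIDE_RANGE = ipaddress.ip_network("169.254.252.0/22")


def _in_range(findings, spec, key, lo, hi):
    val = spec.get(key)
    if val is not None and not lo <= val <= hi:
        findings.append(f"{key}: {val} is outside {lo}..{hi}")


def validate(spec: dict) -> list:
    """Return findings for the spec; an empty list means every check passed."""
    f = []
    ikev1 = spec.get("IKEVersions") == ["ikev1"]
    if len(spec.get("Phase1DHGroupNumbers", [])) > 6:
        f.append("Phase1DHGroupNumbers: six values maximum")
    p2_dh = spec.get("Phase2DHGroupNumbers", [])
    if len(p2_dh) > 1:
        f.append("Phase2DHGroupNumbers: at most one value")
    if 0 in p2_dh:  # group 0 switches PFS off; the page says not to do this
        f.append("Phase2DHGroupNumbers: 0 disables PFS, session key can be compromised")
    if ikev1 and {19, 20, 21} & set(p2_dh):
        f.append("Phase2DHGroupNumbers: groups 19/20/21 are not supported in ikev1")
    if ikev1:
        for a in sorted(IKEV1_NO_P1 & set(spec.get("Phase1EncryptionAlgorithms", []))):
            f.append(f"Phase1EncryptionAlgorithms: {a} is not supported in ikev1")
        if "chacha20poly1305" in spec.get("Phase2EncryptionAlgorithms", []):
            f.append("Phase2EncryptionAlgorithms: chacha20poly1305 is not supported in ikev1")
    _in_range(f, spec, "Phase1LifetimeSeconds", 900, 28800)
    _in_range(f, spec, "Phase2LifetimeSeconds", 900, 3600)
    if spec.get("Phase2LifetimeSeconds", 3600) > spec.get("Phase1LifetimeSeconds", 28800):
        f.append("Phase2LifetimeSeconds must not exceed Phase1LifetimeSeconds")
    _in_range(f, spec, "ReplayWindowSize", 32, 2048)
    psk = spec.get("PreSharedKey")
    if psk is not None and not PSK_RE.fullmatch(psk):
        f.append("PreSharedKey: 8-64 letters, digits, '.' or '_', not starting with 0")
    cidr = spec.get("TunnelInsideCidr")
    if cidr is not None:
        try:
            net = ipaddress.ip_interface(cidr).network  # 169.254.252.2/30 -> 169.254.252.0/30
            if net.prefixlen != 30 or not net.subnet_of(INSIDE_RANGE):
                f.append("TunnelInsideCidr: must be a /30 block inside 169.254.252.0/22")
        except ValueError:
            f.append(f"TunnelInsideCidr: {cidr!r} is not a valid CIDR")
    return f
```

Run it over the spec before submitting the request; a non-empty list is either a value the API will reject or, for the PFS finding, a setting worth a second look.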