AWS Site-to-Site VPN Adds Configurability of Security Algorithms and Timer Settings for VPN Tunnels

[brandonstevens]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

While creating VPN connections, you can now specify the security algorithms allowed for your tunnels and the timer settings proposed during negotiation by tunnel endpoints on the AWS side.

New or Affected Resource(s)

• aws_vpn_connection

Potential Terraform Configuration

resource "aws_vpn_connection" "main" {
  vpn_gateway_id      = "${aws_vpn_gateway.vpn_gateway.id}"
  customer_gateway_id = "${aws_customer_gateway.customer_gateway.id}"
  type                = "ipsec.1"
  static_routes_only  = true

  tunnel1_dpd_timeout_seconds = 30
  tunnel1_ike_versions        = ["ikev1"]

  tunnel1_phase_1_dh_group_numbers      = [14]
  tunnel1_phase_1_encryption_algorithms = ["AES256"]
  tunnel1_phase_1_integrity_algorithms  = ["SHA2-256"]
  tunnel1_phase_1_lifetime_seconds      = 28000

  tunnel1_phase_2_dh_group_numbers      = [14]
  tunnel1_phase_2_encryption_algorithms = ["AES256"]
  tunnel1_phase_2_integrity_algorithms  = ["SHA2-256"]
  tunnel1_phase_2_lifetime_seconds      = 28000
}

References

• https://aws.amazon.com/about-aws/whats-new/2019/08/aws-site-to-site-vpn-adds-configurability-security-algorithms-timer-settings-used-for-vpn-tunnels/
• https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyVpnTunnelOptionsSpecification.html

Requires:

• chore(deps): update module aws/aws-sdk-go to v1.24.4 #10011

[MMarulla]

Especially need the option to specify IKEv2.

[dflorea01]

Any updates on this ? IKEv2 will be very helpful.

[sidhurana]

Eagerly waiting for ikev2, any approx timeline for this ?

[sidhurana]

Just found that by default AWS VPN tunnel covers both IKEv1/IKEv2. We don't need to mention it explicitly. Though in AWS downloaded config it might show only ikev1 but it's enabled for ikev2 as well.

But it can be security issue to enable IKEv1 and AES-128, so it would be better to have above config so we can precisely mention the requirements.

[jcchak]

This would be definitely a great addition.

@brandonstevens, if possible could you also add support for these timer settings, please?

• RekeyMarginTimeSeconds
• RekeyFuzzPercentage
• ReplayWindowSize

Thanks in advance!

[dthvt]

See also #11584, which has a pending PR.

[dthvt]

@brandonstevens I believe this is fixed in the latest provider version, if you want to review and close.

[breathingdust]

This looks to have been closed in #11584 🚀

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.