I want to use Amazon Virtual Private Cloud (VPC) to configure the tunnel settings for my AWS Site-to-Site VPN.
Resolution
Use Amazon VPC to configure VPN tunnel options either when you create a new VPN connection, or when you modify a connection that you already created.
Prerequisite: Review the tunnel options that your customer gateway device supports.
Configure tunnel options when you create a Site-to-Site VPN connection
Complete the following steps:
- Open the Amazon VPC console.
- In the navigation pane, choose Site-to-Site VPN connections.
- Choose Create VPN connection.
- Under Tunnel options, in the Advanced options for tunnel section, choose Default options to accept the default tunnel options, skip the tunnel-specific settings that follow, and continue from the VPN logging step.
-or-
Choose Edit tunnel 1 options to configure specific tunnel options. Repeat the same settings under Edit tunnel 2 options so that both tunnels behave the same way.
- Under Inside IPv4 CIDR for tunnel, enter a /30 CIDR block from the 169.254.0.0/16 range. Make sure that the block is unique across all Site-to-Site VPN connections on the same virtual private gateway or transit gateway. The blocks 169.254.0.0/30 through 169.254.5.0/30 and 169.254.169.252/30 are reserved by AWS and can't be used.
- Under Inside IPv6 CIDR for tunnel, enter a /126 CIDR block from the unique local fd00::/8 range. Make sure that the block is unique across all Site-to-Site VPN connections on the same customer gateway device.
Note: The Inside IPv6 CIDR for tunnel option is available only for connections that specify a transit gateway as the target gateway.
- Under Pre-shared key for tunnel, enter a custom pre-shared key (PSK) value. The PSK must be 8 to 64 characters long, can contain only alphanumeric characters, periods (.), and underscores (_), and can't start with zero (0). If you don't enter a value, then AWS generates a PSK when it creates the connection.
- On the following menus, clear options that the customer gateway device doesn't support. If you don't know the options that the customer gateway device supports, then keep each value selected:
Phase 1 encryption algorithms
Phase 2 encryption algorithms
Phase 1 integrity algorithms
Phase 2 integrity algorithms
Phase 1 DH group numbers
Phase 2 DH group numbers
Note: It's a best practice to pin each phase to one specific algorithm, and then match that configuration on both the VPN endpoint and the customer gateway device. If you leave every option selected, then the peers can negotiate any mutually supported combination, including one that you didn't intend to allow.
- On the IKE Version menu, clear the Internet Key Exchange (IKE) versions that the customer gateway device doesn't support. If you don't know the options that the customer gateway device supports, then keep ikev1 and ikev2 selected.
- Under Phase 1 lifetime (seconds), enter a value between 900 and 28,800. If you don't know what value to enter, then enter the default 28,800 seconds.
- Under Phase 2 lifetime (seconds), enter a value between 900 and 3,600. If you don't know what value to enter, then enter the default 3,600 seconds.
- Under Rekey margin time (seconds), enter a value between 60 and half of the Phase 2 lifetime. If you don't know what value to enter, then enter the default 270 (4.5 minutes).
- Under Rekey fuzz (percentage), enter a percentage value between 0 and 100. If you don't know what value to enter, then enter the default 100.
- Under Replay window size (packets), enter a value between 64 and 2048. If you don't know what value to enter, then enter the default 1024.
- Under DPD timeout (seconds), enter a value of 30 or higher. If you don't know what value to enter, then enter the default 40.
- Under DPD timeout action, select Clear, None, or Restart. If you don't know what to select, then select the default option Clear. For more information, see Site-to-Site VPN tunnel initiation options.
- Under Startup action, if AWS must initiate the IKE negotiation, then select Start. This option requires that the customer gateway is configured with a public IP address that AWS can reach.
-or-
If the customer gateway device initiates the IKE negotiation, or you don't know what to select, then select the default option, Add.
- (Optional) Under VPN logging, activate Tunnel activity logs. For more information, see AWS Site-to-Site VPN logs.
- (Optional) Under Tunnel maintenance, activate Tunnel endpoint lifecycle control. For more information, see Tunnel endpoint lifecycle control.
- Choose Create VPN connection.
Note: It takes several minutes for AWS to create the VPN connection.
Configure tunnel options for a connection that is already created
Important: When you modify the VPN connection options, the public IP address for the VPN endpoint doesn't change.
Complete the following steps:
- Open the Amazon VPC console.
- In the navigation pane, choose Site-to-Site VPN connections.
- Select the Site-to-Site VPN connection that you want to configure, and then choose Actions.
- Choose Modify VPN tunnel options.
- Select a VPN tunnel outside IP address.
- Follow the steps in the previous section, from Edit tunnel 1 options through Tunnel maintenance, to configure the tunnel's options.
- Choose Save changes.
Note: While the VPN connection is updating, the tunnel that you modified is temporarily unavailable.
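The same tunnel options can be set from the AWS CLI, which is useful when you want to apply one reviewed configuration to both tunnels and to several connections. The following script is an added example, not part of this article or of AWS tooling: it validates a single tunnel's settings against the ranges listed in the two procedures above, emits the JSON that `aws ec2 create-vpn-connection --options` and `aws ec2 modify-vpn-tunnel-options --tunnel-options` accept, and makes the modify call only when `APPLY=1` is set. The connection ID, outside IP address, and PSK in the demo are placeholders.

```shell
#!/usr/bin/env bash
# Added example: validate one Site-to-Site VPN tunnel's options and build the
# JSON for the AWS CLI. IDs, addresses and the PSK below are placeholders.

# /30 blocks that AWS reserves and rejects as an inside tunnel CIDR.
RESERVED_INSIDE_CIDRS="169.254.0.0/30 169.254.1.0/30 169.254.2.0/30 169.254.3.0/30 169.254.4.0/30 169.254.5.0/30 169.254.169.252/30"

# in_range VALUE MIN MAX: succeed when VALUE is an integer and MIN <= VALUE <= MAX.
in_range() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# check_inside_cidr CIDR: a /30 inside 169.254.0.0/16, aligned, and not reserved.
check_inside_cidr() {
  local cidr=$1 host r
  case "$cidr" in
    169.254.[0-9]*.[0-9]*/30) ;;
    *) echo "inside CIDR must be a /30 from 169.254.0.0/16: $cidr" >&2; return 1 ;;
  esac
  host=${cidr%/30}; host=${host##*.}
  if [ $((host % 4)) -ne 0 ]; then echo "inside CIDR $cidr is not /30 aligned" >&2; return 1; fi
  for r in $RESERVED_INSIDE_CIDRS; do
    if [ "$cidr" = "$r" ]; then echo "inside CIDR $cidr is reserved by AWS" >&2; return 1; fi
  done
  return 0
}

# check_psk PSK: 8 to 64 characters, letters/digits/'.'/'_' only, must not start with 0.
check_psk() {
  local psk=$1
  case "$psk" in
    0*) echo "PSK must not start with 0" >&2; return 1 ;;
    *[!A-Za-z0-9._]*) echo "PSK may contain only letters, digits, '.' and '_'" >&2; return 1 ;;
  esac
  if [ ${#psk} -lt 8 ] || [ ${#psk} -gt 64 ]; then echo "PSK must be 8 to 64 characters" >&2; return 1; fi
  return 0
}

# validate_tunnel_options P1_LIFETIME P2_LIFETIME REKEY_MARGIN REKEY_FUZZ REPLAY_WINDOW DPD_TIMEOUT
validate_tunnel_options() {
  local p1=$1 p2=$2 margin=$3 fuzz=$4 replay=$5 dpd=$6
  if ! in_range "$p1" 900 28800; then echo "phase 1 lifetime must be 900..28800" >&2; return 1; fi
  if ! in_range "$p2" 900 3600; then echo "phase 2 lifetime must be 900..3600" >&2; return 1; fi
  # The rekey margin is capped at half of the phase 2 lifetime, not a fixed 270.
  if ! in_range "$margin" 60 $((p2 / 2)); then echo "rekey margin must be 60..$((p2 / 2))" >&2; return 1; fi
  if ! in_range "$fuzz" 0 100; then echo "rekey fuzz must be 0..100" >&2; return 1; fi
  if ! in_range "$replay" 64 2048; then echo "replay window must be 64..2048" >&2; return 1; fi
  case "$dpd" in ''|*[!0-9]*) echo "DPD timeout must be an integer" >&2; return 1 ;; esac
  if [ "$dpd" -lt 30 ]; then echo "DPD timeout must be 30 or higher" >&2; return 1; fi
  return 0
}

# tunnel_options_json CIDR PSK P1 P2 MARGIN FUZZ REPLAY DPD DPD_ACTION STARTUP
# Prints one VpnTunnelOptionsSpecification object with a single pinned suite.
tunnel_options_json() {
  local cidr=$1 psk=$2 p1=$3 p2=$4 margin=$5 fuzz=$6 replay=$7 dpd=$8 action=$9 startup=${10}
  check_inside_cidr "$cidr" || return 1
  check_psk "$psk" || return 1
  validate_tunnel_options "$p1" "$p2" "$margin" "$fuzz" "$replay" "$dpd" || return 1
  case "$action" in clear|none|restart) ;; *) echo "DPD action must be clear, none or restart" >&2; return 1 ;; esac
  case "$startup" in add|start) ;; *) echo "startup action must be add or start" >&2; return 1 ;; esac
  printf '{"TunnelInsideCidr":"%s","PreSharedKey":"%s",' "$cidr" "$psk"
  printf '"Phase1LifetimeSeconds":%s,"Phase2LifetimeSeconds":%s,' "$p1" "$p2"
  printf '"RekeyMarginTimeSeconds":%s,"RekeyFuzzPercentage":%s,"ReplayWindowSize":%s,' "$margin" "$fuzz" "$replay"
  printf '"DPDTimeoutSeconds":%s,"DPDTimeoutAction":"%s","StartupAction":"%s",' "$dpd" "$action" "$startup"
  # Pin one algorithm per phase so both ends negotiate exactly what was intended.
  printf '"IKEVersions":[{"Value":"ikev2"}],'
  printf '"Phase1EncryptionAlgorithms":[{"Value":"AES256-GCM-16"}],"Phase2EncryptionAlgorithms":[{"Value":"AES256-GCM-16"}],'
  printf '"Phase1IntegrityAlgorithms":[{"Value":"SHA2-256"}],"Phase2IntegrityAlgorithms":[{"Value":"SHA2-256"}],'
  printf '"Phase1DHGroupNumbers":[{"Value":20}],"Phase2DHGroupNumbers":[{"Value":20}]}\n'
}

# apply_tunnel_options VPN_ID OUTSIDE_IP JSON: modify one tunnel of an existing
# connection. Dry run unless APPLY=1; the modified tunnel is briefly unavailable.
apply_tunnel_options() {
  local vpn_id=$1 outside_ip=$2 json=$3
  if [ "${APPLY:-0}" != 1 ]; then
    echo "dry run: aws ec2 modify-vpn-tunnel-options --vpn-connection-id $vpn_id --vpn-tunnel-outside-ip-address $outside_ip --tunnel-options '$json'"
    return 0
  fi
  aws ec2 modify-vpn-tunnel-options --vpn-connection-id "$vpn_id" \
    --vpn-tunnel-outside-ip-address "$outside_ip" --tunnel-options "$json"
}

if [ "${1:-}" = "--demo" ]; then
  # Placeholder connection, outside address and PSK; defaults from the procedure above.
  if opts=$(tunnel_options_json 169.254.10.0/30 Ex4mple_psk.2024 28800 3600 270 100 1024 40 clear add); then
    apply_tunnel_options vpn-0123456789abcdef0 203.0.113.1 "$opts"
  fi
fi
```

Run `bash tunnel-options.sh --demo` to see the dry-run command, then rerun with `APPLY=1` to modify the tunnel. For a new connection, generate one object per tunnel with different inside CIDRs and PSKs and pass them as `--options '{"TunnelOptions":[<tunnel1>,<tunnel2>]}'` to `aws ec2 create-vpn-connection`. The validation rejects the reserved 169.254.0.0/30 block, a misaligned /30, a PSK that starts with zero, and a rekey margin larger than half the Phase 2 lifetime, which are the mistakes that the console only reports after you choose Create or Save changes.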