The discrepancy you're seeing between the AWS console and the downloaded configuration file is expected behavior. The configuration file provided by AWS is a generic example that specifies only the minimum requirements for a Site-to-Site VPN connection. These minimum requirements typically include AES128, SHA1, and Diffie-Hellman group 2 in most AWS Regions (or AES128, SHA2, and Diffie-Hellman group 14 in AWS GovCloud Regions).
This configuration file is provided on a best-effort basis and is meant to be a starting point, not a complete representation of your specific tunnel settings. It's designed to work with a wide range of customer gateway devices but might not match your intended Site-to-Site VPN connection settings entirely.
If you've customized your tunnel options in the AWS console (such as specifying different encryption algorithms, integrity algorithms, or Diffie-Hellman groups), you'll need to manually modify the downloaded configuration file to incorporate these custom settings. The file needs to be updated to take advantage of any additional security algorithms, different Diffie-Hellman groups, private certificates, or IPv6 traffic configurations you've set up in the console.
This manual modification requirement is by design, as AWS provides these configuration files as a helpful starting point, but they require customization to match your specific VPN connection settings.
Sources
Static and dynamic configuration files for an AWS Site-to-Site VPN customer gateway device - AWS Site-to-Site VPN
Tunnel options for your AWS Site-to-Site VPN connection - AWS Site-to-Site VPN
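As an added example (not from the answer above or from AWS), a small checker that parses a constructed snippet in the style of the generic configuration file and reports every IKE/IPsec proposal that is not among the tunnel options set in the console, keyed by the Phase1/Phase2 names boto3 returns in TunnelOptions; the console values AES256, SHA2-256 and Diffie-Hellman group 14 are assumptions.

```python
import re
# Constructed snippet in the style of the generic (vendor-agnostic) AWS config file,
# not a real download; it carries the minimum proposal (AES128, SHA1, DH group 2).
SAMPLE_CONFIG = """! #1: Internet Key Exchange Configuration
  - Authentication Algorithm : sha1
  - Encryption Algorithm     : aes-128-cbc
  - Diffie-Hellman           : Group 2
! #2: IPSec Configuration
  - Authentication Algorithm : hmac-sha1-96
  - Encryption Algorithm     : aes-128-cbc
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2
"""
# Tunnel options as customized in the console, in the shape boto3's describe_vpn_connections
# returns under Options.TunnelOptions[i]; AES256 / SHA2-256 / group 14 are assumed values.
CONSOLE_TUNNEL_OPTIONS = {f"Phase{n}{k}": [{"Value": v}] for n in (1, 2) for k, v in
    (("EncryptionAlgorithms", "AES256"), ("IntegrityAlgorithms", "SHA2-256"), ("DHGroupNumbers", 14))}
# File key -> TunnelOptions key suffix (the Phase1/Phase2 prefix comes from the section header).
KEYS = {"Encryption Algorithm": "EncryptionAlgorithms", "Authentication Algorithm": "IntegrityAlgorithms",
        "Diffie-Hellman": "DHGroupNumbers", "Perfect Forward Secrecy": "DHGroupNumbers"}

def parse_generic_config(text):
    """Map 'Phase1'/'Phase2' to {TunnelOptions suffix: value as written in the file}."""
    phases, current = {}, None
    for line in text.splitlines():
        if line.startswith("! #"):          # section header: "! #1: ..." or "! #2: ..."
            current = "Phase" + line[3]
        m = re.match(r"\s*-\s*(.+?)\s*:\s*(.+)", line)
        if current and m and m.group(1) in KEYS:
            field, value = KEYS[m.group(1)], m.group(2).strip().lower()
            if field == "DHGroupNumbers":   # "Group 2" / "Diffie-Hellman Group 2" -> 2
                value = int(re.search(r"group (\d+)", value).group(1))
            phases.setdefault(current, {})[field] = value
    return phases

def to_console_name(field, value):
    if field == "EncryptionAlgorithms":     # aes-128-cbc -> AES128
        return "AES" + re.search(r"aes-?(\d+)", value).group(1)
    if field == "IntegrityAlgorithms":      # sha1, hmac-sha1-96 -> SHA1; hmac-sha256-128 -> SHA2-256
        bits = re.search(r"sha(?:2-)?(\d+)", value).group(1)
        return "SHA1" if bits == "1" else "SHA2-" + bits
    return value                            # DH group number is already comparable

def find_mismatches(phases, opts):
    # Each tuple: (phase, TunnelOptions suffix, value the file proposes, values the console allows)
    out = []
    for phase, fields in phases.items():
        for field in ("EncryptionAlgorithms", "IntegrityAlgorithms", "DHGroupNumbers"):
            allowed = sorted(a["Value"] for a in opts[phase + field])
            got = to_console_name(field, fields[field])
            if got not in allowed: out.append((phase, field, got, allowed))
    return out
```

Each reported tuple is one line of the downloaded file that has to be edited by hand before the device will negotiate the proposal configured in the console.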