IKEv2 VPN phase 1 params

Hi,

I’m about to set up a site-to-site VPN using a Virtual Private Gateway. It’s for a big firm to connect with us; those corporates like IPsec so much that they gave us a list of required parameters for the IKEv2 tunnel. For phase 1 encryption they want AES-CBC-256, which is not available in the AWS VPN.

I realised that when I coded it into Terraform and it threw an error, obviously, because that algorithm is not in the spec here: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_VpnTunnelOptionsSpecification.html .

Now, what is recommended from this point? Should I force them to use one of AES256 | AES128-GCM-16 | AES256-GCM-16, or is there another way to go?
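For reference, here is what the tunnel options look like when expressed in Terraform with values the API accepts. This is an added example, not the poster's own configuration: the resource names, the customer gateway address and the `aws_vpn_gateway.main` reference are hypothetical placeholders. Note that in the AWS option list the GCM entries are the AEAD variants and the plain `AES256` value is the non-AEAD (CBC-mode) AES-256 transform, so it is the value to compare against a partner's "AES-CBC-256" requirement; confirm the exact accepted strings against the API reference linked above before applying.

```hcl
# Added example, not the original poster's code. Gateway IDs and the
# customer gateway IP (a documentation-range address) are constructed placeholders.

resource "aws_customer_gateway" "partner" {
  bgp_asn    = 65000
  ip_address = "203.0.113.10"
  type       = "ipsec.1"
}

resource "aws_vpn_connection" "partner" {
  vpn_gateway_id      = aws_vpn_gateway.main.id # assumed to be defined elsewhere
  customer_gateway_id = aws_customer_gateway.partner.id
  type                = "ipsec.1"
  static_routes_only  = true

  # Phase 1 (IKE SA) proposal, pinned to IKEv2 on both tunnels.
  # The API rejects a value like "AES-CBC-256"; the accepted names are
  # AES128, AES256, AES128-GCM-16 and AES256-GCM-16.
  tunnel1_ike_versions                 = ["ikev2"]
  tunnel1_phase1_encryption_algorithms = ["AES256"]
  tunnel1_phase1_integrity_algorithms  = ["SHA2-256"]
  tunnel1_phase1_dh_group_numbers      = [14]
  tunnel1_phase1_lifetime_seconds      = 28800

  tunnel2_ike_versions                 = ["ikev2"]
  tunnel2_phase1_encryption_algorithms = ["AES256"]
  tunnel2_phase1_integrity_algorithms  = ["SHA2-256"]
  tunnel2_phase1_dh_group_numbers      = [14]
  tunnel2_phase1_lifetime_seconds      = 28800
}
```

Pinning a single value in each list is deliberate: with only one encryption, integrity and DH group offered per tunnel, the IKE negotiation cannot fall back to a weaker proposal than the one the partner's security team signed off on, which is usually the real intent behind a prescriptive parameter sheet.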

There may be a business justification, such as compliance, for why they use that security algorithm.

You can’t force them to do anything they don’t want to. You need to have a discussion and explain what’s going on.

Yeah, there will be a discussion for sure, but I guess they will not want to change the algorithm, so I’m looking into possible solutions; sounds like a custom EC2 instance with something like pfSense on it…