Documentation

The tunnel options for a single VPN tunnel.

See: newVpnTunnelOptionsSpecification smart constructor.

Create a value of VpnTunnelOptionsSpecification with all optional fields omitted.

Use generic-lens or optics to modify other optional fields.

The following record fields are available, with the corresponding lenses provided for backwards compatibility:

$sel:dPDTimeoutAction:VpnTunnelOptionsSpecification', vpnTunnelOptionsSpecification_dPDTimeoutAction - The action to take after DPD timeout occurs. Specify restart to restart the IKE initiation. Specify clear to end the IKE session.

Valid Values: clear | none | restart

Default: clear

$sel:dPDTimeoutSeconds:VpnTunnelOptionsSpecification', vpnTunnelOptionsSpecification_dPDTimeoutSeconds - The number of seconds after which a DPD timeout occurs.

Constraints: A value greater than or equal to 30.

Default: 30

$sel:iKEVersions:VpnTunnelOptionsSpecification', vpnTunnelOptionsSpecification_iKEVersions - The IKE versions that are permitted for the VPN tunnel.

Valid values: ikev1 | ikev2

$sel:logOptions:VpnTunnelOptionsSpecification', vpnTunnelOptionsSpecification_logOptions - Options for logging VPN tunnel activity.

$sel:phase1DHGroupNumbers:VpnTunnelOptionsSpecification', vpnTunnelOptionsSpecification_phase1DHGroupNumbers - One or more Diffie-Hellman group numbers that are permitted for the VPN tunnel for phase 1 IKE negotiations.

Valid values: 2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24

$sel:phase1EncryptionAlgorithms:VpnTunnelOptionsSpecification', vpnTunnelOptionsSpecification_phase1EncryptionAlgorithms - One or more encryption algorithms that are permitted for the VPN tunnel for phase 1 IKE negotiations.

Valid values: AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16

$sel:phase1IntegrityAlgorithms:VpnTunnelOptionsSpecification', vpnTunnelOptionsSpecification_phase1IntegrityAlgorithms - One or more integrity algorithms that are permitted for the VPN tunnel for phase 1 IKE negotiations.

Valid values: SHA1 | SHA2-256 | SHA2-384 | SHA2-512

$sel:phase1LifetimeSeconds:VpnTunnelOptionsSpecification', vpnTunnelOptionsSpecification_phase1LifetimeSeconds - The lifetime for phase 1 of the IKE negotiation, in seconds.

Constraints: A value between 900 and 28,800.

Default: 28800

$sel:phase2DHGroupNumbers:VpnTunnelOptionsSpecification', vpnTunnelOptionsSpecification_phase2DHGroupNumbers - One or more Diffie-Hellman group numbers that are permitted for the VPN tunnel for phase 2 IKE negotiations.

Valid values: 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24

$sel:phase2EncryptionAlgorithms:VpnTunnelOptionsSpecification', vpnTunnelOptionsSpecification_phase2EncryptionAlgorithms - One or more encryption algorithms that are permitted for the VPN tunnel for phase 2 IKE negotiations.

Valid values: AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16

$sel:phase2IntegrityAlgorithms:VpnTunnelOptionsSpecification', vpnTunnelOptionsSpecification_phase2IntegrityAlgorithms - One or more integrity algorithms that are permitted for the VPN tunnel for phase 2 IKE negotiations.

Valid values: SHA1 | SHA2-256 | SHA2-384 | SHA2-512

$sel:phase2LifetimeSeconds:VpnTunnelOptionsSpecification', vpnTunnelOptionsSpecification_phase2LifetimeSeconds - The lifetime for phase 2 of the IKE negotiation, in seconds.

Constraints: A value between 900 and 3,600. The value must be less than the value for Phase1LifetimeSeconds.

Default: 3600

$sel:preSharedKey:VpnTunnelOptionsSpecification', vpnTunnelOptionsSpecification_preSharedKey - The pre-shared key (PSK) to establish initial authentication between the virtual private gateway and customer gateway.

Constraints: Allowed characters are alphanumeric characters, periods (.), and underscores (_). Must be between 8 and 64 characters in length and cannot start with zero (0).

$sel:rekeyFuzzPercentage:VpnTunnelOptionsSpecification', vpnTunnelOptionsSpecification_rekeyFuzzPercentage - The percentage of the rekey window (determined by RekeyMarginTimeSeconds) during which the rekey time is randomly selected.

Constraints: A value between 0 and 100.

Default: 100

$sel:rekeyMarginTimeSeconds:VpnTunnelOptionsSpecification', vpnTunnelOptionsSpecification_rekeyMarginTimeSeconds - The margin time, in seconds, before the phase 2 lifetime expires, during which the Amazon Web Services side of the VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for RekeyFuzzPercentage.

Constraints: A value between 60 and half of Phase2LifetimeSeconds.

Default: 540

$sel:replayWindowSize:VpnTunnelOptionsSpecification', vpnTunnelOptionsSpecification_replayWindowSize - The number of packets in an IKE replay window.

Constraints: A value between 64 and 2048.

Default: 1024

$sel:startupAction:VpnTunnelOptionsSpecification', vpnTunnelOptionsSpecification_startupAction - The action to take when the establishing the tunnel for the VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for Amazon Web Services to initiate the IKE negotiation.

Valid Values: add | start

Default: add

$sel:tunnelInsideCidr:VpnTunnelOptionsSpecification', vpnTunnelOptionsSpecification_tunnelInsideCidr - The range of inside IPv4 addresses for the tunnel. Any specified CIDR blocks must be unique across all VPN connections that use the same virtual private gateway.

Constraints: A size /30 CIDR block from the 169.254.0.0/16 range. The following CIDR blocks are reserved and cannot be used:

• 169.254.0.0/30

• 169.254.1.0/30

• 169.254.2.0/30

• 169.254.3.0/30

• 169.254.4.0/30

• 169.254.5.0/30

• 169.254.169.252/30

$sel:tunnelInsideIpv6Cidr:VpnTunnelOptionsSpecification', vpnTunnelOptionsSpecification_tunnelInsideIpv6Cidr - The range of inside IPv6 addresses for the tunnel. Any specified CIDR blocks must be unique across all VPN connections that use the same transit gateway.

Constraints: A size /126 CIDR block from the local fd00::/8 range.

The action to take after DPD timeout occurs. Specify restart to restart the IKE initiation. Specify clear to end the IKE session.

Valid Values: clear | none | restart

Default: clear

The number of seconds after which a DPD timeout occurs.

Constraints: A value greater than or equal to 30.

Default: 30

The IKE versions that are permitted for the VPN tunnel.

Valid values: ikev1 | ikev2

Options for logging VPN tunnel activity.

One or more Diffie-Hellman group numbers that are permitted for the VPN tunnel for phase 1 IKE negotiations.

Valid values: 2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24

One or more encryption algorithms that are permitted for the VPN tunnel for phase 1 IKE negotiations.

Valid values: AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16

One or more integrity algorithms that are permitted for the VPN tunnel for phase 1 IKE negotiations.

Valid values: SHA1 | SHA2-256 | SHA2-384 | SHA2-512

The lifetime for phase 1 of the IKE negotiation, in seconds.

Constraints: A value between 900 and 28,800.

Default: 28800

One or more Diffie-Hellman group numbers that are permitted for the VPN tunnel for phase 2 IKE negotiations.

Valid values: 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24

One or more encryption algorithms that are permitted for the VPN tunnel for phase 2 IKE negotiations.

Valid values: AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16

One or more integrity algorithms that are permitted for the VPN tunnel for phase 2 IKE negotiations.

Valid values: SHA1 | SHA2-256 | SHA2-384 | SHA2-512

The lifetime for phase 2 of the IKE negotiation, in seconds.

Constraints: A value between 900 and 3,600. The value must be less than the value for Phase1LifetimeSeconds.

Default: 3600

The pre-shared key (PSK) to establish initial authentication between the virtual private gateway and customer gateway.

Constraints: Allowed characters are alphanumeric characters, periods (.), and underscores (_). Must be between 8 and 64 characters in length and cannot start with zero (0).

The percentage of the rekey window (determined by RekeyMarginTimeSeconds) during which the rekey time is randomly selected.

Constraints: A value between 0 and 100.

Default: 100

The margin time, in seconds, before the phase 2 lifetime expires, during which the Amazon Web Services side of the VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for RekeyFuzzPercentage.

Constraints: A value between 60 and half of Phase2LifetimeSeconds.

Default: 540

The number of packets in an IKE replay window.

Constraints: A value between 64 and 2048.

Default: 1024

The action to take when the establishing the tunnel for the VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for Amazon Web Services to initiate the IKE negotiation.

Valid Values: add | start

Default: add

The range of inside IPv4 addresses for the tunnel. Any specified CIDR blocks must be unique across all VPN connections that use the same virtual private gateway.

Constraints: A size /30 CIDR block from the 169.254.0.0/16 range. The following CIDR blocks are reserved and cannot be used:

• 169.254.0.0/30

• 169.254.1.0/30

• 169.254.2.0/30

• 169.254.3.0/30

• 169.254.4.0/30

• 169.254.5.0/30

• 169.254.169.252/30

The range of inside IPv6 addresses for the tunnel. Any specified CIDR blocks must be unique across all VPN connections that use the same transit gateway.

Constraints: A size /126 CIDR block from the local fd00::/8 range.