
AWS provides a neat function in its VPC that exposes a VPN service. I've configured this, and confirmed that it functions.

Our customer is using a Cisco 5500 Series ASA appliance to connect to the AWS VPN service. The FAQ provided by AWS describes that the following Diffie-Hellman Groups are supported for Phase 1 and Phase 2:

Q. Which Diffie-Hellman Groups do you support?

We support the following Diffie-Hellman (DH) groups in Phase1 and Phase2.

  • Phase1 DH groups 2, 14-18, 22, 23, 24

  • Phase2 DH groups 1, 2, 5, 14-18, 22, 23, 24

Taken from http://aws.amazon.com/vpc/faqs/

AWS provide an example configuration for the Cisco 5500 ASA appliance (http://docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide/Cisco_ASA.html). I can confirm that this does establish a tunnel(s).

However, the provided example config appears to be making use of DH Group 2 for both the Phase 1 and Phase 2 of the tunnel establishment, and is also using IKEv1, not IKEv2.

Cisco release notes for the 9.1.x firmware for the 5500 ASA appliance recommend that Group 1 and Group 2 be avoided, and in fact other sources suggest that group 5 should be avoided too (AWS VPC doesn't support Group 5 in Phase 1, so that's rather moot).

When configuring for IKEv2, for security reasons you should use groups 21, 20, 19, 24, 14, and 5. We do not recommend Diffie Hellman Group1 or Group2. For example, use

crypto ikev2 policy 10

group 21 20 19 24 14 5

Taken from Cisco ASA release notes for iOS version 9.1.x

AWS don't offer a Best Practice configuration, rather their example is a "starter for ten". I propose the following update to the AWS example configuration, but would like to have some confidence that this is going to achieve what I think it achieves before providing it to our customer.

Ln 48 - 54 changed to:

crypto ikev2 policy 10
  encryption aes256
  authentication pre-share
  group 24
  lifetime 28800
  hash sha256
exit

And Ln 117 changed to:

crypto map <amzn_vpn_map> 1 set pfs group24

There really seems to be a drought of validation of this configuration anywhere on the inter-space, so hopefully this message in a bottle drifts on to the shoreline of someone who's in the know!

belial
    Does it also need a change on Ln 119 to use IKEv2? `crypto map 1 set ikev2 transform-set transform-amzn` – belial Jun 21 '16 at 13:29

0 Answers
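The question above compares two lists: the DH groups Cisco's 9.1 release notes say to avoid (1 and 2, with other sources adding 5) and the groups the AWS VPC FAQ says the VPN endpoint accepts in each phase. The script below is an added example, not code from the question, from AWS or from Cisco. It pulls the DH-group lines out of an ASA configuration (the `group N` line inside a `crypto ikev1|ikev2 policy` block for Phase 1, and `set pfs groupN` on a crypto map for Phase 2), grades each against those two lists, and computes which of Cisco's recommended groups AWS actually accepts. It inspects only the DH-group lines and does not validate any other ASA syntax. The two configuration snippets embedded in it are constructed for the example: one stands in for the AWS sample as the question describes it (IKEv1, group 2 in both phases), the other is the question's proposed replacement with a made-up map name `amzn_vpn_map`; the severity labels are this example's own.

```python
"""Audit a Cisco ASA configuration for Diffie-Hellman group choices.

Added example (not from the question or from AWS/Cisco documentation).
Only the DH-group lines are inspected; no other ASA syntax is validated.
"""
import re
from dataclasses import dataclass
from typing import List

# From the Cisco ASA 9.1 release notes quoted in the question.
CISCO_DISCOURAGED = {1, 2}
CISCO_RECOMMENDED = [21, 20, 19, 24, 14, 5]
# The question notes that other sources also advise against group 5.
OTHER_SOURCES_DISCOURAGED = {5}
# From the AWS VPC FAQ quoted in the question.
AWS_PHASE1 = {2, 14, 15, 16, 17, 18, 22, 23, 24}
AWS_PHASE2 = {1, 2, 5, 14, 15, 16, 17, 18, 22, 23, 24}

POLICY_RE = re.compile(r"^\s*crypto ikev([12]) policy \d+\s*$")
GROUP_RE = re.compile(r"^\s*group\s+(\d+(?:\s+\d+)*)\s*$")
PFS_RE = re.compile(r"^\s*crypto map \S+ \d+ set pfs group(\d+)\s*$")


@dataclass
class Finding:
    line_no: int
    phase: int      # 1 = IKE policy group, 2 = crypto-map PFS group
    group: int
    severity: str   # "weak", "questionable", "unsupported-by-aws" or "ok"
    text: str


def classify(line_no: int, phase: int, group: int, text: str) -> Finding:
    """Grade one DH group; Cisco's advice takes precedence over AWS support."""
    aws_supported = AWS_PHASE1 if phase == 1 else AWS_PHASE2
    if group in CISCO_DISCOURAGED:
        severity = "weak"
    elif group in OTHER_SOURCES_DISCOURAGED:
        severity = "questionable"
    elif group not in aws_supported:
        severity = "unsupported-by-aws"
    else:
        severity = "ok"
    return Finding(line_no, phase, group, severity, text)


def audit(config: str) -> List[Finding]:
    """Return a Finding for every DH group named in the config, in file order."""
    findings: List[Finding] = []
    in_policy = False
    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.rstrip()
        if not line.strip():
            continue
        if POLICY_RE.match(line):
            in_policy = True
            continue
        m = GROUP_RE.match(line)
        if in_policy and m:
            # Cisco's own example lists several groups on one line.
            for g in m.group(1).split():
                findings.append(classify(n, 1, int(g), line.strip()))
            continue
        m = PFS_RE.match(line)
        if m:
            findings.append(classify(n, 2, int(m.group(1)), line.strip()))
        if not line[0].isspace():
            # Any other unindented line ('exit', a crypto map, ...) ends the policy block.
            in_policy = False
    return findings


def has_weak_groups(config: str) -> bool:
    return any(f.severity == "weak" for f in audit(config))


def recommended_for_aws(phase: int) -> List[int]:
    """Cisco's recommended groups that AWS also accepts for the given phase."""
    aws_supported = AWS_PHASE1 if phase == 1 else AWS_PHASE2
    return sorted(g for g in CISCO_RECOMMENDED
                  if g in aws_supported and g not in OTHER_SOURCES_DISCOURAGED)


# Constructed stand-in for the AWS sample as the question describes it
# (IKEv1, DH group 2 in both phases); not the AWS document's own text.
AWS_STYLE_EXAMPLE = """\
crypto ikev1 policy 201
  encryption aes
  authentication pre-share
  group 2
  lifetime 28800
  hash sha
exit
crypto map amzn_vpn_map 1 set pfs group2
"""

# The question's proposed lines, with a made-up map name filled in.
PROPOSED = """\
crypto ikev2 policy 10
  encryption aes256
  authentication pre-share
  group 24
  lifetime 28800
  hash sha256
exit
crypto map amzn_vpn_map 1 set pfs group24
"""

if __name__ == "__main__":
    for name, cfg in (("AWS-style example", AWS_STYLE_EXAMPLE), ("proposed", PROPOSED)):
        print(name)
        for f in audit(cfg):
            print(f"  line {f.line_no}: phase {f.phase} group {f.group}: {f.severity}")
    print("Cisco-recommended groups AWS accepts, phase 1:", recommended_for_aws(1))
    print("Cisco-recommended groups AWS accepts, phase 2:", recommended_for_aws(2))
```

Run against the two snippets, the IKEv1 stand-in is flagged "weak" in both phases and the proposed group 24 passes in both. The intersection check is the useful part: of Cisco's list `21 20 19 24 14 5`, groups 19, 20 and 21 are absent from the AWS FAQ list for either phase and 5 is discouraged, which leaves 14 and 24 as the groups both sides agree on, consistent with the choice of group 24 in the question.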