|
@@ -12,4 +12,22 @@ resource "aws_vpn_connection" "vpn" {
|
|
|
transit_gateway_id = var.transit_gateway_id
|
|
|
type = aws_customer_gateway.attachment[count.index].type
|
|
|
tags = merge(var.standard_tags, var.tags)
|
|
|
+
|
|
|
+ # The following settings (and more) originally could not be configured. We may want to revisit to see
|
|
|
+ # if these things should be hardened, but they look strong to me already.
|
|
|
+ tunnel1_ike_versions = [ "ikev2", ]
|
|
|
+ tunnel1_phase1_dh_group_numbers = [ 15, 16, 17, ]
|
|
|
+ tunnel1_phase1_encryption_algorithms = [ "AES256", ]
|
|
|
+ tunnel1_phase1_integrity_algorithms = [ "SHA2-256", ]
|
|
|
+ tunnel1_phase2_dh_group_numbers = [ 15, 16, 17, ]
|
|
|
+ tunnel1_phase2_encryption_algorithms = [ "AES256", ]
|
|
|
+ tunnel1_phase2_integrity_algorithms = [ "SHA2-256", ]
|
|
|
+
|
|
|
+ tunnel2_ike_versions = [ "ikev2", ]
|
|
|
+ tunnel2_phase1_dh_group_numbers = [ 15, 16, 17, ]
|
|
|
+ tunnel2_phase1_encryption_algorithms = [ "AES256", ]
|
|
|
+ tunnel2_phase1_integrity_algorithms = [ "SHA2-256", ]
|
|
|
+ tunnel2_phase2_dh_group_numbers = [ 15, 16, 17, ]
|
|
|
+ tunnel2_phase2_encryption_algorithms = [ "AES256", ]
|
|
|
+ tunnel2_phase2_integrity_algorithms = [ "SHA2-256", ]
|
|
|
}
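Review bot: The two comment lines introducing the added tunnel settings record a judgement ("look strong to me already") rather than the policy, so the next reader cannot tell whether IKEv2 with AES256 (CBC) + SHA2-256 and MODP groups 15–17 was chosen deliberately over the AEAD and ECP options the same attributes accept (`AES256-GCM-16`, DH groups 19–21) or was simply what the peer happened to support when this was written. I would replace them with comments that state the intent and the fact that these are negotiation allow-lists rather than a single selected suite, e.g. `# IKEv2 only; AES-256 (CBC) with SHA2-256 and MODP groups 15-17 (3072-6144 bit) - presumably matched to what the customer gateway supports, confirm before changing.` and `# Each list is an allow-list offered during negotiation; revisit AES256-GCM-16 and ECP groups 19-21 once the peer supports them.` The same seven values are repeated verbatim for tunnel1 and tunnel2, so I would also hoist them into a `locals` block (or module variables) so the two tunnels cannot silently drift apart on a later edit. The hunk does not set `tunnel1_preshared_key`/`tunnel2_preshared_key`, so AWS will presumably generate the PSKs and they will be written into Terraform state as resource attributes; a short note here that the state backend must be treated as secret would save the next maintainer from assuming the PSKs live only in AWS.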
|