Sunday, February 3, 2019

AWS GovCloud VPN with Cisco ASA (x-post from /r/aws)

With AWS phasing out VPN Classic, I have to migrate VPN connections to their "new" VPN. The issue is that in the GovCloud region, the new VPN enforces IKEv1 with DH14 (Diffie-Hellman group 14), but my customer gateway (CGW) is a Cisco ASA, and Cisco ASAs currently do NOT support IKEv1 with DH14 (see this enhancement request). Cisco ASAs currently only support DH14 with IKEv2, but AWS currently does not support IKEv2.

My options seem to be:

  1. On my on-premises network, use a Cisco router as my CGW. Cisco routers can support IKEv1 with DH14.
  2. On the AWS side, spin up a Cisco CSR as an EC2 instance (or another virtual router or firewall) and use that as my VPN gateway.

Do any of you have this issue?

What are you doing to overcome this?
