AwsEc2VpnConnectionOptionsTunnelOptionsDetails - AWS Security Hub

AwsEc2VpnConnectionOptionsTunnelOptionsDetails

The VPN tunnel options.

Contents

DpdTimeoutSeconds

The number of seconds after which a Dead Peer Detection (DPD) timeout occurs.

Type: Integer

Required: No

IkeVersions

The Internet Key Exchange (IKE) versions that are permitted for the VPN tunnel.

Type: Array of strings

Pattern: .*\S.*

Required: No

OutsideIpAddress

The external IP address of the VPN tunnel.

Type: String

Pattern: .*\S.*

Required: No

Phase1DhGroupNumbers

The permitted Diffie-Hellman group numbers for the VPN tunnel for phase 1 IKE negotiations.

Type: Array of integers

Required: No

Phase1EncryptionAlgorithms

The permitted encryption algorithms for the VPN tunnel for phase 1 IKE negotiations.

Type: Array of strings

Pattern: .*\S.*

Required: No

Phase1IntegrityAlgorithms

The permitted integrity algorithms for the VPN tunnel for phase 1 IKE negotiations.

Type: Array of strings

Pattern: .*\S.*

Required: No

Phase1LifetimeSeconds

The lifetime for phase 1 of the IKE negotiation, in seconds.

Type: Integer

Required: No

Phase2DhGroupNumbers

The permitted Diffie-Hellman group numbers for the VPN tunnel for phase 2 IKE negotiations.

Type: Array of integers

Required: No

Phase2EncryptionAlgorithms

The permitted encryption algorithms for the VPN tunnel for phase 2 IKE negotiations.

Type: Array of strings

Pattern: .*\S.*

Required: No

Phase2IntegrityAlgorithms

The permitted integrity algorithms for the VPN tunnel for phase 2 IKE negotiations.

Type: Array of strings

Pattern: .*\S.*

Required: No

Phase2LifetimeSeconds

The lifetime for phase 2 of the IKE negotiation, in seconds.

Type: Integer

Required: No

PreSharedKey

The preshared key to establish initial authentication between the virtual private gateway and the customer gateway.

Type: String

Pattern: .*\S.*

Required: No

RekeyFuzzPercentage

The percentage of the rekey window, which is determined by RekeyMarginTimeSeconds, during which the rekey time is randomly selected.

Type: Integer

Required: No

RekeyMarginTimeSeconds

The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the VPN connection performs an IKE rekey.

Type: Integer

Required: No

ReplayWindowSize

The number of packets in an IKE replay window.

Type: Integer

Required: No

TunnelInsideCidr

The range of inside IPv4 addresses for the tunnel.

Type: String

Pattern: .*\S.*

Required: No
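
Example (added here, not part of the AWS documentation): a Python check that audits one AwsEc2VpnConnectionOptionsTunnelOptionsDetails object for permitted legacy settings and redacts PreSharedKey before the finding is forwarded to another system. The function names, the policy sets, and the sample object are assumptions made for illustration; the value strings follow the spellings used by the EC2 VPN tunnel options.

```python
import copy

# Assumed organisational policy, not AWS defaults.
WEAK_DH_GROUPS = {2}          # 1024-bit MODP group
WEAK_INTEGRITY = {"SHA1"}     # require the SHA-2 family instead
DEPRECATED_IKE = {"ikev1"}    # require IKEv2 only

def audit_tunnel(opts):
    """Return a list of policy issues for one tunnel options object.

    Every field is optional ("Required: No"), so absent fields are skipped
    rather than treated as compliant or non-compliant.
    """
    issues = []
    ike = {v.lower() for v in opts.get("IkeVersions") or []} & DEPRECATED_IKE
    if ike:
        issues.append(f"IkeVersions: {sorted(ike)} permitted")
    for phase in ("Phase1", "Phase2"):
        dh = set(opts.get(f"{phase}DhGroupNumbers") or []) & WEAK_DH_GROUPS
        if dh:
            issues.append(f"{phase}DhGroupNumbers: {sorted(dh)} permitted")
        algs = {a.upper() for a in opts.get(f"{phase}IntegrityAlgorithms") or []}
        if algs & WEAK_INTEGRITY:
            issues.append(
                f"{phase}IntegrityAlgorithms: {sorted(algs & WEAK_INTEGRITY)} permitted")
    if opts.get("PreSharedKey"):
        issues.append("PreSharedKey: secret present; redact before export")
    return issues

def redact(opts):
    """Return a copy that is safe to log; the input object is not modified."""
    clean = copy.deepcopy(opts)
    if "PreSharedKey" in clean:
        clean["PreSharedKey"] = "<redacted>"
    return clean

# Constructed sample object (documentation IP range, fake key).
SAMPLE = {
    "OutsideIpAddress": "203.0.113.10",
    "IkeVersions": ["ikev1", "ikev2"],
    "Phase1DhGroupNumbers": [2, 14],
    "Phase1IntegrityAlgorithms": ["SHA1", "SHA2-256"],
    "Phase2DhGroupNumbers": [14],
    "Phase2IntegrityAlgorithms": ["SHA2-256"],
    "PreSharedKey": "constructed-not-a-real-key",
}

if __name__ == "__main__":
    for issue in audit_tunnel(SAMPLE):
        print(issue)
    print(redact(SAMPLE))
```
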
