AWS VPN Configuration with Enhanced Crypto Parameters

Establishing VPN Connections with Enhanced Crypto Parameters

Question

A start-up firm is looking to deploy a backup web server in AWS cloud infrastructure, with its primary servers at an on-prem data centre.

The web server will be deployed on an EC2 instance in a non-default VPC.

You have been asked to establish VPN connectivity between the on-prem Cisco routers & the VGW.

After the initial VPN connection is established, the Security Team has concerns about the crypto parameters used for this connection & has asked you to use enhanced crypto parameters.

Which of the following can be done to establish the VPN connection with the new crypto parameters & meet mandatory security guidelines with the least effort?

Explanations

To establish VPN connectivity between on-prem Cisco routers and a VGW, the initial steps are to create a Virtual Private Gateway (VGW) on the AWS side and a Customer Gateway resource representing the on-prem router. Once this is done, a VPN connection can be established between the two gateways.

After the initial VPN connection is established, the Security Team has raised concerns about the crypto parameters used for the connection and has asked for enhanced crypto parameters that meet mandatory security guidelines, with the least effort.

There are different options to establish a VPN connection with new Crypto parameters, and the best approach depends on the current configuration and the desired outcome. Let's discuss each of the answers provided:

A. Create a second VGW with a VPC & create a new VPN connection with the Customer Gateway using the new Crypto parameters.

This approach involves creating a new VGW and a new VPN connection with the desired crypto parameters. It would require creating a new VPC and possibly migrating the web server to it, so it is not the most efficient option and requires a significant amount of effort.

B. Delete existing VPN connection & create a separate VPN tunnel with new Crypto parameters.

This option involves deleting the existing VPN connection and creating a new VPN tunnel with the desired Crypto parameters. This option would cause a disruption to the existing service and may not be the most efficient.

C. Change Crypto Configuration on Customer Gateway & open an AWS support ticket to share new Crypto configuration with them to be added at VGW end.

This option involves changing the Crypto Configuration on the Customer Gateway to meet the desired Crypto parameters. After this is done, an AWS support ticket can be opened to share the new Crypto configuration with them, and the VGW end can be updated accordingly. This approach is less disruptive than the other options, and it allows for the existing VPN connection to remain in place while the Crypto parameters are updated.

D. Change Crypto Configuration on Customer Gateway; the VPN configuration with the VGW is negotiated when the tunnel is established.

This option involves changing the crypto configuration on the Customer Gateway to meet the desired crypto parameters and relying on the VPN configuration with the VGW being negotiated when the tunnel is established. This approach is less disruptive than option B, but it requires more configuration changes compared to option C.

In summary, the best approach to establish a VPN connection with new Crypto parameters and meet mandatory security guidelines with the least effort would be to change the Crypto Configuration on the Customer Gateway and open an AWS support ticket to share the new Crypto configuration with them to be added at the VGW end (Option C). This approach is the least disruptive and allows for the existing VPN connection to remain in place while the Crypto parameters are updated.
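Every option above starts with the same customer-side step, so as an added illustration (not part of the original question or answer) this shows what "change the crypto configuration on the Customer Gateway" looks like on a Cisco IOS router running IKEv2: the weaker proposal first, then the strengthened one. The object names, the peer address 203.0.113.1, the pre-shared-key placeholder and the specific before/after algorithms are assumptions, and the VGW end must accept the same proposal (which is exactly what options C and D differ on) or the tunnel will not renegotiate.

```cisco
! --- Before: the proposal the security team objected to (assumed values) ---
crypto ikev2 proposal AWS-IKEV2-PROPOSAL
 encryption aes-cbc-128
 integrity sha1
 group 2
crypto ipsec transform-set AWS-TS esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec profile AWS-IPSEC-PROFILE
 set transform-set AWS-TS
 set pfs group2

! --- After: strengthened proposal on the Customer Gateway ---
crypto ikev2 proposal AWS-IKEV2-PROPOSAL
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy AWS-IKEV2-POLICY
 proposal AWS-IKEV2-PROPOSAL
crypto ikev2 keyring AWS-KEYRING
 peer AWS-TUNNEL-1
  address 203.0.113.1
  pre-shared-key <PSK-FROM-AWS-VPN-CONFIG-DOWNLOAD>
crypto ikev2 profile AWS-IKEV2-PROFILE
 match identity remote address 203.0.113.1 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local AWS-KEYRING
 lifetime 28800
 dpd 10 3 periodic
crypto ipsec transform-set AWS-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile AWS-IPSEC-PROFILE
 set transform-set AWS-TS
 set pfs group14
 set ikev2-profile AWS-IKEV2-PROFILE
 set security-association lifetime seconds 3600
interface Tunnel1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile AWS-IPSEC-PROFILE

! Verify what was actually negotiated once the tunnel comes back up
! show crypto ikev2 sa detailed
! show crypto ipsec sa | include transform
```

The two show commands are the check that matters: they report the algorithms the peers actually agreed on, not the ones configured, so a mismatch with the VGW end shows up there rather than in the running config.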