From 1f352f57d3479cca1d6a18695623827ec8d142cf Mon Sep 17 00:00:00 2001
From: Nathan Cazell
Date: Tue, 30 Oct 2018 15:49:41 -0400
Subject: [PATCH] write isakmp and ipsec policy based on configuration to support stronger encryptions (like those of GovCloud VGWs)

---
 ...-vpc-primary-account-existing-vpc.template | 92 +++++++++++--------
 .../transit-vpc-primary-account.template | 92 +++++++++++--------
 .../lambda_function.py | 7 +-
 3 files changed, 110 insertions(+), 81 deletions(-)

diff --git a/deployment/transit-vpc-primary-account-existing-vpc.template b/deployment/transit-vpc-primary-account-existing-vpc.template
index 36bd7e2..3eaa51a 100644
--- a/deployment/transit-vpc-primary-account-existing-vpc.template
+++ b/deployment/transit-vpc-primary-account-existing-vpc.template
@@ -316,26 +316,32 @@
  "ios-config-6=\"group 2\"\n",
  "ios-config-7=\"lifetime 28800\"\n",
  "ios-config-8=\"hash sha\"\n",
- "ios-config-9=\"crypto ipsec transform-set ipsec-prop-vpn-aws esp-aes 128 esp-sha-hmac\"\n",
- "ios-config-10=\"mode tunnel\"\n",
- "ios-config-11=\"crypto ipsec df-bit clear\"\n",
- "ios-config-12=\"crypto isakmp keepalive 10 10 periodic\"\n",
- "ios-config-13=\"crypto ipsec security-association replay window-size 1024\"\n",
- "ios-config-14=\"crypto ipsec fragmentation before-encryption\"\n",
- "ios-config-15=\"no crypto ipsec nat-transparency udp-encapsulation\"\n",
- "ios-config-16=\"crypto ipsec profile ipsec-vpn-aws\"\n",
- "ios-config-17=\"set pfs group2\"\n",
- "ios-config-18=\"set security-association lifetime seconds 3600\"\n",
- "ios-config-19=\"set transform-set ipsec-prop-vpn-aws\"\n",
- "ios-config-20=\"router bgp ", { "Ref" : "BgpAsn" },"\"\n",
- "ios-config-21=\"bgp log-neighbor-changes\"\n",
- "ios-config-22=\"ip vrf vpn0\"\n",
- "ios-config-23=\"rd ", { "Ref" : "BgpAsn" }, ":0\"\n",
- "ios-config-24=\"ip ssh pubkey-chain\"\n",
- "ios-config-25=\"username ", { "Fn::FindInMap" : [ "Function", "Csr", "UserName"]}, "\"\n",
- "ios-config-26=\"key-hash ssh-rsa ", { "Fn::GetAtt" : [ "CreateRsaKey", "Fingerprint" ] },"\"\n",
- "ios-config-27=\"ip ssh server algorithm authentication publickey\"\n",
- "ios-config-28=\"ip ssh maxstartups 1\"\n"
+ "ios-config-9=\"crypto isakmp policy 214\"\n",
+ "ios-config-10=\"encryption aes 128\"\n",
+ "ios-config-11=\"authentication pre-share\"\n",
+ "ios-config-12=\"group 14\"\n",
+ "ios-config-13=\"lifetime 28800\"\n",
+ "ios-config-14=\"hash\"\n",
+ "ios-config-15=\"crypto ipsec transform-set ipsec-prop-vpn-aws esp-aes 128 esp-sha-hmac\"\n",
+ "ios-config-16=\"mode tunnel\"\n",
+ "ios-config-17=\"crypto ipsec df-bit clear\"\n",
+ "ios-config-18=\"crypto isakmp keepalive 10 10 periodic\"\n",
+ "ios-config-19=\"crypto ipsec security-association replay window-size 1024\"\n",
+ "ios-config-20=\"crypto ipsec fragmentation before-encryption\"\n",
+ "ios-config-21=\"no crypto ipsec nat-transparency udp-encapsulation\"\n",
+ "ios-config-22=\"crypto ipsec profile ipsec-vpn-aws\"\n",
+ "ios-config-23=\"set pfs group2\"\n",
+ "ios-config-24=\"set security-association lifetime seconds 3600\"\n",
+ "ios-config-25=\"set transform-set ipsec-prop-vpn-aws\"\n",
+ "ios-config-26=\"router bgp ", { "Ref" : "BgpAsn" },"\"\n",
+ "ios-config-27=\"bgp log-neighbor-changes\"\n",
+ "ios-config-28=\"ip vrf vpn0\"\n",
+ "ios-config-29=\"rd ", { "Ref" : "BgpAsn" }, ":0\"\n",
+ "ios-config-30=\"ip ssh pubkey-chain\"\n",
+ "ios-config-31=\"username ", { "Fn::FindInMap" : [ "Function", "Csr", "UserName"]}, "\"\n",
+ "ios-config-32=\"key-hash ssh-rsa ", { "Fn::GetAtt" : [ "CreateRsaKey", "Fingerprint" ] },"\"\n",
+ "ios-config-33=\"ip ssh server algorithm authentication publickey\"\n",
+ "ios-config-34=\"ip ssh maxstartups 1\"\n"
  ]]}}
  }
  },
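Review bot: `"ios-config-14=\"hash\"\n",` in the new `crypto isakmp policy 214` block names no hash algorithm; IOS `hash` takes an argument (`sha`, `sha256`, `sha384`, `sha512`, `md5`), so this line will most likely be rejected as an incomplete command at bootstrap and policy 214 will fall back to the platform default instead of the stronger hash the commit message is after. State it explicitly, as the existing policy does with `hash sha` three lines up: `"ios-config-14=\"hash sha256\"\n",` (substitute whatever the GovCloud VGW proposal actually negotiates). Note also that the IPsec profile in this same hunk still carries `set pfs group2` and the AES-128/SHA-1 `ipsec-prop-vpn-aws` transform set, so only Phase 1 gains DH group 14; Phase 2 is untouched and a VGW that insists on a stronger ESP proposal will still not come up. The ios-config list begins above the hunk, so the first policy's `crypto isakmp policy` line and `ios-config-1`..`5` are not visible here.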
@@ -366,26 +372,32 @@
  "ios-config-6=\"group 2\"\n",
  "ios-config-7=\"lifetime 28800\"\n",
  "ios-config-8=\"hash sha\"\n",
- "ios-config-9=\"crypto ipsec transform-set ipsec-prop-vpn-aws esp-aes 128 esp-sha-hmac\"\n",
- "ios-config-10=\"mode tunnel\"\n",
- "ios-config-11=\"crypto ipsec df-bit clear\"\n",
- "ios-config-12=\"crypto isakmp keepalive 10 10 periodic\"\n",
- "ios-config-13=\"crypto ipsec security-association replay window-size 1024\"\n",
- "ios-config-14=\"crypto ipsec fragmentation before-encryption\"\n",
- "ios-config-15=\"no crypto ipsec nat-transparency udp-encapsulation\"\n",
- "ios-config-16=\"crypto ipsec profile ipsec-vpn-aws\"\n",
- "ios-config-17=\"set pfs group2\"\n",
- "ios-config-18=\"set security-association lifetime seconds 3600\"\n",
- "ios-config-19=\"set transform-set ipsec-prop-vpn-aws\"\n",
- "ios-config-20=\"router bgp ", { "Ref" : "BgpAsn" },"\"\n",
- "ios-config-21=\"bgp log-neighbor-changes\"\n",
- "ios-config-22=\"ip vrf vpn0\"\n",
- "ios-config-23=\"rd ", { "Ref" : "BgpAsn" }, ":0\"\n",
- "ios-config-24=\"ip ssh pubkey-chain\"\n",
- "ios-config-25=\"username ", { "Fn::FindInMap" : [ "Function", "Csr", "UserName"]}, "\"\n",
- "ios-config-26=\"key-hash ssh-rsa ", { "Fn::GetAtt" : [ "CreateRsaKey", "Fingerprint" ] },"\"\n",
- "ios-config-27=\"ip ssh server algorithm authentication publickey\"\n",
- "ios-config-28=\"ip ssh maxstartups 1\"\n"
+ "ios-config-9=\"crypto isakmp policy 214\"\n",
+ "ios-config-10=\"encryption aes 128\"\n",
+ "ios-config-11=\"authentication pre-share\"\n",
+ "ios-config-12=\"group 14\"\n",
+ "ios-config-13=\"lifetime 28800\"\n",
+ "ios-config-14=\"hash\"\n",
+ "ios-config-15=\"crypto ipsec transform-set ipsec-prop-vpn-aws esp-aes 128 esp-sha-hmac\"\n",
+ "ios-config-16=\"mode tunnel\"\n",
+ "ios-config-17=\"crypto ipsec df-bit clear\"\n",
+ "ios-config-18=\"crypto isakmp keepalive 10 10 periodic\"\n",
+ "ios-config-19=\"crypto ipsec security-association replay window-size 1024\"\n",
+ "ios-config-20=\"crypto ipsec fragmentation before-encryption\"\n",
+ "ios-config-21=\"no crypto ipsec nat-transparency udp-encapsulation\"\n",
+ "ios-config-22=\"crypto ipsec profile ipsec-vpn-aws\"\n",
+ "ios-config-23=\"set pfs group2\"\n",
+ "ios-config-24=\"set security-association lifetime seconds 3600\"\n",
+ "ios-config-25=\"set transform-set ipsec-prop-vpn-aws\"\n",
+ "ios-config-26=\"router bgp ", { "Ref" : "BgpAsn" },"\"\n",
+ "ios-config-27=\"bgp log-neighbor-changes\"\n",
+ "ios-config-28=\"ip vrf vpn0\"\n",
+ "ios-config-29=\"rd ", { "Ref" : "BgpAsn" }, ":0\"\n",
+ "ios-config-30=\"ip ssh pubkey-chain\"\n",
+ "ios-config-31=\"username ", { "Fn::FindInMap" : [ "Function", "Csr", "UserName"]}, "\"\n",
+ "ios-config-32=\"key-hash ssh-rsa ", { "Fn::GetAtt" : [ "CreateRsaKey", "Fingerprint" ] },"\"\n",
+ "ios-config-33=\"ip ssh server algorithm authentication publickey\"\n",
+ "ios-config-34=\"ip ssh maxstartups 1\"\n"
  ]]}}
  }
  },
diff --git a/deployment/transit-vpc-primary-account.template b/deployment/transit-vpc-primary-account.template
index ac270c7..bcb48a3 100644
--- a/deployment/transit-vpc-primary-account.template
+++ b/deployment/transit-vpc-primary-account.template
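Review bot: The second CSR's bootstrap in this hunk carries the same incomplete `"ios-config-14=\"hash\"\n",` line as the first instance's, so both routers in this stack would come up with policy 214 lacking an explicit hash (or with the line rejected outright). The fix has to be applied to both copies, e.g. `"ios-config-14=\"hash sha256\"\n",`, and I would suggest a comment or README note stating which VGW proposal policy 214 is meant to match, since `group 14` paired with `encryption aes 128` and the still-SHA-1 transform set below is an unusual combination that a later reader will question. Because the two CSR user-data blocks are byte-identical copies, any future drift between them will silently produce two routers with different crypto posture; keeping the ISAKMP/IPsec lines in one Mapping and referencing it from both would remove that risk. The enclosing `Fn::Join` begins above the hunk.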
@@ -402,26 +402,32 @@
  "ios-config-6=\"group 2\"\n",
  "ios-config-7=\"lifetime 28800\"\n",
  "ios-config-8=\"hash sha\"\n",
- "ios-config-9=\"crypto ipsec transform-set ipsec-prop-vpn-aws esp-aes 128 esp-sha-hmac\"\n",
- "ios-config-10=\"mode tunnel\"\n",
- "ios-config-11=\"crypto ipsec df-bit clear\"\n",
- "ios-config-12=\"crypto isakmp keepalive 10 10 periodic\"\n",
- "ios-config-13=\"crypto ipsec security-association replay window-size 1024\"\n",
- "ios-config-14=\"crypto ipsec fragmentation before-encryption\"\n",
- "ios-config-15=\"no crypto ipsec nat-transparency udp-encapsulation\"\n",
- "ios-config-16=\"crypto ipsec profile ipsec-vpn-aws\"\n",
- "ios-config-17=\"set pfs group2\"\n",
- "ios-config-18=\"set security-association lifetime seconds 3600\"\n",
- "ios-config-19=\"set transform-set ipsec-prop-vpn-aws\"\n",
- "ios-config-20=\"router bgp ", { "Ref" : "BgpAsn" },"\"\n",
- "ios-config-21=\"bgp log-neighbor-changes\"\n",
- "ios-config-22=\"ip vrf vpn0\"\n",
- "ios-config-23=\"rd ", { "Ref" : "BgpAsn" }, ":0\"\n",
- "ios-config-24=\"ip ssh pubkey-chain\"\n",
- "ios-config-25=\"username ", { "Fn::FindInMap" : [ "Function", "Csr", "UserName"]}, "\"\n",
- "ios-config-26=\"key-hash ssh-rsa ", { "Fn::GetAtt" : [ "CreateRsaKey", "Fingerprint" ] },"\"\n",
- "ios-config-27=\"ip ssh server algorithm authentication publickey\"\n",
- "ios-config-28=\"ip ssh maxstartups 1\"\n"
+ "ios-config-9=\"crypto isakmp policy 214\"\n",
+ "ios-config-10=\"encryption aes 128\"\n",
+ "ios-config-11=\"authentication pre-share\"\n",
+ "ios-config-12=\"group 14\"\n",
+ "ios-config-13=\"lifetime 28800\"\n",
+ "ios-config-14=\"hash\"\n",
+ "ios-config-15=\"crypto ipsec transform-set ipsec-prop-vpn-aws esp-aes 128 esp-sha-hmac\"\n",
+ "ios-config-16=\"mode tunnel\"\n",
+ "ios-config-17=\"crypto ipsec df-bit clear\"\n",
+ "ios-config-18=\"crypto isakmp keepalive 10 10 periodic\"\n",
+ "ios-config-19=\"crypto ipsec security-association replay window-size 1024\"\n",
+ "ios-config-20=\"crypto ipsec fragmentation before-encryption\"\n",
+ "ios-config-21=\"no crypto ipsec nat-transparency udp-encapsulation\"\n",
+ "ios-config-22=\"crypto ipsec profile ipsec-vpn-aws\"\n",
+ "ios-config-23=\"set pfs group2\"\n",
+ "ios-config-24=\"set security-association lifetime seconds 3600\"\n",
+ "ios-config-25=\"set transform-set ipsec-prop-vpn-aws\"\n",
+ "ios-config-26=\"router bgp ", { "Ref" : "BgpAsn" },"\"\n",
+ "ios-config-27=\"bgp log-neighbor-changes\"\n",
+ "ios-config-28=\"ip vrf vpn0\"\n",
+ "ios-config-29=\"rd ", { "Ref" : "BgpAsn" }, ":0\"\n",
+ "ios-config-30=\"ip ssh pubkey-chain\"\n",
+ "ios-config-31=\"username ", { "Fn::FindInMap" : [ "Function", "Csr", "UserName"]}, "\"\n",
+ "ios-config-32=\"key-hash ssh-rsa ", { "Fn::GetAtt" : [ "CreateRsaKey", "Fingerprint" ] },"\"\n",
+ "ios-config-33=\"ip ssh server algorithm authentication publickey\"\n",
+ "ios-config-34=\"ip ssh maxstartups 1\"\n"
  ]]}}
  }
  },
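Review bot: `"ios-config-14=\"hash\"\n",` is missing its algorithm here too, so the new-VPC template's first CSR has the same broken ISAKMP policy 214 as the existing-VPC template; IOS will most likely refuse the bare `hash` command and the policy will not carry the hash you intend. Make it explicit, e.g. `"ios-config-14=\"hash sha256\"\n",`, chosen to match the proposal the GovCloud VGW actually offers. Separately, the profile `ipsec-vpn-aws` defined later in this hunk keeps `set pfs group2` and the AES-128/SHA-1 `ipsec-prop-vpn-aws` transform set, and the Lambda in this same commit still points each per-tunnel profile at that transform set, so the stronger DH group is never applied to Phase 2; if GovCloud needs stronger ESP, a second transform set (and PFS group) has to be added alongside policy 214. The list's first entries are above the hunk.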
@@ -452,26 +458,32 @@
  "ios-config-6=\"group 2\"\n",
  "ios-config-7=\"lifetime 28800\"\n",
  "ios-config-8=\"hash sha\"\n",
- "ios-config-9=\"crypto ipsec transform-set ipsec-prop-vpn-aws esp-aes 128 esp-sha-hmac\"\n",
- "ios-config-10=\"mode tunnel\"\n",
- "ios-config-11=\"crypto ipsec df-bit clear\"\n",
- "ios-config-12=\"crypto isakmp keepalive 10 10 periodic\"\n",
- "ios-config-13=\"crypto ipsec security-association replay window-size 1024\"\n",
- "ios-config-14=\"crypto ipsec fragmentation before-encryption\"\n",
- "ios-config-15=\"no crypto ipsec nat-transparency udp-encapsulation\"\n",
- "ios-config-16=\"crypto ipsec profile ipsec-vpn-aws\"\n",
- "ios-config-17=\"set pfs group2\"\n",
- "ios-config-18=\"set security-association lifetime seconds 3600\"\n",
- "ios-config-19=\"set transform-set ipsec-prop-vpn-aws\"\n",
- "ios-config-20=\"router bgp ", { "Ref" : "BgpAsn" },"\"\n",
- "ios-config-21=\"bgp log-neighbor-changes\"\n",
- "ios-config-22=\"ip vrf vpn0\"\n",
- "ios-config-23=\"rd ", { "Ref" : "BgpAsn" }, ":0\"\n",
- "ios-config-24=\"ip ssh pubkey-chain\"\n",
- "ios-config-25=\"username ", { "Fn::FindInMap" : [ "Function", "Csr", "UserName"]}, "\"\n",
- "ios-config-26=\"key-hash ssh-rsa ", { "Fn::GetAtt" : [ "CreateRsaKey", "Fingerprint" ] },"\"\n",
- "ios-config-27=\"ip ssh server algorithm authentication publickey\"\n",
- "ios-config-28=\"ip ssh maxstartups 1\"\n"
+ "ios-config-9=\"crypto isakmp policy 214\"\n",
+ "ios-config-10=\"encryption aes 128\"\n",
+ "ios-config-11=\"authentication pre-share\"\n",
+ "ios-config-12=\"group 14\"\n",
+ "ios-config-13=\"lifetime 28800\"\n",
+ "ios-config-14=\"hash\"\n",
+ "ios-config-15=\"crypto ipsec transform-set ipsec-prop-vpn-aws esp-aes 128 esp-sha-hmac\"\n",
+ "ios-config-16=\"mode tunnel\"\n",
+ "ios-config-17=\"crypto ipsec df-bit clear\"\n",
+ "ios-config-18=\"crypto isakmp keepalive 10 10 periodic\"\n",
+ "ios-config-19=\"crypto ipsec security-association replay window-size 1024\"\n",
+ "ios-config-20=\"crypto ipsec fragmentation before-encryption\"\n",
+ "ios-config-21=\"no crypto ipsec nat-transparency udp-encapsulation\"\n",
+ "ios-config-22=\"crypto ipsec profile ipsec-vpn-aws\"\n",
+ "ios-config-23=\"set pfs group2\"\n",
+ "ios-config-24=\"set security-association lifetime seconds 3600\"\n",
+ "ios-config-25=\"set transform-set ipsec-prop-vpn-aws\"\n",
+ "ios-config-26=\"router bgp ", { "Ref" : "BgpAsn" },"\"\n",
+ "ios-config-27=\"bgp log-neighbor-changes\"\n",
+ "ios-config-28=\"ip vrf vpn0\"\n",
+ "ios-config-29=\"rd ", { "Ref" : "BgpAsn" }, ":0\"\n",
+ "ios-config-30=\"ip ssh pubkey-chain\"\n",
+ "ios-config-31=\"username ", { "Fn::FindInMap" : [ "Function", "Csr", "UserName"]}, "\"\n",
+ "ios-config-32=\"key-hash ssh-rsa ", { "Fn::GetAtt" : [ "CreateRsaKey", "Fingerprint" ] },"\"\n",
+ "ios-config-33=\"ip ssh server algorithm authentication publickey\"\n",
+ "ios-config-34=\"ip ssh maxstartups 1\"\n"
  ]]}}
  }
  },
diff --git a/source/transit-vpc-push-cisco-config/lambda_function.py b/source/transit-vpc-push-cisco-config/lambda_function.py
index 1a36b5a..61c8457 100644
--- a/source/transit-vpc-push-cisco-config/lambda_function.py
+++ b/source/transit-vpc-push-cisco-config/lambda_function.py
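Review bot: The fourth copy of the CSR bootstrap repeats `"ios-config-14=\"hash\"\n",` with no algorithm, so the second CSR in the new-VPC stack is affected in the same way as the other three; I would expect the bare `hash` line to be rejected by IOS, though I cannot confirm the exact behaviour of the CSR image this template pins. Whichever algorithm is chosen, e.g. `"ios-config-14=\"hash sha256\"\n",`, it needs to be identical across all four CSR user-data blocks so both routers in either stack negotiate the same Phase 1 proposal. Both ISAKMP policies still use `authentication pre-share`, which is expected for AWS VGWs, but a one-line comment in the template or README recording that policy 214 exists for GovCloud VGWs and why `group 14` was picked would save the next person from treating it as dead configuration. The start of the ios-config list lies above this hunk.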
@@ -280,6 +280,11 @@ def create_cisco_config(bucket_name, bucket_key, s3_url, bgp_asn, ssh):
  config_text.append(' match identity address {}'.format(vpn_gateway_tunnel_outside_address))
  config_text.append(' keyring keyring-{}-{}'.format(vpn_connection_id,tunnelId))
  config_text.append('exit')
+ config_text.append('crypto ipsec profile ipsec-{}-{}'.format(vpn_connection_id,tunnelId))
+ config_text.append(' set pfs {}').format(ipsec_perfect_forward_secrecy))
+ config_text.append(' set security-association lifetime seconds 3600'.format(vpn_gateway_tunnel_outside_address))
+ config_text.append(' set transform-set ipsec-prop-vpn-aws)
+ config_text.append('exit')
  config_text.append('interface Tunnel{}'.format(tunnelId))
  config_text.append(' description {} from {} to {} for account {}'.format(vpn_connection_id, vpn_gateway_id, customer_gateway_id, account_id))
  config_text.append(' ip vrf forwarding {}'.format(vpn_connection_id))
@@ -288,7 +293,7 @@ def create_cisco_config(bucket_name, bucket_key, s3_url, bgp_asn, ssh):
  config_text.append(' tunnel source GigabitEthernet1')
  config_text.append(' tunnel destination {} '.format(vpn_gateway_tunnel_outside_address))
  config_text.append(' tunnel mode ipsec ipv4')
- config_text.append(' tunnel protection ipsec profile ipsec-vpn-aws')
+ config_text.append(' tunnel protection ipsec profile ipsec-{}-{}'.format(vpn_connection_id,tunnelId))
  config_text.append(' ip tcp adjust-mss 1387')
  config_text.append(' no shutdown')
  config_text.append('exit')
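Review bot: The added profile block does not parse: `config_text.append(' set pfs {}').format(ipsec_perfect_forward_secrecy))` has an unbalanced closing parenthesis and, even once balanced, would call `.format` on the `None` that `append` returns, and `config_text.append(' set transform-set ipsec-prop-vpn-aws)` has an unterminated string literal, so the Lambda module fails to import and no tunnel configuration is pushed at all. The intended lines are `config_text.append(' set pfs {}'.format(ipsec_perfect_forward_secrecy))`, `config_text.append(' set security-association lifetime seconds 3600')` (the stray `.format(vpn_gateway_tunnel_outside_address)` has no placeholder to fill), and `config_text.append(' set transform-set ipsec-prop-vpn-aws')`. Note that the new per-tunnel profile still points at the shared `ipsec-prop-vpn-aws` transform set, which the templates in this commit define as AES-128/SHA-1, so only the PFS group is taken from the connection's configuration; if the goal is stronger Phase 2 ciphers for GovCloud VGWs, the transform set needs a per-tunnel equivalent derived from the same configuration. `ipsec_perfect_forward_secrecy` is not assigned anywhere in this hunk; presumably it is parsed from the VPN connection XML earlier in `create_cisco_config`, whose body starts above the hunk, but that should be confirmed and the value validated against the IOS-accepted `groupN` spellings before it is interpolated into router configuration.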