
VPN on PAN-OS

Don't enable replay protection unless required, as it impacts VPN throughput.

Use IKEv2 with DH group 14 or 19.

Use AES-GCM-128 with SHA-256 for best throughput (if we ignore SHA-1). (See this page.)

AWS

When configuring VPN tunnels between two PAN firewalls in AWS, the tunnels need to use a Local ID because both firewalls are behind NAT. A tunnel from a PAN firewall to an AWS VPN gateway doesn't need this, however.
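
An added example, not part of the original page: the identity settings for a tunnel between two PAN firewalls that both sit behind AWS NAT, written as PAN-OS configure-mode set commands. The gateway names and FQDN identities are placeholders. Each firewall's local ID must equal the peer ID configured on the other side, since the private interface address a firewall would otherwise present does not match the public address its peer sees.

```text
# Firewall A (placeholder gateway name gw-to-fw-b)
set network ike gateway gw-to-fw-b protocol version ikev2
set network ike gateway gw-to-fw-b protocol-common nat-traversal enable yes
set network ike gateway gw-to-fw-b local-id type fqdn
set network ike gateway gw-to-fw-b local-id id fw-a.vpn.example.internal
set network ike gateway gw-to-fw-b peer-id type fqdn
set network ike gateway gw-to-fw-b peer-id id fw-b.vpn.example.internal

# Firewall B (placeholder gateway name gw-to-fw-a), identities mirrored
set network ike gateway gw-to-fw-a protocol version ikev2
set network ike gateway gw-to-fw-a protocol-common nat-traversal enable yes
set network ike gateway gw-to-fw-a local-id type fqdn
set network ike gateway gw-to-fw-a local-id id fw-b.vpn.example.internal
set network ike gateway gw-to-fw-a peer-id type fqdn
set network ike gateway gw-to-fw-a peer-id id fw-a.vpn.example.internal
```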
