Scenarios

To connect your ECSs in a VPC to your local data center or a private network, you also have to create a VPN connection after a VPN gateway is obtained.

Procedure

1. Log in to the management console.
2. Click in the upper left corner and select the desired region and project.
3. Click Service List in the upper left corner. Under Networking, select Virtual Private Network.
4. In the navigation pane on the left, choose Virtual Private Network > VPN Connections.
5. On the VPN Connections page, click Buy VPN Connection.
6. Configure the parameters as prompted and click Next. For details about the VPN connection parameters, see Table 1.

   Table 1 VPN connection parameter description

   Parameter	Description	Example Value
   Region	Regions are geographic areas that are physically isolated from each other. The networks inside different regions are not connected to each other, so resources cannot be shared across different regions. For lower network latency and faster access to your resources, select the nearest region.	CN North-Beijing1
   Name	The VPN connection name	vpn-001
   VPN Gateway	The name of the VPN gateway used by the VPN connection	vpcgw-001
   Local Subnet	The VPC subnets that will access your on-premises network through a VPN. You can set the local subnet using either of the following methods: Select subnet: Select the subnets that will access your on-premises network through a VPN. Specify CIDR block: Enter the CIDR blocks that will access your on-premises network through a VPN. NOTE: CIDR blocks of local subnets cannot overlap.	192.168.1.0/24, 192.168.2.0/24
   Remote Gateway	The public IP address of the gateway in your data center or on the private network. This IP address is used for communicating with your VPC.	N/A
   Remote Subnet	The subnets of your on-premises network that will access a VPC through a VPN. The remote and local subnets cannot overlap with each other. The remote subnet cannot overlap with CIDR blocks involved in existing VPC peering, Direct Connect, or Cloud Connect connections created for the local VPC. NOTE: CIDR blocks of remote subnets cannot overlap.	192.168.3.0/24, 192.168.4.0/24
   PSK	The pre-shared key, a private key shared by two ends of a VPN connection for negotiation PSKs configured at both ends of the VPN connection must be the same. The PSK Must contain 6 to 128 characters. Can contain only: Digits Letters Special characters: ~`!@#$%^()-_+=[]{}|\,./:;	Test@123
   Confirm PSK	Enter the pre-shared key again.	Test@123
   Advanced Settings	Default: Use default IKE and IPsec policies. Existing: Use existing IKE and IPsec policies. Custom: including IKE Policy and IPsec Policy, which specifies the encryption and authentication algorithms of a VPN tunnel. For details about the policies, see Table 2 and Table 3.	Custom

   Table 2 IKE policy

   Parameter	Description	Example Value
   Authentication Algorithm	The hash algorithm used for authentication, which can be SHA1, SHA2-256, SHA2-384, SHA2-512, or MD5 The default algorithm is SHA2-256.	SHA2-256
   Encryption Algorithm	The encryption algorithm, which can be AES-128, AES-192, AES-256, or 3DES 3DES is not recommended because it is not strong enough to protect data. The default algorithm is AES-128.	AES-128
   DH Algorithm	The Diffie-Hellman key exchange algorithm, which can be Group 1, Group 2, Group 5, Group 14, Group 15, Group 16, Group 19, Group 20, or Group 21 The default algorithm is Group 14.	Group 14
   Version	The version of the IKE protocol, which can be v1 or v2 The default version is v2.	v2
   Lifecycle (s)	The lifetime of the SA, in seconds The SA will be renegotiated if its lifetime expires. The default lifecycle is 86400 seconds.	86400

   Table 3 IPsec policy

   Parameter	Description	Example Value
   Authentication Algorithm	The hash algorithm used for authentication, which can be SHA1, SHA2-256, SHA2-384, SHA2-512, or MD5 The default algorithm is SHA2-256.	SHA2-256
   Encryption Algorithm	The encryption algorithm, which can be AES-128, AES-192, AES-256, or 3DES 3DES is not recommended because it is not strong enough to protect data. The default algorithm is AES-128.	AES-128
   PFS	The perfect forward secrecy (PFS), which is used to configure the IPsec tunnel negotiation. The PFS algorithm can be DH group 1, DH group 2, DH group 5, DH group 14, DH group 15, DH group 16, DH group 19, DH group 20, or DH group 21. The default algorithm is DH group 14.	DH group 14
   Transfer Protocol	The security protocol used for IPsec to transmit and encapsulate user data, which can be AH, ESP, or AH-ESP The default protocol is ESP.	ESP
   Lifecycle (s)	The lifetime of the SA, in seconds The SA will be renegotiated if its lifetime expires. The default lifecycle is 3600 seconds.	3600

   

   The IKE policy specifies the encryption and authentication algorithms to be used in the negotiation phase of an IPsec tunnel.

   The IPsec policy specifies the protocol, encryption algorithm, and authentication algorithm to be used in the data transmission phase of an IPsec tunnel.

   The IKE and IPsec policies in your VPC and your on-premises data center must be the same. If they are different, the VPN connection cannot be set up.

   For security reasons, the following algorithms are not recommended.

   • Authentication Algorithm: SHA1 and MD5
   • Encryption Algorithm: 3DES
   • DH algorithm: Group 1, Group 2, and Group 5.
7. Click Submit.
8. Due to the symmetry of the tunnel, you also need to configure the IPsec VPN on your router or firewall in the data center.
   • For a list of protocols supported by VPN connections, see Reference Standards and Protocols.
   • For a list of supported VPN devices, see What Devices Can Be Connected to HUAWEI CLOUD Through a VPN?