Updated on 2024-03-06 GMT+08:00

Data Protection Technologies

  • IPsec VPN is a tunneling technology that provides IP-layer security using the IKE/IPsec protocol suite. It ensures confidentiality and integrity of IP data packets and prevents them from being intercepted, disclosed, or tampered with on insecure networks (such as the Internet).
  • When creating an IPsec VPN connection, you can configure data encryption and authentication algorithms in an IPsec policy.

    Common commercial cryptographic algorithms are supported. The recommended algorithms are listed as follows in descending order of security:

    • Encryption algorithms:
      • AES-256-GCM-16
      • AES-128-GCM-16
      • AES-256
      • AES-192
      • AES-128
    • Authentication algorithms:
      • SHA2-512
      • SHA2-384
      • SHA2-256

PFS

Perfect Forward Secrecy (PFS) ensures that the compromise of the keys of an IPsec tunnel does not affect the security of other tunnels by leveraging that the keys of these tunnels are irrelevant to each other. By default, PFS is enabled for the VPN service.

Each IPsec VPN connection consists of at least one IPsec tunnel, each of which uses an independent set of keys to protect user traffic.

Common PFS algorithms are supported. The recommended algorithms are as follows:

  • DH group 15
  • DH group 16
  • DH group 19
  • DH group 20
  • DH group 21
Figure 1 PFS

Anti-replay

Anti-replay uses sequence numbers to protect IPsec encrypted packets against replay attacks, which are initiated by repeatedly sending intercepted data packets. By default, the anti-replay function is enabled for the VPN service.

Figure 2 Replay attack

Resource Isolation

A VPN gateway is exclusive to a tenant. As such, tenants are isolated from each, ensuring tenant data security.

Figure 3 Data isolation

As shown in the figure, a failure of customer A's VPN gateway has no impact on customer B's VPN gateway.