Creating VPN Connections
Scenario
To connect your on-premises data center or private network to your ECSs in a VPC, you need to create VPN connections after creating a VPN gateway and a customer gateway.
Notes and Constraints
- When creating a VPN connection in static routing mode, ensure that the customer gateway supports ICMP and is correctly configured with the customer interface IP address of the VPN connection before enabling NQA. Otherwise, traffic will fail to be forwarded.
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- Click in the upper left corner, and choose .
- In the navigation pane on the left, choose .
- On the VPN Connection page, click Create VPN Connection.
A VPN gateway can establish two VPN connections with a customer gateway using EIPs, improving reliability.
- Set parameters as prompted and click Buy Now.
Table 1 lists the VPN connection parameters.
Table 1 Description of VPN connection parameters
Each entry below gives the parameter name, its description, and an example value.
Name
VPN connection name. The value can contain only letters, digits, underscores (_), hyphens (-), and periods (.).
Example value: vpn-001
VPN Gateway
Name of the VPN gateway for which VPN connections are created.
You can also click Create VPN Gateway to create a VPN gateway. For details about related parameters, see Table 2.
Example value: vpngw-001
VPN Gateway IP of Connection 1
- When Network Type is set to Public network, the value is the active EIP of the VPN gateway.
- When Network Type is set to Private network, the value is the active IP address of the VPN gateway.
When you create multiple VPN connections between the same VPN gateway and the same customer gateway, each connection must use a different address of the VPN gateway.
Example value: 11.xx.xx.11
Customer Gateway of Connection 1
Select the customer gateway of connection 1.
You can also click Create Customer Gateway to create a customer gateway. For details about related parameters, see Table 1.
NOTE: If a customer gateway connects to multiple VPN gateways, the BGP ASNs and VPN types of the VPN gateways must be the same.
Example value: cgw-001
VPN Gateway IP of Connection 2
- When Network Type is set to Public network and HA Mode is set to Active-active, the value is active EIP 2 of the VPN gateway.
- When Network Type is set to Private network and HA Mode is set to Active-active, the value is active IP address 2 of the VPN gateway.
- When Network Type is set to Public network and HA Mode is set to Active/Standby, the value is the standby EIP of the VPN gateway.
- When Network Type is set to Private network and HA Mode is set to Active/Standby, the value is the standby IP address of the VPN gateway.
The VPN gateway IP address must be unique for each connection with a customer gateway.
Example value: 11.xx.xx.12
Customer Gateway of Connection 2
Select the customer gateway of connection 2.
You can also click Create Customer Gateway to create a customer gateway. For details about related parameters, see Table 1.
NOTE: If a customer gateway connects to multiple VPN gateways, the BGP ASNs and VPN types of the VPN gateways must be the same.
Example value: cgw-001
VPN Type
IPsec connection mode, which can be route-based or policy-based.
- Static routing
Determines the data that enters the IPsec VPN tunnel based on the route configuration (local subnet and customer subnet).
Application scenario: Communication between customer gateways
- BGP routing
Determines the traffic that can enter the IPsec VPN tunnel based on BGP routes.
Application scenario: Communication between customer gateways, many or frequently changing interconnection subnets, or backup between VPN and Direct Connect
- Policy-based
Determines the data that enters the IPsec VPN tunnel based on the policy (between the customer network and VPC). Policy rules can be defined based on the source and destination CIDR blocks.
Application scenario: Isolation between customer gateways
NOTE: By default, the VPN type, customer subnet, branch interconnection setting (BGP routing mode), and policy rules (policy-based mode) of the two connections are the same.
Example value: Static routing
Customer Subnet
Customer-side subnet that needs to access the VPC on the cloud through VPN connections.
If there are multiple customer subnets, separate them with commas (,).
NOTE:
- The customer subnet can overlap with the local subnet but cannot be the same as the local subnet.
- A customer subnet cannot be included in the existing subnets of the VPC associated with the VPN gateway. It also cannot be the destination address in the route table of the VPC associated with the VPN gateway.
- Customer subnets cannot be the reserved CIDR blocks of VPCs, for example, 100.64.0.0/10 or 214.0.0.0/8.
- If the interconnection subnet is associated with an ACL rule, ensure that the ACL rule permits the TCP port for traffic between all local and customer subnets.
- Address groups cannot be used to configure the source and destination subnets in a policy on customer gateway devices.
Example value: 172.16.1.0/24,172.16.2.0/24
Branch Interconnection
This parameter is available only when VPN Type is set to BGP routing.
- Enabled
- Disabled
This function is disabled by default.
NOTE: When this function is disabled, only local subnet routes are advertised.
Example value: Disabled
Policy
This parameter is available only when VPN Type is set to Policy-based.
Defines the data flow that enters the encrypted VPN connections between the local and customer subnets. You need to configure the source and destination CIDR blocks in each policy rule. By default, a maximum of five policy rules can be configured.
Example value:
- Source CIDR block 1: 192.168.1.0/24
- Destination CIDR block 1: 172.16.1.0/24,172.16.2.0/24
- Source CIDR block 2: 192.168.2.0/24
- Destination CIDR block 2: 172.16.1.0/24,172.16.2.0/24
Connection 1's Configuration
Configure the IP address assignment mode of tunnel interfaces, local tunnel interface address, customer tunnel interface address, link detection, PSK, confirm PSK, policies, and advanced settings for connection 1.
Set parameters based on the site requirements.
Interface IP Address Assignment
This parameter is available only when VPN Type is set to Static routing or BGP routing.
NOTE:
- Set interface IP addresses to the tunnel interface IP addresses used by the VPN gateway and customer gateway to communicate with each other.
- If the tunnel interface address of the customer gateway is fixed, select Manually specify, and set the tunnel interface address of the VPN gateway based on the tunnel interface address of the customer gateway.
- Manually specify
- Set Local Tunnel Interface Address to the tunnel interface address of the VPN gateway, which can reside only on the CIDR block 169.254.x.x/30 (except 169.254.195.x/30). Then, the system automatically sets Customer Tunnel Interface Address based on the value of Local Tunnel Interface Address.
For example, when you set Local Tunnel Interface Address to 169.254.1.6/30, the system automatically sets Customer Tunnel Interface Address to 169.254.1.5/30.
- When you set VPN Type to BGP routing and configure tunnel interface addresses in Manually specify mode, ensure that the local and remote tunnel interface addresses configured on the customer gateway device (the other end of the VPN connection) are the same as the values of Customer Tunnel Interface Address and Local Tunnel Interface Address, respectively.
- Automatically assign
- By default, an IP address on the CIDR block 169.254.x.x/30 is assigned to the tunnel interface of the VPN gateway.
- To view the automatically assigned local and customer interface IP addresses, click Modify VPN Connection on the VPN Connection page.
- When you set VPN Type to BGP routing and select Automatically assign, check the automatically assigned local and customer tunnel interface addresses after the VPN connection is created. Ensure that the local and remote tunnel interface addresses configured on the customer gateway device (the other end of the VPN connection) are the reverse of the settings on the cloud side.
Example value: Automatically assign
Local Tunnel Interface Address
This parameter is available only when Interface IP Address Assignment is set to Manually specify.
Tunnel interface IP address of the VPN gateway.
Example value: N/A
Customer Tunnel Interface Address
This parameter is available only when Interface IP Address Assignment is set to Manually specify.
Tunnel interface IP address of the customer gateway device.
Example value: N/A
Link Detection
This parameter is available only when VPN Type is set to Static routing.
NOTE: When enabling this function, ensure that the customer gateway supports ICMP and is correctly configured with the customer interface IP address of the VPN connection. Otherwise, traffic will fail to be forwarded.
After this function is enabled, the VPN gateway automatically performs Network Quality Analysis (NQA) on the customer interface IP address of the customer gateway.
Example value: Selected
PSK
The PSKs configured for the VPN gateway and customer gateway must be the same.
The PSK:
- Contains 8 to 128 characters.
- Must contain at least three of the following character types:
- Digits
- Uppercase letters
- Lowercase letters
- Special characters: ~ ! @ # $ % ^ ( ) - _ + = { } , . / : ;
Example value: Test@123
Confirm PSK
Enter the PSK again.
Example value: Test@123
Policy Settings
Example value: Custom
Tag
- Tag of a VPN resource. The value consists of a key and a value. A maximum of 20 tags can be added.
- You can select predefined tags or customize tags.
- To view predefined tags, click View predefined tags.
Example value: -
Connection 2's Configuration
Determine whether to enable the Same as that of connection 1 option.
- Enabled
- Disabled
Example value: Enabled
Table 3 IPsec policy
Each entry below gives the parameter name, its description, and an example value.
Authentication Algorithm
Hash algorithm used for authentication. The following options are available:
- SHA1 (Insecure. Not recommended.)
- MD5 (Insecure. Not recommended.)
- SHA2-256
- SHA2-384
- SHA2-512
The default value is SHA2-256.
Example value: SHA2-256
Encryption Algorithm
Encryption algorithm. The following options are available:
- 3DES (Insecure. Not recommended.)
- AES-128 (Insecure. Not recommended.)
- AES-192 (Insecure. Not recommended.)
- AES-256 (Insecure. Not recommended.)
- AES-128-GCM-16
- AES-256-GCM-16
The default value is AES-128.
Example value: AES-128
PFS
Diffie-Hellman group used by the Perfect Forward Secrecy (PFS) function.
PFS supports the following algorithms:
- Disable (Insecure. Not recommended.)
- DH group 1 (Insecure. Not recommended.)
- DH group 2 (Insecure. Not recommended.)
- DH group 5 (Insecure. Not recommended.)
- DH group 14 (Insecure. Not recommended.)
- DH group 15
- DH group 16
- DH group 19
- DH group 20
- DH group 21
The default value is DH group 15.
Example value: DH group 15
Transfer Protocol
Security protocol used in IPsec to transmit and encapsulate user data. The following protocol is supported:
ESP
The default value is ESP.
Example value: ESP
Lifetime (s)
Lifetime of an SA.
An SA will be renegotiated when its lifetime expires.
- Unit: second
- The value ranges from 30 to 604800.
- The default value is 3600.
Example value: 3600
An IKE policy specifies the encryption and authentication algorithms to use in the negotiation phase of an IPsec tunnel. An IPsec policy specifies the protocol, encryption algorithm, and authentication algorithm to use in the data transmission phase of an IPsec tunnel. The policy settings for VPN connections must be the same at the VPC and on-premises data center sides. If they are different, VPN negotiation will fail, causing the failure to establish VPN connections.
The following algorithms are not recommended because they are not secure enough:
- Authentication algorithms: SHA1 and MD5
- Encryption algorithms: 3DES, AES-128, AES-192, and AES-256
  Because some customer devices do not support secure encryption algorithms, the default encryption algorithm of VPN connections is still AES-128. If the customer device supports a more secure encryption algorithm, use it instead.
- DH algorithms: Group 1, Group 2, Group 5, and Group 14
- Confirm the VPN connection configuration and click Submit.
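The Interface IP Address Assignment entry in Table 1 says a manually specified Local Tunnel Interface Address must be a /30 on 169.254.x.x (excluding 169.254.195.x/30) and that the console derives the Customer Tunnel Interface Address from it (169.254.1.6/30 gives 169.254.1.5/30). The following is an added example, not code from the page or from the VPN service, that applies those rules and also prints the reversed pair the customer gateway device must be configured with in BGP routing mode; the function name and return keys are this example's own.

```python
import ipaddress

# Tunnel interface addresses must live in the link-local range ...
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
# ... except any 169.254.195.x/30 block, which the console reserves
EXCLUDED = ipaddress.ip_network("169.254.195.0/24")


def derive_tunnel_addresses(local_cidr: str) -> dict:
    """Validate the VPN gateway's tunnel address and derive the customer side.

    The customer tunnel interface address is the other usable host of the
    same /30. Raises ValueError for anything the console would not accept.
    """
    iface = ipaddress.ip_interface(local_cidr)
    net = iface.network
    if iface.version != 4 or net.prefixlen != 30:
        raise ValueError("local tunnel interface address must be an IPv4 /30")
    if not net.subnet_of(LINK_LOCAL):
        raise ValueError("tunnel interface addresses must reside on 169.254.x.x/30")
    if net.subnet_of(EXCLUDED):
        raise ValueError("169.254.195.x/30 cannot be used for tunnel interfaces")
    hosts = list(net.hosts())  # exactly two usable addresses in a /30
    if iface.ip not in hosts:
        raise ValueError("address must be a usable host, not the network or broadcast address")
    peer = hosts[0] if iface.ip == hosts[1] else hosts[1]
    return {
        # values shown on the cloud side
        "local_tunnel_interface": f"{iface.ip}/30",
        "customer_tunnel_interface": f"{peer}/30",
        # the same pair, reversed, as it must appear on the customer gateway device
        "customer_device_local": f"{peer}/30",
        "customer_device_remote": f"{iface.ip}/30",
    }


if __name__ == "__main__":
    for k, v in derive_tunnel_addresses("169.254.1.6/30").items():
        print(f"{k}: {v}")
```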
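The Customer Subnet note in Table 1 lists several constraints (may overlap a local subnet but not equal it, must not be included in a VPC subnet or appear as a VPC route destination, must not be a reserved block such as 100.64.0.0/10 or 214.0.0.0/8). This added example, which is not part of the page or the service, checks a comma-separated Customer Subnet value against those constraints before the value is entered in the console; it assumes IPv4 and treats a block that lies inside a reserved range as reserved, and all function and parameter names are this example's own.

```python
import ipaddress

# Reserved CIDR blocks named in the Customer Subnet note
RESERVED_BLOCKS = [ipaddress.ip_network("100.64.0.0/10"),
                   ipaddress.ip_network("214.0.0.0/8")]


def check_customer_subnets(customer_subnets, local_subnets, vpc_subnets, vpc_route_destinations):
    """Return a list of (subnet, reason) problems; an empty list means the value is acceptable.

    customer_subnets: the Customer Subnet field, e.g. "172.16.1.0/24,172.16.2.0/24"
    local_subnets: cloud-side subnets selected for the VPN gateway
    vpc_subnets: existing subnets of the VPC associated with the VPN gateway
    vpc_route_destinations: destinations already present in that VPC's route table
    """
    local = [ipaddress.ip_network(s) for s in local_subnets]
    vpc = [ipaddress.ip_network(s) for s in vpc_subnets]
    routes = [ipaddress.ip_network(s) for s in vpc_route_destinations]
    problems = []
    for raw in customer_subnets.split(","):
        raw = raw.strip()
        try:
            cs = ipaddress.ip_network(raw)  # strict: rejects host bits set, e.g. 172.16.1.5/24
        except ValueError as e:
            problems.append((raw, f"not a valid CIDR block: {e}"))
            continue
        # Overlap with a local subnet is allowed; an identical block is not
        if any(cs == l for l in local):
            problems.append((raw, "identical to a local subnet"))
        if any(v.version == cs.version and cs.subnet_of(v) for v in vpc):
            problems.append((raw, "included in an existing subnet of the VPC"))
        if any(cs == r for r in routes):
            problems.append((raw, "already a destination in the VPC route table"))
        # Assumption: a block inside a reserved range counts as reserved too
        if any(r.version == cs.version and cs.subnet_of(r) for r in RESERVED_BLOCKS):
            problems.append((raw, "reserved CIDR block"))
    return problems
```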
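The PSK entry in Table 1 gives the syntax rules for the pre-shared key: 8 to 128 characters, at least three of the four character types, and a fixed list of permitted special characters. This added example (not from the page or the service; the function name is this example's own) checks a candidate PSK against exactly those rules and names each rule it breaks, so a key can be validated before it is typed into both gateways.

```python
# Allowed special characters, exactly as listed for the PSK parameter
PSK_SPECIALS = set("~!@#$%^()-_+={},./:;")


def validate_psk(psk: str) -> list:
    """Check a pre-shared key against the console's PSK rules.

    Returns the list of violated rules; an empty list means the PSK is accepted.
    """
    errors = []
    if not 8 <= len(psk) <= 128:
        errors.append("length must be 8 to 128 characters")
    classes = {
        "digits": any(c.isascii() and c.isdigit() for c in psk),
        "uppercase": any(c.isascii() and c.isupper() for c in psk),
        "lowercase": any(c.isascii() and c.islower() for c in psk),
        "special": any(c in PSK_SPECIALS for c in psk),
    }
    if sum(classes.values()) < 3:
        missing = [name for name, present in classes.items() if not present]
        errors.append("needs at least three character types; missing: " + ", ".join(missing))
    # Anything that is not an ASCII letter/digit or a listed special character is rejected
    bad = sorted({c for c in psk if not ((c.isascii() and c.isalnum()) or c in PSK_SPECIALS)})
    if bad:
        errors.append("contains characters outside the allowed set: " + " ".join(repr(c) for c in bad))
    return errors
```

Passing these syntax rules says nothing about key strength; generate the PSK randomly, at the longest length both gateways accept.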
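Table 3 marks several IPsec policy options as insecure, restricts Lifetime (s) to 30 to 604800, and the note after it stresses that negotiation fails when the cloud-side and on-premises policies differ. This added example, which is not part of the page or the service, encodes the table as an audit: it flags not-recommended choices, rejects values the console does not offer, and reports which fields differ between the two sides. The dictionary keys and function names are this example's own.

```python
# Options exactly as listed in Table 3; the "Insecure. Not recommended." ones go in the WEAK sets
WEAK_AUTH, STRONG_AUTH = {"SHA1", "MD5"}, {"SHA2-256", "SHA2-384", "SHA2-512"}
WEAK_ENC = {"3DES", "AES-128", "AES-192", "AES-256"}
STRONG_ENC = {"AES-128-GCM-16", "AES-256-GCM-16"}
WEAK_PFS = {"Disable", "DH group 1", "DH group 2", "DH group 5", "DH group 14"}
STRONG_PFS = {"DH group 15", "DH group 16", "DH group 19", "DH group 20", "DH group 21"}

# The console defaults from Table 3 (constructed dictionary; keys are this example's own)
DEFAULT_POLICY = {"authentication_algorithm": "SHA2-256", "encryption_algorithm": "AES-128",
                  "pfs": "DH group 15", "transfer_protocol": "ESP", "lifetime_s": 3600}


def audit_ipsec_policy(policy: dict) -> list:
    """Return (severity, message) findings: "error" for values the console does not
    accept, "warn" for options Table 3 marks as not recommended."""
    findings = []

    def check(key, weak, strong):
        value = policy.get(key)
        if value in weak:
            findings.append(("warn", f"{key}={value} is marked insecure; prefer one of {sorted(strong)}"))
        elif value not in strong:
            findings.append(("error", f"{key}={value!r} is not an available option"))

    check("authentication_algorithm", WEAK_AUTH, STRONG_AUTH)
    check("encryption_algorithm", WEAK_ENC, STRONG_ENC)
    check("pfs", WEAK_PFS, STRONG_PFS)
    if policy.get("transfer_protocol", "ESP") != "ESP":
        findings.append(("error", "only ESP is supported as the transfer protocol"))
    lifetime = policy.get("lifetime_s", 3600)
    if not isinstance(lifetime, int) or not 30 <= lifetime <= 604800:
        findings.append(("error", "lifetime must be an integer from 30 to 604800 seconds"))
    return findings


def policy_mismatches(cloud_side: dict, onprem_side: dict) -> list:
    """Fields that differ between the two ends; any entry means negotiation will fail."""
    keys = set(cloud_side) | set(onprem_side)
    return sorted(k for k in keys if cloud_side.get(k) != onprem_side.get(k))
```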