Creating a VPN Connection

Scenarios

To connect your on-premises data center or private network to your ECSs in a VPC, you need to create VPN connections after creating a VPN gateway and a customer gateway.

Procedure

1. Log in to the management console.
2. Click in the upper left corner and select the desired region and project.
3. Click Service List and choose Networking > Virtual Private Network.
4. In the navigation pane on the left, choose Virtual Private Network > Enterprise – VPN Connections.
5. On the VPN Connections page, click Buy VPN Connection.
   

   For higher reliability, you are advised to create a VPN connection between each of the two EIPs of a VPN gateway and the IP address of a customer gateway.

6. Set parameters as prompted and click Next.
   Table 1 lists the VPN connection parameters.

   Table 1 Description of VPN connection parameters

   Parameter	Description	Example Value
   Name	Name of a VPN connection.	vpn-001
   VPN Gateway	Name of the VPN gateway for which the VPN connection is created. You can also click Create VPN Gateway to create a VPN gateway. For details about related parameters, see Table 2.	vpngw-001
   Gateway IP Address	IP address of the VPN gateway. The same EIP of a VPN gateway cannot be repeatedly selected when you create VPN connections between the VPN gateway and the same customer gateway.	Available gateway IP address
   Customer Gateway	Name of a customer gateway. You can also click Create Customer Gateway to create a customer gateway. For details about related parameters, see Table 1. NOTE: If a customer gateway connects to multiple VPN gateways, the BGP ASNs and VPN types of the VPN gateways must be the same.	cgw-001
   VPN Type	IPsec connection mode, which can be route-based or policy-based. Static routing Determines the data that enters the IPsec VPN tunnel based on the route configuration (local subnet and customer subnet). Application scenario: Communication between customer gateways BGP routing Determines the traffic that can enter the IPsec VPN tunnel based on BGP routes. Application scenario: Communication between customer gateways + Many or frequently changed interconnection subnets or backup between VPC and Direct Connect Policy-based Determines the data that enters the IPsec VPN tunnel based on the policy (between the customer network and VPC). Policy rules can be defined based on the source and destination CIDR blocks. Application scenario: Isolation between customer gateways	Static routing
   Customer Subnet	Subnets in your on-premises data center that need to communicate with a VPC through the customer gateway. If there are multiple customer subnets, separate them with commas (,). NOTE: A customer subnet cannot be included in any local subnet or any subnet of the VPC to which the VPN gateway is attached. Reserved VPC CIDR blocks such as 100.64.0.0/10 and 214.0.0.0/8 cannot be used as customer subnets.	172.16.1.0/24,172.16.2.0/24
   Interface IP Address Assignment	This parameter is available only when VPN Type is set to Static routing or BGP routing. NOTE: Set interface IP addresses to the tunnel interface IP addresses used by the VPN gateway and customer gateway to communicate with each other. If the tunnel interface address of the customer gateway is fixed, select Manually specify, and set the tunnel interface address of the VPN gateway based on the tunnel interface address of the customer gateway. Manually specify Set Local Interface IP Address to the tunnel interface address of the VPN gateway, which can reside only on the 169.254.x.x/30 CIDR block (except 169.254.195.x/30). Then, the system automatically sets Customer Interface IP Address to a random value based on the setting of Local Interface IP Address. For example, when you set Local Interface IP Address to 169.254.1.6/30, the system automatically sets the Customer Interface IP Address to 169.254.1.5/30. Automatically assign By default, an IP address on the 169.254.x.x/30 CIDR block is assigned to the tunnel interface of the VPN gateway. To view the automatically assigned local and customer interface IP addresses, click Modify VPN Connection on the VPN Connections page.	Automatically assign
   Local Tunnel Interface Address	This parameter is available only when Interface IP Address Assignment is set to Manually specify. Tunnel interface IP address configured on the VPN gateway.	N/A
   Customer Tunnel Interface Address	This parameter is available only when Interface IP Address Assignment is set to Manually specify. Tunnel interface IP address configured on the customer gateway device.	N/A
   Link Detection	This parameter is available only when VPN Type is set to Static routing. NOTE: When enabling this function, ensure that the customer gateway supports ICMP and is correctly configured with the customer interface IP address of the VPN connection. Otherwise, traffic will fail to be forwarded. After this function is enabled, the VPN gateway automatically performs Network Quality Analysis (NQA) on the customer interface IP address of the customer gateway.	Selected
   PSK	The PSKs configured for the VPN gateway and customer gateway must be the same. The PSK: Contains 8 to 128 characters. Can contain only three or more types of the following characters: Digits Uppercase letters Lowercase letters Special characters: ~ ! @ # $ % ^ ( ) - _ + = { } , . / : ;	Test@123
   Confirm PSK	Enter the PSK again.	Test@123
   Policy	This parameter is available only when VPN Type is set to Policy-based. Defines the data flow that enters the encrypted VPN connection between the local and customer subnets. You need to configure the source and destination CIDR blocks in each policy rule. By default, a maximum of five policy rules can be configured. Source CIDR Block The source CIDR block must contain some CIDR blocks of the local subnets. 0.0.0.0/0 indicates any IP address. Destination CIDR block The destination CIDR block must contain all the CIDR blocks of the customer subnets. A policy rule supports a maximum of five destination CIDR blocks, which are separated by commas (,). NOTE: When Associate With is set to VPC for the VPN gateway and VPN Type is set to Policy-based for the VPN connection, do not set Destination CIDR Block to 0.0.0.0. Otherwise, traffic may fail to be forwarded.	Source CIDR block 1: 192.168.1.0/24 Destination CIDR block 1: 172.16.1.0/24,172.16.2.0/24 Source CIDR block 2: 192.168.2.0/24 Destination CIDR block 2: 172.16.1.0/24,172.16.2.0/24
   Policy Settings	Default: Use default IKE and IPsec policies. Custom: Use custom IKE and IPsec policies. For details about the policies, see Table 2 and Table 3.	Custom

   Table 2 IKE policy

   Parameter	Description	Example Value
   Version	Version of the IKE protocol. The value can be one of the following: v1 (v1 has low security. If the device supports v2, v2 is recommended.) v2 The default value is v2.	v2
   Negotiation Mode	This parameter is available only when Version is v1. Main Aggressive	Main
   Authentication Algorithm	Hash algorithm used for authentication. The following options are available: SHA1(Insecure. Not recommended.) MD5(Insecure. Not recommended.) SHA2-256 SHA2-384 SHA2-512 The default value is SHA2-256.	SHA2-256
   Encryption Algorithm	Encryption algorithm. The following options are available: 3DES(Insecure. Not recommended.) AES-128 AES-192 AES-256 AES-256-GCM-16 When this encryption algorithm is used, the IKE version can only be v2. The default value is AES-128.	AES-128
   DH Algorithm	The following algorithms are supported: Group 1(Insecure. Not recommended.) Group 2(Insecure. Not recommended.) Group 5(Insecure. Not recommended.) Group 14(Insecure. Not recommended.) Group 15 Group 16 Group 19 Group 20 Group 21 The default value is Group 15.	Group 14
   Lifetime (s)	Lifetime of a security association (SA). An SA will be renegotiated when its lifetime expires. Unit: second The value ranges from 60 to 604800. The default value is 86400.	86400
   Local ID	Authentication identifier of the VPN gateway used in IPsec negotiation. The VPN gateway ID configured on the customer gateway must be the same as the local ID configured here. Otherwise, IPsec negotiation fails. IP Address (default value) The system automatically sets this parameter to the selected EIP of the VPN gateway. FQDN Set the full qualified domain name (FQDN) to a string of 1 to 128 case-sensitive characters that can contain letters, digits, and special characters (excluding &, <, >, [, ], \, ?, and spaces).	IP Address
   Customer ID	Authentication identifier of the customer gateway used in IPsec negotiation. The customer gateway ID configured on the customer gateway must be the same as the customer ID configured here. Otherwise, IPsec negotiation fails. IP Address (default value) The system automatically sets this parameter to the IP address of the customer gateway. FQDN Set the full qualified domain name (FQDN) to a string of 1 to 128 case-sensitive characters that can contain letters, digits, and special characters (excluding &, <, >, [, ], \, ?, and spaces).	IP Address

   Table 3 IPsec policy

   Parameter	Description	Example Value
   Authentication Algorithm	Hash algorithm used for authentication. The following options are available: SHA1(Insecure. Not recommended.) MD5(Insecure. Not recommended.) SHA2-256 SHA2-384 SHA2-512 The default value is SHA2-256.	SHA2-256
   Encryption Algorithm	Encryption algorithm. The following options are available: 3DES(Insecure. Not recommended.) AES-128 AES-192 AES-256 AES-128-GCM-16 AES-256-GCM-16 The default value is AES-128.	AES-128
   PFS	Algorithm used by the Perfect forward secrecy (PFS) function. PFS supports the following algorithms: Disable(Insecure. Not recommended.) DH group 1(Insecure. Not recommended.) DH group 2(Insecure. Not recommended.) DH group 5(Insecure. Not recommended.) DH group 14(Insecure. Not recommended.) DH group 15 DH group 16 DH group 19 DH group 20 DH group 21 The default value is DH group 15.	DH group 15
   Transfer Protocol	Security protocol used in IPsec to transmit and encapsulate user data. The following protocols are supported: ESP The default value is ESP.	ESP
   Lifetime (s)	Lifetime of an SA. An SA will be renegotiated when its lifetime expires. Unit: second The value ranges from 30 to 604800. The default value is 3600.	3600
   Packet Encapsulation Mode	The default value is TUNNEL.	TUNNEL

   

   An IKE policy specifies the encryption and authentication algorithms to use in the negotiation phase of an IPsec tunnel. An IPsec policy specifies the protocol, encryption algorithm, and authentication algorithm to use in the data transmission phase of an IPsec tunnel. The policy settings for VPN connections must be the same at the VPC and on-premises data center sides. If they are different, VPN negotiation will fail, causing the failure to establish VPN connections.

   The following algorithms are not recommended because they are not secure enough:

   • Authentication algorithms: SHA1 and MD5

   • Encryption algorithm: 3DES

   • DH algorithms: Group 1, Group 2, Group 5, and Group 14
7. Confirm the VPN connection configuration and click Submit.
8. Repeat the preceding operations to create the other VPN connection.

   For details about IP address configuration, see Context.

   For details about scenario-specific configuration examples, see Administrator Guide.