Updated on 2024-12-04 GMT+08:00

Modifying the Policy Template of a VPN Gateway

Scenario

If the specification of a VPN gateway is Professional 1: non-fixed IP address or Professional 2: non-fixed IP address, you can modify the policy template for the VPN gateway.

Procedure

  1. Log in to the management console.
  2. Click the region name in the upper left corner and select the desired region and project.
  3. Click the service list icon in the upper left corner of the page, and choose Networking > Virtual Private Network.
  4. In the navigation pane on the left, choose Virtual Private Network > Enterprise – VPN Gateways.
  5. Click the S2C VPN Gateways tab.
  6. Locate the row that contains the target VPN gateway, and click View/Modify Policy Template in the Operation column. On the Policy Template tab page, click Modify Policy Template to modify the policy template.

    After the policy template is modified, the customer gateway (which has a non-fixed IP address) must be updated manually so that its IKE and IPsec parameters match the new template, and it must then re-establish the connection to the VPN gateway. Otherwise, the connection is interrupted: the VPN gateway only accepts proposals that match the template, so a customer gateway still running the old parameters fails negotiation.

    Table 1 Description of policy template parameters
    (Support for Modification: √ means the parameter can be changed in the template; × means it is fixed.)

    IKE Policy

    Version (Support for Modification: ×)
      Version of the IKE protocol. Only IKEv2 is supported.

    Authentication Algorithm (Support for Modification: √)
      Hash algorithm used for authentication. The following options are available:
      • SHA2-256
      • SHA2-384
      • SHA2-512
      The default algorithm is SHA2-256.

    Encryption Algorithm (Support for Modification: √)
      Encryption algorithm. The following options are available:
      • AES-128-GCM-16
      • AES-256-GCM-16
      • AES-128 (Insecure. Not recommended.)
      • AES-192 (Insecure. Not recommended.)
      • AES-256 (Insecure. Not recommended.)
      The default value is AES-128. The two GCM options are AEAD ciphers that protect integrity themselves; the plain AES options are CBC-mode ciphers that rely on the separately selected authentication algorithm for integrity, which is why the console does not recommend them. Note that the default is one of the not-recommended options, so a template left at its defaults should be reviewed.

    DH Algorithm (Support for Modification: √)
      Diffie-Hellman group used for the IKE key exchange. The following groups are supported:
      • Group 14 (Insecure. Not recommended.)
      • Group 15
      • Group 16
      • Group 19
      • Group 20
      • Group 21
      The default value is Group 15.

    Lifetime (s) (Support for Modification: √)
      Lifetime of the IKE security association (SA). The SA is renegotiated when its lifetime expires.
      • Unit: second
      • Value range: 60 to 604800
      The default value is 86400.

    Local ID (Support for Modification: ×)
      Authentication identifier of the VPN gateway used in IPsec negotiation. The remote ID configured on the customer gateway for this VPN gateway must be the same as the local ID shown here; otherwise, IPsec negotiation fails.
      By default, the EIPs of the VPN gateways are used.

    IPsec Policy

    Authentication Algorithm (Support for Modification: √)
      Hash algorithm used for authentication. The following options are available:
      • SHA2-256
      • SHA2-384
      • SHA2-512
      The default algorithm is SHA2-256.

    Encryption Algorithm (Support for Modification: √)
      Encryption algorithm. The following options are available:
      • AES-128-GCM-16
      • AES-256-GCM-16
      • AES-128 (Insecure. Not recommended.)
      • AES-192 (Insecure. Not recommended.)
      • AES-256 (Insecure. Not recommended.)
      The default value is AES-128. As for the IKE policy, the GCM options are AEAD ciphers and the plain AES options are CBC-mode ciphers that depend on the authentication algorithm for integrity.

    PFS (Support for Modification: √)
      Diffie-Hellman group used by the Perfect Forward Secrecy (PFS) function when the IPsec SA is keyed or rekeyed. PFS supports the following options:
      • DH group 14 (Insecure. Not recommended.)
      • DH group 15
      • DH group 16
      • DH group 19
      • DH group 20
      • DH group 21
      • Disable
      The default value is DH group 15. If PFS is disabled, IPsec SA keys are derived from the IKE SA alone, so a compromised IKE SA exposes every IPsec SA keyed from it.

    Transfer Protocol (Support for Modification: ×)
      Security protocol used by IPsec to encapsulate and transmit user data. Currently, only ESP is supported.

    Lifetime (s) (Support for Modification: √)
      Lifetime of the IPsec SA. The SA is renegotiated when its lifetime expires.
      • Unit: second
      • Value range: 30 to 604800
      The default value is 3600.

  7. Click OK.
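The following script is an added example and is not code from this page or from Huawei Cloud. It encodes the Table 1 constraints in plain Python and shows the two things a practitioner needs after changing the template: the equivalent strongSwan proposal strings for the customer gateway (the keyword names are standard strongSwan ones; the assumption is that the customer gateway is a strongSwan host, since the page does not say what it runs), and a field-by-field comparison of the gateway template against a stale customer-gateway copy that explains which differences break negotiation. The dataclass, function names and the sample "hardened" template are constructed for the example.

```python
"""Consistency checks for a VPN gateway policy template (added example).

Not code from the documentation page or from Huawei Cloud. Encodes the
Table 1 constraints, renders the matching strongSwan proposals (assumes the
customer gateway runs strongSwan) and diffs two templates.
"""
from dataclasses import dataclass
from typing import Optional

# Values offered by the console (Table 1).
AUTH_ALGS = {"SHA2-256", "SHA2-384", "SHA2-512"}
ENC_ALGS = {"AES-128-GCM-16", "AES-256-GCM-16", "AES-128", "AES-192", "AES-256"}
DH_GROUPS = {14, 15, 16, 19, 20, 21}
NOT_RECOMMENDED_ENC = {"AES-128", "AES-192", "AES-256"}  # "Insecure. Not recommended."
NOT_RECOMMENDED_DH = {14}
IKE_LIFETIME_RANGE = (60, 604800)
IPSEC_LIFETIME_RANGE = (30, 604800)

# Console name -> strongSwan proposal keyword (standard strongSwan names).
ENC_TO_SWAN = {"AES-128-GCM-16": "aes128gcm16", "AES-256-GCM-16": "aes256gcm16",
               "AES-128": "aes128", "AES-192": "aes192", "AES-256": "aes256"}
AUTH_TO_SWAN = {"SHA2-256": "sha256", "SHA2-384": "sha384", "SHA2-512": "sha512"}
DH_TO_SWAN = {14: "modp2048", 15: "modp3072", 16: "modp4096",
              19: "ecp256", 20: "ecp384", 21: "ecp521"}

# Fields carried in IKEv2 proposals. Lifetimes are deliberately absent: IKEv2
# does not negotiate them, each peer rekeys on its own timer, so a lifetime
# mismatch only decides which side rekeys first.
NEGOTIATED = ("ike_auth", "ike_enc", "ike_dh", "ipsec_auth", "ipsec_enc", "ipsec_pfs")


@dataclass
class PolicyTemplate:
    """One policy template; the defaults are the Table 1 defaults."""
    ike_auth: str = "SHA2-256"
    ike_enc: str = "AES-128"
    ike_dh: int = 15
    ike_lifetime: int = 86400
    ipsec_auth: str = "SHA2-256"
    ipsec_enc: str = "AES-128"
    ipsec_pfs: Optional[int] = 15   # None stands for PFS "Disable"
    ipsec_lifetime: int = 3600


def validate(t: PolicyTemplate) -> list:
    """Return the Table 1 constraints the template violates (empty list: accepted)."""
    errors = []
    for label, value, allowed in (("IKE authentication algorithm", t.ike_auth, AUTH_ALGS),
                                  ("IKE encryption algorithm", t.ike_enc, ENC_ALGS),
                                  ("IKE DH group", t.ike_dh, DH_GROUPS),
                                  ("IPsec authentication algorithm", t.ipsec_auth, AUTH_ALGS),
                                  ("IPsec encryption algorithm", t.ipsec_enc, ENC_ALGS)):
        if value not in allowed:
            errors.append(f"{label} {value!r} is not offered")
    if t.ipsec_pfs is not None and t.ipsec_pfs not in DH_GROUPS:
        errors.append(f"PFS group {t.ipsec_pfs!r} is not offered")
    for label, value, (lo, hi) in (("IKE", t.ike_lifetime, IKE_LIFETIME_RANGE),
                                   ("IPsec", t.ipsec_lifetime, IPSEC_LIFETIME_RANGE)):
        if not lo <= value <= hi:
            errors.append(f"{label} lifetime {value} outside {lo}..{hi} s")
    return errors


def not_recommended(t: PolicyTemplate) -> list:
    """Options the console accepts but labels 'Insecure. Not recommended.'"""
    warnings = []
    if t.ike_enc in NOT_RECOMMENDED_ENC:
        warnings.append(f"IKE encryption {t.ike_enc}")
    if t.ipsec_enc in NOT_RECOMMENDED_ENC:
        warnings.append(f"IPsec encryption {t.ipsec_enc}")
    if t.ike_dh in NOT_RECOMMENDED_DH:
        warnings.append(f"IKE DH group {t.ike_dh}")
    if t.ipsec_pfs in NOT_RECOMMENDED_DH:
        warnings.append(f"PFS group {t.ipsec_pfs}")
    return warnings


def strongswan_proposals(t: PolicyTemplate) -> tuple:
    """Render (ike proposal, esp proposal) for the customer gateway's swanctl.conf.

    With an AEAD (GCM) cipher strongSwan takes no integrity algorithm: the IKE
    proposal carries a PRF instead and the ESP proposal carries none. CBC
    ciphers keep the HMAC algorithm in both proposals.
    """
    ike_enc = ENC_TO_SWAN[t.ike_enc]
    ike_auth = ("prf" if "gcm" in ike_enc else "") + AUTH_TO_SWAN[t.ike_auth]
    ike = f"{ike_enc}-{ike_auth}-{DH_TO_SWAN[t.ike_dh]}"
    esp_parts = [ENC_TO_SWAN[t.ipsec_enc]]
    if "gcm" not in esp_parts[0]:
        esp_parts.append(AUTH_TO_SWAN[t.ipsec_auth])
    if t.ipsec_pfs is not None:
        esp_parts.append(DH_TO_SWAN[t.ipsec_pfs])
    return ike, "-".join(esp_parts)


def mismatches(gateway: PolicyTemplate, customer: PolicyTemplate) -> list:
    """(field, gateway value, customer value) for each negotiated field that differs.

    Any entry means the customer gateway's proposal no longer intersects the
    gateway's, so the tunnel stays down until the customer side is updated.
    """
    return [(name, getattr(gateway, name), getattr(customer, name))
            for name in NEGOTIATED if getattr(gateway, name) != getattr(customer, name)]


if __name__ == "__main__":
    # Constructed scenario: template hardened in the console, customer gateway
    # still holding the old defaults.
    hardened = PolicyTemplate(ike_enc="AES-256-GCM-16", ike_dh=20,
                              ipsec_enc="AES-256-GCM-16", ipsec_pfs=20)
    print("errors:", validate(hardened), "warnings:", not_recommended(hardened))
    print("swanctl proposals:", strongswan_proposals(hardened))
    for field, new, old in mismatches(hardened, PolicyTemplate()):
        print(f"update {field} on the customer gateway: {old!r} -> {new!r}")
```

The mapping is intentionally conservative: `mismatches` only reports fields that IKEv2 actually negotiates, because a different SA lifetime on the two sides does not break the tunnel, whereas any difference in cipher, integrity or DH group does. The Local ID from Table 1 is left out of the dataclass since it is not part of the template you can edit; it still has to match the remote ID on the customer gateway.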