Help Center> Virtual Private Network> User Guide (Paris Regions) > Getting Started> Creating a VPN Connection
Updated on 2022-01-25 GMT+08:00
View PDF

Creating a VPN Connection

Scenarios

To connect your ECSs in a VPC to your local data center or a private network, you must create a VPN connection after a VPN gateway is obtained.

Procedure

  1. Log in to the management console.
  2. On the console homepage, under Network, click Virtual Private Cloud.
  3. In the navigation pane on the left, choose Virtual Private Network > VPN Connections.
  4. On the VPN Connections page, click Buy VPN Connection.
  5. Set the parameters as prompted and click Next. For details about the VPN connection parameters, see Table 1.
    Table 1 VPN connection parameter description

    Parameter

    Description

    Example Value

    Region

    Regions are geographic areas that are physically isolated from each other. The networks inside different regions are not connected to each other, so resources cannot be shared across different regions. For lower network latency and faster access to your resources, select the region nearest you.

    N/A

    Name

    The VPN connection name.

    vpn-001

    VPN Gateway

    The name of the VPN gateway used by the VPN connection.

    vpcgw-001

    Local Subnet

    The VPC subnets that access the customer network through VPN. You can set the local subnet using either of the following methods:

    • Select subnet
    • Specify CIDR block

    192.168.1.0/24,

    192.168.2.0/24

    Remote Gateway

    The public IP address of the gateway in your data center or on the private network. This IP address is used for communication with your VPC. In active-active mode, you can enter two remote gateway addresses.

    N/A

    Remote Subnet

    The subnets in the on-premises data center that access a VPC through VPN. The remote and local subnets cannot overlap with each other. The remote subnet cannot overlap with CIDR blocks involved in existing VPC peering, Direct Connect, or Cloud Connect connections created for the local VPC.

    192.168.3.0/24,

    192.168.4.0/24

    PSK

    The pre-shared key, which is a private key shared by two ends of a VPN connection. The PSK configurations for both ends of a VPN connection must be the same. This key is used for VPN connection negotiation.

    The value is a string of 6 to 128 characters.

    Test@123

    Confirm PSK

    Enter the pre-shared key again.

    Test@123

    Advanced Settings
    • Default: uses default IKE and IPsec policies.
    • Existing: uses existing IKE and IPsec policies.
    • Custom: including IKE Policy and IPsec Policy, which specifies the encryption and authentication algorithms of a VPN tunnel. For details about the policies, see Table 2 and Table 3.

    Custom
    Table 2 IKE policy

    Parameter

    Description

    Example Value

    Authentication Algorithm

    The hash algorithm used for authentication. The value can be SHA1, SHA2-256, SHA2-384, SHA2-512, or MD5.

    The default value is SHA1.

    SHA1

    Encryption Algorithm

    The encryption algorithm. The value can be AES-128, AES-192, AES-256, or 3DES. The 3DES algorithm is not recommended because it is not strong enough to protect data.

    The default value is AES-128.

    AES-128

    DH Algorithm

    The Diffie-Hellman key exchange algorithm. The value can be Group 2, Group 5, or Group 14.

    The Diffie-Hellman key exchange algorithm. The value can be Group 1, Group 2, Group 5, Group 14, Group 15, Group 16, Group 19, Group 20, or Group 21.

    The default value is Group 5.

    Group 5

    Version

    The version of the IKE protocol. The value can be v1 or v2.

    The default value is v1.

    v2

    Lifecycle (s)

    The lifetime of the SA, in seconds.

    The SA will be renegotiated if its lifetime expires.

    The default value is 86400.

    86400

    Negotiation Mode

    If the IKE policy version is v1, the negotiation mode can be configured. The value can be Main or Aggressive.

    The default value is Main.

    Main
    Table 3 IPsec policy

    Parameter

    Description

    Example Value

    Authentication Algorithm

    The hash algorithm used for authentication. The value can be SHA1, SHA2-256, SHA2-384, SHA2-512, or MD5.

    The default value is SHA1.

    SHA1

    Encryption Algorithm

    The encryption algorithm. The value can be AES-128, AES-192, AES-256, or 3DES. The 3DES algorithm is not recommended because it is not strong enough to protect data.

    The default value is AES-128.

    AES-128

    PFS

    The perfect forward secrecy (PFS), which is used to configure the IPsec tunnel negotiation.

    The value can be DH group 2, DH group 5, or DH group 14.

    The value can be DH group 1, DH group 2, DH group 5, DH group 14, DH group 15, DH group 16, DH group 19, DH group 20, or DH group 21.

    The default value is DH group 5.

    DH group 5

    Transfer Protocol

    The security protocol used for IPsec to transmit and encapsulate user data. The value can be AH, ESP, or AH-ESP.

    The default value is ESP.

    ESP

    Lifecycle (s)

    The lifetime of the SA, in seconds.

    The SA will be renegotiated if its lifetime expires.

    The default value is 3600.

    3600

    The IKE policy specifies the encryption and authentication algorithms to use in the negotiation phase of an IPsec tunnel. The IPsec policy specifies the protocol, encryption algorithm, and authentication algorithm to use in the data transmission phase of an IPsec tunnel. These parameters must be the same between the VPN connection in your VPC and that in your data center. If they are different, the VPN connection cannot be set up.

  6. Click Submit.
  7. Due to the symmetry of the tunnel, you also need to configure the IPsec VPN on your router or firewall in the data center.
Parent topic: Getting Started