Updated on 2022-08-18 GMT+08:00

Creating a VPN Connection

Scenarios

To connect your ECSs in a VPC to your on-premises private network, you must create a VPN connection after a VPN gateway is obtained.

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner and select the desired region and project.
  3. On the console homepage, under Network, click Virtual Private Network.
  4. In the navigation pane on the left, choose Virtual Private Network > VPN Connections.
  5. On the VPN Connections page, click Create VPN Connection.
  6. Configure the parameters as prompted and click Next. For details about the VPN connection parameters, see Table 1.
    Table 1 VPN connection parameter description

    Parameter

    Description

    Example Value

    Region

    Regions are geographic areas that are physically isolated from each other. The networks inside different regions are not connected to each other, so resources cannot be shared across different regions. For low network latency and quick resource access, select the region nearest to your target users.

    N/A

    Name

    The VPN connection name

    vpn-001

    VPN Gateway

    The name of the VPN gateway used by the VPN connection

    vpcgw-001

    Local Subnet

    The VPC subnets that will access your on-premises network through a VPN You can set the local subnet using either of the following methods:

    • Select subnet
    • Specify CIDR block
      NOTE:

      CIDR blocks of local subnets cannot overlap.

    192.168.1.0/24,

    192.168.2.0/24

    Remote Gateway

    The public IP address of the gateway in your on-premises network. This IP address is used for communications with your VPC.

    N/A

    Remote Subnet

    The subnets of your on-premises network that will access a VPC through a VPN The remote and local subnets cannot overlap with each other. The remote subnet cannot overlap with CIDR blocks involved in existing VPC peering, Direct Connect, or Cloud Connect connections created for the local VPC.

    NOTE:

    CIDR blocks of remote subnets cannot overlap.

    192.168.3.0/24,

    192.168.4.0/24

    PSK

    The pre-shared key, a private key shared by two ends of a VPN connection for negotiation

    PSKs configured at both ends of the VPN connection must be the same.

    Enter 6 to 128 characters.

    Test@123

    Confirm PSK

    Enter the pre-shared key again.

    Test@123

    Advanced Settings

    • Default: uses default IKE and IPsec policies.
    • Existing: uses existing IKE and IPsec policies.
    • Custom: including IKE Policy and IPsec Policy, which specifies the encryption and authentication algorithms of a VPN tunnel. For details about the policies, see Table 2 and Table 3.

    Custom

    Table 2 IKE policy

    Parameter

    Description

    Example Value

    Authentication Algorithm

    The hash algorithm used for authentication, which can be SHA1, SHA2-256, SHA2-384, SHA2-512, or MD5

    The default algorithm is SHA2-256.

    SHA2-256

    Encryption Algorithm

    The encryption algorithm, which can be AES-128, AES-192, AES-256, or 3DES

    3DES is not recommended because it is not strong enough to protect data.

    The default algorithm is AES-128.

    AES-128

    DH Algorithm

    The Diffie-Hellman key exchange algorithm, which can be Group 2, Group 5, or Group 14

    The default algorithm is Group 14.

    Group 14

    Version

    The version of the IKE protocol, which can be v1 or v2

    The default version is v2.

    v2

    Lifecycle (s)

    The lifetime of the SA, in seconds.

    The SA will be renegotiated if its lifetime expires.

    The default lifecycle is 86400 seconds.

    86400

    Table 3 IPsec policy

    Parameter

    Description

    Example Value

    Authentication Algorithm

    The hash algorithm used for authentication, which can be SHA1, SHA2-256, SHA2-384, SHA2-512, or MD5

    The default algorithm is SHA2-256.

    SHA2-256

    Encryption Algorithm

    The encryption algorithm, which can be AES-128, AES-192, AES-256, or 3DES

    3DES is not recommended because it is not strong enough to protect data.

    The default algorithm is AES-128.

    AES-128

    PFS

    The perfect forward secrecy (PFS), which is used to configure the IPsec tunnel negotiation

    The PFS algorithm can be DH group 2, DH group 5, or DH group 14.

    The default algorithm is DH group 14.

    DH group 14

    Transfer Protocol

    The security protocol used for IPsec to transmit and encapsulate user data, which can be AH, ESP, or AH-ESP

    The default protocol is ESP.

    ESP

    Lifecycle (s)

    The lifetime of the SA, in seconds.

    The SA will be renegotiated if its lifetime expires.

    The default lifecycle is 3600 seconds.

    3600

    The IKE policy specifies the encryption and authentication algorithms to use in the negotiation phase of an IPsec tunnel. The IPsec policy specifies the protocol, encryption algorithm, and authentication algorithm to use in the data transmission phase of an IPsec tunnel. Settings of these parameters must be the same at both ends of the VPN connection. If they are different, the VPN connection cannot be set up.

  7. Click Submit.