Help Center> Virtual Private Network> Getting Started> Classic VPN Purchase Process> Buying a VPN (LA-Mexico City1/LA-Sao Paulo1)
Updated on 2024-05-07 GMT+08:00
View PDF

Buying a VPN (LA-Mexico City1/LA-Sao Paulo1)

Overview

By default, ECSs in a VPC cannot communicate with devices in your on-premises data center or private network. To enable communication between them, you can use a VPN by creating it in your VPC and updating security group rules.

IPsec VPN Topology

In Figure 1, the VPC has subnets 192.168.1.0/24 and 192.168.2.0/24. Your on-premises data center has subnets 192.168.3.0/24 and 192.168.4.0/24. You can use VPN to enable subnets in the VPC to communicate with those in your data center.

Figure 1 IPsec VPN

Site-to-site VPN is supported to enable communication between VPC subnets and on-premises data center subnets. Before establishing an IPsec VPN, ensure that the on-premises data center where the VPN is to be established meets the following conditions:

  • On-premises devices that support the standard IPsec protocol are available.
  • The on-premises devices have fixed public IP addresses, which can be statically configured or translated by NAT.
  • The on-premises subnets do not conflict with VPC subnets, and devices in the on-premises subnets can communicate with the on-premises devices.

If the preceding conditions are met, ensure that the IKE policies and IPsec policies at both ends are consistent and the subnets at both ends are matched pairs when configuring IPsec VPN.

After the configuration is complete, VPN negotiation needs to be triggered by private network data flows.

Scenarios

You need a VPN that sets up a secure, isolated communications tunnel between your on-premises data center and cloud services.

Prerequisites

  • A VPC has been created. For details about how to create a VPC, see Creating a VPC and Subnet.
  • Security group rules have been configured for the VPC, and ECSs can communicate with other devices on the cloud. For details about how to configure security group rules, see Security Group Rules.

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner and select the desired region and project.
  3. Click Service List and choose Networking > Virtual Private Network.
  4. On the Virtual Private Network page, click Buy VPN.
  5. Configure required parameters and click Next.

    Table 1, Table 2, and Table 3 lists the parameters and their descriptions.

    Table 1 Basic parameters

    Parameter

    Description

    Example Value

    Region

    Regions are geographic areas that are physically isolated from each other. The networks inside different regions are not connected to each other, so resources cannot be shared across regions. For low network latency and fast resource access, select the region nearest to your target users.

    AP-Singapore

    Billing Mode

    VPNs are billed on a pay-per-use basis.

    Pay-per-use

    Name

    The VPN name

    VPN-001

    VPC

    The VPC name

    VPC-001

    Local Subnet

    VPC subnets that will access your on-premises network through a VPN.

    192.168.1.0/24,

    192.168.2.0/24

    Remote Gateway

    The public IP address of the gateway in your data center or on the private network. This IP address is used for communicating with your VPC.

    N/A

    Remote Subnet

    The subnets of your on-premises network that will access a VPC through a VPN. The remote and local subnets cannot overlap with each other. The remote subnets cannot overlap with CIDR blocks involved in existing VPC peering connections created for the VPC.

    192.168.3.0/24,

    192.168.4.0/24

    PSK

    Private key shared by two ends of a VPN connection for negotiation. PSKs configured at both ends of the VPN connection must be the same.

    The PSK can contain 6 to 128 characters.

    Test@123

    Confirm PSK

    Enter the PSK again.

    Test@123

    Advanced Settings
    • Default: Use default IKE and IPsec policies.
    • Custom: Use custom IKE and IPsec policies. For details, see Table 2 and Table 3.

    Custom
    Table 2 IKE policy

    Parameter

    Description

    Example Value

    Authentication Algorithm

    Hash algorithm used for authentication. The following algorithms are supported:

    • MD5 (This algorithm is insecure. Exercise caution when using this algorithm.)
    • SHA1 (This algorithm is insecure. Exercise caution when using this algorithm.)
    • SHA2-256
    • SHA2-384
    • SHA2-512

    The default value is SHA2-256.

    SHA2-256

    Encryption Algorithm

    Encryption algorithm. The following algorithms are supported:

    • AES-128
    • AES-192
    • AES-256
    • 3DES (This algorithm is insecure. Exercise caution when using this algorithm.)

    The default algorithm is AES-128.

    AES-128

    DH Algorithm

    Diffie-Hellman key exchange algorithm. The following algorithms are supported:

    • Group 2 (This algorithm is insecure. Exercise caution when using this algorithm.)
    • Group 5 (This algorithm is insecure. Exercise caution when using this algorithm.)
    • Group 14
    • Group 15

    The default value is Group 14.

    Group 14

    Version

    Version of the IKE protocol. The value can be one of the following:

    • v1 (not recommended due to security risks)
    • v2

    The default value is v2.

    v2

    Lifetime (s)

    Lifetime of an SA, in seconds

    An SA will be renegotiated when its lifetime expires.

    The default value is 86400.

    86400

    Negotiation Mode

    This parameter is only available when Version is set to v1. You can set Negotiation Mode to Main or Aggressive.

    The default mode is Main.

    Main
    Table 3 IPsec policy

    Parameter

    Description

    Example Value

    Authentication Algorithm

    Hash algorithm used for authentication. The following algorithms are supported:

    • SHA1 (This algorithm is insecure. Exercise caution when using this algorithm.)
    • MD5 (This algorithm is insecure. Exercise caution when using this algorithm.)
    • SHA2-256
    • SHA2-384
    • SHA2-512

    The default value is SHA2-256.

    SHA2-256

    Encryption Algorithm

    Encryption algorithm. The following algorithms are supported:

    • AES-128
    • AES-192
    • AES-256
    • 3DES (This algorithm is insecure. Exercise caution when using this algorithm.)

    The default algorithm is AES-128.

    AES-128

    PFS

    Algorithm used by the Perfect forward secrecy (PFS) function.

    PFS supports the following algorithms:

    • DH group 2 (This algorithm is insecure. Exercise caution when using this algorithm.)
    • DH group 5 (This algorithm is insecure. Exercise caution when using this algorithm.)
    • DH group 14

    The default value is DH group 14.

    DH group 14

    Transfer Protocol

    Security protocol used in IPsec to transmit and encapsulate user data. The following protocols are supported:

    • AH
    • AH-ESP

    The default protocol is ESP.

    ESP

    Lifetime (s)

    Lifetime of an SA, in seconds

    An SA will be renegotiated when its lifetime expires.

    The default value is 3600.

    3600

    An IKE policy specifies the encryption and authentication algorithms to be used in the negotiation phase of an IPsec tunnel. An IPsec policy specifies the protocol, encryption algorithm, and authentication algorithm to be used in the data transmission phase of an IPsec tunnel. The IKE and IPsec policies must be the same at both ends of a VPN connection. If they are different, the VPN connection cannot be set up.

    The following algorithms are not recommended because they are not secure enough:

    • Authentication algorithms: SHA1 and MD5
    • Encryption algorithm: 3DES
    • DH algorithms: Group 1, Group 2, and Group 5
  6. Submit your application.

    After the IPsec VPN is created, a public IP address is assigned to the VPN. The IP address is the local gateway address of the created VPN. When configuring the remote tunnel in your data center, you must set the remote gateway address to this IP address.

  7. You need to configure an IPsec VPN tunnel on the router or firewall in your on-premises data center.