Updated on 2024-12-03 GMT+08:00

Buying a VPN Connection

Scenarios

To connect your on-premises data center or private network to your ECSs in a VPC, you need to create a VPN connection after a VPN gateway is obtained.

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner and select the desired region and project.
  3. Click Service List and choose Networking > Virtual Private Network.
  4. In the navigation pane on the left, choose Virtual Private Network > Classic – VPN Connections.

    If Enterprise Edition VPN is available for the selected region, choose Virtual Private Network > Classic.

  5. On the VPN Connections page, click Buy VPN Connection.
  6. Configure the parameters as prompted and click Pay Now. Table 1 describes the VPN connection parameters.
    Table 1 Description of VPN connection parameters

    Parameter

    Description

    Example Value

    Region

    Regions are geographic areas that are physically isolated from each other. The networks inside different regions are not connected to each other, so resources cannot be shared across regions. For low network latency and fast resource access, select the region nearest to your target users.

    CN North-Beijing4

    Name

    Name of a VPN connection.

    vpn-001

    VPN Gateway

    Name of the VPN gateway for which the VPN connection is created.

    vpcgw-001

    Local Subnet

    VPC subnets that will access your on-premises network through a VPN. You can set the local subnet using either of the following methods:

    • Select subnet: Select the subnets that need to access your on-premises data center or private network.
    • Specify CIDR block: Enter the CIDR blocks that need to access your on-premises data center or private network.
      NOTE:

      CIDR blocks of local subnets cannot overlap.

    192.168.1.0/24,

    192.168.2.0/24

    Remote Gateway

    The public IP address of the gateway in your data center or on the private network. This IP address is used for communicating with your VPC.

    N/A

    Remote Subnet

    The subnets of your on-premises network that will access a VPC through a VPN. The remote and local subnets cannot overlap with each other. The remote subnet cannot overlap with CIDR blocks involved in existing VPC peering, Direct Connect, or Cloud Connect connections created for the local VPC.

    NOTE:

    CIDR blocks of remote subnets cannot overlap.

    192.168.3.0/24,

    192.168.4.0/24

    PSK

    Private key shared by two ends of a VPN connection for negotiation. PSKs configured at both ends of the VPN connection must be the same.

    The PSK:

    • Contains 6 to 128 characters.
    • Can contain only:
      • Digits
      • Letters
      • Special characters: ~ ` ! @ # $ % ^ ( ) - _ + = [ ] { } | \ , . / : ;

    Test@123

    Confirm PSK

    Enter the PSK again.

    Test@123

    Advanced Settings

    • Default: Use default IKE and IPsec policies.
    • Existing: Use existing IKE and IPsec policies.
    • Custom: including IKE Policy and IPsec Policy, which specifies the encryption and authentication algorithms of a VPN tunnel. For details, see Table 2 and Table 3.

    Custom

    Table 2 IKE policy

    Parameter

    Description

    Example Value

    Authentication Algorithm

    Hash algorithm used for authentication. The following algorithms are supported:

    • MD5 (This algorithm is insecure. Exercise caution when using this algorithm.)
    • SHA1 (This algorithm is insecure. Exercise caution when using this algorithm.)
    • SHA2-256
    • SHA2-384
    • SHA2-512

    The default algorithm is SHA2-256.

    SHA2-256

    Encryption Algorithm

    Encryption algorithm. The following algorithms are supported:

    • AES-128
    • AES-192
    • AES-256
    • 3DES (This algorithm is insecure. Exercise caution when using this algorithm.)

    The default algorithm is AES-128.

    AES-128

    DH Algorithm

    Diffie-Hellman key exchange algorithm. The following algorithms are supported:

    • Group 1 (This algorithm is insecure. Exercise caution when using this algorithm.)
    • Group 2 (This algorithm is insecure. Exercise caution when using this algorithm.)
    • Group 5 (This algorithm is insecure. Exercise caution when using this algorithm.)
    • Group 14
    • Group 15
    • Group 16
    • Group 19
    • Group 20
    • Group 21

    The default algorithm is Group 14.

    Group 14

    Version

    Version of the IKE protocol. The value can be one of the following:

    • v1 (not recommended due to security risks)
    • v2

    The default value is v2.

    v2

    Lifetime (s)

    Lifetime of an SA, in seconds

    An SA will be renegotiated when its lifetime expires.

    The default value is 86400.

    86400

    Table 3 IPsec policy

    Parameter

    Description

    Example Value

    Authentication Algorithm

    Hash algorithm used for authentication. The following algorithms are supported:

    • SHA1 (This algorithm is insecure. Exercise caution when using this algorithm.)
    • MD5 (This algorithm is insecure. Exercise caution when using this algorithm.)
    • SHA2-256
    • SHA2-384
    • SHA2-512

    The default algorithm is SHA2-256.

    SHA2-256

    Encryption Algorithm

    Encryption algorithm. The following algorithms are supported:

    • AES-128
    • AES-192
    • AES-256
    • 3DES (This algorithm is insecure. Exercise caution when using this algorithm.)

    The default algorithm is AES-128.

    AES-128

    PFS

    Algorithm used by the Perfect forward secrecy (PFS) function.

    PFS supports the following algorithms:

    • DH group 1 (This algorithm is insecure. Exercise caution when using this algorithm.)
    • DH group 2 (This algorithm is insecure. Exercise caution when using this algorithm.)
    • DH group 5 (This algorithm is insecure. Exercise caution when using this algorithm.)
    • DH group 14
    • DH group 15
    • DH group 16
    • DH group 19
    • DH group 20
    • DH group 21

    The default algorithm is DH group 14.

    DH group 14

    Transfer Protocol

    Security protocol used in IPsec to transmit and encapsulate user data. The following protocols are supported:

    • AH
    • ESP
    • AH-ESP

    The default protocol is ESP.

    ESP

    Lifetime (s)

    Lifetime of an SA, in seconds

    An SA will be renegotiated when its lifetime expires.

    The default value is 3600.

    3600

    An IKE policy specifies the encryption and authentication algorithms to be used in the negotiation phase of an IPsec tunnel. An IPsec policy specifies the protocol, encryption algorithm, and authentication algorithm to be used in the data transmission phase of an IPsec tunnel. The IKE and IPsec policies must be the same at both ends of a VPN connection. If they are different, the VPN connection cannot be set up.

    The following algorithms are not recommended because they are not secure enough:

    • Authentication algorithms: SHA1 and MD5
    • Encryption algorithm: 3DES
    • DH algorithms: Group 1, Group 2, and Group 5
  7. Click Submit.
  8. You need to configure an IPsec VPN tunnel on the router or firewall in your on-premises data center.