Help Center/ Virtual Private Network/ Getting Started/ Configuring S2C Enterprise Edition VPN to Connect an On-premises Data Center to a VPC/ Step 3: Creating VPN Connections
Updated on 2025-08-19 GMT+08:00
View PDF
Share

Step 3: Creating VPN Connections

Procedure

  1. In the navigation pane on the left, choose Virtual Private Network > Enterprise – VPN Connections.
  2. On the VPN Connection page, click Create VPN Connection.
  3. Set VPN connection parameters as prompted and click Buy Now.

    The following describes only key parameters. For details, see Creating a VPN Connection.

    Table 1 Description of VPN connection parameters

    Parameter

    Description

    Example Value

    Name

    Enter the name of VPN connection 1.

    vpn-001

    VPN Gateway

    Select the VPN gateway created in Step 3: Creating VPN Connections.

    vpngw-001

    VPN Gateway IP of Connection 1

    Select the active EIP of the VPN gateway.

    11.xx.xx.11

    Customer Gateway of Connection 1

    Select the customer gateway of connection 1.

    cgw-001

    VPN Gateway IP of Connection 2

    Select active EIP 2 of the VPN gateway.

    11.xx.xx.12

    Customer Gateway of Connection 2

    Select the customer gateway of connection 2.

    cgw-001

    VPN Type

    Select Static routing.

    Static routing

    Customer Subnet

    Enter the subnet of the on-premises data center that needs to access the VPC.

    NOTE:
    • The customer subnet can overlap with the local subnet but cannot be the same as the local subnet.
    • A customer subnet cannot be included in the existing subnets of the VPC associated with the VPN gateway. It also cannot be the destination address in the route table of the VPC associated with the VPN gateway.
    • Customer subnets cannot be the reserved CIDR blocks of VPCs, for example, 100.64.0.0/10, 100.64.0.0/12, and 214.0.0.0/8. The reserved CIDR blocks vary according to regions and are subject to those displayed on the console.

      If you need to use 100.64.0.0/10 or 100.64.0.0/12, submit a service ticket.

    • If the interconnection subnet is associated with an ACL rule, ensure that the ACL rule permits the TCP port for traffic between all local and customer subnets.
    • Address groups cannot be used to configure the source and destination subnets in a policy on customer gateway devices.
    • When Associate With is set to Enterprise Router and VPN Type is set to BGP routing, Policy template, or Policy-based, you do not need to configure customer subnets.

    172.16.0.0/16

    Connection 1's Configuration

    Configure the IP address assignment mode of gateway interfaces, local tunnel interface address, customer tunnel interface address, link detection, PSK, confirm PSK, and policies for connection 1.

    Set parameters based on the site requirements.

    Interface IP Address Assignment

    The options include Manually specify and Automatically assign.

    Manually specify

    Local Tunnel Interface Address

    Specify the tunnel interface address of the VPN gateway.

    NOTE:

    The local and remote interface addresses configured on the customer gateway device must be the same as the values of Customer Tunnel Interface IP Address and Local Tunnel Interface IP Address, respectively.

    169.254.70.2/30

    Customer Tunnel Interface Address

    Specify the tunnel interface address of the customer gateway device.

    169.254.70.1/30

    Link Detection

    This function is used for route reliability detection in multi-link scenarios.

    NOTE:

    When enabling this function, ensure that the customer gateway supports ICMP and is correctly configured with the customer interface IP address of the VPN connection. Otherwise, VPN traffic will fail to be forwarded.

    NQA enabled

    PSK, Confirm PSK

    Specify the negotiation key of the VPN connection.

    The PSKs configured on the VPN console and the customer gateway device must be the same.

    Test@123

    Policy Settings

    Configure the IKE and IPsec policies, which define the encryption algorithms used by the VPN tunnel.

    The policy settings on the VPN console and the customer gateway device must be the same.

    Default

    Connection 2's Configuration

    Determine whether to enable Same as that of connection 1.

    Disabled

    Local Tunnel Interface Address

    Specify the tunnel interface address of the VPN gateway.

    169.254.71.2/30

    Customer Tunnel Interface Address

    Specify the tunnel interface address of the customer gateway device.

    169.254.71.1/30

Verification

Check the created VPN connection on the VPN Connection page. The initial state of the VPN connection is Creating. As the customer gateway device has not been configured, no VPN connection can be established. After about 2 minutes, the VPN connection state changes to Not connected.