Creating a VPN Connection
Scenario
To connect your on-premises data center or private network to your ECSs in a VPC, you need to create VPN connections after creating a VPN gateway and a customer gateway.
Notes and Constraints
- When creating a VPN connection in static routing mode, ensure that the customer gateway supports ICMP and is correctly configured with the customer interface IP address of the VPN connection before enabling NQA. Otherwise, traffic will fail to be forwarded.
- When creating a VPN connection in policy-based mode and adding multiple policy rules, ensure that the source and destination CIDR blocks in the rules do not overlap. Otherwise, data flows may be incorrectly matched or IPsec tunnels may flap.
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- Click in the upper left corner of the page, and choose .
- In the navigation pane on the left, choose .
- On the VPN Connections page, click Buy VPN Connection.
For higher reliability, you are advised to create a VPN connection between each of the two EIPs of a VPN gateway and a customer gateway.
- Set parameters as prompted and click Buy Now.
Table 1 lists the VPN connection parameters.
Table 1 Description of VPN connection parameters Parameter
Description
Example Value
Name
Name of a VPN connection. The value can contain only letters, digits, underscores (_), hyphens (-), and periods (.).
vpn-001
VPN Gateway
Name of the VPN gateway for which the VPN connection is created.
You can also click Create VPN Gateway to create a VPN gateway. For details about related parameters, see Table 2.
If you use a VPN gateway of the GM specification and no certificate has been bound to the VPN gateway, click Upload Certificate to upload certificates. Otherwise, VPN connections cannot be set up.
vpngw-001
Gateway IP Address
IP address of the VPN gateway.
The same address of a VPN gateway cannot be repeatedly selected when you create VPN connections between the VPN gateway and the same customer gateway.
Available gateway IP address
Customer Gateway
Name of a customer gateway.
You can also click Create Customer Gateway to create a customer gateway. For details about related parameters, see Table 1.
If you use a customer gateway that supports SM series cryptographic algorithms and no CA certificate has been bound to the customer gateway, upload a CA certificate by referring to Uploading a Certificate for a Customer Gateway. Otherwise, VPN connections cannot be set up.
NOTE:If a customer gateway connects to multiple VPN gateways, the BGP ASNs and VPN types of the VPN gateways must be the same.
cgw-001
VPN Type
IPsec connection mode, which can be route-based or policy-based.
- Static routing
Determines the data that enters the IPsec VPN tunnel based on the route configuration (local subnet and customer subnet).
Application scenario: Communication between customer gateways
- BGP routing
Determines the traffic that can enter the IPsec VPN tunnel based on BGP routes.
Application scenario: Communication between customer gateways, many or frequently changing interconnection subnets, or backup between VPN and Direct Connect
- Policy-based
Determines the data that enters the IPsec VPN tunnel based on the policy (between the customer network and VPC). Policy rules can be defined based on the source and destination CIDR blocks.
Application scenario: Isolation between customer gateways
- Policy template
The VPN gateway passively responds to the IPsec connection requests from the customer gateway. After authenticating the customer gateway, the VPN gateway accepts the policy rules defined on the customer gateway based on source and destination CIDR blocks.
- Address groups cannot be used to configure the source and destination subnets in a policy on customer gateway devices.
- Only IKEv2 is supported in the policy template mode.
Application scenario: The customer gateway uses a non-fixed IP address.
Static routing
Customer Subnet
Customer-side subnet that needs to access the VPC on the cloud through VPN connections.
If there are multiple customer subnets, separate them with commas (,).
NOTE:- The customer subnet can overlap with the local subnet but cannot be the same as the local subnet.
- A customer subnet cannot be included in the existing subnets of the VPC associated with the VPN gateway. It also cannot be the destination address in the route table of the VPC associated with the VPN gateway.
- Customer subnets cannot be the reserved CIDR blocks of VPCs, for example, 100.64.0.0/10 or 214.0.0.0/8.
- If the interconnection subnet is associated with an ACL rule, ensure that the ACL rule permits the TCP port for traffic between all local and customer subnets.
- Address groups cannot be used to configure the source and destination subnets in a policy on customer gateway devices.
172.16.1.0/24,172.16.2.0/24
Interface IP Address Assignment
This parameter is available only when VPN Type is set to Static routing or BGP routing.
NOTE:- Set interface IP addresses to the tunnel interface IP addresses used by the VPN gateway and customer gateway to communicate with each other.
- If the tunnel interface address of the customer gateway is fixed, select Manually specify, and set the tunnel interface address of the VPN gateway based on the tunnel interface address of the customer gateway.
- Manually specify
- Set Local Tunnel Interface Address to the tunnel interface address of the VPN gateway, which can reside only on the 169.254.x.x/30 CIDR block (except 169.254.195.x/30). Then, the system automatically sets Customer Tunnel Interface Address to a random value based on the setting of Local Tunnel Interface Address.
For example, when you set Local Tunnel Interface Address to 169.254.1.6/30, the system automatically sets Customer Tunnel Interface Address to 169.254.1.5/30.
- When you set VPN Type to BGP routing and configure tunnel interface addresses in Manually specify mode, ensure that the local and remote tunnel interface addresses configured on the customer gateway device (the other end of the VPN connection) are the same as the values of Customer Tunnel Interface Address and Local Tunnel Interface Address, respectively.
- Set Local Tunnel Interface Address to the tunnel interface address of the VPN gateway, which can reside only on the 169.254.x.x/30 CIDR block (except 169.254.195.x/30). Then, the system automatically sets Customer Tunnel Interface Address to a random value based on the setting of Local Tunnel Interface Address.
- Automatically assign
- By default, an IP address on the 169.254.x.x/30 CIDR block is assigned to the tunnel interface of the VPN gateway.
- To view the automatically assigned local and customer interface IP addresses, click Modify VPN Connection on the VPN Connections page.
- When you set VPN Type to BGP routing and select Automatically assign, check the automatically assigned local and customer tunnel interface addresses after the VPN connection is created. Ensure that the local and remote tunnel interface addresses configured on the customer gateway device (the other end of the VPN connection) are the reverse of the settings on the cloud side.
Automatically assign
Local Tunnel Interface Address
This parameter is available only when Interface IP Address Assignment is set to Manually specify.
Tunnel interface IP address configured on the VPN gateway.
N/A
Customer Tunnel Interface Address
This parameter is available only when Interface IP Address Assignment is set to Manually specify.
Tunnel interface IP address configured on the customer gateway device.
N/A
Link Detection
This parameter is available only when VPN Type is set to Static routing.
NOTE:When enabling this function, ensure that the customer gateway supports ICMP and is correctly configured with the customer interface IP address of the VPN connection. Otherwise, traffic will fail to be forwarded.
After this function is enabled, the VPN gateway automatically performs Network Quality Analysis (NQA) on the customer interface IP address of the customer gateway. For details about NQA, see Huawei Cloud VPN NQA.
Selected
PSK
The PSKs configured for the VPN gateway and customer gateway must be the same.
The PSK:
- Contains 8 to 128 characters.
- Can contain only three or more types of the following characters:
- Digits
- Uppercase letters
- Lowercase letters
- Special characters: ~ ! @ # $ % ^ ( ) - _ + = { } , . / : ;
NOTE:This parameter is not available for VPN connections set up using SM series cryptographic algorithms.
Test@123
Confirm PSK
Enter the PSK again.
NOTE:This parameter is not available for VPN connections set up using SM series cryptographic algorithms.
Test@123
Policy
This parameter is available only when VPN Type is set to Policy-based.
Defines the data flow that enters the encrypted VPN connection between the local and customer subnets. You need to configure the source and destination CIDR blocks in each policy rule. By default, a maximum of five policy rules can be configured.
- Source CIDR block 1: 192.168.1.0/24
- Destination CIDR block 1: 172.16.1.0/24,172.16.2.0/24
- Source CIDR block 2: 192.168.2.0/24
- Destination CIDR block 2: 172.16.1.0/24,172.16.2.0/24
Policy Settings
Custom
Policy Template
This parameter is available only when VPN Type is set to Policy template.
The policy template cannot be modified here. For details about the modification, see Modifying the Policy Template of a VPN Gateway.
-
Tag
- Tag of a VPN resource. The value consists of a key and a value. A maximum of 20 tags can be added.
- You can select predefined tags or customize tags.
- To view predefined tags, click View predefined tags.
-
An IKE policy specifies the encryption and authentication algorithms to use in the negotiation phase of an IPsec tunnel. An IPsec policy specifies the protocol, encryption algorithm, and authentication algorithm to use in the data transmission phase of an IPsec tunnel. The policy settings for VPN connections must be the same at the VPC and on-premises data center sides. If they are different, VPN negotiation will fail, causing the failure to establish VPN connections.
The following algorithms are not recommended because they are not secure enough:
- Authentication algorithms: SHA1 and MD5
- Encryption algorithms: 3DES, AES-128, AES-192, and AES-256
Because some customer devices do not support secure encryption algorithms, the default encryption algorithm of VPN connections is still AES-128. You are advised to use a more secure encryption algorithm if customer devices support secure encryption algorithms.
- DH algorithms: Group 1, Group 2, Group 5, and Group 14
- Static routing
- Confirm the VPN connection configuration and click Submit.
- Repeat the preceding operations to create the other VPN connection.
For details about IP address configuration, see Context.
For details about scenario-specific configuration examples, see Administrator Guide.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot