What Are VPN Negotiation Parameters? What Are Their Default Values?
| Policy | Parameter | Value |
|---|---|---|
| IKE | Authentication Algorithm | |
| IKE | Encryption Algorithm | |
| IKE | DH Algorithm | NOTE: In some regions, only Group 14, Group 2, and Group 5 are available. |
| IKE | Version | |
| IKE | Lifecycle (s) | 86400 (default). Unit: second. Value range: 60 to 604800 |
| IPsec | Authentication Algorithm | |
| IPsec | Encryption Algorithm | |
| IPsec | PFS | NOTE: In some regions, only DH group 14, DH group 2, and DH group 5 are available. |
| IPsec | Transfer Protocol | |
| IPsec | Lifecycle (s) | 3600 (default). Unit: second. Value range: 480 to 604800 |

- Perfect Forward Secrecy (PFS) is a security feature.
  IKE negotiation has two phases, phase one and phase two. The key of phase two (IPsec SA) is derived from the key generated in phase one. If the phase-one key is disclosed, the security of the IPsec VPN may be adversely affected. To improve key security, IKE provides PFS. After PFS is configured, an additional DH exchange is performed during IPsec SA negotiation and a new IPsec SA key is generated, improving IPsec SA security.
- To ensure security, PFS is enabled on Huawei Cloud by default. Ensure that PFS is also enabled on the on-premises gateway. Otherwise, the negotiation will fail.
- To enable PFS, ensure that the configurations at both ends of a VPN are the same.
- The traffic-based lifetime of an IPsec SA on the Huawei Cloud VPN defaults to 1,843,200 KB and cannot be changed. This lifetime does not affect the establishment of an IPsec SA.
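
The effect of the additional DH exchange described above can be seen in a simplified model of the key derivation. This is an added example, not Huawei Cloud code: it follows the IKEv2 KEYMAT construction from RFC 7296, and the toy DH group, the use of HMAC-SHA256 as the PRF, the simplified phase-one step and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Toy DH group, constructed for this example only: far too small for real use.
P = 2**127 - 1  # a Mersenne prime
G = 3

def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ (RFC 7296, 2.13): T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = prf(key, block + seed + bytes([counter]))
        out += block
        counter += 1
    return out[:length]

def dh_shared() -> bytes:
    """Run one DH exchange with fresh private values; return g^(ab) mod p."""
    a = secrets.randbelow(P - 2) + 1
    b = secrets.randbelow(P - 2) + 1
    return pow(pow(G, a, P), b, P).to_bytes(16, "big")

def child_sa_keymat(sk_d: bytes, ni: bytes, nr: bytes, pfs_secret: bytes = b"") -> bytes:
    """IPsec SA keying material; pfs_secret is the fresh DH result when PFS is on."""
    return prf_plus(sk_d, pfs_secret + ni + nr, 64)

def demo() -> dict:
    # Phase one (simplified): a single DH exchange yields the derivation key SK_d.
    sk_d = prf(b"phase1", dh_shared())
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)  # nonces travel in clear
    # Phase two without PFS: the only inputs are SK_d and the public nonces.
    no_pfs = child_sa_keymat(sk_d, ni, nr)
    # Phase two with PFS: a second, ephemeral DH secret feeds the derivation.
    with_pfs = child_sa_keymat(sk_d, ni, nr, dh_shared())
    # What can be recomputed from a disclosed SK_d plus the recorded nonces:
    recomputed = child_sa_keymat(sk_d, ni, nr)
    return {
        "no_pfs_recoverable": hmac.compare_digest(recomputed, no_pfs),
        "pfs_recoverable": hmac.compare_digest(recomputed, with_pfs),
    }

if __name__ == "__main__":
    print(demo())
```

With PFS off, the IPsec SA keys follow entirely from the phase-one key and values visible on the wire; with PFS on, they also depend on an ephemeral secret that is never transmitted.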