What Are VPN Negotiation Parameters? What Are Their Default Values?
| Policy | Parameter | Value |
|---|---|---|
| IKE | Authentication Algorithm | |
| IKE | Encryption Algorithm | |
| IKE | DH Algorithm | NOTE: In some regions, only Group 14, Group 2, and Group 5 are available. |
| IKE | Version | |
| IKE | Lifecycle (s) | 86400 (default); unit: second; value range: 60 to 604800 |
| IPsec | Authentication Algorithm | |
| IPsec | Encryption Algorithm | |
| IPsec | PFS | NOTE: In some regions, only DH group 14, DH group 2, and DH group 5 are available. |
| IPsec | Transfer Protocol | |
| IPsec | Lifecycle (s) | 3600 (default); unit: second; value range: 480 to 604800 |
- Perfect Forward Secrecy (PFS) is a security feature of IKE key negotiation.
- IKE negotiation has two phases, phase one and phase two. The key of phase two (the IPsec SA key) is derived from the key generated in phase one, so if the phase-one key is disclosed, the security of the IPsec VPN may be adversely affected. To improve key security, IKE provides PFS. When PFS is configured, an additional DH exchange is performed during IPsec SA negotiation and a new IPsec SA key is generated from it, improving IPsec SA security.
- To ensure security, PFS is enabled on Huawei Cloud by default. Ensure that PFS is also enabled on the on-premises gateway; otherwise, the negotiation will fail.
- To enable PFS, ensure that the PFS configurations at both ends of the VPN are the same.
- The traffic-based lifetime of the IPsec SA on Huawei Cloud VPN defaults to 1,843,200 KB and cannot be changed. This lifetime does not affect the establishment of an IPsec SA.
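The following Python is an added illustration of the PFS notes above, not Huawei Cloud code. It models the IKEv2 child-SA key derivation from RFC 7296 (KEYMAT = prf+(SK_d, Ni|Nr) without PFS, prf+(SK_d, g^ir|Ni|Nr) with PFS) and shows that without PFS the IPsec SA key is fully determined by the phase-one key SK_d and the on-wire nonces, while with PFS the extra DH exchange makes it non-reproducible from that material; the prf (HMAC-SHA256) and the tiny DH group are assumptions for the demo only.

```python
import hashlib
import hmac
import secrets

# Constructed toy DH group, for the demo only; real IKE uses e.g. DH group 14 (2048-bit MODP).
TOY_P = 2**127 - 1
TOY_G = 3

def prf(key: bytes, data: bytes) -> bytes:
    """The IKE prf; HMAC-SHA256 is assumed here."""
    return hmac.new(key, data, hashlib.sha256).digest()

def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ from RFC 7296 section 2.13: T1 = prf(K, S|0x01), Tn = prf(K, T(n-1)|S|n)."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:length]

def fresh_dh_secret() -> bytes:
    """The additional DH exchange PFS adds: both peers pick a new private value each time."""
    a = secrets.randbelow(TOY_P - 2) + 1
    b = secrets.randbelow(TOY_P - 2) + 1
    g_a, g_b = pow(TOY_G, a, TOY_P), pow(TOY_G, b, TOY_P)
    shared = pow(g_b, a, TOY_P)
    assert shared == pow(g_a, b, TOY_P)  # both peers compute the same g^ir
    return shared.to_bytes(16, "big")

def child_keymat(sk_d: bytes, ni: bytes, nr: bytes, g_ir: bytes = b"", length: int = 64) -> bytes:
    """IPsec SA KEYMAT: prf+(SK_d, Ni|Nr) without PFS, prf+(SK_d, g^ir|Ni|Nr) with PFS."""
    return prf_plus(sk_d, g_ir + ni + nr, length)

def pfs_demo(sk_d: bytes, ni: bytes, nr: bytes) -> dict:
    """Derive the IPsec key twice from the same phase-one key SK_d and the same nonces.
    Without PFS the key is a pure function of SK_d and the on-wire nonces, so it is
    reproducible from SK_d alone; with PFS each derivation folds in a fresh DH secret."""
    no_pfs_a = child_keymat(sk_d, ni, nr)
    no_pfs_b = child_keymat(sk_d, ni, nr)
    pfs_a = child_keymat(sk_d, ni, nr, g_ir=fresh_dh_secret())
    pfs_b = child_keymat(sk_d, ni, nr, g_ir=fresh_dh_secret())
    return {"without_pfs_reproducible": no_pfs_a == no_pfs_b,
            "with_pfs_reproducible": pfs_a == pfs_b}
```

This is why the page requires PFS to be enabled at both ends: the responder cannot derive the same IPsec SA key unless it also performs the extra DH exchange.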