What Are VPN Negotiation Parameters? What Are Their Default Values?
- Perfect Forward Secrecy (PFS) is a key-agreement property: disclosure of a long-term or earlier key must not expose keys that are derived later.
IKE negotiation has two phases. Phase one establishes the IKE SA, and phase two establishes the IPsec SA. Without PFS, the IPsec SA key of phase two is derived from the keying material generated in phase one, so once the phase-one key is disclosed, every IPsec SA keyed from it can be recovered and the security of the IPsec VPN is adversely affected. To remove this dependency, IKE provides PFS. When PFS is enabled, an additional DH exchange is performed during IPsec SA negotiation, and the new IPsec SA key is derived from the fresh DH shared secret together with the phase-one material. Disclosure of the phase-one key alone then no longer exposes the IPsec SA keys.
- For security purposes, PFS is enabled on Huawei Cloud by default. Ensure that PFS is also enabled on the gateway device in your on-premises data center and that the PFS settings (including the DH group used for the additional exchange) are the same on both ends. Otherwise, the IPsec SA negotiation will fail.
- The traffic-based lifetime of an IPsec SA is fixed at 1,843,200 KB on the Huawei Cloud VPN and cannot be changed. This parameter is applied locally rather than negotiated, so it has no impact on whether an IPsec SA can be established.
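The following script is an added example, not Huawei Cloud code, that shows what the PFS bullet above means in terms of key derivation. It implements the IKEv1 Quick Mode KEYMAT formulas from RFC 2409 section 5.5 with and without the extra DH exchange, then lets an attacker who has obtained the phase-one key SKEYID_d and everything sent on the wire (SPI, nonces, DH public values) try to rebuild the IPsec SA key. The PRF (HMAC-SHA256), the DH group (RFC 2409 Oakley group 2, chosen only to keep the constant short), the ESP protocol identifier and all nonce, SPI and "phase-one secret" values are assumptions constructed for the demonstration.

```python
"""Added example (not Huawei Cloud's code): IKEv1 Quick Mode keying with and
without PFS, after RFC 2409 section 5.5.  The PRF (HMAC-SHA256), the DH group
(RFC 2409 Oakley group 2) and all nonce/SPI values are assumptions chosen for
the demonstration; the "phase-one" key is a constructed stand-in for SKEYID_d."""
import hashlib
import hmac
import secrets

# RFC 2409 section 6.2 ("Second Oakley Group"): 1024-bit MODP prime, generator 2.
# Used here only to keep the constant short; negotiate a larger group in practice.
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
GROUP2_G = 2
PROTO_IPSEC_ESP = 3  # protocol identifier for ESP, RFC 2407 section 4.4.1


def prf(key: bytes, data: bytes) -> bytes:
    """IKE pseudo-random function; HMAC-SHA256 is an assumption here."""
    return hmac.new(key, data, hashlib.sha256).digest()


def dh_keypair():
    """Fresh ephemeral exponent x in [1, p-2] and public value g^x mod p."""
    x = secrets.randbelow(GROUP2_P - 2) + 1
    return x, pow(GROUP2_G, x, GROUP2_P)


def dh_shared(x: int, peer_public: int) -> bytes:
    """g(qm)^xy as a fixed-width (1024-bit) big-endian byte string."""
    return pow(peer_public, x, GROUP2_P).to_bytes(128, "big")


def quick_mode_keymat(skeyid_d, protocol, spi, ni_b, nr_b, g_xy=None):
    """RFC 2409 section 5.5:
    without PFS: KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)
    with PFS:    KEYMAT = prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)
    """
    return prf(skeyid_d, (g_xy or b"") + bytes([protocol]) + spi + ni_b + nr_b)


def simulate(pfs: bool) -> dict:
    """Run one Quick Mode exchange, then let an attacker who holds SKEYID_d and
    every on-the-wire value (SPI, nonces, DH public values, but not the private
    exponents) attempt to rebuild the IPsec SA key."""
    skeyid_d = prf(b"constructed phase-one secret", b"SKEYID_d")  # stand-in
    spi = secrets.token_bytes(4)
    ni_b, nr_b = secrets.token_bytes(16), secrets.token_bytes(16)
    if pfs:
        xi, yi = dh_keypair()   # initiator's KE payload carries yi
        xr, yr = dh_keypair()   # responder's KE payload carries yr
        k_init = quick_mode_keymat(skeyid_d, PROTO_IPSEC_ESP, spi, ni_b, nr_b,
                                   dh_shared(xi, yr))
        k_resp = quick_mode_keymat(skeyid_d, PROTO_IPSEC_ESP, spi, ni_b, nr_b,
                                   dh_shared(xr, yi))
    else:
        k_init = k_resp = quick_mode_keymat(skeyid_d, PROTO_IPSEC_ESP, spi, ni_b, nr_b)
    # Without xi or xr the attacker cannot form g(qm)^xy, so the only derivation
    # it can run on what it holds is the non-PFS one.
    k_attacker = quick_mode_keymat(skeyid_d, PROTO_IPSEC_ESP, spi, ni_b, nr_b)
    return {"peers_agree": k_init == k_resp,
            "attacker_recovers_key": k_attacker == k_init}


if __name__ == "__main__":
    for pfs in (False, True):
        print(f"PFS {'on ' if pfs else 'off'}: {simulate(pfs)}")
```

With PFS off, the attacker's derivation matches the peers' key exactly, which is the exposure the bullet describes; with PFS on, both peers still agree on the key (the DH shared secret is the same on both sides) but the attacker's result does not match. This is also why the PFS settings must match on both ends: if only one side adds a DH exchange, the two gateways are not computing the same function and the negotiation fails.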