Updated on 2025-07-16 GMT+08:00

Configuring VPN

  1. Configure the VPN service in the CN-Hong Kong region of Huawei Cloud.

    1. Click the region selector in the upper left corner and select the CN-Hong Kong region.
    2. Choose Networking > Virtual Private Network.
    3. In the navigation pane on the left, choose Virtual Private Network > Classic.
    4. On the VPN Gateways page, click Buy VPN Gateway.
    5. Configure parameters based on Table 1 and click Buy Now.
      Table 1 Descriptions of VPN gateway parameters

      Parameter

      Description

      Example Value

      Billing Mode

      VPN gateways in this region can be billed on a pay-per-use basis.

      Pay-per-use

      Region

      The networks in different regions are not connected to each other, so resources cannot be shared across regions. For low network latency and fast resource access, select the region nearest to your target users.

      In this example, select CN-Hong Kong.

      CN-Hong Kong

      Name

      Name of a VPN gateway.

      vpcgw-001

      VPC

      Name of the VPC to which the VPN gateway connects.

      Select a VPC in the CN-Hong Kong region.

      vpc-001

      Type

      VPN type. The default value is IPsec.

      IPsec

      Billed By

      Pay-per-use billing offers two modes: billed by bandwidth and billed by traffic.

      • Bandwidth: You specify a bandwidth limit and pay for the time the bandwidth is provisioned, regardless of how much traffic is sent.
      • Traffic: You specify a bandwidth limit and pay only for the traffic actually transmitted.

      Traffic

      Bandwidth (Mbit/s)

      Bandwidth of the VPN gateway, in Mbit/s. The bandwidth is shared by all VPN connections created on the gateway, so the total bandwidth of those connections cannot exceed the gateway bandwidth.

      If traffic exceeds the gateway bandwidth, congestion occurs and VPN connections may be interrupted. Provision enough bandwidth for peak traffic from both the CN-Hong Kong and South China subnets, since both traverse this gateway.

      You can configure alarm rules on Cloud Eye to monitor the bandwidth.

      100

      Table 2 Description of VPN connection parameters

      Parameter

      Description

      Example Value

      Name

      Name of a VPN connection.

      vpn-001

      VPN Gateway

      Name of the VPN gateway for which the VPN connection is created.

      vpcgw-001

      Local Subnet

      VPC subnets that need to access the on-premises network through the VPN.

      Select Specify CIDR Block and enter the subnets of both the CN-Hong Kong and South China regions, so that traffic from the South China region is also routed into the VPN tunnel. A subnet that is not listed here is not protected by the tunnel.

      In this example, enter 10.0.2.0/24 and 10.0.3.0/24.

      10.0.2.0/24,

      10.0.3.0/24

      Remote Gateway

      Address of the VPN gateway in the on-premises data center.

      Set this parameter to the address of the VPN gateway in the on-premises data center in Thailand.

      -

      Remote Subnet

      Subnets of the on-premises network that need to access the VPC through the VPN.

      In this example, enter 10.0.1.0/24.

      10.0.1.0/24

      PSK

      Pre-shared key: a secret shared by both ends of a VPN connection and used to authenticate the peers during IKE negotiation. The PSK configured at both ends must be identical.

      The PSK:

      • Must contain 6 to 128 characters.
      • Can contain only:
        • Digits
        • Letters
        • Special characters ~`!@#$%^()-_+=[]{}|\,./:;

      Because the PSK is the only authenticator of the tunnel, use a long, randomly generated value and do not reuse it across connections. The example value is for illustration only and is not suitable for production.

      Test@123

      Confirm PSK

      Reenter the pre-shared key.

      Test@123

      Advanced Settings

      • Default: Use default IKE and IPsec policies.
      • Custom: Use custom IKE and IPsec policies. For details about the policies, see Table 3 and Table 4.

      Custom

      Table 3 IKE policy

      Parameter

      Description

      Example Value

      Authentication Algorithm

      Hash algorithm used for authentication. The options include SHA1, SHA2-256, SHA2-384, SHA2-512, and MD5.

      The default value is SHA2-256. SHA1 and MD5 are not recommended.

      SHA2-256

      Encryption Algorithm

      Encryption algorithm. The options include AES-128, AES-192, AES-256, and 3DES (insecure; not recommended).

      The default value is AES-128.

      AES-128

      DH Algorithm

      Diffie-Hellman key exchange algorithm. The options include Group 1, Group 2, Group 5, Group 14, Group 15, Group 16, Group 19, Group 20, and Group 21.

      The default value is Group 14.

      DH algorithms configured at both ends of a VPN connection must be the same. Otherwise, the negotiation will fail.

      Group 14

      Version

      IKE key exchange protocol version. The options include v1 (not recommended due to security risks) and v2.

      The default value is v2.

      v2

      Lifetime (s)

      Lifetime of the IKE SA, in seconds.

      The SA is renegotiated when its lifetime expires.

      The default value is 86400.

      86400

      Negotiation Mode

      This parameter is available only when Version is set to v1. You can set Negotiation Mode to Main or Aggressive.

      The default mode is Main. Aggressive mode sends the identity payload and the PSK-derived hash unencrypted, which allows an attacker who captures the exchange to run an offline dictionary attack against the PSK. Keep Main mode if IKEv1 must be used.

      Main

      Table 4 IPsec policy

      Parameter

      Description

      Example Value

      Authentication Algorithm

      Hash algorithm used for authentication. The options include SHA1, SHA2-256, SHA2-384, SHA2-512, and MD5.

      The default value is SHA2-256. SHA1 and MD5 are not recommended.

      SHA2-256

      Encryption Algorithm

      Encryption algorithm. The options include AES-128, AES-192, AES-256, and 3DES (insecure; not recommended).

      The default value is AES-128.

      AES-128

      PFS

      Diffie-Hellman group used by the perfect forward secrecy (PFS) function, so that a compromised IKE key does not expose past IPsec session keys.

      The PFS algorithm can be DH group 1, DH group 2, DH group 5, DH group 14, DH group 15, DH group 16, DH group 19, DH group 20, or DH group 21.

      The default value is DH group 14.

      DH group 14

      Transfer Protocol

      Security protocol used by IPsec to encapsulate and transmit user data. The options include AH, ESP, and AH-ESP.

      The default value is ESP. AH provides integrity and origin authentication only and does not encrypt the payload; ESP is required for confidentiality.

      ESP

      Lifetime (s)

      Lifetime of the IPsec SA, in seconds.

      The SA is renegotiated when its lifetime expires.

      The default value is 3600.

      3600

      The following algorithms are not recommended because they are not secure enough:

      • Authentication algorithms: SHA1 and MD5
      • Encryption algorithm: 3DES
      • DH algorithms: Group 1, Group 2, and Group 5
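The following pre-flight check is an added example and is not part of the Huawei Cloud documentation or console. It encodes the rules stated in Table 2 to Table 4 above (PSK length and character set, the not-recommended algorithms, IKEv1 and aggressive mode, and the requirement that both ends use identical policy values) so that a proposed connection can be validated before it is bought. The 32-character PSK strength threshold is an editorial recommendation, not a console rule, and is labelled as such in the code.

```python
import re
import string

# Options the page lists as not secure enough (applies to IKE and IPsec policies alike).
WEAK_AUTH = {"SHA1", "MD5"}
WEAK_ENC = {"3DES"}
WEAK_DH_GROUPS = {1, 2, 5}

# PSK rules from Table 2: 6 to 128 characters drawn from digits, letters and these specials.
PSK_SPECIALS = "~`!@#$%^()-_+=[]{}|\\,./:;"
PSK_ALLOWED = set(string.ascii_letters + string.digits + PSK_SPECIALS)
# Editorial threshold (assumption, not a console rule): the PSK is the only IKE
# authenticator here, so treat fewer than 32 mixed-class characters as weak.
PSK_MIN_STRONG_LEN = 32


def dh_group_number(name):
    """'Group 14' (Table 3) and 'DH group 14' (Table 4) both denote DH group 14."""
    match = re.search(r"(\d+)", name or "")
    return int(match.group(1)) if match else None


def check_psk(psk):
    """Console constraints on the PSK, followed by a strength check."""
    findings = []
    if not 6 <= len(psk) <= 128:
        findings.append("PSK length must be 6 to 128 characters")
    disallowed = sorted(set(psk) - PSK_ALLOWED)
    if disallowed:
        findings.append("PSK contains disallowed characters: " + "".join(disallowed))
    classes = sum([
        any(c.isalpha() for c in psk),
        any(c.isdigit() for c in psk),
        any(c in PSK_SPECIALS for c in psk),
    ])
    if len(psk) < PSK_MIN_STRONG_LEN or classes < 3:
        findings.append("PSK is weak: use at least 32 random characters mixing letters, digits and specials")
    return findings


def check_policy(kind, policy):
    """kind is 'ike' or 'ipsec'; policy keys follow the console labels (auth, enc, dh/pfs, version, mode)."""
    findings = []
    if policy.get("auth") in WEAK_AUTH:
        findings.append(f"{kind}: authentication algorithm {policy['auth']} is not recommended")
    if policy.get("enc") in WEAK_ENC:
        findings.append(f"{kind}: encryption algorithm {policy['enc']} is not recommended")
    dh_label = "dh" if kind == "ike" else "pfs"
    if dh_group_number(policy.get(dh_label)) in WEAK_DH_GROUPS:
        findings.append(f"{kind}: {policy[dh_label]} is not recommended")
    if kind == "ike" and policy.get("version") == "v1":
        findings.append("ike: IKEv1 is not recommended; use v2")
        if policy.get("mode") == "Aggressive":
            findings.append("ike: aggressive mode sends the PSK-derived hash in the clear, "
                            "enabling offline cracking of the PSK; use Main")
    return findings


def check_peer_match(local, remote):
    """Both ends must agree on every policy value, otherwise negotiation fails."""
    return [f"mismatch on {key}: {local.get(key)!r} vs {remote.get(key)!r}"
            for key in sorted(set(local) | set(remote)) if local.get(key) != remote.get(key)]


def preflight(connection):
    """All findings for one VPN connection definition (PSK, IKE policy, IPsec policy)."""
    return (check_psk(connection["psk"])
            + check_policy("ike", connection["ike"])
            + check_policy("ipsec", connection["ipsec"]))


# The example values from Table 2 to Table 4 of this page, including the console's PSK example.
PAGE_EXAMPLE = {
    "psk": "Test@123",
    "ike": {"auth": "SHA2-256", "enc": "AES-128", "dh": "Group 14", "version": "v2", "lifetime": 86400},
    "ipsec": {"auth": "SHA2-256", "enc": "AES-128", "pfs": "DH group 14", "protocol": "ESP", "lifetime": 3600},
}

if __name__ == "__main__":
    for finding in preflight(PAGE_EXAMPLE):
        print("WARN", finding)
```

Run against the page's own example values, the only finding is the weak example PSK; a policy built from SHA1, 3DES, Group 2 and IKEv1 aggressive mode produces one finding per choice. Run check_peer_match against the dict you intend to configure on the on-premises device before starting negotiation.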

  2. Configure the VPN gateway in the on-premises data center in Thailand.

    Configure the VPN gateway device in the on-premises data center with IKE and IPsec parameters identical to those configured in the CN-Hong Kong region (authentication and encryption algorithms, DH group, IKE version, lifetimes, and PSK). Any mismatch causes negotiation to fail.

    Configure an ACL referenced by the IPsec policy so that it mirrors the Local Subnet and Remote Subnet settings of the cloud side:

    • Source CIDR block: 10.0.1.0/24
    • Destination CIDR blocks: 10.0.2.0/24 and 10.0.3.0/24
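The page does not name the on-premises gateway vendor, so the following is an added example, not Huawei Cloud's or any vendor's own configuration: it derives the Thailand side of the tunnel from the cloud-side parameters above by swapping the traffic selectors, checks that the ACL in step 2 matches that mirror, and renders a strongSwan swanctl.conf as one concrete peer configuration. The public gateway addresses are constructed placeholders from the RFC 5737 documentation ranges (the page gives neither), the PSK is the page's example value, and the console-to-strongSwan algorithm name mapping is an assumption the reader must confirm against the device actually in use.

```python
import re

# Cloud side as configured in Table 2 to Table 4 of this page.
CLOUD_SIDE = {
    "name": "vpn-001",
    "local_subnets": ["10.0.2.0/24", "10.0.3.0/24"],  # Local Subnet: CN-Hong Kong + South China
    "remote_subnets": ["10.0.1.0/24"],                # Remote Subnet: Thailand data center
    "ike": {"auth": "SHA2-256", "enc": "AES-128", "dh": "Group 14", "version": "v2", "lifetime": 86400},
    "ipsec": {"auth": "SHA2-256", "enc": "AES-128", "pfs": "DH group 14", "lifetime": 3600},
    "psk": "Test@123",  # page example only; use a long random PSK in production
}
# Constructed placeholders (RFC 5737 documentation ranges); the page gives neither address.
CLOUD_GATEWAY_IP = "203.0.113.10"
ONPREM_GATEWAY_IP = "198.51.100.20"
# The ACL step 2 asks for on the Thailand device.
ONPREM_ACL = {"source": ["10.0.1.0/24"], "destination": ["10.0.2.0/24", "10.0.3.0/24"]}

# Console labels mapped to strongSwan proposal tokens (assumed mapping; DH group numbers
# follow the IANA registry, e.g. 14 = modp2048, 19 = ecp256).
ENC = {"AES-128": "aes128", "AES-192": "aes192", "AES-256": "aes256", "3DES": "3des"}
AUTH = {"SHA1": "sha1", "SHA2-256": "sha256", "SHA2-384": "sha384", "SHA2-512": "sha512", "MD5": "md5"}
DH = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048", 15: "modp3072",
      16: "modp4096", 19: "ecp256", 20: "ecp384", 21: "ecp521"}


def mirror_selectors(cloud):
    """On-premises (local_ts, remote_ts) are the cloud side's Remote/Local Subnet swapped."""
    return list(cloud["remote_subnets"]), list(cloud["local_subnets"])


def acl_matches_cloud(acl, cloud):
    """True only if the ACL protects exactly the subnet pairs the cloud side expects.

    A narrower ACL leaves a subnet (for example the South China one) outside the tunnel;
    a wider one yields traffic-selector mismatches during CHILD_SA negotiation."""
    local_ts, remote_ts = mirror_selectors(cloud)
    return set(acl["source"]) == set(local_ts) and set(acl["destination"]) == set(remote_ts)


def proposal(policy, dh_label):
    """Build a strongSwan proposal string such as aes128-sha256-modp2048."""
    group = int(re.search(r"\d+", policy[dh_label]).group())
    return f"{ENC[policy['enc']]}-{AUTH[policy['auth']]}-{DH[group]}"


def render_swanctl(cloud, local_ip, remote_ip):
    """Render the peer's swanctl.conf; ESP is assumed, matching the page's Transfer Protocol."""
    local_ts, remote_ts = mirror_selectors(cloud)
    name = cloud["name"]
    # strongSwan's rekey_time is the soft lifetime; the hard life_time defaults to 110% of it.
    return f"""connections {{
  {name} {{
    version = {cloud['ike']['version'].lstrip('v')}
    local_addrs = {local_ip}
    remote_addrs = {remote_ip}
    proposals = {proposal(cloud['ike'], 'dh')}
    rekey_time = {cloud['ike']['lifetime']}s
    local {{ auth = psk }}
    remote {{ auth = psk }}
    children {{
      {name} {{
        local_ts = {','.join(local_ts)}
        remote_ts = {','.join(remote_ts)}
        esp_proposals = {proposal(cloud['ipsec'], 'pfs')}
        rekey_time = {cloud['ipsec']['lifetime']}s
        start_action = start
      }}
    }}
  }}
}}
secrets {{
  ike-{name} {{
    id = {remote_ip}
    secret = "{cloud['psk']}"
  }}
}}
"""


if __name__ == "__main__":
    if not acl_matches_cloud(ONPREM_ACL, CLOUD_SIDE):
        raise SystemExit("on-premises ACL does not mirror the cloud-side subnets")
    print(render_swanctl(CLOUD_SIDE, ONPREM_GATEWAY_IP, CLOUD_GATEWAY_IP))
```

The rendered connection uses IKEv2 with aes128-sha256-modp2048 for both the IKE and ESP proposals, an IKE rekey of 86400 s and an ESP rekey of 3600 s, and traffic selectors 10.0.1.0/24 towards 10.0.2.0/24 and 10.0.3.0/24, which is the ACL of step 2 expressed as strongSwan traffic selectors. If the device is not strongSwan, keep the mirrored selectors and proposal values and translate only the syntax.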