Configuring VPN
- Configure the VPN service in the CN-Hong Kong region of Huawei Cloud.
- Click in the upper left corner and select the CN-Hong Kong region.
- Choose Networking > Virtual Private Network.
- In the navigation pane on the left, choose Virtual Private Network > Classic.
- On the VPN Gateways page, click Buy VPN Gateway.
- Configure parameters based on Table 1 and click Buy Now.
Table 1 Descriptions of VPN gateway parameters

| Parameter | Description | Example Value |
|---|---|---|
| Billing Mode | VPN gateways in this region can be billed on a pay-per-use basis. | Pay-per-use |
| Region | The networks in different regions are not connected to each other, so resources cannot be shared across regions. For low network latency and fast resource access, select the region nearest to your target users. In this example, select CN-Hong Kong. | CN-Hong Kong |
| Name | Name of a VPN gateway. | vpcgw-001 |
| VPC | Name of the VPC to which the VPN gateway connects. Select a VPC in the CN-Hong Kong region. | vpc-001 |
| Type | VPN type. The default value is IPsec. | IPsec |
| Billed By | Pay-per-use billing includes two modes: billed by bandwidth and billed by traffic. Bandwidth: you specify a bandwidth limit and pay for the amount of time you use the bandwidth. Traffic: you specify a bandwidth limit and pay for the traffic you generate. | Traffic |
| Bandwidth (Mbit/s) | Bandwidth of the VPN gateway, in Mbit/s. The bandwidth is shared by all VPN connections created for the VPN gateway, so the total bandwidth of all VPN connections created for a VPN gateway cannot exceed the VPN gateway bandwidth. If the network traffic exceeds the VPN gateway bandwidth, network congestion may occur and VPN connections may be interrupted, so configure enough bandwidth. You can configure alarm rules on Cloud Eye to monitor the bandwidth. | 100 |
Table 2 Description of VPN connection parameters

| Parameter | Description | Example Value |
|---|---|---|
| Name | Name of a VPN connection. | vpn-001 |
| VPN Gateway | Name of the VPN gateway for which the VPN connection is created. | vpcgw-001 |
| Local Subnet | VPC subnets that need to access the on-premises network through VPN. Select Specify CIDR Block, and enter subnets in the CN-Hong Kong and South China regions to ensure that traffic from the South China region can also enter the VPN tunnel. In this example, enter 10.0.2.0/24 and 10.0.3.0/24. | 10.0.2.0/24, 10.0.3.0/24 |
| Remote Gateway | Address of the VPN gateway in the on-premises data center. Set this parameter to the address of the VPN gateway in the on-premises data center in Thailand. | - |
| Remote Subnet | Subnets of the on-premises network that need to access a VPC through VPN. In this example, enter 10.0.1.0/24. | 10.0.1.0/24 |
| PSK | Pre-shared key, which is a private key shared by the two ends of a VPN connection. The PSK configurations at both ends of a VPN connection must be the same. This key is used for VPN connection negotiation. The PSK must contain 6 to 128 characters and can contain only digits, letters, and the special characters ~`!@#$%^()-_+=[]{}\|\,./:; | Test@123 |
| Confirm PSK | Reenter the pre-shared key. | Test@123 |
| Advanced Settings | | Custom |
Table 3 IKE policy

| Parameter | Description | Example Value |
|---|---|---|
| Authentication Algorithm | Hash algorithm used for authentication. The options include SHA1, SHA2-256, SHA2-384, SHA2-512, and MD5. The default value is SHA2-256. | SHA2-256 |
| Encryption Algorithm | Encryption algorithm. The options include AES-128, AES-192, AES-256, and 3DES (insecure, not recommended). The default value is AES-128. | AES-128 |
| DH Algorithm | Diffie-Hellman key exchange algorithm. The options include Group 1, Group 2, Group 5, Group 14, Group 15, Group 16, Group 19, Group 20, and Group 21. The default value is Group 14. DH algorithms configured at both ends of a VPN connection must be the same. Otherwise, the negotiation will fail. | Group 14 |
| Version | IKE key exchange protocol version. The options include v1 (not recommended due to security risks) and v2. The default value is v2. | v2 |
| Lifetime (s) | Lifetime of an SA, in seconds. An SA will be renegotiated when its lifetime expires. The default value is 86400. | 86400 |
| Negotiation Mode | This parameter is available only when Version is set to v1. You can set Negotiation Mode to Main or Aggressive. The default mode is Main. | Main |
Table 4 IPsec policy

| Parameter | Description | Example Value |
|---|---|---|
| Authentication Algorithm | Hash algorithm used for authentication. The options include SHA1, SHA2-256, SHA2-384, SHA2-512, and MD5. The default value is SHA2-256. | SHA2-256 |
| Encryption Algorithm | Encryption algorithm. The options include AES-128, AES-192, AES-256, and 3DES (insecure, not recommended). The default value is AES-128. | AES-128 |
| PFS | Algorithm used by the Perfect Forward Secrecy (PFS) function. The PFS algorithm can be DH group 1, DH group 2, DH group 5, DH group 14, DH group 15, DH group 16, DH group 19, DH group 20, or DH group 21. The default value is DH group 14. | DH group 14 |
| Transfer Protocol | Security protocol used in IPsec to transmit and encapsulate user data. The options include AH, ESP, and AH-ESP. The default value is ESP. | ESP |
| Lifetime (s) | Lifetime of an SA, in seconds. An SA will be renegotiated when its lifetime expires. The default value is 3600. | 3600 |
The following algorithms are not recommended because they are not secure enough:
- Authentication algorithms: SHA1 and MD5
- Encryption algorithm: 3DES
- DH algorithms: Group 1, Group 2, and Group 5
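Two things from Tables 2 to 4 and the note above are worth checking before the connection is created: that the PSK follows the stated length and character rules, and that the IKE and IPsec proposals at the two ends match without relying on the algorithms listed as not recommended. The Python script below is an added example written for this page; it is not Huawei Cloud code. The dictionary keys, the set names and the normalisation of Table 4's "DH group 14" spelling to Table 3's "Group 14" are assumptions made here, and reporting every differing proposal field (the page only states that the DH group must match) is likewise this example's choice.

```python
import re

# Algorithms the page lists as not recommended. These sets are constructed
# for this example and are not an official Huawei Cloud API.
NOT_RECOMMENDED_AUTH = {"SHA1", "MD5"}
NOT_RECOMMENDED_ENC = {"3DES"}
NOT_RECOMMENDED_DH = {"Group 1", "Group 2", "Group 5"}

# Permitted PSK characters from Table 2: digits, letters and ~`!@#$%^()-_+=[]{}|\,./:;
PSK_CHARSET = re.compile(r"^[0-9A-Za-z~`!@#$%^()\-_+=\[\]{}|\\,./:;]*$")


def validate_psk(psk: str) -> list[str]:
    """Return the Table 2 rule violations for a pre-shared key (empty list = acceptable)."""
    problems = []
    if not 6 <= len(psk) <= 128:
        problems.append("PSK length must be 6 to 128 characters")
    if not PSK_CHARSET.match(psk):
        problems.append("PSK contains characters outside the permitted set")
    return problems


# A proposal is a plain dict keyed by the parameter names of Tables 3 and 4
# (key names are an assumption of this example). These are the page defaults.
DEFAULT_IKE = {"auth": "SHA2-256", "enc": "AES-128", "dh": "Group 14",
               "version": "v2", "lifetime": 86400}
DEFAULT_IPSEC = {"auth": "SHA2-256", "enc": "AES-128", "pfs": "DH group 14",
                 "protocol": "ESP", "lifetime": 3600}


def check_proposal(name: str, local: dict, remote: dict) -> list[str]:
    """Flag fields that differ between the two ends and weak algorithm choices.

    The page states that the DH group must match at both ends; this example
    reports every differing field, since negotiation needs the whole proposal
    to agree (assumption made here).
    """
    findings = []
    for key in local:
        if local[key] != remote.get(key):
            findings.append(f"{name}: '{key}' differs ({local[key]} vs {remote.get(key)})")
    for end, prop in (("local", local), ("remote", remote)):
        if prop.get("auth") in NOT_RECOMMENDED_AUTH:
            findings.append(f"{name}/{end}: authentication {prop['auth']} is not recommended")
        if prop.get("enc") in NOT_RECOMMENDED_ENC:
            findings.append(f"{name}/{end}: encryption {prop['enc']} is not recommended")
        # IKE uses "dh" (Group N); IPsec uses "pfs" (DH group N). Normalise the
        # Table 4 spelling to the Table 3 spelling before the lookup.
        dh = prop.get("dh") or prop.get("pfs", "")
        if dh.replace("DH group", "Group") in NOT_RECOMMENDED_DH:
            findings.append(f"{name}/{end}: DH {dh} is not recommended")
        if prop.get("version") == "v1":
            findings.append(f"{name}/{end}: IKEv1 is not recommended; use v2")
    return findings


if __name__ == "__main__":
    # Constructed remote proposal that still uses a weak DH group and MD5.
    remote_ike = dict(DEFAULT_IKE, dh="Group 5", auth="MD5")
    for line in validate_psk("Test@123") + check_proposal("IKE", DEFAULT_IKE, remote_ike):
        print(line)
    for line in check_proposal("IPsec", DEFAULT_IPSEC, DEFAULT_IPSEC):
        print(line)
```

Run against the page's defaults at both ends, both checkers return empty lists; the constructed remote proposal in the `__main__` block produces four findings (two mismatches plus the MD5 and Group 5 warnings), which is the shape of output to expect before a negotiation fails on a real device.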
- Click
- Configure the VPN gateway in the on-premises data center in Thailand.
Configure VPN on the VPN gateway device in the on-premises data center.
Configure an ACL referenced by the IPsec policy as follows:
- Source CIDR block: 10.0.1.0/24
- Destination CIDR blocks: 10.0.2.0/24 and 10.0.3.0/24
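The ACL on the on-premises device has to be the mirror image of the cloud-side connection: its source is the cloud Remote Subnet and its destination is the cloud Local Subnet from Table 2, and neither side's subnets may overlap the other's or routing becomes ambiguous. The following Python check is an added example written for this page, not part of the page or of any Huawei tool; it uses the page's example CIDR blocks as constructed input, and the dictionary layout of the ACL is an assumption.

```python
import ipaddress

# Constructed from the page's example values.
CLOUD_LOCAL = ["10.0.2.0/24", "10.0.3.0/24"]   # Local Subnet: VPC subnets behind the cloud gateway
CLOUD_REMOTE = ["10.0.1.0/24"]                  # Remote Subnet: on-premises subnet in Thailand
ONPREM_ACL = {"source": ["10.0.1.0/24"],        # ACL referenced by the on-premises IPsec policy
              "destination": ["10.0.2.0/24", "10.0.3.0/24"]}


def _nets(cidrs):
    """Parse CIDR strings strictly (host bits set raises ValueError) and sort for comparison."""
    return sorted(ipaddress.ip_network(c, strict=True) for c in cidrs)


def check_selectors(cloud_local, cloud_remote, onprem_acl) -> list[str]:
    """Return findings if the on-premises ACL does not mirror the cloud connection."""
    findings = []
    try:
        local, remote = _nets(cloud_local), _nets(cloud_remote)
        acl_src, acl_dst = _nets(onprem_acl["source"]), _nets(onprem_acl["destination"])
    except ValueError as exc:
        return [f"invalid CIDR block: {exc}"]
    # Mirror image: on-premises source == cloud Remote Subnet,
    # on-premises destination == cloud Local Subnet.
    if acl_src != remote:
        findings.append("on-premises ACL source does not match the cloud Remote Subnet")
    if acl_dst != local:
        findings.append("on-premises ACL destination does not match the cloud Local Subnet")
    # The two ends must not overlap, otherwise traffic for the overlap has no
    # unambiguous tunnel direction.
    for l_net in local:
        for r_net in remote:
            if l_net.overlaps(r_net):
                findings.append(f"local {l_net} overlaps remote {r_net}")
    return findings


if __name__ == "__main__":
    print(check_selectors(CLOUD_LOCAL, CLOUD_REMOTE, ONPREM_ACL))   # [] for the page's values
```

A typical slip this catches is forgetting the second cloud subnet (10.0.3.0/24) in the on-premises destination list: the South China traffic the page mentions would then never be matched by the ACL and would not enter the tunnel.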