Configuring VPN

1. Click in the upper left corner and select the CN-Hong Kong region.
2. Choose Networking > Virtual Private Network.
3. In the navigation pane on the left, choose Virtual Private Network > Classic.
4. On the VPN Gateways page, click Buy VPN Gateway.
5. Configure parameters based on Table 1 and click Buy Now.

   Table 1 Descriptions of VPN gateway parameters

   Parameter	Description	Example Value
   Billing Mode	VPN gateways in this region can be billed on a pay-per-use basis.	Pay-per-use
   Region	The networks in different regions are not connected to each other, so resources cannot be shared across regions. For low network latency and fast resource access, select the region nearest to your target users. In this example, select CN-Hong Kong.	CN-Hong Kong
   Name	Name of a VPN gateway.	vpcgw-001
   VPC	Name of the VPC to which the VPN gateway connects. Select a VPC in the CN-Hong Kong region.	vpc-001
   Type	VPN type. The default value is IPsec.	IPsec
   Billed By	Pay-per-use billing includes two modes: billed by bandwidth and billed by traffic. Bandwidth: You need to specify a bandwidth limit and pay for the amount of time you use the bandwidth. Traffic: You need to specify a bandwidth limit and pay for the traffic you generate.	Traffic
   Bandwidth (Mbit/s)	Bandwidth of the VPN gateway, in Mbit/s. The bandwidth is shared by all VPN connections created for the VPN gateway. The total bandwidth of all VPN connections created for a VPN gateway cannot exceed the VPN gateway bandwidth. During the use of VPN, if the network traffic exceeds the VPN gateway bandwidth, network congestion may occur and VPN connections may be interrupted. As such, ensure that you configure enough bandwidth. You can configure alarm rules on Cloud Eye to monitor the bandwidth.	100

   Table 2 Description of VPN connection parameters

   Parameter	Description	Example Value
   Name	Name of a VPN connection.	vpn-001
   VPN Gateway	Name of the VPN gateway for which the VPN connection is created.	vpcgw-001
   Local Subnet	VPC subnets that need to access the on-premises network through VPN. Select Specify CIDR Block, and enter subnets in the CN-Hong Kong and South China regions to ensure that traffic from the South China region can also enter the VPN tunnel. In this example, enter 10.0.2.0/24 and 10.0.3.0/24.	10.0.2.0/24, 10.0.3.0/24
   Remote Gateway	Address of the VPN gateway in the on-premises data center. Set this parameter to the address of the VPN gateway in the on-premises data center in Thailand.	-
   Remote Subnet	Subnets of the on-premises network that need to access a VPC through VPN In this example, enter 10.0.1.0/24.	10.0.1.0/24
   PSK	Pre-shared key, which is a private key shared by the two ends of a VPN connection. The PSK configurations at both ends of a VPN connection must be the same. This key is used for VPN connection negotiation. The PSK: Must contain 6 to 128 characters. Can contain only: Digits Letters Special characters ~`!@#$%^()-_+=[]{}|\,./:;	Test@123
   Confirm PSK	Reenter the pre-shared key.	Test@123
   Advanced Settings	Default: Use default IKE and IPsec policies. Custom: Use custom IKE and IPsec policies. For details about the policies, see Table 3 and Table 4.	Custom

   Table 3 IKE policy

   Parameter	Description	Example Value
   Authentication Algorithm	Hash algorithm used for authentication. The options include SHA1, SHA2-256, SHA2-384, SHA2-512, and MD5 The default value is SHA2-256.	SHA2-256
   Encryption Algorithm	Encryption algorithm. The options include AES-128, AES-192, AES-256, and 3DES (Insecure. Not Recommended.). The default value is AES-128.	AES-128
   DH Algorithm	Diffie-Hellman key exchange algorithm. The options include Group 1, Group 2, Group 5, Group 14 , Group 15, Group 16, Group 19, Group 20, and Group 21 The default value is Group 14. DH algorithms configured at both ends of a VPN connection must be the same. Otherwise, the negotiation will fail.	Group 14
   Version	IKE key exchange protocol version. The options include v1 (not recommended due to security risks) and v2. The default value is v2.	v2
   Lifetime (s)	Lifetime of an SA, in seconds An SA will be renegotiated when its lifetime expires. The default value is 86400.	86400
   Negotiation Mode	This parameter is available only when Version is set to v1. You can set Negotiation Mode to Main or Aggressive. The default mode is Main.	Main

   Table 4 IPsec policy

   Parameter	Description	Example Value
   Authentication Algorithm	Hash algorithm used for authentication. The options include SHA1, SHA2-256, SHA2-384, SHA2-512, and MD5 The default value is SHA2-256.	SHA2-256
   Encryption Algorithm	Encryption algorithm. The options include AES-128, AES-192, AES-256, and 3DES (Insecure. Not Recommended.). The default value is AES-128.	AES-128
   PFS	Algorithm used by the Perfect forward secrecy (PFS) function. The PFS algorithm can be DH group 1, DH group 2, DH group 5, DH group 14, DH group 15, DH group 16, DH group 19, DH group 20, or DH group 21. The default value is DH group 14.	DH group 14
   Transfer Protocol	Security protocol used in IPsec to transmit and encapsulate user data. The options include AH, ESP, and AH-ESP. The default value is ESP.	ESP
   Lifetime (s)	Lifetime of an SA, in seconds An SA will be renegotiated when its lifetime expires. The default value is 3600.	3600

   

   The following algorithms are not recommended because they are not secure enough:

   • Authentication algorithms: SHA1 and MD5
   • Encryption algorithm: 3DES
   • DH algorithms: Group 1, Group 2, and Group 5

Configure VPN on the VPN gateway device in the on-premises data center.

Configure an ACL referenced by the IPsec policy as follows:

• Source CIDR block: 10.0.1.0/24
• Destination CIDR blocks: 10.0.2.0/24 and 10.0.3.0/24