Updated on 2024-12-03 GMT+08:00

Example 5: Creating a Server

Scenario

This section describes how to create a VPN server by calling an API.

Prerequisites

  • You have created a yearly/monthly P2C VPN gateway.
  • You have purchased or uploaded a server certificate in the CCM. For details, see Purchasing an SSL Certificate or Uploading an External Certificate.
  • You have determined the endpoint for calling APIs.
  • You have obtained a user token if you need to use token authentication. In addition, you need to add X-Auth-Token to the request header when calling an API. For details about token authentication, see Authentication.

The token obtained through IAM is valid for only 24 hours. When using a token for authentication, cache it to avoid frequent calling.

Data Preparation

A VPN server supports two authentication modes: certificate authentication and password authentication.

Table 1 Key parameters in a request for creating a VPN server in certificate authentication mode

Parameter

Description

Example Value

p2c_vgw_id

Specifies the ID of the P2C VPN gateway that has been created.

595210dc-7998-4ba3-aeb9-516fbcf7853c

client_cidr

Specifies a client CIDR block.

100.10.1.0/24

local_subnets

Specifies the list of local CIDR blocks.

192.168.0.0/24,192.168.1.0/24

server_certificate.id

Specifies a server certificate ID, which can be obtained from the CCM.

scs1717051012106

client_ca_certificate.content

Specifies the content of client CA certificates.

-----BEGIN CERTIFICATE-----******-----END CERTIFICATE-----

Table 2 Key parameters in a request for creating a VPN server in password authentication mode

Parameter

Description

Example Value

p2c_vgw_id

Specifies the ID of the P2C VPN gateway that has been created.

dea8c4fb-be5c-4d50-be9a-f9a5f3a9afc6

client_cidr

Specifies a client CIDR block.

100.10.2.0/24

local_subnets

Specifies the list of local CIDR blocks.

192.168.0.0/24,192.168.1.0/24

server_certificate.id

Specifies a server certificate ID, which can be obtained from the CCM.

scs1717051012106

Procedure

  1. Create a VPN server.
    1. Send POST https://{endpoint}/v5/{project_id}/p2c-vpn-gateways/{p2c_vgw_id}/vpn-servers. {p2c_vgw_id} specifies the ID of the created P2C VPN gateway.
    2. Add X-Auth-Token to the request header.
    3. Set parameters in the request body.

      In certificate authentication mode, the input parameters are as follows:

      {
        "vpn_server": {
          "tunnel_protocol": "SSL",
          "client_cidr": "100.10.1.0/24",
          "local_subnets": [
            "192.168.0.0/24",
            "192.168.1.0/24"
          ],
          "client_auth_type": "CERT",
          "server_certificate": {
            "id": "scs1717051012106"
          },
          "client_ca_certificates": [
            {
              "content" : "-----BEGIN CERTIFICATE-----******-----END CERTIFICATE-----"
            }
          ],
          "ssl_options": {
            "protocol": "TCP",
            "port": 443,
            "encryption_algorithm": "AES-128-GCM",
            "is_compressed": false
          }
        }
      }

      In password authentication mode, the input parameters are as follows:

      {
        "vpn_server": {
          "tunnel_protocol": "SSL",
          "client_cidr": "100.10.2.0/24",
          "local_subnets": [
            "192.168.0.0/24",
            "192.168.1.0/24"
          ],
          "client_auth_type": "LOCAL_PASSWORD",
          "server_certificate": {
            "id": "scs1717051012106"
          },
          "ssl_options": {
            "protocol": "TCP",
            "port": 443,
            "encryption_algorithm": "AES-128-GCM",
            "is_compressed": false
          }
        }
      }
    4. Check the response.

      The request is successful if the following response is displayed. In the response, id specifies the ID of the created VPN server.

      {
          "vpn_server": {
              "id": "0e325fb6-83b9-4004-a343-8b6fc714a5d9"
          },
          "request_id": "bf23a5884def9be4576cff33e4dd78d5"
      }
  2. Query VPN server information.
    1. Send GET https://{endpoint}/v5/{project_id}/p2c-vpn-gateways/{p2c_vgw_id}/vpn-servers. {p2c_vgw_id} specifies the ID of the created P2C VPN gateway.
    2. Add X-Auth-Token to the request header.
    3. Check the response.

      If the status value of the server is PENDING_CREATE, the server is being created. If the status value of the server is ACTIVE, the server has been created.

      The response in certificate authentication mode is as follows:

      {
          "vpn_servers": [
              {
                  "id": "b26c9c74-5bb9-4df8-8b98-ecf2051e3482",
                  "p2c_vgw_id": "595210dc-7998-4ba3-aeb9-516fbcf7853c",
                  "client_cidr": "100.10.1.0/24",
                  "local_subnets": [
                      "192.168.0.0/24",
                      "192.168.1.0/24"
                  ],
                  "client_auth_type": "CERT",
                  "tunnel_protocol": "SSL",
                  "server_certificate": {
                      "id": "scs1717051012106",
                      "name": "test-05304",
                      "issuer": "C=CN,ST=beijing,L=haidian,O=lesaas,OU=root,CN=www.root.huawei.com",
                      "subject": "C=CN,ST=beijing,L=haidian,O=server,OU=server,CN=www.server.huawei.com",
                      "serial_number": "350612543125953290200975245211283057292471206725",
                      "expiration_time": "2024-06-29T06:39:46Z",
                      "signature_algorithm": "SHA256WITHRSA"
                  },
                  "client_ca_certificates": [
                      {
                          "id": "7e971612-f720-4d31-88b5-fc6280b88e36",
                          "name": "ca-cert-123e",
                          "issuer": "C=CN,ST=JS,L=NJ,O=NYS,OU=N10,CN=test.huawei.com",
                          "subject": "C=CN,ST=JS,L=NJ,O=NYS,OU=N10,CN=testCA.huawei.com",
                          "serial_number": "1591942200161",
                          "expiration_time": "2033-11-06T11:39:14Z",
                          "signature_algorithm": "SHA256WITHRSA",
                          "created_at": "2024-06-18T12:19:17.978Z",
                          "updated_at": "2024-06-18T12:19:17.978Z"
                      }
                  ],
                  "ssl_options": {
                      "protocol": "TCP",
                      "port": 443,
                      "encryption_algorithm": "AES-128-GCM",
                      "authentication_algorithm": "SHA256",
                      "is_compressed": false
                  },
                  "status": "ACTIVE",
                  "created_at": "2024-06-18T12:19:17.978Z",
                  "updated_at": "2024-06-18T12:19:17.978Z"
              }
          ],
          "request_id": "68188a14243b1b54d0b45a82d9123b98"
      }

      The response in password authentication mode is as follows:

      {
          "vpn_servers": [
              {
                  "id": "0e325fb6-83b9-4004-a343-8b6fc714a5d9",
                  "p2c_vgw_id": "dea8c4fb-be5c-4d50-be9a-f9a5f3a9afc6",
                  "client_cidr": "100.10.2.0/24",
                  "local_subnets": [
                      "192.168.0.0/24",
                      "192.168.1.0/24"
                  ],
                  "client_auth_type": "LOCAL_PASSWORD",
                  "tunnel_protocol": "SSL",
                  "server_certificate": {
                      "id": "scs1717051012106",
                      "name": "test-05304",
                      "issuer": "C=CN,ST=beijing,L=haidian,O=lesaas,OU=root,CN=www.root.huawei.com",
                      "subject": "C=CN,ST=beijing,L=haidian,O=server,OU=server,CN=www.server.huawei.com",
                      "serial_number": "350612543125953290200975245211283057292471206725",
                      "expiration_time": "2024-06-29T06:39:46Z",
                      "signature_algorithm": "SHA256WITHRSA"
                  },
                  "client_ca_certificates": [],
                  "ssl_options": {
                      "protocol": "TCP",
                      "port": 443,
                      "encryption_algorithm": "AES-128-GCM",
                      "authentication_algorithm": "SHA256",
                      "is_compressed": false
                  },
                  "status": "ACTIVE",
                  "created_at": "2024-06-18T12:21:54.889Z",
                  "updated_at": "2024-06-18T12:21:54.889Z"
              }
          ],
          "request_id": "f8e64d41466085f06383dc59ffb28230"
      }