Updated on 2024-12-04 GMT+08:00

Modifying a VPN Connection

Scenario

A VPN connection is an encrypted communications channel established between a VPN gateway in a VPC and a customer gateway in your on-premises data center. You can modify a VPN connection when required.

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner and select the desired region and project.
  3. Click in the upper left corner of the page, and choose Networking > Virtual Private Network.
  4. In the navigation pane on the left, choose Virtual Private Network > Enterprise – VPN Connections.
  5. On the VPN Connections page, locate the VPN connection to modify, and click Modify VPN Connection or Modify Policy Settings.
  6. Modify VPN connection parameters as prompted.

    For VPN connections in policy template mode, you can modify the policy settings on the VPN Gateways page, instead of on the VPN Connections page. For details, see Modifying the Policy Template of a VPN Gateway.

  7. Click OK.

If you change the PSK or modify the IKE or IPsec policy of a VPN connection, ensure that the new configurations are consistent with those on the customer gateway. Otherwise, the VPN connection will be interrupted.

Only some of the parameters take effect immediately after being modified, as described in Table 1.

Table 1 Time when new parameter settings take effect

| Item | Parameter | When New Settings Take Effect | How to Modify |
|---|---|---|---|
| - | PSK | When IKEv1 is used, the new setting takes effect in the next negotiation period. When IKEv2 is used, the new setting takes effect after the VPN connection is re-established. NOTE: This parameter is not available for VPN connections set up using SM series cryptographic algorithms. | When IKEv1 is used: Locate the VPN connection to modify, choose More > Reset PSK on the right, and change the PSK as prompted. When IKEv2 is used: 1. Delete the current VPN connection. 2. Create a new VPN connection. |
| IKEv1 policy | Encryption Algorithm, Authentication Algorithm, DH Algorithm, Negotiation Mode, Local ID, Customer ID, Lifetime (s) | The new settings take effect in the next negotiation period. NOTE: The following parameters cannot be modified for VPN connections set up using SM series cryptographic algorithms: Encryption Algorithm, Authentication Algorithm, and Negotiation Mode. The following parameters are not available for VPN connections set up using SM series cryptographic algorithms: DH Algorithm, Local ID, and Customer ID. | Locate the VPN connection to modify, and click Modify VPN Configuration. |
| IKEv1 policy | Version | The new settings take effect immediately. NOTE: This parameter is not available for VPN connections set up using SM series cryptographic algorithms. | Locate the VPN connection to modify, and click Modify VPN Configuration. |
| IKEv2 policy | Encryption Algorithm, Authentication Algorithm, DH Algorithm, Lifetime (s) | The new settings take effect in the next negotiation period. | Locate the VPN connection to modify, and click Modify VPN Configuration. |
| IKEv2 policy | Version | The new settings take effect immediately. | Locate the VPN connection to modify, and click Modify VPN Configuration. |
| IKEv2 policy | Local ID, Customer ID | The new settings take effect after the VPN connection is re-established. | 1. Delete the current VPN connection. 2. Create a new VPN connection. |
| IPsec policy | Encryption Algorithm, Authentication Algorithm, PFS, Lifetime (s) | The new settings take effect in the next negotiation period. NOTE: Encryption Algorithm and Authentication Algorithm cannot be modified for VPN connections set up using SM series cryptographic algorithms. The PFS parameter is not available for VPN connections set up using SM series cryptographic algorithms. | Locate the VPN connection to modify, and click Modify VPN Configuration. |
| IPsec policy | Transfer Protocol | This parameter cannot be modified on the management console. | |
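A pre-change check for the consistency requirement and the Table 1 timings, as an added example that is not part of the original documentation or any Huawei Cloud tooling. It assumes both sides' settings have been exported into flat dictionaries using the hypothetical key names below, with the customer gateway's values normalised to the same naming; all sample values are constructed.

```python
import hmac

# Per Table 1: under IKEv2 these only take effect once the connection is
# deleted and created again; the IKE version itself applies immediately.
RECREATE_UNDER_IKEV2 = {"psk", "ike.local_id", "ike.customer_id"}

def takes_effect(param, ike_version):
    if param == "ike.version":
        return "immediately"
    if ike_version == "v2" and param in RECREATE_UNDER_IKEV2:
        return "after re-creation"
    return "next negotiation"

def same(param, a, b):
    # Compare the PSK in constant time; other values compare directly.
    if param == "psk":
        return hmac.compare_digest(a.encode(), b.encode())
    return a == b

def review_change(current, planned, customer_gw, ike_version):
    """List changed parameters; the PSK value itself is never returned."""
    findings = []
    for param in sorted(planned):
        if same(param, current[param], planned[param]):
            continue
        findings.append({
            "param": param,
            "takes_effect": takes_effect(param, ike_version),
            "matches_customer_gw": same(param, planned[param], customer_gw[param]),
        })
    return findings

def mismatches(findings):
    # Changes that would interrupt the connection if applied as planned.
    return [f["param"] for f in findings if not f["matches_customer_gw"]]

# Constructed sample data (hypothetical key names and values).
CURRENT = {"psk": "constructed-old-psk", "ike.version": "v2",
           "ike.encryption": "aes-128", "ipsec.pfs": "group14",
           "ipsec.lifetime": 3600}
PLANNED = {**CURRENT, "psk": "constructed-new-psk",
           "ike.encryption": "aes-256", "ipsec.lifetime": 7200}
# Customer gateway already has the new PSK and lifetime, not the new cipher.
CUSTOMER_GW = {**CURRENT, "psk": "constructed-new-psk", "ipsec.lifetime": 7200}

if __name__ == "__main__":
    for f in review_change(CURRENT, PLANNED, CUSTOMER_GW, "v2"):
        print(f)
```

Any parameter returned by `mismatches` should be aligned on the customer gateway before the change is submitted on the console.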

Table 2 describes the parameters related to VPN connection modification.

Table 2 Parameters related to VPN connection modification

| Parameter | Description | Modifiable or Not |
|---|---|---|
| Name | Name of a VPN connection. The value can contain only letters, digits, underscores (_), hyphens (-), and periods (.). | Y |
| Customer Gateway | Gateway used for communicating with a VPC through VPN. | Y |
| Customer Subnet | Subnet in the on-premises data center that needs to access the VPC on Huawei Cloud. | Y |
| Policy Settings | There are IKE and IPsec policies. | Y |
| Policy | The settings include the source and destination CIDR blocks. | Y |
| PSK | The PSKs configured for the VPN gateway and customer gateway must be the same. | Y |
| Billing Mode | Yearly/Monthly: You are billed by month or year. By default, 10 VPN connection groups are included free of charge with the purchase of a VPN gateway. Pay-per-use: VPN gateways and VPN connection groups are billed by usage duration, and the billing cycle is 1 hour. | The billing mode can only be changed from pay-per-use to yearly/monthly. |
| Local Tunnel Interface Address | Tunnel interface IP address configured on the VPN gateway. | Y |
| Customer Tunnel Interface Address | Tunnel interface IP address configured on the customer gateway device. | Y |
| VPN Gateway | VPN gateway that has been created. | N |
| Gateway IP Address | IP address used by the customer gateway to communicate with the VPN gateway. The value must be a static address. Ensure that UDP port 4500 is permitted in a firewall rule on the customer gateway in your on-premises data center or private network. | N |
| Interface IP Address Assignment | Mode in which IP addresses of the local and customer interfaces are assigned. The options include Manually specify and Automatically assign. | N |
| Link Detection | This function is used for route reliability detection in multi-link scenarios. NOTE: When enabling this function, ensure that the customer gateway supports ICMP and is correctly configured with the customer interface IP address of the VPN connection. Otherwise, VPN traffic will fail to be forwarded. | N |