หน้านี้ยังไม่พร้อมใช้งานในภาษาท้องถิ่นของคุณ เรากำลังพยายามอย่างหนักเพื่อเพิ่มเวอร์ชันภาษาอื่น ๆ เพิ่มเติม ขอบคุณสำหรับการสนับสนุนเสมอมา
Virtual Private Network
Virtual Private Network
- What's New
- Function Overview
- Service Overview
-
Billing
- Overview of VPN Billing
- S2C Enterprise Edition VPN
- S2C Classic VPN
- P2C VPN
- Renewal
- Bills
- Arrears
- Billing Termination
-
Billing FAQs
-
S2C Enterprise Edition VPN
- How Will I Be Charged for My Use of a VPN? Will I Be Charged for VPN Gateway EIPs?
- What Are the Differences Between Billing the VPN Gateway EIP Bandwidth by Bandwidth and by Traffic?
- Can a VPN Billed by Traffic Use a Shared Data Package?
- For How Many VPN Connections Will I Be Charged to Connect VPCs in Different Regions of Huawei Cloud?
- How Do I Change the Billing Mode of a VPN Gateway from Pay-Per-Use to Yearly/Monthly?
- Will a Yearly/Monthly VPN Gateway Be Automatically Renewed?
- Can I Unsubscribe from a Yearly/Monthly VPN Gateway?
- When Will My VPN Resources Be Frozen? How Can I Unfreeze the VPN Resources?
-
S2C Classic VPN
- What Will I Be Charged for Creating a VPN? Will I Be Charged for VPN Gateway IP Addresses?
- What Is the Difference Between Billing a VPN Gateway by Bandwidth and by Traffic?
- Can a VPN Billed by Traffic Use a Shared Data Package?
- For How Many VPN Connections Will I Be Charged to Connect VPCs in Different Regions of Huawei Cloud?
- How Do I Change the Billing Mode of a VPN Gateway from Pay-Per-Use to Yearly/Monthly?
- Will a Yearly/Monthly VPN Gateway Be Automatically Renewed?
- Can I Unsubscribe from a Yearly/Monthly VPN Gateway?
- When Will My VPN Resources Be Frozen? How Can I Unfreeze the VPN Resources?
- How Are VPN Resources Billed and How Do I Use Coupons?
-
S2C Enterprise Edition VPN
- Getting Started
-
User Guide
-
S2C Enterprise Edition VPN
-
Enterprise Edition VPN Gateway Management
- Creating a VPN Gateway
- Viewing a VPN Gateway
- Modifying a VPN Gateway
- Modifying the Specification of a Yearly/Monthly VPN Gateway
- Modifying the Policy Template of a VPN Gateway
- Binding an EIP to a VPN Gateway
- Unbinding an EIP from a VPN Gateway
- Unsubscribing from a Yearly/Monthly VPN Gateway
- Renewing a Yearly/Monthly VPN Gateway
- Deleting a Pay-per-Use VPN Gateway
- Uploading Certificates for a VPN Gateway
- Replacing Certificates of a VPN Gateway
- Customer Gateway Management of Enterprise Edition VPN
- Enterprise Edition VPN Connection Management
- Enterprise Edition VPN Fee Management
-
Enterprise Edition VPN Gateway Management
- S2C Classic VPN
-
P2C VPN
- P2C VPN Gateway Management
-
P2C VPN Server Management
- Configuring a Server
- Checking Server Information
- Modifying a Server
- Uploading a Server Certificate
- Modifying a Server Certificate
- Uploading a Client CA Certificate
- Deleting a Client CA Certificate
- Creating a User and User Group
- Modifying a User or User Group
- Deleting a User or User Group
- Creating an Access Policy
- Modifying an Access Policy
- Deleting an Access Policy
- Resetting the Password of a User
- Importing Users in Batches
- Deleting Users in Batches
- Viewing a VPN connection
- Tearing Down a VPN Connection
- Viewing VPN Connection Logs
- Updating the VPN Connection Log Configuration
- Deleting the VPN Connection Log Configuration
- P2C VPN Client Management
- P2C VPN Fee Management
- Monitoring
- Audit
- Permissions Management
- Tag Management
- Quotas
-
S2C Enterprise Edition VPN
-
Administrator Guide
- S2C Enterprise Edition VPN
-
S2C Classic VPN
- Overview
- Huawei USG6600 Series
- Configuring VPN When Fortinet FortiGate Firewall Is Used
- Configuring VPN When Sangfor Firewall Is Used
- Using TheGreenBow IPsec VPN Client to Configure On- and Off-Cloud Communication
- Using Openswan to Configure On- and Off-Cloud Communication
- Using strongSwan to Configure On- and Off-Cloud Communication
- P2C VPN
-
Best Practices
-
S2C Enterprise Edition VPN
- Connecting an On-premises Data Center to a VPC on the Cloud Through VPN (Active-Active Mode)
- Connecting an On-premises Data Center to a VPC on the Cloud Through VPN (Active/Standby Mode)
- Connecting an On-premises Data Center to a VPC on the Cloud Through VPN (Access via Non-fixed IP Addresses)
- Connecting Multiple On-premises Branch Networks Through a VPN Hub
- Allowing Direct Connect and VPN to Work in Active and Standby Mode to Link Data Center to Cloud
- Using VPN to Connect to the Cloud Through Two Internet Lines
- Using VPN to Encrypt Data over Direct Connect Lines
- Configuring VPN Load Balancing to Provide High Bandwidth for Cloud and On-Premises Interconnection
- S2C Classic VPN
- P2C VPN
-
S2C Enterprise Edition VPN
-
Troubleshooting
- The State of a VPN Connection Is Not connected
- Ping Tests Between Cloud and On-premises Networks Fail
- Packet Loss Occurs
-
Client Connection Failures
- The Client Log Contains "Connection failed to establish within given time"
- The Client Log Contains "Cannot load CA certificate file [[INLINE]](no entries were read)"
- The Client Log Contains "error:068000A8:asn1 encoding routines:wrong tag"
- The Client Log Contains "OpenSSL: error:0A000086:SSL routines::certificate verify failed"
- The Client Log Contains "TLS Error: TLS handshake failed"
- The Client Log Contains "Options error: Unrecognized option or missing or extra parameter(s) in XXX: disable-dco"
- The Client Log Contains "TCP: connect to [AF_INET] *.*.*.*:**** failed: Unknown error"
- The Client Log Contains "AUTH: Received control message: AUTH_FAILED"
- The Client Log Contains "AUTH_FAILED"
- Successful Client Connection but Unavailable Services
- S2C Classic VPN
-
FAQs
-
FAQs - S2C Enterprise Edition VPN
-
Popular Questions
- What Devices Can Be Connected to Huawei Cloud Through a VPN?
- What Are VPN Negotiation Parameters? What Are Their Default Values?
- Can I Deploy an Application on the Cloud and a Database in an On-premises Data Center and Connect Them Through a VPN Gateway?
- Can I Visit Websites Across International Borders Using a VPN?
- What Is a VPN Connection? How Do I Set the Number of VPN Connections When Buying a VPN Gateway?
- Will I Be Notified If a VPN Connection Is Interrupted?
- Are a Username and Password Required for Creating an IPsec VPN Connection?
- What Are the Differences Between IPsec VPN and SSL VPN in Application Scenarios and Connection Modes?
- Is an IPsec VPN Connection Automatically Established?
- How Will I Be Charged for My Use of a VPN? Will I Be Charged for VPN Gateway EIPs?
- Can the EIP of a VPN Gateway Be Retained After the VPN Gateway Is Deleted?
- What VPN Resources Can Be Monitored?
- In Which Direction Is the VPN Bandwidth Limited? What Is the Unit of Bandwidth?
- How Is the Network Speed of a VPN Connection Tested?
- Can a VPN Billed by Traffic Use a Shared Data Package?
- How Do I Change the Billing Mode of a VPN Gateway from Pay-Per-Use to Yearly/Monthly?
- What Are the Relationships Between a VPC, a VPN Gateway, and a VPN Connection?
- What Are a Customer Gateway and a Customer Subnet in a VPN Connection?
- How Many VPN Connections Do I Need to Connect Multiple On-premises Servers to the Cloud?
- Does a VPN Allow for Communications Between Two VPCs?
- What Are the Impacts of a VPN on an On-premises Network? What Are the Changes to the Route for Accessing an ECS?
- Can I Connect a Network with Two Egresses to a VPC Through Two VPN Connections?
- How Can I Prevent VPN Disconnections?
- What Do I Do If a VPN Connection Fails to Be Established?
- Can EIPs Be Used as VPN Gateway IP Addresses?
- Why Is a VPN Connection Always in Not Connected State After Its Configuration Is Complete?
- Do I Need to Configure ACL Rules on the Console After I Configure ACL Rules on the On-premises Gateway Device?
- How Do I Determine Which EIP Is Used for Transmitting Service Traffic That Leaves the Cloud?
-
General Consulting
- What Are the Typical Scenarios of IPsec VPN?
- What Are a VPC, a VPN Gateway, and a VPN Connection?
- What Are the Relationships Between a VPC, a VPN Gateway, and a VPN Connection?
- What Is a VPN Connection? How Do I Set the Number of VPN Connections When Buying a VPN Gateway?
- What Are a Customer Gateway and a Customer Subnet in a VPN Connection?
- How Do I Plan CIDR Blocks for Access to a VPC Through a VPN Connection?
- Is an IPsec VPN Connection Automatically Established?
- What Types of VPN Service Tickets Are There? How Do I Create a VPN Service Ticket?
- What Devices Can Be Connected to Huawei Cloud Through a VPN?
- What Are VPN Negotiation Parameters? What Are Their Default Values?
- Are a Username and Password Required for Creating an IPsec VPN Connection?
- How Do I Allow Specific Hosts to Access a VPC Subnet Through a Created VPN Connection?
- What VPN Resources Can Be Monitored?
- Can EIPs Be Used as VPN Gateway IP Addresses?
- Do I Need to Purchase EIPs for Hosts to Communicate with Each Other Through a VPN?
- Are SSL VPNs Supported?
- How Long Does It Take for Delivered VPN Configurations to Take Effect?
- Does VPN Support IPv6?
- How Do I Determine My VPN Bandwidth?
- Does a VPN Connection Support SM Series Cryptographic Algorithms?
- Which IKE Version Should I Select When I Create a VPN Connection?
- How Many Bits Do the DH Groups Used by VPN Have?
- Can I Visit Websites Across International Borders Using a VPN?
- Can I Deploy an Application on the Cloud and a Database in an On-premises Data Center and Connect Them Through a VPN?
- What Are the Differences Between IPsec VPN and SSL VPN in Application Scenarios and Connection Modes?
- How Will I Be Charged for My Use of a VPN? Will I Be Charged for VPN Gateway EIPs?
- What Are the Differences Between Billing the VPN Gateway EIP Bandwidth by Bandwidth and by Traffic?
- Can a VPN Billed by Traffic Use a Shared Data Package?
- Can the EIP of a VPN Gateway Be Retained After the VPN Gateway Is Deleted?
- Where Can I Add Routes to Customer Subnets on the VPN Console?
- Will I Be Notified If a VPN Connection Is Interrupted?
- What Do I Do If a VPN Connection Fails to Be Established?
- In Which Direction Is the VPN Bandwidth Limited? What Is the Unit of Bandwidth?
- Can I Restore a VPN Gateway or VPN Connection That Is Incorrectly Deleted?
- Can the Specification of a VPN Gateway Be Changed (for Example, from Professional 1 to Professional 2)?
- Can I Upgrade Classic VPN to Enterprise Edition VPN?
-
Networking and Application Scenarios
- Can I Visit Websites Across International Borders Using a VPN?
- Can I Deploy an Application on the Cloud and a Database in an On-premises Data Center and Connect Them Through a VPN?
- How Many VPN Connections Do I Need to Connect Multiple On-premises Servers to the Cloud?
- What Are the Differences Between IPsec VPN and SSL VPN in Application Scenarios and Connection Modes?
- Does a VPN Allow for Communications Between Two VPCs?
- What Are the Impacts of a VPN on an On-premises Network? What Are the Changes to the Route for Accessing an ECS?
- What Configurations Are Required at Both Ends of a VPN That Connects an On-premises Data Center to a VPC?
- Can I Connect a Network with Two Egresses to a VPC Through Two VPN Connections?
- Can I Connect Two VPCs in the Same Region Through a VPN?
- How Can I Connect Two VPCs in the Same Region?
- How Do I Enable Communications Between Two VPCs and an On-premises Network?
- How Do I Connect Four Subnets?
- Do I Need Two VPN Connections to Connect Four Subnets of Two Regions If Each Region Has Two Subnets?
- Can I Access OBS Through a VPN?
- How Do I Connect My Personal Computer to the Cloud Through a VPN?
- How Do I Access ECSs at Home When My Enterprise Network Has Been Connected to the Cloud Through a VPN?
- How Do I Establish a VPN Connection Temporarily If No IPsec-Capable On-Premises Device Is Available After I Purchase a VPN Gateway and VPN Connection?
- How Do I Select a Proper Region on the Cloud When I Buy a VPN Gateway?
-
Billing and Payments
- How Will I Be Charged for My Use of a VPN? Will I Be Charged for VPN Gateway EIPs?
- What Are the Differences Between Billing the VPN Gateway EIP Bandwidth by Bandwidth and by Traffic?
- Can a VPN Billed by Traffic Use a Shared Data Package?
- For How Many VPN Connections Will I Be Charged to Connect VPCs in Different Regions of Huawei Cloud?
- How Do I Change the Billing Mode of a VPN Gateway from Pay-Per-Use to Yearly/Monthly?
- Will a Yearly/Monthly VPN Gateway Be Automatically Renewed?
- Can I Unsubscribe from a Yearly/Monthly VPN Gateway?
- When Will My VPN Resources Be Frozen? How Can I Unfreeze the VPN Resources?
-
Operations on the Console
- What Are the Relationships Between a VPC, a VPN Gateway, and a VPN Connection?
- How Long Does It Take for Delivered VPN Configurations to Take Effect?
- Why Is a VPN Connection Always in Not Connected State After Its Configuration Is Complete?
- Can the EIP of a VPN Gateway Be Retained After the VPN Gateway Is Deleted?
- What Information About a Created VPN Can Be Modified and What Information Cannot Be Modified?
- Do I Need to Configure ACL Rules on the Console After I Configure ACL Rules on the On-premises Gateway Device?
- What Do I Do If an Exception Occurs When I Add a Customer Subnet During VPN Connection Creation?
- Where Can I Configure Routes to Customer Subnets on the VPN Console?
- Can I Call APIs to Manage Huawei Cloud VPN Resources?
- What Are a Customer Gateway and a Customer Subnet in a VPN Connection?
- How Do I Disable PFS When Creating a VPN Connection?
- How Many Local and Customer Subnets Can I Add to a VPN?
- What Are the Precautions for Configuring the Local and Customer Subnets for a VPN Connection?
- Why Is a VPN Connection in Not Connected State on the Management Console When It Is Already Available?
- What Can I Do If a Message Is Displayed Indicating That the VPN Connection Does Not Exist After Negotiation Policies Are Modified?
- What Is the Maximum Bandwidth Supported by a VPN Gateway?
- Which IKE Version Should I Select When I Create a VPN Connection?
- Are a Username and Password Required for Creating an IPsec VPN Connection?
- What VPN Resources Can Be Monitored?
- Will I Be Notified If a VPN Connection Is Interrupted?
-
VPN Negotiation and Interconnection
- What Devices Can Be Connected to Huawei Cloud Through a VPN?
- What Are VPN Negotiation Parameters? What Are Their Default Values?
- Is an IPsec VPN Connection Automatically Established?
- How Do I Configure a VPN on an On-premises Device? (Example of Configuring VPN on a Huawei USG6600 Series Firewall)
- Does VPN Support Interconnection with a Customer Gateway Through a Domain Name?
- How Many Tunnels Does My VPN Connection Have?
- How Do I Allow Specific Hosts to Access a VPC Subnet Through a Created VPN Connection?
- Do VPNs Have the DPD Function Enabled?
- How Can I Use Security Groups to Prevent VPN Access to Some ECSs in a VPC to Implement Security Isolation?
- Will a VPN Connection Be Re-established After Its Configuration Is Modified?
- Why Cannot I Initiate Negotiation from Amazon Web Services to Huawei Cloud After They Are Interconnected?
- How Do I Configure DPD for Interconnection with the Cloud?
- What Should I Do If My Firewall Cannot Receive Response Packets from the VPN Gateway in IKE Phase 1?
- What Should I Do If My Firewall Cannot Receive Response Packets from a VPN Subnet?
- How Many Bits Do the DH Groups Used by VPN Have?
-
Connection or Ping Failure
- Why Is a VPN Connection Always in Not Connected State After Its Configuration Is Complete?
- How Can I Prevent VPN Disconnections?
- How Do I Quickly Restore an Interrupted IPsec VPN Connection?
- What Will Happen If Traffic Exceeds the Bandwidth of a VPN Gateway?
- Is an IPsec VPN Connection Automatically Established?
- Why Cannot ECSs at the Two Ends of a Normal Cross-Region VPN Connection Ping Each Other?
- Why Cannot Subnets at the Two Ends of a Normal VPN Connection Access Each Other?
- What Do I Do If a VPN Connection Is Interrupted and a Message Indicating Data Flow Mismatch Is Displayed?
- What Do I Do If a VPN Connection Is Interrupted and a Message Indicating DPD Timeout Is Displayed?
- Why Is a VPN Connection in Not Connected State on the Management Console When It Is Already Available?
- Will I Be Notified If a VPN Connection Is Interrupted?
- What Do I Do If a VPN Connection Fails to Be Established?
- What Should I Do If I Cannot Access the ECSs on the Cloud from My On-premises Data Center or LAN After the VPN Connection Has Been Set Up?
- Why Is the State of a Successfully Created VPN Connection Displayed as Not Connected?
- Do VPNs Have the DPD Function Enabled?
-
Public Addresses
- Can the EIP of a VPN Gateway Be Retained After the VPN Gateway Is Deleted?
- Can EIPs Be Used as VPN Gateway IP Addresses?
- Do I Need to Purchase EIPs for Hosts to Communicate with Each Other Through a VPN?
- Why Does an ECS Have EIP Access Information After I Enable a VPN?
- Can My On-premises Gateway Have a Non-fixed Public IP Address?
- Route Configurations
-
Subnet Configurations
- What Are the Precautions for Configuring the Local and Customer Subnets for a VPN Connection?
- How Many Local and Customer Subnets Can I Add to a VPN?
- What Do I Do If an Exception Occurs When I Add a Customer Subnet During VPN Connection Creation?
- Can the EIP of a VPN Gateway Be Retained After the VPN Gateway Is Deleted?
- How Do I Plan CIDR Blocks for Access to a VPC Through a VPN Connection?
- How Is a VPN Gateway IP Address Allocated?
- VPN Interesting Traffic
- Keeping VPN Connections Alive
- Monitoring
-
Bandwidth and Network Speed
- How Is the Network Speed of a VPN Connection Tested?
- In Which Direction Is the VPN Bandwidth Limited? What Is the Unit of Bandwidth?
- How Do I Change the VPN Bandwidth?
- What Will Happen If Traffic Exceeds the Bandwidth of a VPN Gateway?
- Why Does the VPN Bandwidth Change Not Take Effect?
- What Are the Differences Between the Bandwidth of a VPN Connection and That of a Direct Connect Connection?
- How Do I Determine My VPN Bandwidth?
- Quotas
- Account Permissions
-
Popular Questions
-
FAQs - S2C Classic VPN
-
General Questions
- What Devices Can Be Connected to the Cloud Through a VPN?
- What Are VPN Negotiation Parameters? What Are Their Default Values?
- What Are the Categories of VPN Service Tickets? How Do I Create a VPN Service Ticket?
- Can I Deploy Applications on the Cloud, Databases in an On-premises Data Center, and Then Connect Them Through a VPN?
- Can I Visit Websites Across International Borders Using a VPN?
- What Is a VPN Connection? How Do I Set the Number of VPN Connections When Buying a VPN Gateway?
- Will I Be Notified If a VPN Connection Is Interrupted?
- Are a Username and Password Required for Creating an IPsec VPN Connection?
- What Are the Differences Between IPsec VPN and SSL VPN in Application Scenarios and Connection Modes?
- Will an IPsec VPN Connection Be Established Automatically?
- What Will I Be Charged for Creating a VPN? Will I Be Charged for VPN Gateway IP Addresses?
- Can a VPN Gateway IP Address Be Retained After the VPN Gateway Is Deleted?
- Which VPN Resources Can Be Monitored?
- Which Direction of the Bandwidth Is Limited and What Is the Unit of the Bandwidth?
- What Is the Actual Network Speed of a VPN Connection?
- Can a VPN Billed by Traffic Use a Shared Data Package?
- How Do I Change the Billing Mode of a VPN Gateway from Pay-Per-Use to Yearly/Monthly?
- What Are the Relationships Between a VPC, a VPN Gateway, and a VPN Connection?
- What Is a Remote Gateway and Remote Subnet in a VPN Connection?
- How Many VPN Connections Do I Need to Connect to Multiple On-premises Servers?
- Does a VPN Allow for Communications Between Two VPCs?
- What Are the Impacts of a VPN on an On-premises Network? What Are the Changes to the Route for Accessing an ECS?
- Can I Use a Network with Two Egresses to Establish Two VPN Connections with the Same VPC?
- How Can I Prevent VPN Disconnections?
- Why Is Not Connected Displayed as the Status for a Successfully Created VPN Connection?
- What Can I Do If VPN Connection Setup Fails?
- Can an EIP Be Used as a VPN Gateway IP Address?
- Why Is the VPN Connection Always in the Not Connected State Even After Its Configuration Is Complete?
- Which Remote VPN Devices Are Supported?
- Do I Need to Configure ACL Rules on the Console After I Configure ACL Rules on the On-premises Gateway Device?
-
Product Consultation
- What Are the Typical Scenarios of IPsec VPN?
- What Are a VPC, a VPN Gateway, and a VPN Connection?
- What Are the Relationships Between a VPC, a VPN Gateway, and a VPN Connection?
- What Is a VPN Connection? How Do I Set the Number of VPN Connections When Buying a VPN Gateway?
- What Is a Remote Gateway and Remote Subnet in a VPN Connection?
- How Do I Plan the CIDR Block of a VPC Accessed over a VPN Connection?
- Will an IPsec VPN Connection Be Established Automatically?
- What Are VPN Negotiation Parameters? What Are Their Default Values?
- What Devices Can Be Connected to the Cloud Through a VPN?
- Are a Username and Password Required for Creating an IPsec VPN Connection?
- How Do I Allow Specific Servers to Access a VPC Subnet Through a Created VPN Connection?
- Which VPN Resources Can Be Monitored?
- Can an EIP Be Used as a VPN Gateway IP Address?
- Do I Need to Purchase EIPs for Servers That Communicate with Each Other Through a VPN?
- Are SSL VPNs Supported?
- How Long Does It Take for Delivered VPN Configurations to Take Effect?
- What Should I Do If I Cannot Create Connections for a VPN Gateway That Has No Bandwidth Information?
- Does VPN Support IPv6?
- How Do I Determine My VPN Bandwidth Size?
- Which IKE Version Should I Select When I Create a VPN Connection?
- How Many Bits Do the DH Groups Used by VPN Have?
- Can I Visit Websites Across International Borders Using a VPN?
- Can I Deploy Applications on the Cloud, Databases in an On-premises Data Center, and Then Connect Them Through a VPN?
- What Are the Differences Between the Application Scenarios and Connection Modes of IPsec and SSL VPNs?
- What Will I Be Charged for Creating a VPN? Will I Be Charged for VPN Gateway IP Addresses?
- What Is the Difference Between Billing a VPN Gateway by Bandwidth and by Traffic?
- Can a VPN Billed by Traffic Use a Shared Data Package?
- Can a VPN Gateway IP Address Be Retained After the VPN Gateway Is Deleted?
- Do I Need to Purchase EIPs for Servers That Communicate with Each Other Through a VPN?
- Where Can I Add Routes on the VPN Console to Reach the Remote Subnets?
- Will I Be Notified If a VPN Connection Is Interrupted?
- What Can I Do If VPN Connection Setup Fails?
- Which Direction of the Bandwidth Is Limited and What Is the Unit of the Bandwidth?
-
Networking and Application Scenarios
- Can I Visit Websites Across International Borders Using a VPN?
- Can I Deploy Applications on the Cloud, Databases in an On-premises Data Center, and Then Connect Them Through a VPN?
- How Many VPN Connections Do I Need to Connect to Multiple On-premises Servers?
- Do I Need to Install IPsec Software on Each Server That Needs to Access an ECS to Establish a VPN Connection?
- What Are the Differences Between the Application Scenarios and Connection Modes of IPsec and SSL VPNs?
- Does a VPN Allow for Communications Between Two VPCs?
- What Are the Impacts of a VPN on an On-premises Network? What Are the Changes to the Route for Accessing an ECS?
- What Configurations Are Required at Both Ends of a VPN that Connects an On-premises Data Center to a VPC?
- Can I Use a Network with Two Egresses to Establish Two VPN Connections with the Same VPC?
- Can I Connect Two VPCs in the Same Region Through a VPN?
- How Can I Connect Two VPCs in the Same Region?
- How Do I Replace a Direct Connect Connection with a VPN?
- How Do I Enable Communications Between Two VPCs and an On-premises Network?
- How Do I Connect Four Subnets?
- Do I Need Two VPN Connections to Connect Four Subnets of Two Regions If Each Region Has Two Subnets?
- Can I Access OBS Through a VPN?
- How Do I Connect My Personal Computer to the Cloud Through a VPN?
- How Do I Access ECSs at Home When My Enterprise Network Has Been Connected to the Cloud Through a VPN?
- How Do I Establish a VPN Connection Temporarily If No IPsec-Capable On-Premises Device Is Available After I Purchase a VPN Gateway and VPN Connection?
- How Do I Select a Proper Region on the Cloud When I Am Buying a VPN Gateway?
-
Billing and Payments
- What Is the Difference Between Billing a VPN Gateway by Bandwidth and by Traffic?
- Can a VPN Billed by Traffic Use a Shared Data Package?
- For How Many VPN Connections Will I Be Charged to Connect VPCs in Different Regions of Huawei Cloud?
- How Do I Change the Billing Mode of a VPN Gateway from Pay-Per-Use to Yearly/Monthly?
- Will a Yearly/Monthly VPN Gateway Be Automatically Renewed?
- Can I Unsubscribe from a Yearly/Monthly VPN Gateway?
- When Will My VPN Resources Be Frozen? How Can I Unfreeze the VPN Resources?
-
Related Operations on the Console
- What Are the Relationships Between a VPC, a VPN Gateway, and a VPN Connection?
- How Long Does It Take for Delivered VPN Configurations to Take Effect?
- Why Is the VPN Connection Always in the Not Connected State Even After Its Configuration Is Complete?
- Can a VPN Gateway IP Address Be Retained After the VPN Gateway Is Deleted?
- Do I Need to Create a VPN Gateway or a VPN Connection for Creating a VPN? Which Information About a Created VPN Can Be Modified?
- Do I Need to Configure ACL Rules on the Console After I Configure ACL Rules on the On-premises Gateway Device?
- What Do I Do If an Exception Occurs When I Add a Remote Subnet During VPN Connection Creation?
- Where Can I Add Routes on the VPN Console to Reach the Remote Subnets?
- Can I Call APIs to Manage Huawei Cloud VPN Resources?
- What Is a Remote Gateway and Remote Subnet in a VPN Connection?
- How Do I Disable PFS When Creating a VPN Connection?
- How Many Local and Remote Subnets Can I Add to a VPN? Why Is an Error Message Displayed When I Update the Local Subnet by Specifying a CIDR Block?
- What Are the Precautions for Configuring the Local and Remote Subnets of a VPN Connection?
- Why the Status of a VPN Connection Is Not Connected on the Management Console When It Is Already Available?
- What Can I Do If a Message Is Displayed Indicating That the VPN Connection Does Not Exist After Negotiation Policies Are Modified?
- What Should I Do If I Cannot Create Connections for a VPN Gateway That Has No Bandwidth Information?
- How Do I Reset a VPN Connection?
- What Is the Maximum Bandwidth Supported by a VPN Gateway?
- Which IKE Version Should I Select When I Create a VPN Connection?
- Are a Username and Password Required for Creating an IPsec VPN Connection?
- Which VPN Resources Can Be Monitored?
- Will I Be Notified If a VPN Connection Is Interrupted?
-
VPN Negotiation and Interconnection
- What Devices Can Be Connected to the Cloud Through a VPN?
- What Are VPN Negotiation Parameters? What Are Their Default Values?
- Will an IPsec VPN Connection Be Established Automatically?
- How Should I Configure an On-premises Gateway When I Use a VPN to Connect to the Cloud?
- Does VPN Support Interconnection with a Remote Gateway Through a Domain Name?
- How Many Tunnels Does My VPN Connection Have?
- How Do I Allow Specific Servers to Access a VPC Subnet Through a Created VPN Connection?
- Do VPNs Have the DPD Function Enabled?
- How Can I Use Security Groups to Prevent ECSs in a VPC From Being Accessed Through a VPN to Implement Security Isolation?
- Will a VPN Connection Be Reestablished After Its Configuration Is Modified?
- Why Cannot I Initiate Negotiation from Amazon Web Services to Huawei Cloud After They Are Interconnected Through a VPN?
- How Do I Configure DPD for Interconnection with the Cloud?
- What Should I Do If My Firewall Cannot Receive Response Packets from the VPN Gateway in IKE Phase 1?
- What Should I Do If My Firewall Cannot Receive Response Packets from a VPN Subnet?
- How Many Bits Do the DH Groups Used by VPN Have?
- Which Remote VPN Devices Are Supported?
-
Connection or Ping Failure
- Why Is the VPN Connection Always in the Not Connected State Even After Its Configuration Is Complete?
- How Can I Prevent VPN Disconnections?
- How Do I Quickly Restore an Interrupted IPsec VPN Connection?
- What Happens If the Bandwidth of a VPN Gateway Exceeds the Size I Specified When I Create the Gateway?
- Will an IPsec VPN Connection Be Established Automatically?
- Why ECSs at Both Ends of a Normal Cross-Region VPN Connection Cannot Access Each Other?
- Why Subnets at Both Ends of a Normal VPN Connection Cannot Access Each Other?
- What Do I Do If a VPN Connection In Use Is Interrupted and a Message Is Displayed Indicating That Traffic from IP Addresses Not Whitelisted Generates?
- What Do I Do If a VPN Connection Is Interrupted and a Message Is Displayed Indicating That the DPD Times Out?
- Why the Status of a VPN Connection Is Not Connected on the Management Console When It Is Already Available?
- Will I Be Notified If a VPN Connection Is Interrupted?
- What Can I Do If VPN Connection Setup Fails?
- What Should I Do If I Cannot Access the ECSs on the Cloud from My On-premises Data Center or LAN After the VPN Connection Has Been Set Up?
- Why Is Not Connected Displayed as the Status for a Successfully Created VPN Connection?
- Do VPNs Have the DPD Function Enabled?
-
EIPs
- Can a VPN Gateway IP Address Be Retained After the VPN Gateway Is Deleted?
- Can an EIP Be Used as a VPN Gateway IP Address?
- Do I Need to Purchase EIPs for Servers That Communicate with Each Other Through a VPN?
- Why Does an ECS Have EIP Access Information After I Enable a VPN?
- Can My On-premises Gateway Have No Fixed Public IP Address?
- Route Configurations
-
Subnet Setting
- What Are the Precautions for Configuring the Local and Remote Subnets of a VPN Connection?
- How Many Local and Remote Subnets Can I Add to a VPN? Why Is an Error Message Displayed When I Update the Local Subnet by Specifying a CIDR Block?
- What Do I Do If an Exception Occurs When I Add a Remote Subnet During VPN Connection Creation?
- Can a VPN Gateway IP Address Be Retained After the VPN Gateway Is Deleted?
- How Do I Plan the CIDR Block of a VPC Accessed over a VPN Connection?
- How Is a VPN Gateway IP Address Allocated?
- What Is the Limitation on the Number of Local and Remote Subnets of a VPN?
- VPN Interesting Traffic
- Keeping VPN Connection Alive
- Monitoring
-
Bandwidth and Network Speed
- What Is the Actual Network Speed of a VPN Connection?
- Which Direction of the Bandwidth Is Limited and What Is the Unit of the Bandwidth?
- How Do I Change the VPN Bandwidth Size?
- What Happens If the Bandwidth of a VPN Gateway Exceeds the Size I Specified?
- Why Does the VPN Bandwidth Change Not Take Effect?
- Can a VPN Share Bandwidth with an EIP?
- What Are the Differences Between the Bandwidth of a VPN Connection and that of a Direct Connect Connection?
- How Do I Determine My VPN Bandwidth Size?
- Quotas
- Account Permissions
-
General Questions
- FAQs - P2C VPN
-
FAQs - S2C Enterprise Edition VPN
-
API Reference
- Before You Start
- API Overview
- Calling APIs
-
API
-
S2C VPN APIs
-
S2C VPN Gateway
- Creating a VPN Gateway
- Querying a Specified VPN Gateway
- Querying the VPN Gateway List
- Updating a VPN Gateway
- Changing the Specification of a Gateway
- Deleting a VPN Gateway
- Querying the AZs of VPN Gateways (V5)
- Querying the AZs of VPN Gateways (V5.1)
- Uploading Certificates for a VPN Gateway
- Querying VPN Gateway Certificate Details
- Updating Certificate Information of a VPN Gateway
- Customer Gateway
- VPN Connection
- VPN Connection Monitoring
-
S2C VPN Gateway
-
P2C VPN APIs
- P2C VPN Gateway
-
Server
- Creating a VPN Server
- Querying a VPN Server Based on a Specified Gateway ID
- Modifying a VPN Server
- Exporting the Client Configuration Corresponding to a VPN Server
- Querying All VPN Servers of a Tenant
- Verifying a Client CA Certificate
- Uploading a Client CA Certificate
- Querying a Client CA Certificate
- Modifying a Client CA Certificate
- Deleting a Client CA Certificate
- Modifying the Connection Log Configuration of a P2C VPN Gateway
- Querying the Connection Log Configuration of a P2C VPN Gateway
- Deleting the Connection Log Configuration of a P2C VPN Gateway
-
User Management
- Creating a VPN User
- Creating VPN Users in Batches
- Querying a VPN User
- Querying the VPN User List
- Modifying a VPN User
- Deleting a VPN User
- Deleting VPN Users in Batches
- Changing the Password of a VPN User
- Resetting the Password of a VPN User
- Creating a VPN User Group
- Querying a VPN User Group
- Querying the VPN User Group List
- Modifying a VPN User Group
- Deleting a VPN User Group
- Adding a VPN User to a Group
- Removing a VPN User from a Group
- Querying VPN Users in a Group
- Access Policy
- Public Service APIs
-
S2C VPN APIs
- Application Examples
- Permissions and Supported Actions
- Appendixes
- Change History
-
More Documents
-
User Guide (ME-Abu Dhabi Region)
- Overview
- Getting Started
- Management
- Best Practice
-
FAQs
- Do IPsec VPNs Support Automatic Negotiation?
- What Do I Do If VPN Connection Setup Fails?
- What Should I Do If I Cannot Access the ECSs on the Cloud from My Data Center or LAN Even If the VPN Has Been Set Up?
- What Should I Do If I Cannot Access My Data Center or LAN from the ECSs After a VPN Connection Has Been Set Up?
- Does a VPN Allow for Communication Between Two VPCs?
- What Is the Limitation on the Number of Local and Remote Subnets of a VPN?
- Why Is Not Connected Displayed as the Status for a Successfully Created VPN?
- How Long Is Required for Issued VPN Configurations to Take Effect?
- How Do I Configure a Remote Device for a VPN?
- Which Remote VPN Devices Are Supported?
- What Should I Do If the VPN Connection Fails or the Network Speed of the VPN Connection Is Slow?
- Are SSL VPNs Supported?
- Change History
-
User Guide (Paris Regions)
- Overview
- Getting Started
- Management
- Best Practice
-
FAQs
- Do IPsec VPNs Support Automatic Negotiation?
- What Do I Do If VPN Connection Setup Fails?
- What Should I Do If I Cannot Access the ECSs on the Cloud from My Data Center or LAN Even If the VPN Has Been Set Up?
- What Should I Do If I Cannot Access My Data Center or LAN from the ECSs After a VPN Connection Has Been Set Up?
- Does a VPN Allow for Communication Between Two VPCs?
- What Is the Limitation on the Number of Local and Remote Subnets of a VPN?
- Why Is Not Connected Displayed as the Status for a Successfully Created VPN?
- How Long Is Required for Issued VPN Configurations to Take Effect?
- How Do I Configure a Remote Device for a VPN?
- Which Remote VPN Devices Are Supported?
- What Should I Do If the VPN Connection Fails or the Network Speed of the VPN Connection Is Slow?
- Are SSL VPNs Supported?
- Change History
-
User Guide (Kuala Lumpur Region)
- Overview
- Getting Started
- Management
- Best Practice
-
FAQs
- Do IPsec VPNs Support Automatic Negotiation?
- What Do I Do If VPN Connection Setup Fails?
- What Should I Do If I Cannot Access the ECSs on the Cloud from My Data Center or LAN Even If the VPN Has Been Set Up?
- What Should I Do If I Cannot Access My Data Center or LAN from the ECSs After a VPN Connection Has Been Set Up?
- Does a VPN Allow for Communication Between Two VPCs?
- What Is the Limitation on the Number of Local and Remote Subnets of a VPN?
- Why Is Not Connected Displayed as the Status for a Successfully Created VPN?
- How Long Is Required for Issued VPN Configurations to Take Effect?
- How Do I Configure a Remote Device for a VPN?
- Which Remote VPN Devices Are Supported?
- What Should I Do If the VPN Connection Fails or the Network Speed of the VPN Connection Is Slow?
- Are SSL VPNs Supported?
- Change History
-
User Guide (Ankara Region)
- Overview
- Getting Started
- Management
- Best Practice
- Troubleshooting
-
FAQs
-
Enterprise Edition VPN
- What Are the Typical Scenarios of IPsec VPN?
- What Are a VPC, a VPN Gateway, and a VPN Connection?
- How Do I Plan CIDR Blocks for Access to a VPC Through a VPN Connection?
- Is an IPsec VPN Connection Automatically Established?
- Are a Username and Password Required for Creating an IPsec VPN Connection?
- What VPN Resources Can Be Monitored?
- Can EIPs Be Used as VPN Gateway IP Addresses?
- Which IKE Version Should I Select When I Create a VPN Connection?
- What Do I Do If a VPN Connection Fails to Be Established?
-
Classic VPN
- What Are the Differences Between the Application Scenarios and Connection Modes of IPsec and SSL VPNs?
- Where Can I Add Routes on the VPN Console to Reach the Remote Subnets?
- Will I Be Notified If a VPN Connection Is Interrupted?
- How Many VPN Connections Do I Need to Connect to Multiple On-premises Servers?
- What Are the Impacts of a VPN on an On-premises Network? What Are the Changes to the Route for Accessing an ECS?
- How Do I Replace a Direct Connect Connection with a VPN?
- How Do I Access ECSs at Home When My Enterprise Network Has Been Connected to the Cloud Through a VPN?
- How Do I Configure DPD for Interconnection with the Cloud?
- Why Is Not Connected Displayed as the Status for a Successfully Created VPN Connection?
-
Enterprise Edition VPN
- Change History
-
API Reference (Ankara Region)
- Before You Start
- API Overview
- Calling APIs
-
API
-
Enterprise Edition VPN API
-
VPN Gateway
- Creating a VPN Gateway
- Querying a Specified VPN Gateway
- Querying the VPN Gateway List
- Updating a VPN Gateway
- Changing the Specification of a Gateway
- Deleting a VPN Gateway
- Querying the AZs of VPN Gateways
- Uploading Certificates for a VPN Gateway
- Querying VPN Gateway Certificate Details
- Updating Certificate Information of a VPN Gateway
- Customer Gateway
- VPN Connection
- VPN Connection Monitoring
-
VPN Gateway
- Public Service APIs
-
Enterprise Edition VPN API
- Application Examples
- Permissions and Supported Actions
- Appendixes
- Change History
-
User Guide (ME-Abu Dhabi Region)
- General Reference
On this page
Help Center/
Virtual Private Network/
FAQs/
FAQs - S2C Enterprise Edition VPN/
General Consulting/
Which IKE Version Should I Select When I Create a VPN Connection?
Copied.
Which IKE Version Should I Select When I Create a VPN Connection?
IKEv2 is recommended because IKEv1 is not secure. In addition, IKEv2 outperforms IKEv1 in connection negotiation and establishment, authentication methods, dead peer detection (DPD) timeout processing, and security association (SA) timeout processing.
IKEv2 will be widely used, and IKEv1 will gradually phase out.
Introduction to IKEv1 and IKEv2
- As a hybrid protocol, IKEv1 brings some security and performance defects due to its complexity. As such, it has become a bottleneck in the IPsec system.
- IKEv2 addresses the issues of IKEv1 while retaining basic functions of IKEv1. IKEv2 is more simplified, efficient, secure, and robust than IKEv1. Additionally, IKEv2 is defined by RFC 4306 in a single document, whereas IKEv1 are defined in multiple documents. By minimizing core functions and default password algorithms, IKEv2 greatly improves interoperability between different IPsec VPNs.
Security Risks of IKEv1
- The cryptographic algorithms supported by IKEv1 have not been updated for more than 10 years. In addition, IKEv1 does not support strong cryptographic algorithms such as AES-GCM and ChaCha20-Poly1305. For IKEv1, the E (Encryption) bit in the ISALMP header specifies that the payloads following the ISALMP header are encrypted, but any data integrity verification of those payloads is handled by a separate hash payload. This separation of encryption from data integrity protection prevents the use of authenticated encryption (AES-GCM) with IKEv1.
- IKEv1 is vulnerable to DoS amplification attacks and half-open connection attacks. After responding to spoofed packets, the responder maintains initiator-responder relationships, consuming a large number of system resources.
- The aggressive mode of IKEv1 is not secure. In this mode, information packets are not encrypted, posing risks of information leakage. There are also brute-force attacks targeting at the aggressive mode, such as man-in-the-middle attacks.
Differences Between IKEv1 and IKEv2
- Negotiation process
- IKEv1 is complex and consumes a large amount of bandwidth. IKEv1 SA negotiation consists of two phases. In IKEv1 phase 1, an IKE SA is established in either main mode or aggressive mode. Main mode requires three exchanges between peers totaling six ISAKMP messages, whereas aggressive mode requires two exchanges totaling three ISAKMP messages. Aggressive mode is faster, but does not provide identity protection for peers as key exchange and identity authentication are performed simultaneously. In IKEv1 phase 2, IPsec SAs are established through three ISAKMP messages in quick mode.
- Compared with IKEv1, IKEv2 simplifies the SA negotiation process. IKEv2 requires only two exchanges, totaling four messages, to establish an IKE SA and a pair of IPsec SAs. To create multiple pairs of IPsec SAs, only one additional exchange is needed for each additional pair of SAs.
NOTE:
For IKEv1 negotiation, its main mode involves nine (6+3) messages, and its aggressive mode involves six (3+3) messages. In contrast, IKEv2 negotiation requires only four (2+2) messages.
- Authentication methods
- Only IKEv1 (requiring an encryption card) supports digital envelope authentication (HSS-DE).
- IKEv2 supports Extensible Authentication Protocol (EAP) authentication. IKEv2 can use an AAA server to remotely authenticate mobile and PC users and assign private IP addresses to these users. IKEv1 does not provide this function and must use L2TP to assign private IP addresses.
- Only IKEv2 supports IKE SA integrity algorithms.
- DPD timeout processing
- Only IKEv1 supports the retry-interval parameter. If a device sends a DPD packet but receives no reply within the specified retry-interval, the device records a DPD failure event. When the number of DPD failure events reaches 5, both the IKE SA and IPsec SAs are deleted. IKE SA negotiation will start again only when there is traffic to be transmitted over the IPsec tunnel.
- In IKEv2, the retransmission interval increases from 1, 2, 4, 8, 16, 32 to 64, in seconds. If no reply is received within eight consecutive transmissions, the peer end is considered dead, and the IKE SA and IPsec SAs are deleted.
- IKE SA timeout processing and IPsec SA timeout processing
In IKEv2, the IKE SA soft lifetime is 9/10 of the IKE SA hard lifetime plus or minus a random number. This reduces the likelihood that two ends initiate renegotiation simultaneously. Therefore, you do not manually set the soft lifetime in IKEv2.
Advantages of IKEv2 over IKEv1
- Simplifies the SA negotiation process, improving efficiency.
- Fixes many cryptographic security vulnerabilities, improving security.
- Supports EAP authentication, improving authentication flexibility and scalability.
EAP is an authentication protocol that supports multiple authentication methods. The biggest advantage of EAP is its scalability. That is, new authentication methods can be added without changing the original authentication system. EAP authentication has been widely used in dial-up access networks.
- Employs an Encrypted Payload on basis of ESP. This payload contains both an encryption algorithm and a data integrity algorithm. AES-GCM ensures confidentiality, integrity, and authentication, and works well with IKEv2.
Parent topic: General Consulting
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
The system is busy. Please try again later.
For any further questions, feel free to contact us through the chatbot.
Chatbot
