tencent cloud


Creating VPN Tunnel

Last updated: 2022-03-24 10:07:43

    A VPN tunnel is an encrypted public network tunnel used to transmit data packets in a VPN connection. The VPN tunnel on Tencent Cloud uses the IKE (Internet Key Exchange) protocol to establish a session when implementing IPsec. Featuring a self-protection mechanism, IKE can securely verify identities, distribute keys, and establish IPSec sessions on insecure networks. This document describes how to create a VPN tunnel on the VPC console.

    The following configuration information is required to create a VPN tunnel:


    • The VPN gateway and customer gateway have been configured.
    • The VPN gateway IP range and customer IP range cannot overlap.
    • The customer IDC must be configure with a static public IP.


    1. Log in to the VPC console.
    2. Click VPN Connection > VPN Tunnel on the left sidebar to go to the management page.
    3. Click Create on the VPN Tunnel management page.
    4. Configure the basic information of the VPN tunnel in the pop-up dialog box.
    Parameter Name Notes
    Tunnel Name A custom tunnel name with up to 60 characters
    Region It is the same as the region of VPN gateway.
    VPN Gateway Type VPC or CCN
    VPC Select the VPC of the VPN gateway only when the VPN Gateway Type is VPC. This parameter is not available for CCN-based VPN gateways.
    VPN Gateway Select a VPN gateway from the list.
    Customer Gateway Select an existing customer gateway. Or you can create a new one.
    Customer Gateway IP The public IP address of the customer gateway.
    Pre-shared Key Used for identity authentication between the VPN gateway and customer gateway. The two peers must use the same pre-shared key.
    Enable Health Check Used to enable/disable health check and check the health status of the linkage. Disabled by default.
    VPN Gateway IP Address for Health Check It’s only required when the health check is enabled. It should be an available IP outside the VPC IP range.
    Customer Gateway IP Address for Health Check It’s only required when the health check is enabled. It should be an available IP within the IDC IP range. Note that the following IP addresses are not allowed:,, and
    Tag (Optional) Attach a tag to the network resource as you need for easy management.
    1. Click Next to go to the SPD Policy configuration page.

    2. Configure the SPD policy.


      • An SPD policy consists of a series of SPD rules to specify the IP ranges in a VPC or CCN and an IDC that can communicate with each other. Each SPD rule contains one VPN gateway CIDR block and at least one customer gateway CIDR block. A CIDR block and a customer gateway CIDR block form a mapping. An SPD rule may involve multiple mappings.
      • The rules for all tunnels of the same VPN gateway cannot contain overlapped mappings. In other words, the VPN gateway IP range and customer gateway IP range in a mapping cannot have a duplicate address range.

    As shown in the figure below, a VPN gateway has the following SPD rules:

    • SPD rule 1: the VPN gateway IP range is, and the customer gateway IP ranges are and Two mappings are formed.
    • SPD rule 2: the VPN gateway IP range is, and the customer gateway IP range is One mapping is formed.
    • SPD rule 3: the VPN gateway IP range is, and the customer gateway IP range is One mapping is formed.
      There are four mappings as follows:
      Note that the mapping rules cannot overlap with each other, which means that the VPN and customer gateway IP range of a rule cannot be both overlapped with the two corresponding IP ranges of another rule.
    • Suppose that you want to add a new mapping between The operation fails as the combination of VPN gateway IP and customer gateway IP already exists.
    • You can add a new mapping between and as it does not overlap with any of the existing mappings.

    7.Click Next to go to the IKE Configuration (Optional) page. If no advanced configuration is required, click Next directly.

    Configuration Item Notes
    Version IKE V1, IKE V2
    Identity Verification Method Default pre-shared key
    Encryption Algorithm The encryption algorithm supports AES-128, AES-192, AES-256, 3DES, and DES
    Verification Algorithm The identity verification algorithm. MD5 and SHA1 supported.
    Negotiation Mode Main mode and Aggressive mode supported
    In aggressive mode, more information can be sent with fewer packets so that a connection can be established quickly, but the identity of a security gateway is sent in plain text. The configuration parameters such as Diffie-Hellman and PFS cannot be negotiated and they must have compatible configurations.
    VPN Gateway Identifier IP Address and FQDN (full domain name) supported. IP Address by default
    Customer Gateway Identifier IP Address and FQDN supported. IP Address by default
    DH group Specifies the DH group used during IKE. The security of key exchange increases as the DH group expands, but the exchange may take a longer period.
    DH1: DH group that uses the 768-bit modular exponential (MODP) algorithm
    DH 2: DH group that uses the 1,024-bit MODP algorithm
    DH5: DH group that uses the 1,536-bit MODP algorithm
    DH14: DH group that uses the 2,048-bit MODP algorithm. Dynamic VPN is not supported for this option
    DH 24: DH group that uses the 2,048-bit MODP algorithm with a 256-bit prime order subgroup.
    IKE SA Lifetime Unit: second
    SA lifetime proposed for IKE security. Before a preset lifetime expires, another SA is negotiated in advance to replace the old one. The old SA is used before a new one is negotiated. The new SA is used immediately after establishment, and the old one is automatically cleared after its lifetime expires.

    8.Go to the IPsec configuration (Optional) page. Directly click Finish if no advanced configuration is required.

    Configuration Item Notes
    Encryption Algorithm 3DES, AES-128, AES-192, and AES-256 supported
    Verification Algorithm MD5 and SHA1 supported
    Packet Encapsulation Mode Tunnel
    Security Protocol ESP
    PFS disable, DH-GROUP1, DH-GROUP2, DH-GROUP5, DH-GROUP14, and DH-GROUP24 supported
    IPsec SA lifetime(s) Unit: s
    IPsec SA lifetime(KB Unit: KB
    1. After the VPN tunnel is successfully created, return to the VPN tunnel list page and click More. Choose Download config file to complete the download.
    2. Other operations:
      1. Clicking Reset will clear existing tunnel configurations. This operation will interrupt data transmission over the existing VPN tunnel and reestablish the connection. Please get ready for network change in advance.
      2. Click More > Log to view the tunnel log.
      3. Click More > Delete to delete the tunnel. Unconnected tunnels can be deleted.
      4. Click More > Download config file to download the tunnel configuration file. This file can be uploaded to the customer VPN device.
      5. Click More > Edit Tag to modify tags.
    Contact Us

    Contact our sales team or business advisors to help your business.

    Technical Support

    Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

    7x24 Phone Support