A VPN tunnel is an encrypted tunnel over the public network used to transmit data packets in a VPN connection. The VPN tunnel on Tencent Cloud uses the IKE (Internet Key Exchange) protocol to establish a session when implementing IPsec. With its self-protection mechanism, IKE can securely verify identities, distribute keys, and establish IPsec sessions over insecure networks. This document describes how to create a VPN tunnel in the VPC console.
The following configuration information is required to create a VPN tunnel:
| Parameter | Description |
|---|---|
| Tunnel Name | A custom tunnel name of up to 60 characters. |
| Region | The same as the region of the VPN gateway. |
| VPN Gateway Type | VPC or CCN. |
| VPC | Select the VPC of the VPN gateway. Shown only when the VPN Gateway Type is VPC; this parameter is not available for CCN-based VPN gateways. |
| VPN Gateway | Select a VPN gateway from the list. |
| Customer Gateway | Select an existing customer gateway, or create a new one. |
| Customer Gateway IP | The public IP address of the customer gateway. |
| Pre-shared Key | Used for identity authentication between the VPN gateway and the customer gateway. The two peers must use the same pre-shared key. |
| Enable Health Check | Enables or disables health checks on the link. Disabled by default. |
| VPN Gateway IP Address for Health Check | Required only when the health check is enabled. Must be an available IP address outside the VPC IP range. |
| Customer Gateway IP Address for Health Check | Required only when the health check is enabled. Must be an available IP address within the IDC IP range. The following IP addresses are not allowed: 169.254.0.0/16, 184.108.40.206-220.127.116.11, and 0.0.0.0. |
| Tag | (Optional) Attach a tag to the network resource for easier management. |
Click Next to go to the SPD Policy configuration page.
- An SPD policy consists of a series of SPD rules that specify which IP ranges in a VPC or CCN and in an IDC can communicate with each other. Each SPD rule contains one VPN gateway CIDR block and at least one customer gateway CIDR block. The VPN gateway CIDR block and one customer gateway CIDR block form a mapping, so an SPD rule may contain multiple mappings.
- The rules for all tunnels of the same VPN gateway cannot contain overlapping mappings. In other words, the VPN gateway IP range and the customer gateway IP range of one mapping cannot duplicate the address ranges of another mapping.
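The overlap rule above is easy to get wrong by hand once a gateway carries several tunnels. The following added example (not Tencent Cloud's code) expands each SPD rule into its mappings and reports pairs that collide; it assumes two mappings conflict when both their VPN-side and customer-side CIDR blocks overlap, and the rule set and CIDR values are constructed sample input.

```python
from ipaddress import ip_network
from itertools import combinations

# One SPD rule: one VPN gateway (VPC/CCN side) CIDR block paired with
# one or more customer gateway (IDC side) CIDR blocks.
def expand_rule(tunnel, vpn_cidr, customer_cidrs):
    """Return the (tunnel, vpn_net, customer_net) mappings an SPD rule creates.
    strict=True rejects blocks with host bits set, e.g. 10.0.1.5/24."""
    vpn_net = ip_network(vpn_cidr, strict=True)
    return [(tunnel, vpn_net, ip_network(c, strict=True)) for c in customer_cidrs]

def mappings_overlap(a, b):
    """Assumption: two mappings collide when both their VPN-side and
    customer-side ranges overlap, which makes traffic selection ambiguous."""
    return a[1].overlaps(b[1]) and a[2].overlaps(b[2])

def find_conflicts(rules):
    """rules: list of (tunnel, vpn_cidr, [customer_cidrs]) for ONE VPN gateway.
    Returns the conflicting mapping pairs; an empty list means the SPD set is valid."""
    mappings = [m for rule in rules for m in expand_rule(*rule)]
    return [(a, b) for a, b in combinations(mappings, 2) if mappings_overlap(a, b)]

def describe(conflicts):
    """Human-readable one-liner per conflict, useful in a pre-change check."""
    return [f"{a[0]} {a[1]}->{a[2]} overlaps {b[0]} {b[1]}->{b[2]}"
            for a, b in conflicts]

# Constructed sample: three tunnels on the same VPN gateway. tunnel-B reuses
# part of tunnel-A's VPC range toward an IDC range inside A's, so it conflicts;
# tunnel-C uses a different VPC range, so it is fine.
SAMPLE_RULES = [
    ("tunnel-A", "10.0.0.0/16", ["192.168.1.0/24", "192.168.2.0/24"]),
    ("tunnel-B", "10.0.5.0/24", ["192.168.1.128/25"]),
    ("tunnel-C", "10.1.0.0/16", ["192.168.1.0/24"]),
]

if __name__ == "__main__":
    for line in describe(find_conflicts(SAMPLE_RULES)):
        print(line)
```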
As shown in the figure below, a VPN gateway has the following SPD rules:
IKE configuration parameters:

| Parameter | Description |
|---|---|
| Version | IKE V1 or IKE V2. |
| Identity Verification Method | Pre-shared key (default). |
| Encryption Algorithm | AES-128, AES-192, AES-256, 3DES, and DES supported. |
| Verification Algorithm | The identity verification algorithm. MD5 and SHA1 supported. |
| Negotiation Mode | Main mode and Aggressive mode supported. In aggressive mode, more information is sent in fewer packets so that the connection is established faster, but the identity of the security gateway is sent in plaintext. Parameters such as the Diffie-Hellman group and PFS are not negotiated in this mode and must be configured compatibly on both peers. |
| VPN Gateway Identifier | IP Address and FQDN (fully qualified domain name) supported. IP Address by default. |
| Customer Gateway Identifier | IP Address and FQDN supported. IP Address by default. |
| DH group | Specifies the DH group used during IKE. The security of the key exchange increases with larger DH groups, but the exchange may take longer.<br>DH1: DH group that uses the 768-bit modular exponential (MODP) algorithm.<br>DH2: DH group that uses the 1,024-bit MODP algorithm.<br>DH5: DH group that uses the 1,536-bit MODP algorithm.<br>DH14: DH group that uses the 2,048-bit MODP algorithm. Dynamic VPN is not supported for this option.<br>DH24: DH group that uses the 2,048-bit MODP algorithm with a 256-bit prime-order subgroup. |
| IKE SA Lifetime | Unit: second. The SA lifetime proposed for the IKE SA. Before the preset lifetime expires, a new SA is negotiated in advance to replace the old one; the old SA stays in use until the new one is negotiated, the new SA is used immediately after it is established, and the old one is cleared automatically when its lifetime expires. |
IPsec configuration parameters:

| Parameter | Description |
|---|---|
| Encryption Algorithm | 3DES, AES-128, AES-192, and AES-256 supported. |
| Verification Algorithm | MD5 and SHA1 supported. |
| Packet Encapsulation Mode | Tunnel. |
| PFS | disable, DH-GROUP1, DH-GROUP2, DH-GROUP5, DH-GROUP14, and DH-GROUP24 supported. |
| IPsec SA lifetime (s) | Unit: second. |
| IPsec SA lifetime (KB) | Unit: KB. |