A VPN tunnel is an encrypted tunnel across a public network that carries the data packets of a VPN connection. The VPN tunnel on Tencent Cloud uses the IKE (Internet Key Exchange) protocol to establish a session when implementing IPsec. Featuring a self-protection mechanism, IKE can securely verify identities, distribute keys, and establish IPsec sessions over insecure networks. This document describes how to create a VPN tunnel in the VPC console.
The following configuration information is required to create a VPN tunnel:
Parameter Name | Notes |
---|---|
Tunnel Name | A custom tunnel name with up to 60 characters |
Region | It is the same as the region of VPN gateway. |
VPN Gateway Type | VPC or CCN |
VPC | Select the VPC of the VPN gateway only when the VPN Gateway Type is VPC. This parameter is not available for CCN-based VPN gateways. |
VPN Gateway | Select a VPN gateway from the list. |
Customer Gateway | Select an existing customer gateway. Or you can create a new one. |
Customer Gateway IP | The public IP address of the customer gateway. |
Pre-shared Key | Used for identity authentication between the VPN gateway and customer gateway. The two peers must use the same pre-shared key. |
Enable Health Check | Used to enable/disable the health check, which monitors the health status of the link. Disabled by default. |
VPN Gateway IP Address for Health Check | It’s only required when the health check is enabled. It should be an available IP outside the VPC IP range. |
Customer Gateway IP Address for Health Check | It’s only required when the health check is enabled. It should be an available IP within the IDC IP range. Note that the following IP addresses are not allowed: 169.254.0.0/16, 224.0.0.0-239.255.255.255, and 0.0.0.0. |
Tag | (Optional) Attach a tag to the network resource as you need for easy management. |
Click Next to go to the SPD Policy configuration page.
Note:
- An SPD policy consists of a series of SPD rules that specify which IP ranges in a VPC or CCN and in an IDC can communicate with each other. Each SPD rule contains one VPN gateway CIDR block and at least one customer gateway CIDR block. A VPN gateway CIDR block and a customer gateway CIDR block form a mapping, so an SPD rule may involve multiple mappings.
- The rules for all tunnels of the same VPN gateway cannot contain overlapped mappings. In other words, the VPN gateway IP range and customer gateway IP range in a mapping cannot have a duplicate address range.
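The overlap rule above is easy to violate once several tunnels hang off one gateway, so the following added example (not Tencent Cloud's code) checks a set of planned SPD rules before they are entered in the console. It assumes, as an interpretation of the note, that two mappings conflict when their VPN gateway ranges overlap and their customer gateway ranges overlap; the rules and tunnel names are constructed.

```python
import ipaddress
from itertools import combinations

# Constructed SPD rules for the tunnels of one VPN gateway (not taken from the page).
# Each rule: (tunnel name, VPN gateway CIDR block, [customer gateway CIDR blocks]).
# Every (VPN CIDR, customer CIDR) pair is one mapping; a rule may carry several.
RULES = [
    ("tunnel-a", "10.0.1.0/24", ["192.168.10.0/24", "192.168.11.0/24"]),
    ("tunnel-b", "10.0.2.0/24", ["192.168.10.0/24"]),    # same IDC range, other VPC subnet: allowed
    ("tunnel-c", "10.0.1.0/25", ["192.168.11.128/25"]),  # overlaps tunnel-a on both sides: rejected
]


def expand_mappings(rules):
    """Flatten the rules into (tunnel, vpn_net, customer_net) mappings."""
    mappings = []
    for tunnel, vpn_cidr, customer_cidrs in rules:
        if not customer_cidrs:
            raise ValueError(f"{tunnel}: an SPD rule needs at least one customer gateway CIDR block")
        vpn_net = ipaddress.ip_network(vpn_cidr, strict=True)
        for cust_cidr in customer_cidrs:
            mappings.append((tunnel, vpn_net, ipaddress.ip_network(cust_cidr, strict=True)))
    return mappings


def find_overlapping_mappings(rules):
    """Return the pairs of mappings that overlap on both the VPN side and the customer side.

    Assumption about the console rule: a conflict needs overlap on both sides, because that is
    when one packet could match two tunnels. Pairs within one tunnel are checked as well.
    """
    conflicts = []
    for (t1, v1, c1), (t2, v2, c2) in combinations(expand_mappings(rules), 2):
        if v1.overlaps(v2) and c1.overlaps(c2):
            conflicts.append((t1, str(v1), str(c1), t2, str(v2), str(c2)))
    return conflicts


if __name__ == "__main__":
    for conflict in find_overlapping_mappings(RULES):
        print("overlapping mappings:", conflict)
```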
Example:
As shown in the figure below, a VPN gateway has the following SPD rules:
7. Click Next to go to the IKE Configuration (Optional) page. If no advanced configuration is required, click Next directly.
Configuration Item | Notes |
---|---|
Version | IKE V1, IKE V2 |
Identity Verification Method | Default pre-shared key |
Encryption Algorithm | AES-128, AES-192, AES-256, 3DES, and DES supported |
Verification Algorithm | The identity verification algorithm. MD5 and SHA1 supported. |
Negotiation Mode | Main mode and Aggressive mode supported. In aggressive mode, more information can be sent with fewer packets so that a connection can be established quickly, but the identity of the security gateway is sent in plain text. Configuration parameters such as Diffie-Hellman and PFS cannot be negotiated and must be configured compatibly on both peers. |
VPN Gateway Identifier | IP Address and FQDN (fully qualified domain name) supported. IP Address by default |
Customer Gateway Identifier | IP Address and FQDN supported. IP Address by default |
DH group | Specifies the DH group used during IKE. The security of the key exchange increases with the size of the DH group, but the exchange may take longer. DH1: DH group that uses the 768-bit modular exponential (MODP) algorithm; DH2: DH group that uses the 1,024-bit MODP algorithm; DH5: DH group that uses the 1,536-bit MODP algorithm; DH14: DH group that uses the 2,048-bit MODP algorithm (Dynamic VPN is not supported for this option); DH24: DH group that uses the 2,048-bit MODP algorithm with a 256-bit prime order subgroup. |
IKE SA Lifetime | Unit: second. The SA lifetime proposed for IKE security. Before the preset lifetime expires, another SA is negotiated in advance to replace the old one. The old SA remains in use until the new one is negotiated; the new SA is used immediately after establishment, and the old one is automatically cleared when its lifetime expires. |
8. Go to the IPsec Configuration (Optional) page. Click Finish directly if no advanced configuration is required.
Configuration Item | Notes |
---|---|
Encryption Algorithm | 3DES, AES-128, AES-192, and AES-256 supported |
Verification Algorithm | MD5 and SHA1 supported |
Packet Encapsulation Mode | Tunnel |
Security Protocol | ESP |
PFS | disable, DH-GROUP1, DH-GROUP2, DH-GROUP5, DH-GROUP14, and DH-GROUP24 supported |
IPsec SA Lifetime (s) | Unit: second |
IPsec SA Lifetime (KB) | Unit: KB |