Creating a VPN Tunnel

Last updated: 2022-09-21 19:47:41

    A VPN tunnel is an encrypted tunnel over the public network that carries the data packets of a VPN connection. Tencent Cloud VPN tunnels use IPsec, with the IKE (Internet Key Exchange) protocol negotiating the session: IKE authenticates the two gateways, exchanges keys, and establishes the IPsec security associations (SAs) over an untrusted network. This document describes how to create a VPN tunnel in the console. You can also manage VPN tunnels through APIs and SDKs; for more information, see API Documentation.

    The following configuration information is required to create a VPN tunnel:

    Prerequisites

    Directions

    1. Log in to the VPC console.
    2. Click VPN Connections > VPN tunnel to enter the management page.
    3. In the VPN Connections page, click Create.
    4. Configure the basic information of the VPN tunnel in the pop-up dialog box.
      Parameter: Description
      Tunnel name: Custom tunnel name of at most 60 characters.
      Region: The region of the VPN gateway with which the new tunnel will be associated.
      VPN gateway type: VPC VPN or CCN VPN. For more information on the two VPN gateway types, see Overview.
      VPC: Select the VPC of the VPN gateway. Shown only when the VPN gateway type is VPC; a VPN gateway for CCN has no such parameter.
      VPN gateway: Select a VPN gateway from the list.
      Customer gateway: Select an existing customer gateway, or create one first.
      Customer gateway IP: The public IP address of the customer gateway.
      Enable DPD: Dead peer detection (DPD) is enabled by default and checks whether the peer is still alive. If no response to a DPD request sent by the local end arrives within the timeout period, the peer is considered offline and the DPD timeout action is performed.
      DPD timeout period: The overall DPD timeout period. Valid range: 30-60 s. Default: 30 s.
      DPD timeout action:
      • Disconnect: The current SA is cleared and the VPN tunnel is disconnected.
      • Retry: Reconnect to the peer.
      Pre-shared key: Used to authenticate the local and customer gateways to each other; both sides must be configured with the same pre-shared key. Use a long, randomly generated key.
      Negotiation type:
      • Traffic-triggered: After the tunnel is created, negotiation starts when traffic destined for the tunnel arrives at the local end.
      • Active: After the tunnel is created, the local end immediately initiates negotiation with the peer.
      • Passive: The local end waits for the peer to initiate negotiation.
      Enable health check: Health check is used for primary/secondary tunnels. For more information, see Connecting IDC to a Single Tencent Cloud VPC for Primary/Secondary Disaster Recovery. If your business does not use primary/secondary tunnels, leave this feature disabled (the default); otherwise, configure the local and peer health check addresses as instructed in Configuring Health Checks.
      Note:

      Once health check is enabled and the tunnel is created, the system immediately starts network quality analysis (NQA) probes to check the health of the tunnel. If the tunnel is not up, or the configured peer address does not answer the NQA probes, the system marks the tunnel unhealthy after several consecutive probe failures and stops forwarding business traffic over it until it recovers.

      VPN gateway IP for health check: Required only when health check is enabled. Use the IP address assigned by the system or specify your own.
      Note:

      The specified address must not overlap with the private IP ranges of the VPC, CCN, or IDC, or with the peer health check address, and must not be a multicast, broadcast, or loopback address.

      Customer gateway IP for health check: Required only when health check is enabled. Use the IP address assigned by the system or specify your own.
      Note:

      The specified address must not overlap with the private IP ranges of the VPC, CCN, or IDC, or with the local health check address, and must not be a multicast, broadcast, or loopback address.

      Tag: Used to label network resources for easier management. Optional.
    5. Click Next to enter the Communication mode configuration interface.
    • Destination route
      The routing policy specifies which IDC IP ranges the network that the VPN gateway belongs to can reach. After creating the tunnel, configure the routing policy in the route table of the VPN gateway. For more information, see Configuring Tencent Cloud Routing Policies.
    • SPD policy
      Note:

      • An SPD (security policy database) policy consists of a series of SPD rules that specify which IP ranges in the VPC or CCN and in the IDC may communicate with each other. Each SPD rule contains one CIDR block for the local IP range and at least one CIDR block for the peer IP range. One local CIDR block paired with one peer CIDR block forms a mapping, so an SPD rule with several peer CIDR blocks yields several mappings.
      • The VPN gateway negotiates with the customer gateway according to the mappings, in order. Make sure that your customer gateway device supports mapping-based negotiation; strongSwan does, for example, when the also keyword is used in its configuration.
      • All SPD rules under the same VPN gateway may together form at most 200 mappings. If you need more, use a Route-Based VPN Connection.
      • The rules of all tunnels under the same VPN gateway must not contain overlapping mappings: no two mappings may pair the same local IP range with the same peer IP range.
      • Configure matching rules in the SPD policies on Tencent Cloud and on the customer gateway, with the local and peer sides swapped. For example, if the Tencent Cloud SPD policy has local IP range 10.11.12.0/24 and peer IP range 192.168.1.0/24, configure the customer gateway's SPD policy with local IP range 192.168.1.0/24 and peer IP range 10.11.12.0/24.
      • After an SPD policy is configured, the VPN gateway distributes the routes automatically, so you do not need to add routes to the VPN gateway.

    Example:
    As shown in the figure below, a VPN gateway has the following SPD rules:

    • SPD rule 1: The local IP range is 10.0.0.0/24, and the peer IP ranges are 192.168.0.0/24 and 192.168.1.0/24. Two mappings are available.
    • SPD rule 2: The local IP range is 10.0.1.0/24, and the peer IP range is 192.168.2.0/24. One mapping is available.
    • SPD rule 3: The local IP range is 10.0.2.0/24, and the peer IP range is 192.168.2.0/24. One mapping is available.
      The mappings are as follows:
    • 10.0.0.0/24-----192.168.0.0/24
    • 10.0.0.0/24-----192.168.1.0/24
    • 10.0.1.0/24-----192.168.2.0/24
    • 10.0.2.0/24-----192.168.2.0/24
      The four mappings must not overlap, that is, no two mappings may pair the same local IP range with the same peer IP range. The same peer range may appear in several mappings as long as the local ranges differ, as in rules 2 and 3.
    • A new mapping 10.0.0.0/24-----192.168.1.0/24 cannot be added because it duplicates an existing mapping.
    • A new mapping 10.0.1.0/24-----192.168.1.0/24 can be added because it does not duplicate any existing mapping.
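    The overlap rule and the 200-mapping limit can be checked before anything is entered in the console. The following Python script is an added example written for this page, not Tencent Cloud code or an API of the product: it expands SPD rules into mappings, flags any mapping that collides with one already present under the same VPN gateway, reports when the gateway's mapping count exceeds 200, and mirrors the rules for the customer gateway side. Treating a range nested inside another (not only identical pairs) as a collision is the script's own stricter assumption; the EXAMPLE_GATEWAY input is the three rules from the example above.

```python
import ipaddress

MAX_MAPPINGS_PER_GATEWAY = 200  # limit stated in the Tencent Cloud VPN tunnel docs


def expand_mappings(spd_rules):
    """Expand SPD rules into (local, peer) mappings, in the order they are negotiated.

    spd_rules: list of (local_cidr, [peer_cidr, ...]) tuples, one per SPD rule.
    strict=True makes ipaddress reject a CIDR with host bits set (e.g. 10.0.0.1/24).
    """
    mappings = []
    for local, peers in spd_rules:
        if not peers:
            raise ValueError(f"SPD rule for {local} needs at least one peer IP range")
        local_net = ipaddress.ip_network(local, strict=True)
        for peer in peers:
            mappings.append((local_net, ipaddress.ip_network(peer, strict=True)))
    return mappings


def mappings_conflict(a, b):
    """Two mappings conflict when their local ranges overlap AND their peer ranges overlap.

    The docs forbid duplicate local/peer pairs; this check also treats a range nested
    inside another (e.g. 10.0.0.0/25 within 10.0.0.0/24) as a conflict, which is an
    assumption: two SPD entries that both match one packet make the selection ambiguous.
    """
    return a[0].overlaps(b[0]) and a[1].overlaps(b[1])


def validate_gateway_spd(tunnels):
    """Check every tunnel of one VPN gateway.

    tunnels: {tunnel_name: [spd_rule, ...]}.  Returns a list of problems; [] means OK.
    """
    problems = []
    seen = []  # (tunnel_name, mapping) for every mapping already accepted
    for tunnel, rules in tunnels.items():
        for mapping in expand_mappings(rules):
            for other_tunnel, other in seen:
                if mappings_conflict(mapping, other):
                    problems.append(
                        f"{tunnel}: {mapping[0]}-----{mapping[1]} overlaps "
                        f"{other_tunnel}: {other[0]}-----{other[1]}"
                    )
            seen.append((tunnel, mapping))
    if len(seen) > MAX_MAPPINGS_PER_GATEWAY:
        problems.append(
            f"{len(seen)} mappings exceed the limit of {MAX_MAPPINGS_PER_GATEWAY}; "
            "consider a route-based VPN connection"
        )
    return problems


def can_add_mapping(tunnels, tunnel, local, peer):
    """Dry run: would adding local-----peer to `tunnel` keep the gateway's SPD valid?"""
    trial = {name: list(rules) for name, rules in tunnels.items()}
    trial.setdefault(tunnel, []).append((local, [peer]))
    return not validate_gateway_spd(trial)


def customer_gateway_rules(spd_rules):
    """Mirror Tencent Cloud SPD rules for the customer gateway: local and peer swap sides."""
    return [(str(peer), [str(local)]) for local, peer in expand_mappings(spd_rules)]


# Constructed input: the three SPD rules from the example above, one tunnel on one gateway.
EXAMPLE_GATEWAY = {
    "tunnel-1": [
        ("10.0.0.0/24", ["192.168.0.0/24", "192.168.1.0/24"]),  # rule 1: two mappings
        ("10.0.1.0/24", ["192.168.2.0/24"]),                    # rule 2: one mapping
        ("10.0.2.0/24", ["192.168.2.0/24"]),                    # rule 3: same peer, other local
    ]
}

if __name__ == "__main__":
    print("problems:", validate_gateway_spd(EXAMPLE_GATEWAY))
    print("add 10.0.0.0/24-----192.168.1.0/24:",
          can_add_mapping(EXAMPLE_GATEWAY, "tunnel-1", "10.0.0.0/24", "192.168.1.0/24"))
    print("add 10.0.1.0/24-----192.168.1.0/24:",
          can_add_mapping(EXAMPLE_GATEWAY, "tunnel-1", "10.0.1.0/24", "192.168.1.0/24"))
    print("customer side:", customer_gateway_rules(EXAMPLE_GATEWAY["tunnel-1"]))
```

    Run the check against every tunnel of a gateway at once, since the console enforces the no-overlap rule across all tunnels of the gateway, not per tunnel.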
    6. Click Next to enter the IKE Configuration (Optional) page. Click Next directly if no advanced configuration is required.
      Configuration Item: Description
      Version: IKE V1 or IKE V2.
      Identity verification method: Pre-shared key (default).
      Encryption algorithm: Supported algorithms are AES-128, AES-192, AES-256, 3DES, DES, and SM4. We recommend AES-128 or stronger; DES and 3DES are 64-bit block ciphers kept only for compatibility with legacy devices.
      Verification algorithm: Integrity (hash) algorithm that protects the IKE exchange. Supported algorithms are MD5, SHA-1, SHA-256, SHA-384, SHA-512, and SM3. We recommend SHA-256 or stronger; MD5 and SHA-1 are deprecated and should be used only when the customer gateway supports nothing else.
      Negotiation mode: Main mode or aggressive mode (IKE V1 only).
      In aggressive mode, more information is packed into fewer messages so that the connection is established faster, but the identity of the security gateway is sent in plain text, and with pre-shared key authentication the hash exchanged can be captured and used to guess the pre-shared key offline. Parameters such as the Diffie-Hellman group and PFS are not negotiated in aggressive mode, so they must be configured identically on both sides. Use main mode (or IKE V2) unless the customer gateway requires aggressive mode.
      Local ID: IP Address (default) or FQDN (fully qualified domain name).
      Customer ID: IP Address (default) or FQDN.
      DH group: Diffie-Hellman group used for the IKE key exchange. A larger group gives a stronger key exchange but takes longer to compute.
      DH1: 768-bit modular exponential (MODP) group.
      DH2: 1,024-bit MODP group.
      DH5: 1,536-bit MODP group.
      DH14: 2,048-bit MODP group. Dynamic VPN is not supported with this option.
      DH24: 2,048-bit MODP group with a 256-bit prime-order subgroup.
      Groups below 2,048 bits (DH1, DH2, DH5) are too weak for new deployments; prefer DH14 or DH24.
      IKE SA lifetime: Unit: s. The lifetime proposed for the IKE SA. Before the lifetime expires, a new SA is negotiated in advance to replace the old one; the old SA stays in use until the new one is established, the new SA is used immediately after establishment, and the old one is cleared automatically when its lifetime expires.
    7. Enter the IPsec Configuration (Optional) page. Click Complete if no advanced configuration is required.
      Configuration Item: Description
      Encryption algorithm: AES-128, AES-192, AES-256, 3DES, DES, or SM4. The same recommendation as for IKE applies: AES-128 or stronger.
      Verification algorithm: Integrity algorithm that authenticates each ESP packet (it does not verify peer identities; the pre-shared key does that during IKE). Supports MD5, SHA1, SHA256, SHA384, SHA512, and SM3; prefer SHA256 or stronger.
      Packet encapsulation mode: Tunnel.
      Security protocol: ESP.
      PFS: Perfect forward secrecy group used when the IPsec SA is rekeyed. Supports disable, DH-GROUP1, DH-GROUP2, DH-GROUP5, DH-GROUP14, and DH-GROUP24. With PFS disabled, IPsec keys are derived from the IKE SA alone, so compromise of the IKE SA key material exposes every IPsec SA derived from it; enable PFS with DH-GROUP14 or DH-GROUP24 when the customer gateway supports it.
      IPsec SA lifetime (s): Unit: s.
      IPsec SA lifetime (KB): Unit: KB. The SA is rekeyed when either the time limit or the byte limit is reached, whichever comes first.
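    The IKE and IPsec pages above still offer the legacy options (DES, MD5, DH1, aggressive mode, PFS off), so it is worth reviewing a tunnel's parameters before clicking Complete. The following Python script is an added example for this page, not Tencent Cloud code: it checks a proposed tunnel configuration against the recommendations above and renders the strongSwan proposal strings (swanctl.conf `proposals` and `esp_proposals`) that a strongSwan customer gateway would need in order to match it. The console-name-to-strongSwan-keyword mapping, the 16-character minimum for the pre-shared key, and the WEAK_TUNNEL and HARDENED_TUNNEL inputs are assumptions for illustration; SM4 and SM3 are not mapped because upstream strongSwan does not ship them by default.

```python
# Console names (as listed on this page) -> strongSwan keywords. The mapping is an
# assumption about strongSwan naming; SM4/SM3 are left out on purpose.
ENC = {"AES-128": "aes128", "AES-192": "aes192", "AES-256": "aes256", "3DES": "3des", "DES": "des"}
HASH = {"MD5": "md5", "SHA-1": "sha1", "SHA1": "sha1", "SHA-256": "sha256", "SHA256": "sha256",
        "SHA-384": "sha384", "SHA384": "sha384", "SHA-512": "sha512", "SHA512": "sha512"}
DH = {"DH1": "modp768", "DH2": "modp1024", "DH5": "modp1536", "DH14": "modp2048", "DH24": "modp2048s256"}

WEAK_ENC = {"DES", "3DES"}             # 64-bit block ciphers
WEAK_HASH = {"MD5", "SHA-1", "SHA1"}   # deprecated hashes
WEAK_DH = {"DH1", "DH2", "DH5"}        # MODP modulus below 2048 bits
MIN_PSK_LEN = 16                        # assumed policy threshold, not a Tencent Cloud limit


def _pfs_group(cfg):
    """Normalise the IPsec PFS setting ("DH-GROUP14") to the IKE DH naming ("DH14")."""
    return cfg["pfs"].replace("DH-GROUP", "DH")


def review_tunnel(cfg):
    """Return a list of findings for a tunnel configuration; [] means nothing to fix."""
    findings = []
    # negotiation_mode only matters for IKE V1; IKE V2 has no main/aggressive distinction
    if cfg["ike_version"] == "IKE V1" and cfg["negotiation_mode"] == "aggressive":
        findings.append("IKE V1 aggressive mode: gateway identity travels in clear text and the "
                        "PSK-derived hash can be captured for offline guessing; use main mode or IKE V2")
    for phase, enc, hsh in (("IKE", cfg["ike_encryption"], cfg["ike_hash"]),
                            ("IPsec", cfg["ipsec_encryption"], cfg["ipsec_hash"])):
        if enc in WEAK_ENC:
            findings.append(f"{phase} encryption {enc}: 64-bit block cipher; use AES-128 or stronger")
        if hsh in WEAK_HASH:
            findings.append(f"{phase} integrity {hsh}: deprecated hash; use SHA-256 or stronger")
    if cfg["dh_group"] in WEAK_DH:
        findings.append(f"IKE DH group {cfg['dh_group']}: below 2048 bits; use DH14 or DH24")
    pfs = _pfs_group(cfg)
    if pfs == "disable":
        findings.append("PFS disabled: compromise of the IKE SA key material exposes every IPsec SA")
    elif pfs in WEAK_DH:
        findings.append(f"PFS group {cfg['pfs']}: below 2048 bits; use DH-GROUP14 or DH-GROUP24")
    if len(cfg["pre_shared_key"]) < MIN_PSK_LEN:
        findings.append(f"pre-shared key shorter than {MIN_PSK_LEN} characters; use a long random key")
    return findings


def strongswan_proposals(cfg):
    """Render the swanctl.conf `proposals` (IKE) and `esp_proposals` (IPsec) strings that a
    strongSwan customer gateway needs in order to match this tunnel's console settings."""
    ike = "-".join((ENC[cfg["ike_encryption"]], HASH[cfg["ike_hash"]], DH[cfg["dh_group"]]))
    esp = "-".join((ENC[cfg["ipsec_encryption"]], HASH[cfg["ipsec_hash"]]))
    pfs = _pfs_group(cfg)
    if pfs != "disable":
        esp += "-" + DH[pfs]  # a trailing DH group in esp_proposals enables PFS for rekeys
    return ike, esp


# Constructed inputs: a legacy-compatible set of console choices, and a hardened one.
WEAK_TUNNEL = {
    "ike_version": "IKE V1", "negotiation_mode": "aggressive",
    "ike_encryption": "DES", "ike_hash": "MD5", "dh_group": "DH1",
    "ipsec_encryption": "3DES", "ipsec_hash": "SHA1", "pfs": "disable",
    "pre_shared_key": "secret",
}
HARDENED_TUNNEL = {
    "ike_version": "IKE V2", "negotiation_mode": "main",
    "ike_encryption": "AES-128", "ike_hash": "SHA-256", "dh_group": "DH14",
    "ipsec_encryption": "AES-128", "ipsec_hash": "SHA256", "pfs": "DH-GROUP14",
    "pre_shared_key": "Ov3rTheW1re-Pr3sh4redKey-example",
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_TUNNEL), ("hardened", HARDENED_TUNNEL)):
        print(name, "findings:", review_tunnel(cfg))
        print(name, "strongSwan proposals:", strongswan_proposals(cfg))
```

    The proposal strings must match on both ends: if the customer gateway offers only proposals the Tencent Cloud side was not configured with, IKE negotiation fails with no proposal chosen, which is the first thing to check when a tunnel stays down.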