Creating a VPN Tunnel
Last updated: 2024-01-09 14:29:29
A VPN tunnel is an encrypted public network tunnel used to transmit data packets in a VPN connection. The VPN tunnel on Tencent Cloud uses the Internet Key Exchange (IKE) protocol to establish a session during IPsec implementation. IKE provides a self-protection mechanism that can securely verify identities, distribute keys, and establish IPsec sessions in insecure networks. This topic describes how to create a VPN tunnel in the console. You can also manage VPN tunnels by using APIs and SDKs. For more information, see API documentation.
Background

The following configuration information is required to create a VPN tunnel:

Destination route: A routing policy specifies the IP ranges in the IDC that the network to which the VPN gateway belongs can communicate with. After you create a tunnel, you need to configure a routing policy in the route table of the VPN gateway. For more information, see Configuring the Routing Policies from the User to Tencent Cloud.
SPD policies: An SPD policy consists of a series of SPD rules that specify the IP ranges in a VPC or CCN and the IP ranges in an IDC that can communicate with each other. Each SPD rule contains at least one CIDR block for the local IP range and at least one CIDR block for the peer IP range. One CIDR block of the local IP range paired with one CIDR block of the peer IP range forms a mapping, so an SPD rule may contain multiple mappings.
Note:
The VPN gateway negotiates with the customer gateway according to the mappings, in sequence. Make sure that your customer gateway device supports mapping-based negotiation; for example, it is supported when the also keyword is used in a strongSwan configuration.
All SPD rules under the same VPN gateway can form up to 200 mappings in total. If you need more, we recommend that you use Route-Based VPN Connections.
The rules of all tunnels under the same VPN gateway cannot contain overlapping mappings. In other words, the local IP range and the customer IP range of a mapping cannot both duplicate the address ranges of another mapping.
We recommend that you configure matching rules in the SPD policies of Tencent Cloud and of the customer gateway. For example, if the local IP range 10.11.12.0/24 and the peer IP range 192.168.1.0/24 are configured in the SPD policy on Tencent Cloud, set the local and peer IP ranges in the SPD policy of your customer gateway to 192.168.1.0/24 and 10.11.12.0/24 respectively.
After an SPD policy is configured, the VPN gateway distributes the routes automatically, so you do not need to add routes to the VPN gateway yourself.
Example: As shown in the figure below, a VPN gateway has the following SPD rules:

SPD rule 1: The local IP range is 10.0.0.0/24, and the peer IP ranges are 192.168.0.0/24 and 192.168.1.0/24. This rule contains two mappings.
SPD rule 2: The local IP range is 10.0.1.0/24, and the peer IP range is 192.168.2.0/24. This rule contains one mapping.
SPD rule 3: The local IP range is 10.0.2.0/24, and the peer IP range is 192.168.2.0/24. This rule contains one mapping.
The mappings are as follows:
10.0.0.0/24-----192.168.0.0/24
10.0.0.0/24-----192.168.1.0/24
10.0.1.0/24-----192.168.2.0/24
10.0.2.0/24-----192.168.2.0/24
These four mappings cannot overlap. In other words, the local IP range and the peer IP range of a mapping cannot both duplicate the address ranges of another mapping.
A new mapping 10.0.0.0/24-----192.168.1.0/24 cannot be added to the SPD rules because it duplicates an existing mapping.
A new mapping 10.0.1.0/24-----192.168.1.0/24 can be added to the SPD rules because it does not overlap with any existing mapping: its local range appears only in mappings with a different peer range, and its peer range only in a mapping with a different local range.
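The overlap and quota rules above can be checked before a rule is submitted to the console. The following is an added example (not Tencent Cloud code): it expands SPD rules into (local, peer) mappings, treats two mappings as overlapping only when both their local ranges and their peer ranges overlap (which is what the page's example implies), enforces the 200-mapping limit per gateway, and derives the mirrored rules to configure on the customer gateway. The function names and the SAMPLE_RULES data are constructed here; the CIDRs are the ones from the page's example.

```python
"""SPD mapping checks for a Tencent Cloud VPN gateway (added example).

A mapping is a (local CIDR, peer CIDR) pair. Two mappings overlap when the
local ranges overlap AND the peer ranges overlap. At most 200 mappings may
exist under one VPN gateway (limit taken from the page)."""
import ipaddress
from typing import Dict, List, Tuple

Mapping = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]
MAX_MAPPINGS_PER_GATEWAY = 200  # quota stated on the page


def expand_rules(rules: List[Dict[str, List[str]]]) -> List[Mapping]:
    """Expand each SPD rule (local ranges x peer ranges) into its mappings."""
    mappings: List[Mapping] = []
    for rule in rules:
        for local in rule["local"]:
            for peer in rule["peer"]:
                # strict=True rejects host bits set in the CIDR, e.g. 10.0.0.5/24
                mappings.append((ipaddress.ip_network(local, strict=True),
                                 ipaddress.ip_network(peer, strict=True)))
    return mappings


def mappings_overlap(a: Mapping, b: Mapping) -> bool:
    """Both sides must overlap; sharing only a local or only a peer range is fine."""
    return a[0].overlaps(b[0]) and a[1].overlaps(b[1])


def find_conflicts(mappings: List[Mapping]) -> List[Tuple[Mapping, Mapping]]:
    """Return every pair of mappings (across all rules) that overlap."""
    conflicts = []
    for i in range(len(mappings)):
        for j in range(i + 1, len(mappings)):
            if mappings_overlap(mappings[i], mappings[j]):
                conflicts.append((mappings[i], mappings[j]))
    return conflicts


def can_add(existing: List[Mapping], local: str, peer: str) -> Tuple[bool, str]:
    """Decide whether one more mapping may be added under the same gateway."""
    candidate = (ipaddress.ip_network(local), ipaddress.ip_network(peer))
    if len(existing) + 1 > MAX_MAPPINGS_PER_GATEWAY:
        return False, f"quota of {MAX_MAPPINGS_PER_GATEWAY} mappings reached"
    for m in existing:
        if mappings_overlap(candidate, m):
            return False, f"overlaps existing mapping {m[0]}-----{m[1]}"
    return True, "ok"


def mirror_for_customer_gateway(rules: List[Dict[str, List[str]]]) -> List[Dict[str, List[str]]]:
    """Swap local and peer ranges so the customer gateway's SPD matches ours."""
    return [{"local": list(r["peer"]), "peer": list(r["local"])} for r in rules]


# Constructed sample: the three SPD rules from the page's example
SAMPLE_RULES = [
    {"local": ["10.0.0.0/24"], "peer": ["192.168.0.0/24", "192.168.1.0/24"]},
    {"local": ["10.0.1.0/24"], "peer": ["192.168.2.0/24"]},
    {"local": ["10.0.2.0/24"], "peer": ["192.168.2.0/24"]},
]

if __name__ == "__main__":
    mappings = expand_rules(SAMPLE_RULES)
    for local, peer in mappings:
        print(f"{local}-----{peer}")
    print("conflicts:", find_conflicts(mappings))
    print(can_add(mappings, "10.0.0.0/24", "192.168.1.0/24"))  # rejected: duplicate
    print(can_add(mappings, "10.0.1.0/24", "192.168.1.0/24"))  # accepted
    print(mirror_for_customer_gateway(SAMPLE_RULES))
```

Note that a partial overlap is also rejected: a candidate such as 10.0.0.0/25-----192.168.0.0/24 overlaps the first mapping even though it is not identical to it, which is what the "duplicate address range" wording in the rule means in practice.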

Prerequisites

You have created a VPN gateway on Tencent Cloud as instructed in VPN Connections and created a customer gateway as instructed in Creating Customer Gateways.
Make sure that the number of created VPN tunnels doesn't exceed the quota. You can adjust the quota as instructed in Use Limits.

Directions

1. Log in to the VPC console.
2. Choose VPN Connection > VPN Tunnel in the left sidebar.
3. On the VPN Connections page, click Create.
4. Configure the basic information of the VPN tunnel in the pop-up dialog box.
4.1 Configure basic settings
In this step, configure the basic information of the tunnel, including the name, network, associated VPN gateway, customer gateway, shared key, negotiation type, and communication mode.
Tunnel name: A custom tunnel name of at most 60 characters.
Region: The region of the VPN gateway that the new VPN tunnel is associated with.
VPN gateway type: Two types of VPN gateway are available: VPN gateway for VPC and VPN gateway for CCN. For more information about the two types, see Overview.
VPC: Select the VPC of the VPN gateway. This parameter exists only when the VPN gateway type is VPC; a VPN gateway for CCN has no such parameter.
VPN gateway: Select a VPN gateway from the list.
Customer gateway: Select a customer gateway that has already been created. If none exists, create one first.
Customer gateway IP: The public IP address of the customer gateway.
Pre-shared key: Used to authenticate the local and customer gateways. Both gateways must be configured with the same pre-shared key.
Negotiation type:
Traffic-triggered: After the VPN tunnel is created, negotiation starts when traffic reaches the local end.
Active: After the tunnel is created, the local end actively initiates negotiation with the peer end.
Passive: Negotiation is initiated by the peer end.
Communication mode: Destination route and SPD policy are supported. We recommend that you use Destination route. For more information about SPD policies, see SPD policies.
4.2 Configure advanced settings
In this step, configure the DPD, health check, IKE, and IPsec options.
Enable DPD: DPD is enabled by default and is used to check whether the peer is alive. If no response to the DPD request sent by the local end is received within the specified timeout period, the peer is considered offline and the timeout action is performed.
DPD timeout period: The overall DPD timeout period. Valid range: 30-60s. Default value: 30s.
DPD timeout action:
Disconnect: The current SA is cleared and the current VPN tunnel is disconnected.
Retry: Reconnect to the peer.
4.3 Set health check options
Enable health check: Health check is used for primary/secondary tunnels. For more information, see Connecting IDC to a Single Tencent Cloud VPC for Primary/Secondary Disaster Recovery. If your business does not involve primary/secondary tunnels, you do not need to enable this feature (it is disabled by default). Otherwise, complete the health check configuration for the local and peer addresses as instructed in Configuring Health Checks.
Note:
Once you enable health check and create a VPN tunnel, the system immediately performs network quality analysis (NQA) to check the health of the tunnel. If the tunnel is not linked or your configured peer address does not respond to NQA detection, the system considers the tunnel unhealthy after multiple detection failures and interrupts the business traffic until the tunnel recovers.

VPN gateway IP for health check: This parameter is required only when health check is enabled. You can use the IP address assigned by the system or specify one.
Note:
The specified address cannot conflict with the private network address or IP range of the VPC, CCN, or IDC, or with the peer address in the health check, and it cannot be a multicast, broadcast, or local loopback address.

Customer gateway IP for health check: This parameter is required only when health check is enabled. You can use the IP address assigned by the system or specify one.
Note:
The specified address cannot conflict with the private network address or IP range of the VPC, CCN, or IDC, or with the local address in the health check, and it cannot be a multicast, broadcast, or local loopback address.

4.4 Configure IKE options
Version: IKE V1 or IKE V2.
Identity verification method: Default pre-shared key.
Encryption algorithm: AES-128, AES-192, AES-256, 3DES, DES, and SM4 are supported. We recommend that you use AES-128.
Verification algorithm: The algorithm used to verify identities. MD5, SHA1, SHA256, SHA384, SHA512, and SM3 are supported. We recommend that you use MD5.
Negotiation mode: Main mode and aggressive mode are supported. In aggressive mode, more information is sent in fewer packets so that the connection is established faster, but the identity of the security gateway is sent in plaintext. Parameters such as the Diffie-Hellman group and PFS cannot be negotiated in this mode and must be configured compatibly on both sides.
Local ID: IP Address (default) and FQDN (fully qualified domain name) are supported.
Customer ID: IP Address (default) and FQDN are supported. Default value: IP Address.
DH group: The DH group used for the IKE key exchange. Both the security of the key exchange and its duration increase with the DH group size.
DH1: a DH group that uses the 768-bit modular exponential (MODP) algorithm.
DH2: a DH group that uses the 1024-bit MODP algorithm.
DH5: a DH group that uses the 1536-bit MODP algorithm.
DH14: a DH group that uses the 2048-bit MODP algorithm. This option is not supported for dynamic VPNs.
DH24: a DH group that uses the 2048-bit MODP algorithm with a 256-bit prime order subgroup.
IKE SA lifetime: Unit: s. The lifetime proposed for the IKE SA. Before the preset lifetime expires, a new SA is negotiated in advance to replace the old one. The old SA remains in use until the new one has been negotiated; the new SA is used immediately after it is established, and the old one is cleared automatically when its lifetime expires.
4.5 (Optional) Configure IPsec options
Encryption algorithm: AES-128, AES-192, AES-256, 3DES, DES, and SM4 are supported.
Verification algorithm: The algorithm used to verify identities. MD5, SHA1, SHA256, SHA384, SHA512, and SM3 are supported.
Packet encapsulation mode: Tunnel.
Security protocol: ESP.
PFS: Disable, DH-GROUP1, DH-GROUP2, DH-GROUP5, DH-GROUP14, and DH-GROUP24 are supported.
IPsec SA lifetime (s): Unit: s.
IPsec SA lifetime (KB): Unit: KB.
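The settings in steps 4.1 to 4.5 have to be mirrored on the customer gateway. The following added example (not Tencent Cloud's or strongSwan's own code) translates them into a strongSwan ipsec.conf fragment: one conn per SPD mapping chained to a shared base section with the also keyword mentioned in the Background section, the IKE and IPsec proposals built from the page's algorithm and DH group lists, DPD and lifetimes carried over, and a check that reports the algorithm choices the console accepts but a reviewer would question. The ipsec.conf keys used (keyexchange, aggressive, ike, esp, ikelifetime, lifetime, lifebytes, dpdaction, dpddelay, dpdtimeout, leftid, rightid, auto, also, leftsubnet, rightsubnet, authby) are real strongSwan keys; the parameter names in the SAMPLE dict, the sample addresses, and the lifetime values are constructed here. SM4 and SM3 have no standard strongSwan keyword, so the renderer rejects them rather than guessing.

```python
"""Render a strongSwan ipsec.conf fragment for the customer gateway from the
console tunnel parameters (added example, not vendor code)."""
from typing import Dict, List

# Console DH group number -> strongSwan keyword (MODP sizes as listed on the page)
DH_GROUPS = {1: "modp768", 2: "modp1024", 5: "modp1536",
             14: "modp2048", 24: "modp2048s256"}
ENCRYPTION = {"AES-128": "aes128", "AES-192": "aes192", "AES-256": "aes256",
              "3DES": "3des", "DES": "des"}
INTEGRITY = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256",
             "SHA384": "sha384", "SHA512": "sha512"}
# Console negotiation type -> strongSwan 'auto=' behaviour
NEGOTIATION = {"Traffic-triggered": "route", "Active": "start", "Passive": "add"}
DPD_ACTION = {"Disconnect": "clear", "Retry": "restart"}
WEAK = {"DES", "3DES", "MD5", "SHA1"}  # accepted by the console; flagged here


def _lookup(table: Dict, key, what: str) -> str:
    if key not in table:
        raise ValueError(f"unsupported {what}: {key!r}")
    return table[key]


def weak_settings(p: Dict) -> List[str]:
    """Names of the algorithm fields whose chosen value is in WEAK."""
    fields = ["ike_encryption", "ike_integrity", "ipsec_encryption", "ipsec_integrity"]
    return [f for f in fields if p[f] in WEAK]


def ike_proposal(p: Dict) -> str:
    return "%s-%s-%s" % (_lookup(ENCRYPTION, p["ike_encryption"], "IKE encryption"),
                         _lookup(INTEGRITY, p["ike_integrity"], "IKE integrity"),
                         _lookup(DH_GROUPS, p["ike_dh_group"], "DH group"))


def esp_proposal(p: Dict) -> str:
    prop = "%s-%s" % (_lookup(ENCRYPTION, p["ipsec_encryption"], "IPsec encryption"),
                      _lookup(INTEGRITY, p["ipsec_integrity"], "IPsec integrity"))
    if p["pfs"] is not None:  # PFS "Disable" -> no DH group in the ESP proposal
        prop += "-" + _lookup(DH_GROUPS, p["pfs"], "PFS group")
    return prop


def render_ipsec_conf(name: str, p: Dict) -> str:
    """Customer-gateway view: 'left' is the IDC side, 'right' is Tencent Cloud."""
    base = [
        f"conn {name}-base",
        f"    keyexchange=ikev{p['ike_version']}",
        "    authby=secret",  # pre-shared key; the key itself lives in ipsec.secrets
        f"    left={p['customer_gateway_ip']}",
        f"    leftid={p['customer_id']}",     # console "Customer ID"
        f"    right={p['tencent_gateway_ip']}",
        f"    rightid={p['local_id']}",       # console "Local ID"
        f"    ike={ike_proposal(p)}!",
        f"    esp={esp_proposal(p)}!",
        f"    ikelifetime={p['ike_sa_lifetime']}s",
        f"    lifetime={p['ipsec_sa_lifetime']}s",
    ]
    if p["ike_version"] == 1 and p["negotiation_mode"] == "Aggressive":
        base.append("    aggressive=yes")  # identity travels in plaintext, see 4.4
    if p.get("ipsec_sa_lifetime_kb"):
        base.append(f"    lifebytes={p['ipsec_sa_lifetime_kb'] * 1024}")
    if p["dpd_enabled"]:
        base += [f"    dpdaction={_lookup(DPD_ACTION, p['dpd_action'], 'DPD action')}",
                 "    dpddelay=10s",
                 f"    dpdtimeout={p['dpd_timeout']}s"]  # honoured by IKEv1 only
    out = "\n".join(base) + "\n"
    # One conn per (IDC range, VPC range) mapping: the mirrored SPD rule
    auto = _lookup(NEGOTIATION, p["negotiation_type"], "negotiation type")
    for i, (idc, vpc) in enumerate(p["mappings"], 1):
        out += "\n".join([f"\nconn {name}-{i}", f"    also={name}-base",
                          f"    leftsubnet={idc}", f"    rightsubnet={vpc}",
                          f"    auto={auto}"]) + "\n"
    return out


# Constructed sample; documentation addresses, not real gateways
SAMPLE = {
    "ike_version": 2, "negotiation_type": "Active", "negotiation_mode": "Main",
    "ike_encryption": "AES-128", "ike_integrity": "SHA256", "ike_dh_group": 14,
    "ike_sa_lifetime": 86400,
    "ipsec_encryption": "AES-128", "ipsec_integrity": "SHA256", "pfs": 14,
    "ipsec_sa_lifetime": 3600, "ipsec_sa_lifetime_kb": None,
    "dpd_enabled": True, "dpd_timeout": 30, "dpd_action": "Retry",
    "tencent_gateway_ip": "198.51.100.5", "local_id": "198.51.100.5",
    "customer_gateway_ip": "203.0.113.10", "customer_id": "203.0.113.10",
    # (IDC range, VPC range): the page's 10.11.12.0/24 <-> 192.168.1.0/24 rule, mirrored
    "mappings": [("192.168.1.0/24", "10.11.12.0/24")],
}

if __name__ == "__main__":
    print(render_ipsec_conf("tencent", SAMPLE))
    print("weak choices:", weak_settings(SAMPLE))
```

The base section carries no auto= line, so strongSwan keeps it as an inert template (auto defaults to ignore) and only the per-mapping conns are loaded; each of those overrides the negotiation behaviour with the console's negotiation type. The proposals end in "!" so the customer side offers exactly the algorithms configured in the console, which makes a mismatch show up as a negotiation failure instead of a silent downgrade.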
5. Click Next to enter the Communication mode configuration interface.
Note:
To enter multiple peer IP ranges, separate them with line breaks.
6. Click Next to go to the IKE configuration (optional) page. Directly click Next if no advanced configuration is required.
Version: IKE V1 or IKE V2.
Identity verification method: Default pre-shared key.
Encryption algorithm: AES-128, AES-192, AES-256, 3DES, DES, and SM4 are supported.
Verification algorithm: The algorithm used to verify identities. MD5, SHA1, SHA256, SHA384, SHA512, and SM3 are supported.
Negotiation mode: Main mode and aggressive mode are supported. In aggressive mode, more information is sent in fewer packets so that the connection is established faster, but the identity of the security gateway is sent in plaintext. Parameters such as the Diffie-Hellman group and PFS cannot be negotiated in this mode and must be configured compatibly on both sides.
Local ID: IP Address (default) and FQDN (fully qualified domain name) are supported.
Customer ID: IP Address (default) and FQDN are supported.
DH group: Used when IKE is specified. The security of the key exchange increases with the DH group size, but so does the exchange time.
DH1: a DH group that uses the 768-bit modular exponential (MODP) algorithm.
DH2: a DH group that uses the 1024-bit MODP algorithm.
DH5: a DH group that uses the 1536-bit MODP algorithm.
DH14: a DH group that uses the 2048-bit MODP algorithm. This option is not supported for dynamic VPNs.
DH24: a DH group that uses the 2048-bit MODP algorithm with a 256-bit prime order subgroup.
IKE SA lifetime: Unit: s. The lifetime proposed for the IKE SA. Before the preset lifetime expires, a new SA is negotiated in advance to replace the old one. The old SA remains in use until the new one has been negotiated; the new SA is used immediately after it is established, and the old one is cleared automatically when its lifetime expires.
7. Enter the IPsec configuration (optional) interface. Click Complete if no advanced configuration is required.
Encryption algorithm: AES-128, AES-192, AES-256, 3DES, DES, and SM4 are supported.
Verification algorithm: The algorithm used to verify identities. MD5, SHA1, SHA256, SHA384, SHA512, and SM3 are supported.
Packet encapsulation mode: Tunnel.
Security protocol: ESP.
PFS: Disable, DH-GROUP1, DH-GROUP2, DH-GROUP5, DH-GROUP14, and DH-GROUP24 are supported.
IPsec SA lifetime (s): Unit: s.
IPsec SA lifetime (KB): Unit: KB.
