The also keyword is used in the StrongSwan configuration.

If the local IP range 10.11.12.0/24 and the peer IP range 192.168.1.0/24 are configured in the SPD policy in Tencent Cloud, set the local and peer IP ranges to 192.168.1.0/24 and 10.11.12.0/24 respectively in the SPD policy in your customer gateway (that is, the two sides are swapped).

For example, suppose the following SPD rules are configured:
- The local IP range is 10.0.0.0/24, and the peer IP ranges are 192.168.0.0/24 and 192.168.1.0/24. In this rule, two mappings are available.
- The local IP range is 10.0.1.0/24, and the peer IP range is 192.168.2.0/24. In this rule, one mapping is available.
- The local IP range is 10.0.1.0/24, and the peer IP range is 192.168.2.0/24. In this rule, one mapping is available.

The mappings are as follows:
- 10.0.0.0/24 ----- 192.168.0.0/24
- 10.0.0.0/24 ----- 192.168.1.0/24
- 10.0.1.0/24 ----- 192.168.2.0/24
- 10.0.2.0/24 ----- 192.168.2.0/24

The four mappings cannot overlap. In other words, the local IP range and peer IP range of a mapping cannot duplicate the address ranges of an existing mapping. For example, the mapping 10.0.0.0/24 ----- 192.168.1.0/24 cannot be added to the SPD rules because it overlaps with an existing mapping, whereas the mapping 10.0.1.0/24 ----- 192.168.1.0/24 can be added to the SPD rules because it does not overlap with any existing mapping.
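The rule-to-mapping expansion, the overlap check and the local/peer swap for the customer gateway described above, as an added Python example that is not part of Tencent Cloud's documentation or tooling. The sample rules are constructed to match the page; treating any shared addresses on both the local and the peer side as a conflict (rather than only exact duplicates) is an assumption that goes slightly beyond the page's examples.

```python
"""Added example (not Tencent Cloud code): SPD mapping checks."""
import ipaddress

# Constructed sample rules matching the page: each rule maps one local
# IP range to one or more peer IP ranges.
SPD_RULES = [
    ("10.0.0.0/24", ["192.168.0.0/24", "192.168.1.0/24"]),
    ("10.0.1.0/24", ["192.168.2.0/24"]),
    ("10.0.2.0/24", ["192.168.2.0/24"]),
]


def net(cidr):
    # strict=True rejects ranges with host bits set (e.g. 10.0.0.5/24),
    # which are not valid IP ranges for an SPD policy.
    return ipaddress.ip_network(cidr, strict=True)


def expand_mappings(rules):
    """Return the (local, peer) network pairs that the rules produce."""
    return [(net(local), net(peer)) for local, peers in rules for peer in peers]


def overlaps(mapping, existing):
    """True when both the local and the peer range share addresses with
    the local and peer range of some existing mapping (assumption: any
    overlap counts, not only an exact duplicate)."""
    local, peer = mapping
    return any(local.overlaps(l) and peer.overlaps(p) for l, p in existing)


def can_add(rules, local, peer):
    """True if the candidate mapping can be added to the SPD rules."""
    return not overlaps((net(local), net(peer)), expand_mappings(rules))


def find_conflicts(rules):
    """Index pairs (i, j) of mappings in the rule set that overlap each other."""
    maps = expand_mappings(rules)
    return [(i, j) for i in range(len(maps)) for j in range(i + 1, len(maps))
            if overlaps(maps[i], [maps[j]])]


def customer_gateway_policy(rules):
    """Mirror the Tencent Cloud SPD policy for the customer gateway:
    the local and peer ranges swap sides."""
    return [(str(peer), str(local)) for local, peer in expand_mappings(rules)]
```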
Parameter | Description |
--- | --- |
Tunnel name | Custom tunnel name with 60 characters at most. |
Region | The region of the VPN gateway that is associated with the VPN tunnel to be created. |
VPN gateway type | Two types of VPN gateways are available: VPN gateway for VPC and VPN gateway for CCN. For more information about the two types of VPN gateways, see Overview. |
VPC | Select the VPC of the VPN gateway only when the VPN gateway type is VPC. The VPN gateway for CCN does not have this parameter. |
VPN gateway | Select a VPN gateway from the list. |
Customer gateway | Select a customer gateway that has already been created. Otherwise, create one. |
Customer gateway IP | The public IP address of the customer gateway. |
Pre-shared key | Used to verify the identities of the local and customer gateways; both sides must use the same pre-shared key. |
Negotiation type | Traffic-triggered: After the VPN tunnel is created, negotiation starts when traffic flows to the local end. Active: After the tunnel is created, the local end actively initiates negotiation with the peer end. Passive: Negotiation is initiated by the peer end. |
Communication mode | Destination route and SPD policy are supported. We recommend that you use Destination route. For more information about SPD policies, see SPD policies. |
Parameter | Description |
--- | --- |
Enable DPD | DPD is enabled by default and is used to check whether the peer is alive. If the local end does not receive a response to the DPD request it sends within the specified timeout period, the peer is considered offline and the timeout action is performed. |
DPD timeout period | The overall DPD timeout period. Valid range: 30-60s. The default value is 30s. |
DPD timeout action | Disconnect: The current SA is cleared and the current VPN tunnel is disconnected. Retry: Reconnect to the peer. |
Parameter | Description |
--- | --- |
Enable health check | Health check is used for primary/secondary tunnels. For more information, see Connecting IDC to a Single Tencent Cloud VPC for Primary/Secondary Disaster Recovery. If your business does not involve primary/secondary tunnels, you do not need to enable this feature (it is disabled by default). Otherwise, complete the health check configuration for the local and peer addresses as instructed in Configuring Health Checks. Note: Once you enable health check and create a VPN tunnel, the system immediately performs network quality analysis (NQA) to check the health of the tunnel. If the tunnel is not linked or your configured peer address does not respond to NQA detection, the system considers the tunnel unhealthy after multiple detection failures and interrupts the business traffic until the tunnel recovers. |
VPN gateway IP for health check | Required only when health check is enabled. You can use the IP address assigned by the system or specify one. Note: The specified address cannot conflict with the private network address or IP range of the VPC, CCN, or IDC, or with the peer address used for health check, and it cannot be a multicast, broadcast, or local loopback address. |
Customer gateway IP for health check | Required only when health check is enabled. You can use the IP address assigned by the system or specify one. Note: The specified address cannot conflict with the private network address or IP range of the VPC, CCN, or IDC, or with the local address used for health check, and it cannot be a multicast, broadcast, or local loopback address. |
Configuration Item | Description |
--- | --- |
Version | IKE V1 or IKE V2 |
Encryption algorithm | AES-128, AES-192, AES-256, 3DES, DES, and SM4 are supported. We recommend that you use AES-128. |
Verification algorithm | The algorithm used to verify identities. MD5, SHA1, SHA256, SHA384, SHA512, and SM3 are supported. We recommend that you use MD5. |
Negotiation mode | Main mode and aggressive mode are supported. In aggressive mode, more information can be sent with fewer packets so that a connection can be established quickly, but the identity of the security gateway is sent in plain text. Configuration parameters such as the Diffie-Hellman group and PFS cannot be negotiated and must be configured compatibly on both sides. |
Local ID | IP Address (default) and FQDN (fully qualified domain name) are supported. |
Customer ID | IP Address (default) and FQDN are supported. Default value: IP Address. |
DH group | The DH group used for the IKE key. Key exchange security and the exchange duration both increase with the DH group size. DH1: a DH group that uses the 768-bit modular exponential (MODP) algorithm. DH2: a DH group that uses the 1024-bit MODP algorithm. DH5: a DH group that uses the 1536-bit MODP algorithm. DH14: a DH group that uses the 2048-bit MODP algorithm; this option is not supported for dynamic VPNs. DH24: a DH group that uses the 2048-bit MODP algorithm with a 256-bit prime order subgroup. |
IKE SA lifetime | Unit: s. The SA lifetime proposed for IKE security. Before the preset lifetime expires, a new SA is negotiated in advance to replace the old one. The old SA remains in use until the new one has been negotiated. The new SA is used immediately after it is established, and the old one is automatically cleared when its lifetime expires. |
Configuration Item | Description |
--- | --- |
Encryption algorithm | AES-128, AES-192, AES-256, 3DES, DES, and SM4 are supported. |
Verification algorithm | The algorithm used to verify identities. MD5, SHA1, SHA256, SHA384, SHA512, and SM3 are supported. |
Packet encapsulation mode | Tunnel |
Security protocol | ESP |
PFS | Disable, DH-GROUP1, DH-GROUP2, DH-GROUP5, DH-GROUP14, and DH-GROUP24 are supported. |
IPsec SA lifetime (s) | Unit: s. |
IPsec SA lifetime (KB) | Unit: KB. |
Configuration Item | Description |
--- | --- |
Version | IKE V1 or IKE V2 |
Identity verification method | Default: pre-shared key |
Encryption algorithm | AES-128, AES-192, AES-256, 3DES, DES, and SM4 are supported. |
Verification algorithm | The algorithm used to verify identities. MD5, SHA1, SHA256, SHA384, SHA512, and SM3 are supported. |
Negotiation mode | Main mode and aggressive mode are supported. In aggressive mode, more information can be sent with fewer packets so that a connection can be established quickly, but the identity of the security gateway is sent in plain text. Configuration parameters such as the Diffie-Hellman group and PFS cannot be negotiated and must be configured compatibly on both sides. |
Local ID | IP Address (default) and FQDN (fully qualified domain name) are supported. |
Customer ID | IP Address (default) and FQDN are supported. |
DH group | Used when IKE is specified. The security of the key exchange increases as the DH group grows, but the exchange also takes longer. DH1: a DH group that uses the 768-bit modular exponential (MODP) algorithm. DH2: a DH group that uses the 1,024-bit MODP algorithm. DH5: a DH group that uses the 1,536-bit MODP algorithm. DH14: a DH group that uses the 2,048-bit MODP algorithm; dynamic VPN is not supported for this option. DH24: a DH group that uses the 2,048-bit MODP algorithm with a 256-bit prime order subgroup. |
IKE SA lifetime | Unit: s. The SA lifetime proposed for IKE security. Before the preset lifetime expires, a new SA is negotiated in advance to replace the old one. The old SA remains in use until the new one has been negotiated. The new SA is used immediately after it is established, and the old one is automatically cleared when its lifetime expires. |
Configuration Item | Description |
--- | --- |
Encryption algorithm | Supports AES-128, AES-192, AES-256, 3DES, DES, and SM4. |
Verification algorithm | Used to verify identities; supports MD5, SHA1, SHA256, SHA384, SHA512, and SM3. |
Packet encapsulation mode | Tunnel |
Security protocol | ESP |
PFS | Supports Disable, DH-GROUP1, DH-GROUP2, DH-GROUP5, DH-GROUP14, and DH-GROUP24. |
IPsec SA lifetime (s) | Unit: s |
IPsec SA lifetime (KB) | Unit: KB |