Creating a VPN Tunnel

Last updated: 2024-01-09 14:29:29
    A VPN tunnel is an encrypted public network tunnel used to transmit data packets in a VPN connection. A VPN tunnel on Tencent Cloud uses the Internet Key Exchange (IKE) protocol to establish the IPsec session. IKE provides a self-protection mechanism that can securely verify identities, distribute keys, and establish IPsec sessions over insecure networks. This topic describes how to create a VPN tunnel in the console. You can also manage VPN tunnels by using APIs and SDKs. For more information, see API documentation.

    Background

    The following configuration information is required to create a VPN tunnel; which of the two applies depends on the communication mode you select (see Communication mode in the Directions):

    Destination route: A routing policy specifies the IP ranges in the IDC that the network to which the VPN gateway belongs can communicate with. After you create a tunnel, you need to configure a routing policy in the route table of the VPN gateway. For more information, see Configuring The Routing Policies From The User To Tencent Cloud.
    SPD policies
    Note:
    An SPD policy consists of a series of SPD rules that are used to specify the IP ranges in a VPC or CCN and the IP ranges in an IDC that can communicate with each other. Each SPD rule contains at least one CIDR block for the local IP range and at least one CIDR block for the peer IP range. A CIDR block for the local IP range and a CIDR block for the peer IP range form a mapping. An SPD rule may involve multiple mappings.
    The VPN gateway negotiates with the customer gateway according to the mappings in sequence. Make sure that your customer gateway device supports mapping-based negotiation; for example, strongSwan supports it when the also keyword is used in its configuration.
    All SPD rules under the same VPN gateway can form up to 200 mappings. If you need more, we recommend that you use Route-Based VPN Connections.
    The rules for all tunnels of the same VPN gateway cannot contain overlapping mappings. In other words, no two mappings can have the same local IP range and the same customer IP range.
    We recommend that you configure matching rules in the SPD policies on Tencent Cloud and on the customer gateway. For example, if the local IP range 10.11.12.0/24 and peer IP range 192.168.1.0/24 are configured in the SPD policy on Tencent Cloud, set the local and peer IP ranges to 192.168.1.0/24 and 10.11.12.0/24 respectively in the SPD policy on your customer gateway.
    After an SPD policy is configured, the VPN gateway automatically distributes the routes, so you do not need to add routes on the VPN gateway.
    Example: As shown in the figure below, a VPN gateway has the following SPD rules:

    SPD rule 1: The local IP range is 10.0.0.0/24, and the peer IP ranges are 192.168.0.0/24 and 192.168.1.0/24. This rule yields two mappings.
    SPD rule 2: The local IP range is 10.0.1.0/24, and the peer IP range is 192.168.2.0/24. This rule yields one mapping.
    SPD rule 3: The local IP range is 10.0.2.0/24, and the peer IP range is 192.168.2.0/24. This rule yields one mapping.
    The mappings are as follows:
    10.0.0.0/24-----192.168.0.0/24
    10.0.0.0/24-----192.168.1.0/24
    10.0.1.0/24-----192.168.2.0/24
    10.0.2.0/24-----192.168.2.0/24
    The four mappings cannot overlap. In other words, no two mappings can have the same local IP range and the same peer IP range.
    A new mapping 10.0.0.0/24-----192.168.1.0/24 cannot be added to the SPD rules because it duplicates an existing mapping.
    A new mapping 10.0.1.0/24-----192.168.1.0/24 can be added to the SPD rules because it does not overlap with any existing mapping.
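    To make the mapping rules concrete, the following added Python example (not Tencent Cloud's code) expands SPD rules into the ordered mapping list, rejects a mapping that duplicates an existing one or exceeds the 200-mapping limit, and derives the mirrored entries for the customer gateway; the sample rules are the three from the example above, constructed inline.

```python
from ipaddress import IPv4Network, ip_network
from itertools import product

MAX_MAPPINGS = 200  # per-gateway limit stated in the note above
Mapping = tuple[IPv4Network, IPv4Network]  # (local range, peer range)

def expand_rules(rules: list[tuple[list[str], list[str]]]) -> list[Mapping]:
    """Expand SPD rules (local CIDRs, peer CIDRs) into the ordered list of
    local/peer mappings the gateway negotiates, keeping rule order."""
    out: list[Mapping] = []
    for locals_, peers in rules:
        for loc, peer in product(locals_, peers):
            # strict=False normalises host bits: 10.0.1.7/24 -> 10.0.1.0/24
            out.append((ip_network(loc, strict=False), ip_network(peer, strict=False)))
    return out

def find_duplicates(mappings: list[Mapping]) -> list[Mapping]:
    """Mappings whose (local, peer) pair already appeared earlier in the list;
    two such mappings may not coexist under one VPN gateway."""
    seen: set[Mapping] = set()
    dups: list[Mapping] = []
    for m in mappings:
        if m in seen:
            dups.append(m)
        seen.add(m)
    return dups

def can_add(existing: list[Mapping], local: str, peer: str) -> bool:
    """True if the new mapping neither duplicates an existing one nor
    pushes the gateway past the 200-mapping limit."""
    new = (ip_network(local, strict=False), ip_network(peer, strict=False))
    return new not in existing and len(existing) < MAX_MAPPINGS

def mirror_for_customer_gateway(mappings: list[Mapping]) -> list[tuple[str, str]]:
    """Matching SPD entries for the customer gateway: its local range is
    Tencent Cloud's peer range and vice versa."""
    return [(str(peer), str(local)) for local, peer in mappings]

# Constructed sample input: the three SPD rules from the example above.
EXAMPLE_RULES = [
    (["10.0.0.0/24"], ["192.168.0.0/24", "192.168.1.0/24"]),  # rule 1
    (["10.0.1.0/24"], ["192.168.2.0/24"]),                    # rule 2
    (["10.0.2.0/24"], ["192.168.2.0/24"]),                    # rule 3
]
if __name__ == "__main__":
    maps = expand_rules(EXAMPLE_RULES)
    print("\n".join(f"{loc}-----{peer}" for loc, peer in maps))
    print("can add 10.0.0.0/24-----192.168.1.0/24:", can_add(maps, "10.0.0.0/24", "192.168.1.0/24"))  # False
    print("can add 10.0.1.0/24-----192.168.1.0/24:", can_add(maps, "10.0.1.0/24", "192.168.1.0/24"))  # True
```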

    Prerequisites

    You have created a VPN gateway on Tencent Cloud as instructed in VPN Connections and created a customer gateway as instructed in Creating Customer Gateways.
    Make sure that the number of created VPN tunnels doesn't exceed the quota. You can adjust the quota as instructed in Use Limits.

    Directions

    1. Log in to the VPC console.
    2. Choose VPN Connection > VPN Tunnel in the left sidebar.
    3. On the VPN Connections page, click Create.
    4. Configure the basic information of the VPN tunnel in the pop-up dialog box.
    4.1 Configure basic settings
    In this step, configure the basic information of the tunnel, including the name, network, associated VPN gateway, customer gateway, shared key, negotiation type, and communication mode.
    Tunnel name: Custom tunnel name of at most 60 characters.
    Region: The region of the VPN gateway that is associated with the VPN tunnel to be created.
    VPN gateway type: Two types of VPN gateways are available: VPN gateway for VPC and VPN gateway for CCN. For more information about the two types of VPN gateways, see Overview.
    VPC: Select the VPC of the VPN gateway. This parameter appears only when the VPN gateway type is VPC; a VPN gateway for CCN does not have it.
    VPN gateway: Select a VPN gateway from the list.
    Customer gateway: Select a customer gateway that has been created, or create one first.
    Customer gateway IP: The public IP address of the customer gateway.
    Pre-shared key: Used to verify the identities of the local and customer gateways, which must use the same pre-shared key.
    Negotiation type:
    Traffic-triggered: After the VPN tunnel is created, negotiation starts when traffic flows to the local end.
    Active: After the tunnel is created, the local end actively initiates negotiation with the peer end.
    Passive: Negotiation is initiated by the peer end.
    Communication mode: Destination route and SPD policy are supported. We recommend that you use Destination route. For more information about SPD policies, see SPD policies.
    4.2 Configure advanced settings
    In this step, configure the DPD, health check, IKE, and IPsec options.
    Enable DPD: DPD (dead peer detection) is enabled by default and checks whether the peer is alive. If no response to a DPD request actively sent by the local end is received within the specified timeout period, the peer is considered offline and the timeout action is performed.
    DPD timeout period: The overall DPD timeout period. Valid range: 30-60 s. Default: 30 s.
    DPD timeout action:
    Disconnect: The current SA is cleared and the current VPN tunnel is disconnected.
    Retry: Reconnect to the peer.
    4.3 Set health check options
    Enable health check: Health check is used for primary/secondary tunnels. For more information, see Connecting IDC to a Single Tencent Cloud VPC for Primary/Secondary Disaster Recovery. If your business does not involve primary/secondary tunnels, you do not need to enable this feature (it is disabled by default). Otherwise, complete the health check configuration for the local and peer addresses as instructed in Configuring Health Checks.
    Note:
    Once you enable health check and create a VPN tunnel, the system immediately performs network quality analysis (NQA) to check the health of the tunnel. If the tunnel is not linked or your configured peer address does not respond to NQA detection, the system considers the tunnel unhealthy after multiple detection failures and interrupts the business traffic until the tunnel recovers.
    VPN gateway IP for health check: This parameter is required only when health check is enabled. You can use the IP address assigned by the system or specify one.
    Note:
    The specified address cannot conflict with the private network address or IP range of the VPC, CCN, or IDC, or with the peer address in health check, and it cannot be a multicast, broadcast, or local loopback address.
    Customer gateway IP for health check: This parameter is required only when health check is enabled. You can use the IP address assigned by the system or specify one.
    Note:
    The specified address cannot conflict with the private network address or IP range of the VPC, CCN, or IDC, or with the local address in health check, and it cannot be a multicast, broadcast, or local loopback address.
    
    4.4 Configure IKE options
    Version: IKE V1 or IKE V2.
    Identity verification method: Pre-shared key (default).
    Encryption algorithm: AES-128, AES-192, AES-256, 3DES, DES, and SM4 are supported. We recommend that you use AES-128.
    Verification algorithm: The algorithm used to verify identities. MD5, SHA1, SHA256, SHA384, SHA512, and SM3 are supported. We recommend that you use MD5.
    Negotiation mode: Main mode and aggressive mode are supported. In aggressive mode, more information can be sent with fewer packets so that a connection can be established quickly, but the identity of a security gateway is sent in plain text. Configuration parameters such as Diffie-Hellman and PFS cannot be negotiated and must be configured compatibly on both sides.
    Local ID: IP Address (default) and FQDN (fully qualified domain name) are supported.
    Customer ID: IP Address (default) and FQDN are supported.
    DH group: The DH group used for the IKE key exchange. Key exchange security and exchange duration both increase with the DH group size.
    DH1: a DH group that uses the 768-bit modular exponential (MODP) algorithm.
    DH2: a DH group that uses the 1024-bit MODP algorithm.
    DH5: a DH group that uses the 1536-bit MODP algorithm.
    DH14: a DH group that uses the 2048-bit MODP algorithm. This option is not supported for dynamic VPNs.
    DH24: a DH group that uses the 2048-bit MODP algorithm with a 256-bit prime order subgroup.
    IKE SA lifetime: Unit: s. The SA lifetime proposed for the IKE SA. Before the preset lifetime expires, a new SA is negotiated in advance to replace the old one. The old SA remains in use until the new one has been negotiated; the new SA is used immediately after it is established, and the old one is automatically cleared when its lifetime expires.
    4.5 (Optional) Configure IPsec options
    Encryption algorithm: AES-128, AES-192, AES-256, 3DES, DES, and SM4 are supported.
    Verification algorithm: The algorithm used to verify identities. MD5, SHA1, SHA256, SHA384, SHA512, and SM3 are supported.
    Packet encapsulation mode: Tunnel.
    Security protocol: ESP.
    PFS: Disable, DH-GROUP1, DH-GROUP2, DH-GROUP5, DH-GROUP14, and DH-GROUP24 are supported.
    IPsec SA lifetime (s): Unit: s.
    IPsec SA lifetime (KB): Unit: KB.
    5. Click Next to enter the Communication mode configuration interface.
    Note:
    To enter multiple peer IP ranges, separate them with line breaks.
    6. Click Next to go to the IKE configuration (optional) page. Click Next directly if no advanced configuration is required.
    Version: IKE V1 or IKE V2.
    Identity verification method: Pre-shared key (default).
    Encryption algorithm: AES-128, AES-192, AES-256, 3DES, DES, and SM4 are supported.
    Verification algorithm: The algorithm used to verify identities. MD5, SHA1, SHA256, SHA384, SHA512, and SM3 are supported.
    Negotiation mode: Main mode and aggressive mode are supported. In aggressive mode, more information can be sent with fewer packets so that a connection can be established quickly, but the identity of a security gateway is sent in plain text. Configuration parameters such as Diffie-Hellman and PFS cannot be negotiated and must be configured compatibly on both sides.
    Local ID: IP Address (default) and FQDN (fully qualified domain name) are supported.
    Customer ID: IP Address (default) and FQDN are supported.
    DH group: The DH group used for the IKE key exchange. The security of the key exchange increases as the DH group grows, but so does the exchange time.
    DH1: a DH group that uses the 768-bit modular exponential (MODP) algorithm.
    DH2: a DH group that uses the 1024-bit MODP algorithm.
    DH5: a DH group that uses the 1536-bit MODP algorithm.
    DH14: a DH group that uses the 2048-bit MODP algorithm. This option is not supported for dynamic VPNs.
    DH24: a DH group that uses the 2048-bit MODP algorithm with a 256-bit prime order subgroup.
    IKE SA lifetime: Unit: s. The SA lifetime proposed for the IKE SA. Before the preset lifetime expires, a new SA is negotiated in advance to replace the old one. The old SA remains in use until the new one has been negotiated; the new SA is used immediately after it is established, and the old one is automatically cleared when its lifetime expires.
    7. Enter the IPsec configuration (optional) interface. Click Complete if no advanced configuration is required.
    Encryption algorithm: AES-128, AES-192, AES-256, 3DES, DES, and SM4 are supported.
    Verification algorithm: The algorithm used to verify identities. MD5, SHA1, SHA256, SHA384, SHA512, and SM3 are supported.
    Packet encapsulation mode: Tunnel.
    Security protocol: ESP.
    PFS: Disable, DH-GROUP1, DH-GROUP2, DH-GROUP5, DH-GROUP14, and DH-GROUP24 are supported.
    IPsec SA lifetime (s): Unit: s.
    IPsec SA lifetime (KB): Unit: KB.