A VPN tunnel is an encrypted public network tunnel used to transmit data packets in a VPN connection. The VPN tunnel on Tencent Cloud uses the Internet Key Exchange (IKE) protocol to establish a session during IPsec implementation. IKE provides a self-protection mechanism that can securely verify identities, distribute keys, and establish IPsec sessions in insecure networks. This topic describes how to create a VPN tunnel in the console. You can also manage VPN tunnels by using APIs and SDKs. For more information, see API documentation.
The following configuration information is required to create a VPN tunnel:
Basic information
Communication mode
IKE configuration (optional)
IPsec configuration (optional)
Background
Destination routeA routing policy specifies the IP ranges in the IDC that the network to which the VPN gateway belongs can communicate with. After you create a tunnel, you need to configure a routing policy in the route table of the VPN gateway. For more information, see Configuring The Routing Policies From The User To Tencent Cloud.
SPD policies
Note:
An SPD policy consists of a series of SPD rules that are used to specify the IP ranges in a VPC or CCN and the IP ranges in an IDC that can communicate with each other. Each SPD rule contains at least one CIDR block for the local IP range and at least one CIDR block for the peer IP range. A CIDR block for the local IP range and a CIDR block for the peer IP range form a mapping. An SPD rule may involve multiple mappings.
VPN Gateway will negotiate with the customer gateway according to the mappings in sequence. Make sure that your customer gateway device supports mapping-based negotiation; for example, it is supported if the also keyword is used in StrongSwan configuration.
All SPD rules under the same VPN gateway can form up to 200 mappings. If you need more, we recommend you use Route-Based VPN Connections.
The rules for all tunnels of the same VPN gateway cannot contain overlapped mappings. In other words, the local IP range and customer IP range in a mapping cannot have a duplicate address range.
We recommend you configure a matching rule in the SPD policies in Tencent Cloud and customer gateway. For example, if the local IP range 10.11.12.0/24 and peer IP range 192.168.1.0/24 are configured in the SPD policy in Tencent Cloud, set the local and peer IP ranges also to 192.168.1.0/24 and 10.11.12.0/24 respectively in the SPD policy in your customer gateway.
After an SPD policy is configured, the VPN gateway will automatically distribute the routes, eliminating your need to add routes in the VPN gateway.
Example:As shown in the figure below, a VPN gateway has the following SPD rules:
SPD rule 1: The local IP range is 10.0.0.0/24, and the peer IP ranges are 192.168.0.0/24 and 192.168.1.0/24. In this rule, two mappings are available.
SPD rule 2: The local IP range is 10.0.1.0/24, and the peer IP range is 192.168.2.0/24. In this rule, one mapping is available.
SPD rule 3: The local IP range is 10.0.1.0/24, and the peer IP range is 192.168.2.0/24. In this rule, one mapping is available. The mappings are as follows:
10.0.0.0/24-----192.168.0.0/24
10.0.0.0/24-----192.168.1.0/24
10.0.1.0/24-----192.168.2.0/24
10.0.2.0/24-----192.168.2.0/24The four mappings cannot overlap. In other words, the local IP range and peer IP range in a mapping cannot have a duplicate address range.
A new mapping 10.0.0.0/24-----192.168.1.0/24 cannot be added to SPD rules because it overlaps with an existing mapping.
A new mapping 10.0.1.0/24-----192.168.1.0/24 can be added to SPD rules because it does not overlap with existing mappings.
Prerequisites
You have created a VPN gateway on Tencent Cloud as instructed in VPN Connections and created a customer gateway as instructed in Creating Customer Gateways.
Make sure that the number of created VPN tunnels doesn't exceed the quota. You can adjust the quota as instructed in Use Limits.
Directions
1. Log in to the VPC console.
2. Choose VPN Connection > VPN Tunnel in the left sidebar.
3. On the VPN Connections page, click Create.
4. Configure the basic information of the VPN tunnel in the pop-up dialog box.
4.1 Configure basic settings
In this step, configure the basic information of the tunnel, including the name, network, associated VPN gateway, customer gateway, shared key, negotiation type, and communication mode.
Parameter | Description |
Tunnel name | Custom tunnel name with 60 characters at most. |
Region | The region of the VPN gateway that is associated with the VPN tunnel to be created. |
VPN gateway type | Two types of VPN gateways are available: VPN gateway for VPC and VPN gateway for CCN. For more information about the two types of VPN gateways, see Overview. |
VPC | Select the VPC of the VPN gateway only when the VPN gateway type is VPC. The VPN for CCN doesn't have such a parameter. |
VPN gateway | Select a VPN gateway from the list. |
Customer gateway | Select a customer gateway that has been created. Otherwise, create one. |
Customer gateway IP | The public IP address of the customer gateway |
Pre-shared key | Used to verify the identities of local and customer gateways that must use the same pre-shared key. |
Negotiation type | Traffic-triggered: After the VPN tunnel is created, the negotiation will start when the traffic flows to the local end. Active: After the tunnel is created, the local end actively initiates negotiation with the peer end. Passive: The negotiation is launched by the peer end. |
Communication mode | Destination route and SPD policy are supported. We recommend that you use Destination route. For more information about SPD policies, see SPD policies. |
4.2 Configure advanced settings
In this step, configure the DPD, health check, IKE, and IPsec options.
Parameter | Description |
Enable DPD | DPD is enabled by default and used to check whether the peer is alive or not. If the response of the DPD request message actively sent by the local end is not received within the specified timeout period, it is considered that the peer is offline and timeout action is performed. |
DPD timeout period | The overall DPD timeout period. Valid range: 30-60s. The default value is 30s. |
DPD timeout action | Disconnect: The current SA is cleared and the current VPN tunnel is disconnected Retry: Reconnect to the peer |
4.3 Set health check options
Parameter | Description |
Enable health check | Health check is used for primary/secondary tunnels. For more information, see Connecting IDC to a Single Tencent Cloud VPC for Primary/Secondary Disaster Recovery. If your business does not involve primary/secondary tunnels, you do not need to enable this feature (which is disabled by default). Otherwise, complete the health check configuration on the local and peer addresses as instructed in Configuring Health Checks. Note: Once you enable health check and create a VPN tunnel, the system immediately performs network quality analysis (NQA) to check the health of the tunnel. If the tunnel is not linked or your configured peer address doesn't respond to NQA detection, the system will consider the tunnel as unhealthy after multiple detection failures and interrupt the business traffic until the tunnel recovers. |
VPN gateway IP for health check | This parameter is required only when health check is enabled. You can use the IP address assigned by the system or specify one. Note: The specified address cannot conflict with the private network address or IP range of the VPC, CCN, or IDC or the peer address in health check, and it cannot be a multicast, broadcast, or local loopback address. |
Customer gateway IP for health check | This parameter is required only when health check is enabled. You can use the IP address assigned by the system or specify one. Note:: The specified address cannot conflict with the private network address or IP range of the VPC, CCN, or IDC or the local address in health check, and it cannot be a multicast, broadcast, or local loopback address. |
4.4 Configure IKE options
Configuration Item | Description |
Version | IKE V1 or IKE V2 |
Identity verification method | AES-128, AES-192, AES-256, 3DES, DES, and SM4 are supported. We recommend that you use AES-128. |
Verification algorithm | The algorithm used to verify identities. MD5, SHA1, SHA256, ASE-383, SHA512, and SM3 are supported. We recommend that you use MD5. |
Negotiation mode | Main mode and aggressive mode are supported. In aggressive mode, more information can be sent with fewer packets so that a connection can be quickly established, but the identity of a security gateway is sent in plain text. The configuration parameters, such as Diffie-Hellman and PFS, cannot be negotiated and must have compatible configurations on both sides. |
Local ID | IP Address (default) and FQDN (full domain name) are supported. |
Customer ID | IP Address (default) and FQDN are supported. Default value: IP Address. |
DH group | The DH group used for the IKE key. Key exchange security and the exchange duration increase with the DH group size. DH1: a DH group that uses the 768-bit modular exponential (MODP) algorithm. DH2: a DH group that uses the 1024-bit MODP algorithm. DH5: a DH group that uses the 1536-bit MODP algorithm. DH14: a DH group that uses the 2048-bit MODP algorithm. This option is not supported for dynamic VPNs. DH24: a DH group that uses the 2048-bit MODP algorithm with a 256-bit prime order subgroup. |
IKE SA lifetime | Unit: sThe SA lifetime proposed for IKE security. Before a preset lifetime expires, another SA is negotiated in advance to replace the old one. The old SA is used before a new one is determined through negotiation. The new SA is used immediately after establishment, and the old one is automatically cleared after its lifetime expires. |
4.5 (Optional) Configure IPsec options
Configuration Item | Description |
Encryption algorithm | AES-128, AES-192, AES-256, 3DES, DES, and SM4 are supported. |
Verification algorithm | The algorithm used to verify identities. MD5, SHA1, SHA256, SHA384, SHA512, and SM3 are supported. |
Packet encapsulation mode | Tunnel |
Security protocol | ESP |
PFS | Disable, DH-GROUP1, DH-GROUP2, DH-GROUP5, DH-GROUP14, and DH-GROUP24 are supported. |
IPsec SA lifetime(s) | Unit: s. |
IPsec SA lifetime (KB) | Unit: KB. |
5. Click Next to enter the Communication mode configuration interface.
Note:
To enter multiple peer IP ranges, separate them with line breaks.
6. Click Next to go to the IKE configuration (optional) page. Directly click Next if no advanced configuration is required.
Configuration Item | Description |
Version | IKE V1, IKE V2 |
Identity verification method | Default pre-shared key |
Encryption algorithm | AES-128, AES-192, AES-256, 3DES, DES, and SM4 are supported. |
Verification algorithm | The algorithm used to verify identities. MD5, SHA1, SHA256, ASE-383, SHA512, and SM3 are supported. |
Negotiation mode | Main mode and aggressive mode supportedIn aggressive mode, more information can be sent with fewer packets so that a connection can be established quickly, but the identity of a security gateway is sent in plain text. The configuration parameters such as Diffie-Hellman and PFS cannot be negotiated and they must have compatible configurations. |
Local ID | IP Address (default) and FQDN (full domain name) are supported. |
Customer ID | IP Address (default) and FQDN are supported. |
DH group | Used when IKE is specified. The security of key exchange increases as the DH group expands, but the exchange time also becomes longer DH1: DH group that uses the 768-bit modular exponential (MODP) algorithm DH 2: DH group that uses the 1,024-bit MODP algorithm DH5: DH group that uses the 1,536-bit MODP algorithm DH14: DH group that uses the 2,048-bit MODP algorithm. Dynamic VPN is not supported for this option DH 24: DH group that uses the 2,048-bit MODP algorithm with a 256-bit prime order subgroup. |
IKE SA lifetime | Unit: sThe SA lifetime proposed for IKE security. Before a preset lifetime expires, another SA is negotiated in advance to replace the old one. The old SA is used before a new one is determined through negotiation. The new SA is used immediately after establishment, and the old one is automatically cleared after its lifetime expires. |
7. Enter the IPsec configuration (optional) interface. Click Complete if no advanced configuration is required.
Configuration Item | Description |
Encryption algorithm | Supports AES-128, AES-192, AES-256, 3DES, DES, and SM4 |
Verification algorithm | Used to verify identities, and supports MD5, SHA1, SHA256, SHA384, SHA512, and SM3 |
Packet encapsulation mode | Tunnel |
Security protocol | ESP |
PFS | Supports disable, DH-GROUP1, DH-GROUP2, DH-GROUP5, DH-GROUP14, and DH-GROUP24 |
IPsec SA lifetime(s) | Unit: s |
IPsec SA lifetime (KB) | Unit: KB |
