VPN FAQ
FAQ
Issue 01
Date 2020-11-30
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees
or representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Contents
2 Product Consultation  18
2.1 What Are the Applicable Scenarios of IPsec VPN?  18
2.2 What Is a VPC, VPN Gateway, and a VPN Connection?  19
2.3 What Are the Relationships Between a VPC, a VPN Gateway, and a VPN Connection?  19
2.4 What Is VPN Connection? How Do I Set the Number of VPN Connections When Buying a VPN Gateway?  20
2.5 What Is a Remote Gateway and Remote Subnet in a VPN Connection?  21
2.6 Will an IPsec VPN Connect Automatically?  21
2.7 What Devices Can Be Connected to HUAWEI CLOUD Through a VPN?  21
2.8 What Are VPN Negotiation Parameters? What Are Their Default Values?  22
2.9 What Are the Categories of VPN Service Tickets? How Do I Create a VPN Service Ticket?  23
2.10 Are a Username and Password Required for Creating an IPsec VPN Connection?  24
2.11 How Do I Allow Specific Servers to Access a Subnet on the Cloud Through a Created VPN Connection?  25
2.12 Which of the Following Resources of a VPN Can Be Monitored?  25
2.13 Can an EIP Be Used as a VPN Gateway IP Address?  25
2.14 Do I Need to Purchase an EIP for Servers That Communicate with Each Other Through a VPN?  25
2.15 Are SSL VPNs Supported?  26
2.16 How Long Does It Take for Delivered VPN Configurations to Take Effect?  26
2.17 What Should I Do If I Cannot Create Connections for a VPN Gateway That Has No Bandwidth Information?  26
2.18 Does HUAWEI CLOUD VPN Support IPv6 Addresses?  26
2.19 How Do I Determine My VPN Bandwidth Size?  26
2.20 Does a VPN Connection Support Chinese Encryption Algorithms?  27
2.21 Can I Visit Websites Across International Borders Using a VPN?  27
2.22 Can I Deploy Applications on the Cloud, Databases in a Local IDC, and Then Connect Them Through a VPN?  27
2.23 What Are the Differences Between the Application Scenarios and Connection Modes of IPsec and SSL VPNs?  28
2.24 What Fees Will Be Incurred for Creating a VPN? Will I Be Billed for VPN Gateway IP Addresses?  28
2.25 What Is the Difference Between Billing a VPN Gateway by Bandwidth or by Traffic?  29
2.26 Can a VPN Billed by Traffic Use a Shared Data Package?  29
2.27 Can a VPN Gateway IP Address Be Retained After the VPN Gateway Is Deleted?  29
2.28 Do I Need to Purchase an EIP for Servers That Communicate with Each Other Through a VPN?  30
2.29 Where Can I Add a Route to Reach the Remote Subnet on the VPN Console?  30
2.30 Will I Be Notified If a VPN Connection Is Interrupted?  30
2.31 What Do I Do If VPN Connection Setup Fails?  31
2.32 Which Is the Direction of the Bandwidth to Be Limited and What Is the Unit of the Bandwidth?  31
3.4 Do I Need to Install the IPsec Software on Each Server That Needs to Access an ECS to Establish a VPN Connection?  33
3.5 What Are the Differences Between the Application Scenarios and Connection Modes of IPsec and SSL VPNs?  33
3.6 Does a VPN Allow for Communication Between Two VPCs?  34
3.7 What Are the Impacts of a VPN on a Local Network? What Are the Changes to the Route for Accessing an ECS?  34
3.8 What Configurations Are Required on Both Ends of a VPN to Implement the Communication Between a Customer Data Center and a VPC?  35
3.9 Can I Use a Gateway with Two Egresses to Establish Two VPN Connections with the Same VPC?  35
3.10 Can Two VPCs in the Same Region Be Connected Through a VPN?  35
3.11 How Can I Connect Two VPCs in the Same Region?  35
3.12 How Do I Replace a Direct Connect Connection with a VPN?  36
3.13 How Can I Connect Two VPCs Created on the Cloud to the IDC Network?  36
3.14 How Do I Connect Four Subnets?  37
3.15 Do I Need Two VPN Connections to Connect Four Subnets of Two Regions (Each Region Has Two Subnets)?  37
3.16 Can I Access OBS Through a VPN?  37
3.17 How Do I Interconnect My Personal Computer with a VPN?  38
3.18 How Do I Access HUAWEI CLOUD ECSs From Home After My Enterprise Network Is Connected to HUAWEI CLOUD Through a VPN?  38
3.19 How Do I Create a VPN Connection Temporarily If No Device That Supports IPsec Is Available off the Cloud After I Purchase HUAWEI CLOUD VPN Gateway and Connections?  38
3.20 How Do I Select a Proper Region on the Cloud When Creating a VPN Gateway?  39
8 EIPs  67
8.1 Can a VPN Gateway IP Address Be Retained After the VPN Gateway Is Deleted?  67
8.2 Can an EIP Be Used as a VPN Gateway IP Address?  67
8.3 Do I Need to Purchase an EIP for Servers That Communicate with Each Other Through a VPN?  67
8.4 Why Does an ECS Have EIP Access Information After I Enable a VPN?  68
8.5 Can the Gateway of a Customer Data Center Have No Fixed Public IP Address?  68
9 Route Configurations  69
9.1 Where Can I Add a Route to Reach the Remote Subnet on the VPN Console?  69
9.2 Do I Need to Add a Route to Reach the Customer Data Center Network for an ECS with Multiple NICs?  69
10 Subnet Setting  70
10.1 What Is a Remote Gateway and Remote Subnet in a VPN Connection?  70
10.2 Can the Local Subnet Be Within the Remote Subnet of a VPN?  70
10.3 What Is the Limitation on the Number of Local and Remote Subnets of a VPN? Why Is an Error Message Displayed When I Update the Local Subnet by Specifying a CIDR Block?  70
10.4 What Do I Do If an Exception Occurs When I Add a Remote Subnet During VPN Connection Creation?  71
10.5 Can a VPN Gateway IP Address Be Retained After the VPN Gateway Is Deleted?  71
13 Monitoring  75
13.1 Which Resources of a VPN Can Be Monitored?  75
15 Quotas  85
15.1 What Is the VPN Quota?  85
15.2 How Many VPN Gateways and VPN Connections Can I Create By Default?  86
15.3 How Do I Change My VPN Gateway and Connection Quotas?  86
15.4 How Many IPsec VPNs Can I Have?  87
16 Account Permissions  88
16.1 Are a Username and Password Required for Creating an IPsec VPN Connection?  88
16.2 What Should I Do If the System Displays a Message Indicating That I Do Not Have the Permissions to Create a VPN?  88
16.3 How Do I Determine that My Account Cannot Create a VPN Due to Insufficient Permissions?  88
NOTE
● Common home broadband routers, personal mobile terminals, and VPN services (such
as L2TP) provided by Windows hosts cannot interconnect with HUAWEI CLOUD VPN.
● Vendors that have performed the interconnection test with the HUAWEI CLOUD VPN
service include but are not limited to Huawei (routers and firewalls), H3C (routers and
firewalls), Cisco (routers and firewalls), Ruijie (routers and firewalls), ZTE, Sangfor,
Fortinet, 360, Topsec, Hillstone, NetentSec, NSFOCUS, DELL, ZyXEL, and Juniper.
● Cloud service providers include but are not limited to Alibaba Cloud, Tencent Cloud, and
Amazon.
● Software vendors include but are not limited to openSwan, Strongswan, and GreenBow.
● IPsec is a standard IETF protocol. Any vendor device that supports IPsec can
interconnect with HUAWEI CLOUD, so the specific device model does not matter.
Currently, most enterprise-level routers and firewalls support the IPsec protocol.
● The feature specifications of some hardware vendors state that their products support
IPsec VPN, but in fact a software license must be purchased to activate the related
functions, for example on Cisco ISR series routers.
Contact the data center administrator to confirm the device model with the vendor.
3. Click More Products and then Virtual Private Network under Network.
NOTE
When submitting a service ticket, select a ticket type to facilitate problem handling.
After the VPN is set up successfully, the two subnets can communicate with each
other. In this case, an application server accessing the database does so as if the
database were just another server on the same LAN.
This is a typical IPsec VPN scenario.
In addition, after the VPN is set up, services on the cloud and in the customer data
center can access each other.
NOTICE
● After a VPN is set up, pay attention to the network latency and packet loss to
ensure normal service running.
● It is recommended to run the ping command to check the packet loss and
network latency details.
NOTE
For example, if CIDR blocks a1 and a2 on the HUAWEI CLOUD side need to communicate
with CIDR blocks b1 and b2 on the customer side, one VPN connection is enough. You only
need to enter the CIDR blocks both on the HUAWEI CLOUD side and the customer side
when creating a VPN connection. The following figure shows an example.
NOTE
IPsec XAUTH is an extended technology of IPsec VPN. It prompts users to enter their
usernames and passwords during VPN negotiation.
Currently, HUAWEI CLOUD VPN does not support IPsec XAUTH.
SSL VPN connects a client to a LAN. For example, the portable computer of an
employee on a business trip accesses the internal network of the company.
Connection Modes
IPsec VPN requires fixed gateways, such as firewalls or routers, at both ends. The
administrator needs to configure gateways at both ends to complete IPsec VPN
negotiation.
SSL VPN requires the specified client software to be installed on the host, which then
connects to the SSL device using a username and password.
NOTE
The source and destination addresses of the ping packets must be protected by the VPN.
Before the connection is set up, the gateway IP addresses of both ends can be pinged.
However, pinging the gateway IP address does not trigger the setup of the VPN connection.
2. Pay-per-use is a postpaid billing mode, and the billing cycle is one hour. If you
create a pay-per-use VPN gateway, a VPN connection must be purchased
together with the VPN gateway. The total price includes the gateway
bandwidth price and the price of the VPN connection created with the VPN
gateway. When you create another connection for the gateway, only the price
of this created connection will be billed.
NOTE
● The IP address of the VPN gateway will not be billed. Only the bandwidth of the
VPN gateway will be billed.
● A VPN gateway cannot share a bandwidth with an EIP bound to an ECS.
NOTICE
In the pay-per-use billing mode, deleting the last connection of a VPN gateway
will also delete the gateway. If you want to retain the IP address, do not delete the
last VPN connection.
VPN Connection
The VPN connection status can be monitored. Value 1 indicates that the
connection is normal, and value 0 indicates that the connection is down.
To query VPN connection monitoring information, locate the target VPN
connection and click View Metric in the Operation column.
The test shows that the average VPN network speed is 180 Mbit/s, a deviation of about
10% from the purchased bandwidth. TCP (and therefore FTP, which runs over TCP) uses a
congestion control mechanism, and IPsec adds a new IP header to each packet. Therefore,
a network speed deviation of about 10% is normal for the VPN network.
Figure 1-6 shows the displayed result for the test performed using the iPerf3
client.
Figure 1-6 Test result for 200 Mbit/s bandwidth (iPerf3 client)
Figure 1-7 shows the displayed result for the test performed using the iPerf3
server.
Figure 1-7 Test result for 200 Mbit/s bandwidth (iPerf3 server)
2. If the ECSs on both sides of the VPN run CentOS 7, use iPerf3 to test the
network speed. The network speed can reach 180 Mbit/s.
3. If the ECS functioning as the server runs CentOS 7 and the ECS functioning as
the client runs Windows, use iPerf3 and FileZilla to test the network speed.
The network speed is only about 20 Mbit/s. The reason is that the TCP
implementations on Windows and Linux differ, which slows the transfer.
Therefore, if the ECSs on the two sides of the VPN run different OSs, the VPN
network speed does not meet the bandwidth requirements.
Figure 1-8 shows the displayed result of the test performed using iPerf3.
Figure 1-8 Test result when ECSs at the two sides run different OSs (iPerf3)
Perform the following steps to test the VPN gateway network speed if the
bandwidth of your VPN gateway is 1,000 Mbit/s:
The VPN gateway is shared by all VPN connections created on it, and the gateway
bandwidth is the total bandwidth of all these connections. When the bandwidth is
large, multiple ECSs are required to test the VPN gateway bandwidth because the
forwarding performance of a single ECS is limited. This scenario also has high
requirements on ECS specifications: the ECSs used for testing must have NICs that
support 2 Gbit/s or higher bandwidth.
The tests show that the actual VPN connection network speed on HUAWEI
CLOUD is within the normal range. However, the servers used on both sides of
the VPN connection must run the same type of OS, and the server NICs
must meet the configuration requirements.
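To put a number on the "new IP header" cost that the tests above attribute to IPsec, here is an added Python example (not from this FAQ) that computes the ESP tunnel-mode overhead for a 1500-byte MTU and checks a measured speed against the roughly 10% deviation the FAQ calls normal. The cipher-suite sizes (AES-CBC with HMAC-SHA256, and AES-GCM) are assumptions; the FAQ does not list the ESP algorithms in use.

```python
"""ESP tunnel-mode overhead and VPN throughput deviation check.

Added example, not part of the Huawei FAQ. The per-packet sizes of the
two cipher suites below are assumptions for illustration; the FAQ lists
only DH group 14, IKEv2 and PFS group 14 as defaults.
"""
from dataclasses import dataclass

IPV4_HDR = 20     # outer and inner IPv4 header, no options
TCP_HDR = 20      # TCP header, no options
ESP_HDR = 8       # SPI + sequence number (RFC 4303)
ESP_TRAILER = 2   # pad length + next header


@dataclass(frozen=True)
class EspSuite:
    """Per-packet sizes of an ESP transform (assumed values, see lead-in)."""
    name: str
    iv_len: int   # IV carried in each packet
    icv_len: int  # integrity check value appended to each packet
    block: int    # alignment the padding must satisfy


# Assumed suites: CBC pads to the 16-byte AES block, GCM only to 4 bytes.
AES_CBC_HMAC_SHA256 = EspSuite("aes256-sha256", iv_len=16, icv_len=16, block=16)
AES_GCM_128 = EspSuite("aes128gcm16", iv_len=8, icv_len=16, block=4)


def esp_padding(inner_len: int, suite: EspSuite) -> int:
    """Padding bytes so that payload + padding + trailer is block-aligned."""
    return (-(inner_len + ESP_TRAILER)) % suite.block


def esp_tunnel_size(inner_len: int, suite: EspSuite) -> int:
    """Wire size of an inner IPv4 packet after ESP tunnel-mode encapsulation."""
    return (IPV4_HDR + ESP_HDR + suite.iv_len + inner_len
            + esp_padding(inner_len, suite) + ESP_TRAILER + suite.icv_len)


def max_inner_packet(mtu: int, suite: EspSuite) -> int:
    """Largest inner packet whose encapsulated form still fits the MTU."""
    inner = mtu
    while esp_tunnel_size(inner, suite) > mtu:
        inner -= 1
    return inner


def tcp_goodput_ratio(mtu: int, suite: EspSuite) -> float:
    """Fraction of each outer packet that is TCP payload (MSS / wire size).

    This is only the header-overhead part of the deviation the FAQ
    describes; TCP congestion control on top of it is not modelled.
    """
    inner = max_inner_packet(mtu, suite)
    mss = inner - IPV4_HDR - TCP_HDR
    return mss / esp_tunnel_size(inner, suite)


def deviation(nominal_mbps: float, measured_mbps: float) -> float:
    """Relative shortfall of a measured speed against the purchased bandwidth."""
    return 1.0 - measured_mbps / nominal_mbps


def within_expected(nominal_mbps: float, measured_mbps: float,
                    tolerance: float = 0.10) -> bool:
    """True if the shortfall is inside the ~10% the FAQ treats as normal."""
    return deviation(nominal_mbps, measured_mbps) <= tolerance


if __name__ == "__main__":
    for suite in (AES_CBC_HMAC_SHA256, AES_GCM_128):
        inner = max_inner_packet(1500, suite)
        print(f"{suite.name}: max inner packet {inner} B, "
              f"TCP goodput {tcp_goodput_ratio(1500, suite):.1%}")
    # Figures from the FAQ's own test: 200 Mbit/s purchased, 180 Mbit/s measured.
    print("200 -> 180 Mbit/s: deviation", f"{deviation(200, 180):.0%},",
          "within expected:", within_expected(200, 180))
    # The 20 Mbit/s mixed-OS result is far outside the expected range.
    print("200 -> 20 Mbit/s within expected:", within_expected(200, 20))
```

The header overhead alone accounts for roughly 6 to 7% of the line rate at a 1500-byte MTU, so a measured 180 Mbit/s on a 200 Mbit/s gateway is consistent with the FAQ's explanation, while 20 Mbit/s points to something other than IPsec overhead.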
The number of VPN connections is irrelevant to the number of local subnets and
remote subnets. It is only related to the number of data centers (or VPCs in other
regions) to be connected to a VPC. The created VPN connections are displayed in the
VPN connection list. You can also view the number of created VPN connections on the
VPN gateway.
In most cases, a data center has a public network egress gateway. All servers
connect to the Internet through this gateway. Therefore, you only need to
configure one VPN connection to allow communications between HUAWEI CLOUD
VPC and your network.
After the VPN configuration is complete, only the traffic matching the ACL rules
enters the VPN tunnel.
For example, before a VPN is created, local users access the ECS through the EIP
bound to the ECS. After the VPN is created, data flows matching the ACL rules
access the private IP address of the ECS through the VPN tunnel.
#!/bin/sh
# Long-running reachability probe: pings HOST every 5 seconds and appends a
# timestamped up/down line to HOST.log (also echoed to the terminal).
host=$1
if [ -z "$host" ]; then
    echo "Usage: `basename $0` [HOST]"
    exit 1
fi
log_name="$host.log"
while :; do
    # -W 1: wait at most 1 s for a reply; -c 1: send a single probe.
    # grep fails (non-zero status) when no reply line is present.
    result=`ping -W 1 -c 1 "$host" | grep 'bytes from '`
    if [ $? -gt 0 ]; then
        echo "`date +'%Y/%m/%d %H:%M:%S'` - host $host is down" | tee -a "$log_name"
    else
        echo "`date +'%Y/%m/%d %H:%M:%S'` - host $host is ok -`echo $result | cut -d ':' -f 2`" | tee -a "$log_name"
    fi
    sleep 5 # avoid ping rain
done
#./ping.sh x.x.x.x >>/dev/null &
NOTE
1. Use vi to save the preceding script as the ping.sh file.
2. Run the chmod 777 ping.sh command to grant permissions to the file.
3. Run the script:
./ping.sh x.x.x.x >>/dev/null &
x.x.x.x indicates the IP address to be pinged.
4. Once the script is running, the x.x.x.x.log file is generated. Run the
following command to view the long-running ping result in real time:
tail -f x.x.x.x.log
3. After the configuration is complete, ping the local and the remote side from
each other to check whether the VPN connection is normal.
NOTE
1. VPN is triggered based on data flows. After the configuration is complete, you need to
ping the servers in the peer subnet. Before running the ping command, the server
firewall should be disabled and the security group on the cloud should allow inbound
ICMP requests.
2. Pinging the IP address of the gateway cannot trigger VPN negotiation. You need to ping
the server in the subnet protected by the gateway.
2 Product Consultation
Devices usually are routers and firewalls. For details, see Administrator Guide.
DH Algorithm: Group 14
Version: v2
PFS: DH Group 14
All rules must be added to the device before the VPN tunnel is established. Do not change
the local subnet and the remote subnet to restrict the access.
If the ECS needs to provide services accessible from the Internet, an EIP is required.
NOTE
After the VPN configurations take effect, you need to configure the gateway on your side to
complete tunnel negotiation with the VPN gateway on HUAWEI CLOUD. Then, the VPN
connection is successfully established.
● The egress bandwidth of the cloud end of the VPN connection must be
less than that of the end of the VPN connection off the cloud.
If you select the pay-per-use billing mode, both billing by bandwidth and by traffic
are supported.
● If billing by bandwidth is selected and the billing cycle is one hour, the
generated fee varies according to the bandwidth size.
● If billing by traffic is selected, the traffic fees generated each hour will be
collected. The bandwidth size does not affect the public traffic price per GB.
The billing is based on the generated traffic going out of a VPC.
The VPN service is charged independently and cannot use the shared data
package.
A VPN connects a VPC subnet and the network in a customer data center, that is,
a site-to-site connection.
3. Check the route of the gateway in the customer data center to ensure that
traffic destined for the HUAWEI CLOUD VPC is routed to the correct egress
interface (the interface with IPsec policy bound).
NOTE
IDC indicates the customer data center. A VPN connection is established between VPC 1
and the IDC.
Procedure
1. Check whether the two VPCs are in the same region.
– If the two VPCs are in the same region, they can be connected through a
VPC peering or Cloud Connect connection (free of charge).
– If the two VPCs are in different regions, use a Cloud Connect connection
(you need to pay for the bandwidth fee).
2. Establish a VPN connection between the IDC and a VPC. Set the remote
subnet on the IDC side to the subnets of VPC 1 and VPC 2. The local subnet of VPC
1 must contain the subnet connected through the VPC peering or Cloud
Connect connection, and the subnet route of the VPC peering or Cloud Connect
connection must have the IDC subnet as its destination.
Only one VPN connection is required between two regions. The subnets can all be
added to the VPN connection.
With the help of the VPC Endpoint Service, you can access OBS through a VPN. You
need to create two VPC endpoints, one for the private DNS server and one for OBS.
Then configure the HUAWEI CLOUD private DNS server and the corresponding route on
the customer side.
For example, if Region A needs to establish VPN connections with Region B and
Region C, respectively, the VPN gateway of Region A has two connections, which
are used to connect to Region B and Region C, respectively. The VPN gateway of
Region B has one connection, and the VPN gateway of Region C also has one
connection.
Therefore, you need four VPN connections and each connection belongs to its own
region.
V5 15
V4 15
V3 7
V2 7
V1 7
V0 1
NOTICE
In the pay-per-use billing mode, deleting the last connection of a VPN gateway
will also delete the gateway. If you want to retain the IP address, do not delete the
last VPN connection.
● Create a VPN gateway. The gateway IP address and bandwidth are assigned when
the gateway is created; you need to set Region, Name, Billing Mode, VPC to be
associated, Billed By, and Bandwidth. Region, Billing Mode, VPC to be
associated, and Billed By cannot be modified after the VPN gateway is
created.
● Create a VPN connection. You need to specify the connection name,
associated VPN gateway, local subnet, PSK, remote gateway, remote subnet,
and negotiation policies. The connection name, local subnet, PSK, remote
gateway, remote subnet, and negotiation policies can be modified after the
VPN connection is created.
By default, the PFS function is disabled on some vendors' devices. Check the device
configuration manual to ensure that the PFS function is enabled.
NOTE
3. The number of VPC subnet routes cannot exceed 200. That is, the total
number of remote subnets of the VPN connection, remote subnets of the
Direct Connect connection, subnets of the VPC peering connection, and
custom routes in a VPC cannot exceed 200.
● You can also submit a service ticket to upgrade the gateway to the new
edition (running services are not affected).
By default, the bandwidth of a VPN gateway upgraded to the new edition is 10
Mbit/s. You can adjust the bandwidth as required. The bandwidth of a VPN
gateway billed on a yearly/monthly basis cannot be decreased.
3. Click More Products and then Virtual Private Network under Network.
NOTE
When submitting a service ticket, select a ticket type to facilitate problem handling.
NOTE
IPsec XAUTH is an extended technology of IPsec VPN. It prompts users to enter their
usernames and passwords during VPN negotiation.
Currently, HUAWEI CLOUD VPN does not support IPsec XAUTH.
VPN Connection
The VPN connection status can be monitored. Value 1 indicates that the
connection is normal, and value 0 indicates that it is not connected.
To query VPN connection monitoring information, locate the target VPN
connection and click View Metric in the Operation column.
After a VPN connection is created, the VPN connection status will be reported to
Cloud Eye, but alarm notifications will not be automatically sent to you. You need
to set alarm rules on Cloud Eye to receive notifications.
After a VPN connection is created, locate the row that contains the target VPN
connection and choose Operation > View Metric to switch to the monitoring
page.
NOTE
● Common home broadband routers, personal mobile terminals, and VPN services (such
as L2TP) provided by Windows hosts cannot interconnect with HUAWEI CLOUD VPN.
● Vendors that have performed the interconnection test with the HUAWEI CLOUD VPN
service include but are not limited to Huawei (routers and firewalls), H3C (routers and
firewalls), Cisco (routers and firewalls), Ruijie (routers and firewalls), ZTE, Sangfor,
Fortinet, 360, Topsec, Hillstone, NetentSec, NSFOCUS, DELL, ZyXEL, and Juniper.
● Cloud service providers include but are not limited to Alibaba Cloud, Tencent Cloud, and
Amazon.
● Software vendors include but are not limited to openSwan, Strongswan, and GreenBow.
● The IPsec protocol is a standard IETF protocol. Any vendor device that supports IPsec
can interconnect with HUAWEI CLOUD, so the specific device model does not matter.
Currently, most enterprise-level routers and firewalls support the IPsec protocol.
● The datasheets of some hardware vendors state that a product supports IPsec VPN, but a
software license must be purchased to activate the function (for example, Cisco ISR
series routers).
Contact the data center administrator to confirm the device model with the vendor.
DH Algorithm: Group 14
Version: v2
PFS: DH Group 14
NOTE
establishment of a tunnel. If no data flow is exchanged between the cloud and the
customer data center, the VPN connection will always be in the down state. The
data flow can be real service access data or ping data between servers.
NOTE
The source and destination addresses of the ping packets must be protected by the VPN.
Before the connection is set up, the gateway IP addresses of both ends can be pinged.
However, pinging the gateway IP address does not trigger the setup of the VPN connection.
To set up a VPN, you also need to configure the IPsec VPN on the router or
firewall in your own data center. The configuration method may vary depending
on your network device in use. For details, see the configuration guide of your
network device.
This section describes how to configure the IPsec VPN on a Huawei USG6600
series V100R001C30SPC300 firewall for your reference.
For example, the subnets of the data center are 192.168.3.0/24 and
192.168.4.0/24, the subnets of the VPC are 192.168.1.0/24 and 192.168.2.0/24, and
the public IP address of the IPsec tunnel egress in the VPC is XXX.XXX.XX.XX, which
can be obtained from the local gateway parameters of the IPsec VPN in the VPC.
Procedure
1. Log in to the CLI of the firewall.
2. Check firewall version information.
display version
17:20:50 2017/03/09
Huawei Versatile Security Platform Software
Software Version: USG6600 V100R001C30SPC300 (VRP (R) Software, Version 5.30)
3. Create an access control list (ACL) and bind it to the target VPN instance.
5. Create an IKE peer and reference the created IKE proposal. The peer IP
address is 93.188.242.110.
ike peer vpnikepeer_64
pre-shared-key ******** (******** specifies the pre-shared key.)
ike-proposal 64
undo version 2
remote-address vpn-instance vpn64 93.188.242.110
sa binding vpn-instance vpn64
q
7. Create an IPsec policy and reference the IKE policy and IPsec proposal.
ipsec policy vpnipsec64 1 isakmp
security acl 3065
pfs dh-group5
ike-peer vpnikepeer_64
proposal ipsecpro64
local-address xx.xx.xx.xx
q
All rules must be added to the device before the VPN tunnel is established. Do not change
the local subnet and the remote subnet to restrict the access.
NOTE
After DPD fails, the tunnel will be deleted without affecting service stability.
DPD can detect exceptions of the IKE process on the peer end in time and reset the tunnel
to ensure tunnel synchronization between the two ends. After a tunnel is deleted, if there is
user traffic transmitted over the tunnel, the tunnel can be re-established through
negotiation.
Configuration method:
● If the local and remote subnets are modified, the connection ID remains
unchanged, but the subnet information at both ends of the connection is
updated. If not all subnets are updated, the established tunnel between
subnets will not be re-established.
● If the IP address of the remote gateway is changed, the connection ID will not
be changed, but the peer end has changed. The connection needs to be
re-established.
● If only the pre-shared keys of the connection are changed, the connection ID
and status will not be changed. The keys will be checked again during
renegotiation. If the keys do not match, the renegotiation fails.
● If the negotiation policy is modified (pre-shared key authentication is
required), the connection ID will be changed and the connection needs to be
re-established.
Ensure that the routing, NAT, and security rules are correctly configured on the
gateway device of the customer data center. Then, ping the servers in subnets at
both ends.
● ACLs of the devices at the two ends of the tunnel do not match.
3. After the configuration is complete, ping the local and the remote side from
each other to check whether the VPN connection is normal.
● IKE v1:
If no traffic goes through the VPN for a period of time, the VPN needs to be
renegotiated. The negotiation time depends on the value of Lifecycle (s) in
the IPsec policy. Generally, Lifecycle (s) is 3600 (1 hour), which means that
renegotiation is initiated in the fifty-fourth minute. If the negotiation
succeeds, the connection remains up until the next round of negotiation. If
the negotiation fails, the status is set to Not Connected within one hour.
The connection is restored once the two sides of the VPN communicate with
each other again. The disconnection can be avoided by using a network
monitoring tool, such as IP SLA, to generate packets.
● IKE v2: If no traffic goes through the VPN for a period of time, the VPN
remains in the connected status.
HUAWEI CLOUD VPNs have the DPD mechanism enabled by default to detect the
status of the IKE process in the customer data center.
After three consecutive detection failures, HUAWEI CLOUD considers that the IKE
process of the customer data center is abnormal. In this case, HUAWEI CLOUD
deletes the local tunnel to ensure tunnel synchronization between the two ends.
The DPD protocol does not require the peer end to be configured in the same
way, but it does require that the peer end respond to DPD probes. To keep the
tunnel status of the two ends consistent and avoid a situation where one end
has a tunnel and the other does not, it is recommended that you enable the DPD
mechanism on the gateway on your side to detect the status of the IKE process
of the VPN service on the HUAWEI CLOUD side.
The IP address of a VPN gateway is assigned when the VPN gateway is created
and must be used together with the related configurations. An EIP does not
support VPN interconnection.
If the ECS needs to provide services accessible from the Internet, an EIP is required.
Whether to retain an EIP depends on your service. If an ECS obtains data from the
customer data center through a VPN and also provides services to Internet users, its
EIP must be retained.
9 Route Configurations
10 Subnet Setting
● Run a long ping on the subnets at both ends. The script content is as follows:
#!/bin/sh
# Long ping: probe one host every 5 seconds and append a timestamped line to <host>.log
host=$1
if [ -z "$host" ]; then
    echo "Usage: `basename $0` [HOST]"
    exit 1
fi
log_name="$host.log"
while :; do
    # -W 1: wait at most 1 s for the reply; -c 1: one probe per loop iteration
    result=`ping -W 1 -c 1 "$host" | grep 'bytes from '`
    if [ $? -gt 0 ]; then
        echo "`date +'%Y/%m/%d %H:%M:%S'` - host $host is down" | tee -a "$log_name"
    else
        # keep the part after the colon: icmp_seq, ttl and round-trip time
        echo "`date +'%Y/%m/%d %H:%M:%S'` - host $host is ok -`echo $result | cut -d ':' -f 2`" | tee -a "$log_name"
    fi
    sleep 5 # avoid ping rain
done
# Usage: ./ping.sh x.x.x.x >>/dev/null &
NOTE
1. Use the vi editor to copy the preceding script to the ping.sh file.
2. Run the chmod 777 ping.sh command to grant permissions to the file.
3. Run the ping command:
./ping.sh x.x.x.x >>/dev/null &
x.x.x.x indicates the IP address to be pinged.
4. After the ping command is executed, the x.x.x.x.log file is generated. Run the
following command:
tail -f x.x.x.x.log
You can view the long ping result in real time.
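The following added example (not part of the Huawei FAQ) reads the x.x.x.x.log file that the long-ping script above writes and collapses the per-probe lines into outages with their duration and the observed RTT range, so a drop at an IKEv1 renegotiation or a DPD reset shows up as one line instead of hundreds. It assumes the log format produced by the script and uses constructed sample lines.

```python
import re
from datetime import datetime

# Matches the two line shapes the ping.sh script writes (format assumed from the script):
#   2020/11/30 10:54:00 - host 192.168.3.10 is down
#   2020/11/30 10:54:10 - host 192.168.3.10 is ok - icmp_seq=1 ttl=64 time=14.0 ms
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) - host (?P<host>\S+) is "
    r"(?P<state>ok|down)(?: -.*?time=(?P<rtt>[\d.]+) ms)?"
)

def parse_line(line):
    """Return a dict for one log line, or None for anything that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"),
        "host": m.group("host"),
        "up": m.group("state") == "ok",
        "rtt": float(m.group("rtt")) if m.group("rtt") else None,
    }

def summarize(lines):
    """Collapse consecutive 'down' lines into (start, end, seconds) outages; end is None if still down."""
    outages, rtts = [], []
    down_since = last_ts = None
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip partial or foreign lines
        last_ts = rec["ts"]
        if rec["up"]:
            if rec["rtt"] is not None:
                rtts.append(rec["rtt"])
            if down_since is not None:
                outages.append((down_since, rec["ts"], (rec["ts"] - down_since).total_seconds()))
                down_since = None
        elif down_since is None:
            down_since = rec["ts"]
    if down_since is not None:  # still down when the log ends
        outages.append((down_since, None, (last_ts - down_since).total_seconds()))
    return {
        "outages": outages,
        "max_rtt_ms": max(rtts) if rtts else None,
        "avg_rtt_ms": sum(rtts) / len(rtts) if rtts else None,
    }

# Constructed sample: a 10-second drop of the kind seen when an IKEv1 SA is renegotiated.
SAMPLE_LOG = [
    "2020/11/30 10:53:50 - host 192.168.3.10 is ok - icmp_seq=1 ttl=64 time=12.3 ms",
    "2020/11/30 10:53:55 - host 192.168.3.10 is ok - icmp_seq=1 ttl=64 time=11.8 ms",
    "2020/11/30 10:54:00 - host 192.168.3.10 is down",
    "2020/11/30 10:54:05 - host 192.168.3.10 is down",
    "2020/11/30 10:54:10 - host 192.168.3.10 is ok - icmp_seq=1 ttl=64 time=14.0 ms",
]

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for start, end, secs in report["outages"]:
        print("outage %s -> %s (%.0f s)" % (start, end, secs))
    print("avg RTT %.1f ms, max RTT %.1f ms" % (report["avg_rtt_ms"], report["max_rtt_ms"]))
```

Replace SAMPLE_LOG with `open("x.x.x.x.log")` to run it over a real long-ping log.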
13 Monitoring
2. Choose Topic Management > Topics and click Create Topic to create a topic,
for example, VPN-huaweicloud.
Select a topic, set Protocol to Email, and enter the email address for receiving
the message in the Endpoint box.
NOTE
After the subscription is added, the system sends a confirmation email to that
address. Confirm the subscription from the email.
2. Create an alarm rule for the bandwidth usage of the VPN gateway.
Enter the name, select Elastic IP and Bandwidth for Resource Type, set
Dimension to Bandwidths, Monitoring Scope to Specific resources and
select the target VPN gateway, set Method to Create manually, and Alarm
Policy to Outbound Bandwidth Usage, 5 consecutive periods, >, and 90. Set
Notification Object to an SMN topic and use the default values for other
parameters.
3. Create a VPN connection status alarm rule.
The creation process is similar to that of bandwidth. Select Virtual Private
Network for Resource Type, set Dimension to VPN connections,
Monitoring Scope to Specific resources and select the target VPN
connection, set Method to Create manually, and Alarm Policy to VPN
Connection Status, <, and 1. Set Notification Object to an SMN topic and
use the default values for other parameters.
4. Create an alarm rule for monitoring IDC links.
Create a website monitoring task, set Type to PING, URL to the gateway IP
address of the customer data center, and retain the default values for other
parameters. Create an alarm rule, select Website Monitoring for Resource
Type, set Monitoring Scope to Specific resources and select the target
website monitoring task, set Method to Create manually, and Alarm Policy
to Available Monitoring Location Count, and configure other parameters as
required. Set Notification Object to an SMN topic and use the default values
for other parameters.
The test shows that the average VPN network speed is 180 Mbit/s, which is about a
10% deviation from the bandwidth. TCP (and FTP, which runs over TCP) applies
congestion control, and IPsec adds a new IP header to every packet. Therefore,
a network speed deviation of about 10% is normal for a VPN.
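To put a number on the "new IP header" part of that deviation, here is an added example (not from the Huawei FAQ) that computes the ESP tunnel-mode encapsulation overhead and the resulting ceiling on TCP payload throughput for a given gateway bandwidth. It assumes IPv4 outer headers, a 1500-byte MTU and AES-CBC with HMAC-SHA1-96 field sizes, since the FAQ does not state which proposal the test negotiated.

```python
# Representative ESP tunnel-mode encapsulation over IPv4. The cipher/integrity
# sizes are assumptions (AES-CBC: 16-byte IV and block; HMAC-SHA1-96: 12-byte ICV);
# the FAQ does not state the proposal that was negotiated for the test.
OUTER_IPV4_HDR = 20   # new outer IP header added in tunnel mode
ESP_SPI_SEQ = 8       # ESP SPI + sequence number
ESP_TRAILER = 2       # pad length + next header


def esp_tunnel_size(inner_len, iv_len=16, block=16, icv_len=12):
    """Bytes on the wire for one inner IP packet of inner_len bytes."""
    # Padding makes (inner + trailer) a multiple of the cipher block size.
    padding = (-(inner_len + ESP_TRAILER)) % block
    return OUTER_IPV4_HDR + ESP_SPI_SEQ + iv_len + inner_len + padding + ESP_TRAILER + icv_len


def max_inner_len(outer_mtu=1500, **kw):
    """Largest inner packet whose encapsulated form still fits the outer MTU
    (the size MSS clamping or path-MTU discovery steers TCP towards)."""
    inner = outer_mtu
    while inner > 0 and esp_tunnel_size(inner, **kw) > outer_mtu:
        inner -= 1
    return inner


def tcp_goodput_fraction(outer_mtu=1500, ip_tcp_hdr=40, **kw):
    """Share of wire bytes that is TCP payload once the inner packet is sized to fit."""
    inner = max_inner_len(outer_mtu, **kw)
    return (inner - ip_tcp_hdr) / esp_tunnel_size(inner, **kw)


def expected_goodput_mbps(bandwidth_mbps, outer_mtu=1500, **kw):
    """Upper bound on application throughput from encapsulation overhead alone."""
    return bandwidth_mbps * tcp_goodput_fraction(outer_mtu, **kw)


if __name__ == "__main__":
    inner = max_inner_len()
    print("inner packet %d B -> %d B on the wire" % (inner, esp_tunnel_size(inner)))
    print("encapsulation alone caps 200 Mbit/s at about %.1f Mbit/s of TCP payload"
          % expected_goodput_mbps(200))
    # The remaining gap down to the measured 180 Mbit/s is TCP congestion control
    # and the iPerf3/FTP measurement itself.
```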
Figure 14-1 shows the displayed result for the test performed using the iPerf3
client.
Figure 14-1 Test result for 200 Mbit/s bandwidth (iPerf3 client)
Figure 14-2 shows the displayed result for the test performed using the iPerf3
server.
Figure 14-2 Test result for 200 Mbit/s bandwidth (iPerf3 server)
2. If the ECSs at the two sides of the VPN both run CentOS 7, use iPerf3 to
test the network speed. The network speed can reach 180 Mbit/s.
3. If the ECS functioning as the server runs CentOS 7 and the ECS functioning
as the client runs Windows, use iPerf3 and FileZilla to test the network
speed.
The network speed is about 20 Mbit/s. The reason is that the TCP
implementations on Windows and on Linux differ, which slows the transfer.
Therefore, if the ECSs at the two sides of the VPN run different OSs, the VPN
network speed does not reach the configured bandwidth.
Figure 14-3 shows the displayed result of the test performed using iPerf3.
Figure 14-3 Test result when ECSs at the two sides run different OSs (iPerf3)
Perform the following steps to test the VPN gateway network speed if the
bandwidth of your VPN gateway is 1,000 Mbit/s:
The VPN gateway is shared by all created VPN connections, and the VPN gateway
bandwidth size is the total bandwidth sizes of all VPN connections. When the
bandwidth size is large, multiple ECSs are required to test the VPN gateway
bandwidth because the forwarding performance of each ECS is limited. In addition,
this scenario has high requirements on ECS specifications. The ECSs used for
testing must have NICs that support 2 Gbit/s or higher bandwidth.
The tests show that the actual VPN connection network speed on HUAWEI
CLOUD is within the normal range. However, the servers at both sides of
the VPN connection must run OSs of the same type, and the server NICs
must meet the configuration requirements.
15 Quotas
2. Click in the upper left corner and select the desired region and project.
3. In the upper right corner of the page, choose Resources > My Quotas.
The Service Quota page is displayed.
4. View the used and total quota of each type of resources on the displayed
page.
If a quota cannot meet your service requirements, click Increase Quota to
adjust it.
16 Account Permissions
For details about the permissions required for creating a VPN connection, see
What Should I Do If the System Displays a Message Indicating That I Do Not
Have the Permissions to Create a VPN?