
Virtual Private Network

FAQ

Issue 01
Date 2020-11-30

HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2020. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior
written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

HUAWEI and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees
or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.

Issue 01 (2020-11-30) Copyright © Huawei Technologies Co., Ltd. i


Virtual Private Network
FAQ Contents

Contents

1 Most Frequently Asked Questions

1.1 What Devices Can Be Connected to HUAWEI CLOUD Through a VPN?
1.2 What Are VPN Negotiation Parameters? What Are Their Default Values?
1.3 What Are the Categories of VPN Service Tickets? How Do I Create a VPN Service Ticket?
1.4 Can I Deploy Applications on the Cloud, Databases in a Local IDC, and Then Connect Them Through a VPN?
1.5 Can I Visit Websites Across International Borders Using a VPN?
1.6 What Is a VPN Connection? How Do I Set the Number of VPN Connections When Buying a VPN Gateway?
1.7 Will I Be Notified If a VPN Connection Is Interrupted?
1.8 Are a Username and Password Required for Creating an IPsec VPN Connection?
1.9 What Are the Differences Between the Application Scenarios and Connection Modes of IPsec and SSL VPNs?
1.10 Will an IPsec VPN Connect Automatically?
1.11 What Fees Will Be Incurred for Creating a VPN? Will I Be Billed for VPN Gateway IP Addresses?
1.12 Can a VPN Gateway IP Address Be Retained After the VPN Gateway Is Deleted?
1.13 Which Resources of a VPN Can Be Monitored?
1.14 Which Is the Direction of the Bandwidth to Be Limited and What Is the Unit of the Bandwidth?
1.15 What Is the Actual VPN Connection Network Speed?
1.16 Can a VPN Billed by Traffic Use a Shared Data Package?
1.17 What Are the Relationships Between a VPC, a VPN Gateway, and a VPN Connection?
1.18 What Are the Remote Gateway and Remote Subnet in a VPN Connection?
1.19 How Many VPN Connections Do I Need to Connect to Multiple Servers in a Data Center?
1.20 Does a VPN Allow for Communication Between Two VPCs?
1.21 What Are the Impacts of a VPN on a Local Network? What Are the Changes to the Route for Accessing an ECS?
1.22 Can I Use a Gateway with Two Egresses to Establish Two VPN Connections with the Same VPC?
1.23 How Can I Prevent VPN Connection Interruption?
1.24 Why Is "Not Connected" Displayed as the Status for a Successfully Created VPN?
1.25 What Do I Do If VPN Connection Setup Fails?
1.26 Can an EIP Be Used as a VPN Gateway IP Address?
1.27 Why Is the VPN Connection Always in the "Not Connected" State Even After Its Configuration Is Complete?
1.28 Do I Need to Configure ACL Rules on the HUAWEI CLOUD Management Console After I Have Configured ACL Rules on the Gateway Device of the On-premises Data Center?

2 Product Consultation

2.1 What Are the Applicable Scenarios of IPsec VPN?
2.2 What Are a VPC, a VPN Gateway, and a VPN Connection?
2.3 What Are the Relationships Between a VPC, a VPN Gateway, and a VPN Connection?
2.4 What Is a VPN Connection? How Do I Set the Number of VPN Connections When Buying a VPN Gateway?
2.5 What Are the Remote Gateway and Remote Subnet in a VPN Connection?
2.6 Will an IPsec VPN Connect Automatically?
2.7 What Devices Can Be Connected to HUAWEI CLOUD Through a VPN?
2.8 What Are VPN Negotiation Parameters? What Are Their Default Values?
2.9 What Are the Categories of VPN Service Tickets? How Do I Create a VPN Service Ticket?
2.10 Are a Username and Password Required for Creating an IPsec VPN Connection?
2.11 How Do I Allow Specific Servers to Access a Subnet on the Cloud Through a Created VPN Connection?
2.12 Which Resources of a VPN Can Be Monitored?
2.13 Can an EIP Be Used as a VPN Gateway IP Address?
2.14 Do I Need to Purchase an EIP for Servers That Communicate with Each Other Through a VPN?
2.15 Are SSL VPNs Supported?
2.16 How Long Does It Take for Delivered VPN Configurations to Take Effect?
2.17 What Should I Do If I Cannot Create Connections for a VPN Gateway That Has No Bandwidth Information?
2.18 Does HUAWEI CLOUD VPN Support IPv6 Addresses?
2.19 How Do I Determine My VPN Bandwidth Size?
2.20 Does a VPN Connection Support Chinese Encryption Algorithms?
2.21 Can I Visit Websites Across International Borders Using a VPN?
2.22 Can I Deploy Applications on the Cloud, Databases in a Local IDC, and Then Connect Them Through a VPN?
2.23 What Are the Differences Between the Application Scenarios and Connection Modes of IPsec and SSL VPNs?
2.24 What Fees Will Be Incurred for Creating a VPN? Will I Be Billed for VPN Gateway IP Addresses?
2.25 What Is the Difference Between Billing a VPN Gateway by Bandwidth or by Traffic?
2.26 Can a VPN Billed by Traffic Use a Shared Data Package?
2.27 Can a VPN Gateway IP Address Be Retained After the VPN Gateway Is Deleted?
2.28 Do I Need to Purchase an EIP for Servers That Communicate with Each Other Through a VPN?
2.29 Where Can I Add a Route to Reach the Remote Subnet on the VPN Console?
2.30 Will I Be Notified If a VPN Connection Is Interrupted?
2.31 What Do I Do If VPN Connection Setup Fails?
2.32 Which Is the Direction of the Bandwidth to Be Limited and What Is the Unit of the Bandwidth?

3 Networking and Application Scenarios

3.1 Can I Visit Websites Across International Borders Using a VPN?
3.2 Can I Deploy Applications on the Cloud, Databases in a Local IDC, and Then Connect Them Through a VPN?
3.3 How Many VPN Connections Do I Need to Connect to Multiple Servers in a Data Center?
3.4 Do I Need to Install IPsec Software on Each Server That Needs to Access an ECS to Establish a VPN Connection?
3.5 What Are the Differences Between the Application Scenarios and Connection Modes of IPsec and SSL VPNs?
3.6 Does a VPN Allow for Communication Between Two VPCs?
3.7 What Are the Impacts of a VPN on a Local Network? What Are the Changes to the Route for Accessing an ECS?
3.8 What Configurations Are Required on Both Ends of a VPN to Implement Communication Between a Customer Data Center and a VPC?
3.9 Can I Use a Gateway with Two Egresses to Establish Two VPN Connections with the Same VPC?
3.10 Can Two VPCs in the Same Region Be Connected Through a VPN?
3.11 How Can I Connect Two VPCs in the Same Region?
3.12 How Do I Replace a Direct Connect Connection with a VPN?
3.13 How Can I Connect Two VPCs Created on the Cloud to the IDC Network?
3.14 How Do I Connect Four Subnets?
3.15 Do I Need Two VPN Connections to Connect Four Subnets of Two Regions (Each Region Has Two Subnets)?
3.16 Can I Access OBS Through a VPN?
3.17 How Do I Interconnect My Personal Computer with a VPN?
3.18 How Do I Access HUAWEI CLOUD ECSs From Home After My Enterprise Network Is Connected to HUAWEI CLOUD Through a VPN?
3.19 How Do I Create a VPN Connection Temporarily If No Device That Supports IPsec Is Available Off the Cloud After I Purchase a HUAWEI CLOUD VPN Gateway and Connections?
3.20 How Do I Select a Proper Region on the Cloud When Creating a VPN Gateway?

4 Billing and Payments

4.1 What Fees Will Be Incurred for Creating a VPN? Will I Be Billed for VPN Gateway IP Addresses?
4.2 What Is the Difference Between Billing a VPN Gateway by Bandwidth or by Traffic?
4.3 Can a VPN Billed by Traffic Use a Shared Data Package?
4.4 How Many VPN Connections Do I Need to Connect VPCs in Different Regions?
4.5 When Will VPN Resources Be Frozen? How Can I Unfreeze VPN Resources?

5 Related Operations on the Console

5.1 What Are the Relationships Between a VPC, a VPN Gateway, and a VPN Connection?
5.2 How Long Does It Take for Delivered VPN Configurations to Take Effect?
5.3 Why Is the VPN Connection Always in the "Not Connected" State Even After Its Configuration Is Complete?
5.4 Can a VPN Gateway IP Address Be Retained After the VPN Gateway Is Deleted?
5.5 Do I Need to Create a VPN Gateway or a VPN Connection for Creating a VPN? Which Information About a Created VPN Can Be Modified?
5.6 Do I Need to Configure ACL Rules on the HUAWEI CLOUD Management Console After I Have Configured ACL Rules on the Gateway Device of the On-premises Data Center?
5.7 What Do I Do If an Exception Occurs When I Add a Remote Subnet During VPN Connection Creation?
5.8 Where Can I Add a Route to Reach the Remote Subnet on the VPN Console?
5.9 Does HUAWEI CLOUD Support APIs?
5.10 What Are the Remote Gateway and Remote Subnet in a VPN Connection?
5.11 How Do I Disable the PFS Function When Creating a VPN Connection?
5.12 What Is the Limitation on the Number of Local and Remote Subnets of a VPN? Why Is an Error Message Displayed When I Update the Local Subnet by Specifying a CIDR Block?
5.13 Can the Local Subnet Be Within the Remote Subnet of a VPN?
5.14 Why Is the Status of a VPN Connection "Not Connected" on the Management Console Although It Is Already Available?
5.15 What Do I Do If a Message Is Displayed Indicating That the VPN Connection Does Not Exist After Negotiation Policies Are Modified?
5.16 What Should I Do If I Cannot Create Connections for a VPN Gateway That Has No Bandwidth Information?
5.17 How Do I Reset a VPN Connection?
5.18 What Is the Maximum Bandwidth Supported by a VPN Gateway?
5.19 What Are the Categories of VPN Service Tickets? How Do I Create a VPN Service Ticket?
5.20 Are a Username and Password Required for Creating an IPsec VPN Connection?
5.21 Which Resources of a VPN Can Be Monitored?
5.22 Will I Be Notified If a VPN Connection Is Interrupted?

6 VPN Negotiation and Interconnection

6.1 What Devices Can Be Connected to HUAWEI CLOUD Through a VPN?
6.2 What Are VPN Negotiation Parameters? What Are Their Default Values?
6.3 Will an IPsec VPN Connect Automatically?
6.4 How Do I Configure a VPN for a Device in a Data Center? (Configuring the VPN on a Huawei USG6600 Series Firewall)
6.5 How Should I Configure the Gateway Device of the Customer Data Center When I Use a VPN to Connect to the Cloud?
6.6 Can HUAWEI CLOUD VPN Connect to a Remote Gateway Through a Domain Name?
6.7 How Many Tunnels Does My VPN Connection Have?
6.8 How Do I Allow Specific Servers to Access a Subnet on the Cloud Through a Created VPN Connection?
6.9 Do HUAWEI CLOUD VPNs Have the DPD Mechanism Enabled?
6.10 How Can I Use Security Groups to Prevent ECSs in a VPC From Being Accessed Through a VPN to Implement Security Isolation?
6.11 Will a VPN Connection Be Reestablished After Its Configuration Is Modified?
6.12 Why Can't I Initiate Negotiation from Amazon Web Services to HUAWEI CLOUD After They Are Interconnected?
6.13 How Do I Configure DPD for Interconnecting with HUAWEI CLOUD?
6.14 What Should I Do If My Firewall Cannot Receive IKE Phase 1 Response Packets from the HUAWEI CLOUD VPN Gateway?
6.15 What Should I Do If My Firewall Cannot Receive Response Packets from the HUAWEI CLOUD VPN Subnet?

7 Connection or Ping Failure

7.1 Why Is the VPN Connection Always in the "Not Connected" State Even After Its Configuration Is Complete?
7.2 How Can I Prevent VPN Connection Interruption?
7.3 What Is the Impact When the Bandwidth of a VPN Gateway Reaches the Limit?
7.4 Will an IPsec VPN Connect Automatically?
7.5 Why Can't a Peer ECS Be Pinged Even Though the Status of the VPN Connection Created Between the Two Regions Is Normal?
7.6 Why Can't Subnets Access Each Other When the IDC and the Cloud Are Interconnected and the VPN Connection Is Normal?
7.7 What Do I Do If a VPN Connection Is Interrupted and a Message Is Displayed Indicating That Data Flows Do Not Match?
7.8 What Do I Do If a VPN Connection Is Interrupted and a Message Is Displayed Indicating That DPD Times Out?
7.9 Why Is the Status of a VPN Connection "Not Connected" on the Management Console Although It Is Already Available?
7.10 Will I Be Notified If a VPN Connection Is Interrupted?
7.11 What Do I Do If VPN Connection Setup Fails?
7.12 What Should I Do If I Cannot Access the ECSs on the Cloud from My Data Center or LAN Even If the VPN Connection Has Been Set Up?
7.13 Why Is "Not Connected" Displayed as the Status for a Successfully Created VPN?
7.14 Do HUAWEI CLOUD VPNs Have the DPD Mechanism Enabled?

8 EIPs

8.1 Can a VPN Gateway IP Address Be Retained After the VPN Gateway Is Deleted?
8.2 Can an EIP Be Used as a VPN Gateway IP Address?
8.3 Do I Need to Purchase an EIP for Servers That Communicate with Each Other Through a VPN?
8.4 Why Does an ECS Have EIP Access Information After I Enable a VPN?
8.5 Can the Gateway of a Customer Data Center Have No Fixed Public IP Address?

9 Route Configurations

9.1 Where Can I Add a Route to Reach the Remote Subnet on the VPN Console?
9.2 Do I Need to Add a Route to Reach the Customer Data Center Network for an ECS with Multiple NICs?

10 Subnet Setting

10.1 What Are the Remote Gateway and Remote Subnet in a VPN Connection?
10.2 Can the Local Subnet Be Within the Remote Subnet of a VPN?
10.3 What Is the Limitation on the Number of Local and Remote Subnets of a VPN? Why Is an Error Message Displayed When I Update the Local Subnet by Specifying a CIDR Block?
10.4 What Do I Do If an Exception Occurs When I Add a Remote Subnet During VPN Connection Creation?
10.5 Can a VPN Gateway IP Address Be Retained After the VPN Gateway Is Deleted?

11 VPN Interesting Traffic

11.1 Do I Need to Configure ACL Rules on the HUAWEI CLOUD Management Console After I Have Configured ACL Rules on the Gateway Device of the On-premises Data Center?
11.2 How Do I Modify the Interesting Traffic of a VPN on the Cloud?

12 Keeping a VPN Connection Alive

12.1 How Can I Prevent VPN Connection Interruption?

13 Monitoring

13.1 Which Resources of a VPN Can Be Monitored?
13.2 Will I Be Notified If a VPN Connection Is Interrupted?
13.3 Can I View the Traffic of Each VPN Connection?
13.4 Will I Be Notified When the VPN Monitoring Result Is Abnormal?

14 Bandwidth and Network Speed

14.1 What Is the Actual VPN Connection Network Speed?
14.2 Which Is the Direction of the Bandwidth to Be Limited and What Is the Unit of the Bandwidth?
14.3 How Do I Change the VPN Bandwidth Size?
14.4 What Is the Impact When the Bandwidth of a VPN Gateway Reaches the Limit?
14.5 Why Does the VPN Bandwidth Change Not Take Effect?
14.6 Can a VPN Share Bandwidth with an EIP?
14.7 What Are the Differences Between the Bandwidth of a VPN Connection and That of a Direct Connect Connection?
14.8 How Do I Determine My VPN Bandwidth Size?

15 Quotas................................................................................................................................... 85
15.1 What Is the VPN Quota?................................................................................................................................................. 85
15.2 How Many VPN Gateways and VPN Connections Can I Create By Default?................................................ 86
15.3 How Do I Change My VPN Gateway and Connection Quotas?......................................................................... 86
15.4 How Many IPsec VPNs Can I Have?.............................................................................................................................87

16 Account Permissions........................................................................................................... 88
16.1 Are a Username and Password Required for Creating an IPsec VPN Connection?..................................... 88
16.2 What Should I Do If the System Displays a Message Indicating That I Do Not Have the Permissions
to Create a VPN?.......................................................................................................................................................................... 88
16.3 How Do I Determine that My Account Cannot Create a VPN Due to Insufficient Permissions?........... 88


1 Most Frequently Asked Questions

1.1 What Devices Can Be Connected to HUAWEI CLOUD Through a VPN?
HUAWEI CLOUD VPN supports the standard IPsec protocol. If devices in your data
center meet the following requirements, they can interconnect with HUAWEI
CLOUD.
1. Devices support IPsec VPN.
2. Your data center has a fixed public IP address or an IP address obtained after
performing NAT mapping on a fixed public IP address.
These devices are usually routers and firewalls. For details, see the Administrator Guide.

NOTE

● Common home broadband routers, personal mobile terminals, and VPN services (such
as L2TP) provided by Windows hosts cannot interconnect with HUAWEI CLOUD VPN.
● Vendors that have performed the interconnection test with the HUAWEI CLOUD VPN
service include but are not limited to Huawei (routers and firewalls), H3C (routers and
firewalls), Cisco (routers and firewalls), Ruijie (routers and firewalls), ZTE, Sangfor,
Fortinet, 360, Topsec, Hillstone, NetentSec, NSFOCUS, DELL, ZyXEL, and Juniper.
● Cloud service providers include but are not limited to Alibaba Cloud, Tencent Cloud, and
Amazon.
● Software vendors include but are not limited to openSwan, Strongswan, and GreenBow.
● IPsec is a standard IETF protocol. All vendors that support IPsec can
interconnect with HUAWEI CLOUD, and you do not need to pay attention to the
device model.
Currently, most enterprise-level routers and firewalls support the IPsec protocol.
● The feature specifications of some hardware vendors state that the products
support IPsec VPN, but a software license must in fact be purchased to activate
the related functions (for example, on Cisco ISR series routers).
Contact the data center administrator to confirm the device model with the vendor.


1.2 What Are VPN Negotiation Parameters? What Are Their Default Values?
Table 1-1 VPN negotiation parameters

IKE
  Authentication Algorithm: SHA2-256 (default), SHA1, MD5, SHA2-384, and SHA2-512
  Encryption Algorithm: AES-128 (default), AES-192, AES-256, and 3DES
  DH Algorithm: Group 14 (default), Group 1, Group 2, Group 5, Group 15, Group 16,
  Group 19, Group 20, and Group 21
  NOTE: In some regions, only Group 14, Group 2, and Group 5 are available.
  Version: v2 (default) and v1
  Lifecycle (s): 86400 (default). Unit: second. Value range: 60 to 604800
  Negotiation Mode: Main (default) and Aggressive. This parameter is mandatory
  when Version is set to v1.

IPsec
  Authentication Algorithm: SHA2-256 (default), SHA1, MD5, SHA2-384, and SHA2-512
  Encryption Algorithm: AES-128 (default), AES-192, AES-256, and 3DES
  PFS: DH group 14 (default), DH group 1, DH group 2, DH group 5, DH group 15,
  DH group 16, DH group 19, DH group 20, DH group 21, or Disable
  NOTE: In some regions, only DH group 14, DH group 2, and DH group 5 are available.
  Transfer Protocol: ESP (default), AH, and AH-ESP
  Transfer Mode: Only the tunnel mode is supported; the transport mode is not
  supported.
  Lifecycle (s): 3600 (default). Unit: second. Value range: 480 to 604800

NOTE

● Perfect Forward Secrecy (PFS) is a security feature.
IKE negotiation has two phases, phase one and phase two. The key of phase two (IPsec
SA) is derived from the key generated in phase one. Once the key in phase one is
disclosed, the security of the IPsec VPN may be adversely affected. To improve key
security, IKE provides the PFS function. After PFS is turned on, an additional DH
exchange is performed during IPsec SA negotiation, and a new set of IPsec SA keys
is generated, improving IPsec SA security.
● To add an extra layer of protection, PFS is enabled on HUAWEI CLOUD by default.
Ensure that this function is also enabled when you configure the gateway in your data
center. Otherwise, the negotiation fails.
● To enable PFS, ensure that the configurations on both ends are the same.
● The traffic-based lifetime of the IPsec SA is not configurable for the HUAWEI CLOUD
VPN service. The default value is 1843200 KB. This parameter is not a negotiation
parameter and does not affect the establishment of an IPsec SA.
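As an added example that is not Huawei's own code or configuration, the following shell function prints a strongSwan ipsec.conf conn stanza whose proposals mirror the Table 1-1 defaults (IKE v2, AES-128, SHA2-256, DH group 14, IKE lifecycle 86400 s, IPsec lifecycle 3600 s, PFS group 14) for a strongSwan-based data center gateway, one of the software peers listed in 1.1. The mapping of these values to strongSwan keywords, the function name, and the peer address and subnet arguments are assumptions of this example; with PFS switched off, the ESP proposal carries no DH group and phase-two negotiation against the cloud default fails, which is the mismatch the note above warns about.

```shell
#!/bin/bash
# Added example (not Huawei's code): render a strongSwan ipsec.conf "conn"
# stanza that matches the HUAWEI CLOUD negotiation defaults in Table 1-1.
# Keyword mapping (assumed): IKE v2 -> keyexchange=ikev2, SHA2-256 -> sha256,
# AES-128 -> aes128, DH group 14 / PFS group 14 -> modp2048,
# Lifecycle (s) 86400 -> ikelifetime, Lifecycle (s) 3600 -> lifetime.

# $1 connection name, $2 cloud VPN gateway IP (placeholder), $3 data center
# subnet (strongSwan "left"), $4 VPC subnet ("right"), $5 pfs: yes|no (default yes)
render_strongswan_conn() {
    local name=$1 peer=$2 dc_net=$3 vpc_net=$4 pfs=${5:-yes}
    local esp="aes128-sha256"
    # PFS is on by default on the cloud side, so the ESP proposal here must
    # carry the same DH group; without it the phase-two proposals do not match.
    [ "$pfs" = yes ] && esp="${esp}-modp2048"
    cat <<EOF
conn $name
    keyexchange=ikev2
    authby=secret
    ike=aes128-sha256-modp2048!
    esp=${esp}!
    ikelifetime=86400s
    lifetime=3600s
    type=tunnel
    left=%defaultroute
    leftsubnet=$dc_net
    right=$peer
    rightsubnet=$vpc_net
    dpddelay=30s
    dpdaction=restart
    auto=route
EOF
}

# Usage (placeholder peer address, sample subnets from section 1.25):
#   render_strongswan_conn huaweicloud 203.0.113.10 192.168.3.0/24 192.168.1.0/24
```

auto=route installs the policies and lets the first matching packet trigger negotiation, which matches the data-flow-triggered behaviour described in 1.10; the trailing "!" makes strongSwan propose only this suite, so the mismatch shows up at negotiation time rather than being hidden by a fallback proposal.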

1.3 What Are the Categories of VPN Service Tickets? How Do I Create a VPN Service Ticket?
1. Log in to the management console.
2. In the upper right corner of the management console, choose Service Tickets
> Create Service Ticket.

Figure 1-1 Creating a service ticket

3. Click More Products and then Virtual Private Network under Network.


Figure 1-2 Selecting Virtual Private Network

4. Select the service ticket type.

Figure 1-3 Selecting the service ticket type

NOTE

When submitting a service ticket, select a ticket type to facilitate problem handling.

Figure 1-4 Ticket category and classification basis

1.4 Can I Deploy Applications on the Cloud, Databases in a Local IDC, and Then Connect Them Through a VPN?
A VPN connects two subnets, that is, a VPC subnet and a customer data center network.


After the VPN is set up successfully, the two subnets can communicate with each
other. In this case, the application server accesses the database in the same way
that it accesses other servers on the same LAN.
This is a typical IPsec VPN scenario.
In addition, after the VPN is set up, services on the cloud and in the customer data
center can access each other.

NOTICE

● After a VPN is set up, pay attention to the network latency and packet loss to
ensure normal service running.
● You are advised to run the ping command to check the packet loss and
network latency.

1.5 Can I Visit Websites Across International Borders Using a VPN?
No.
A VPN connects a VPC subnet to the network of a customer data center, that is,
it provides a site-to-site connection.

1.6 What Is VPN Connection? How Do I Set the Number of VPN Connections When Buying a VPN Gateway?
A HUAWEI CLOUD VPN connection is an IPsec connection established between a
VPN gateway on the cloud side and an independent public IP address on the
customer side. You can configure multiple local subnets (subnets in the VPC) and
remote subnets (subnets on the customer side) for one connection.
The number of VPN connections to be created is determined by the number of
local data centers. Each VPN connection can connect a VPC to one data center.
When purchasing a yearly/monthly VPN gateway, set the number of VPN
connections based on the number of data centers to be connected.


NOTE

For example, if CIDR blocks a1 and a2 on the HUAWEI CLOUD side need to communicate
with CIDR blocks b1 and b2 on the customer side, one VPN connection is enough. You only
need to enter the CIDR blocks both on the HUAWEI CLOUD side and the customer side
when creating a VPN connection. The following figure shows an example.

1.7 Will I Be Notified If a VPN Connection Is Interrupted?
Monitoring the status of VPN connections is supported in regions such as CN
North-Beijing1, CN East-Shanghai2, and CN South-Guangzhou. All regions will
support the monitoring function in the future. After logging in to the
management console, select a region where the monitoring function is
supported, and then, under Management & Deployment, click Cloud Eye to set
alarm rules.
After a VPN connection is created, the VPN connection status will be reported to
Cloud Eye, but alarm notifications will not be automatically sent to you. You need
to set alarm rules on Cloud Eye to receive notifications.
After a VPN connection is created, locate the row that contains the target VPN
connection and choose Operation > View Metric to switch to the monitoring
page.


Figure 1-5 Viewing metrics about VPN connections

1.8 Are a Username and Password Required for Creating an IPsec VPN Connection?
HUAWEI CLOUD IPsec VPN uses a pre-shared key (PSK) for authentication. The
key is configured on a VPN gateway. A tunnel will be established after VPN
negotiation is complete. Therefore, usernames and passwords are not required.
Generally, SSL, PPTP, and L2TP VPNs use usernames and passwords for
authentication.

NOTE

IPsec XAUTH is an extended technology of IPsec VPN. It prompts users to enter their
usernames and passwords during VPN negotiation.
Currently, HUAWEI CLOUD VPN does not support IPsec XAUTH.

1.9 What Are the Differences Between the Application Scenarios and Connection Modes of IPsec and SSL VPNs?
Application Scenarios
IPsec VPN connects two LANs, such as a branch and its headquarter, or a local IDC
and a VPC.

SSL VPN connects a client to a LAN. For example, the portable computer of an
employee on a business trip accesses the internal network of the company.

Connection Modes
IPsec VPN requires fixed gateways, such as firewalls or routers, at both ends. The
administrator needs to configure gateways at both ends to complete IPsec VPN
negotiation.

SSL VPN requires dedicated client software to be installed, and the client connects
to the SSL device using a username and password.


NOTE

Currently, HUAWEI CLOUD only supports IPsec VPN.

1.10 Will an IPsec VPN Connect Automatically?


After IPsec VPN is configured on both ends, a connection will not be automatically
established. Data flows between the two ends are required to trigger the
establishment of a tunnel. If no data flow is exchanged between the cloud and the
customer data center, the VPN connection will always be in the down state. The
data flow can be real service access data or ping data between servers.
Tunnel establishment can be triggered in two modes. One is the negotiation
automatically triggered through the gateway devices of the connection and the
other is triggered by the traffic between servers on the cloud and in the local data
center.
HUAWEI CLOUD does not support automatic negotiation triggered by a VPN
gateway on the cloud. It is recommended that you verify that the connection can
be triggered by the data flows exchanged between the two ends when you set up
the connection for the first time. That is, use a server in the customer data center
to ping a server on the cloud to establish a connection, then disconnect the
connection and check that the connection can also be established after using a
server on the cloud to ping a server in the customer data center.

NOTE

The source and destination addresses of the ping packets must be protected by the VPN.
Before the connection is set up, the gateway IP addresses of both ends can be pinged.
However, pinging the gateway IP address does not trigger the setup of the VPN connection.

1.11 What Fees Will Be Incurred for Creating a VPN? Will I Be Billed for VPN Gateway IP Addresses?
The VPN billing modes include yearly/monthly and pay-per-use. Both the VPN
gateway bandwidth fee and VPN connection fee will be billed.
The gateway bandwidth can be billed by traffic or bandwidth.
1. If the billing mode of a VPN gateway is yearly/monthly, its bandwidth can
only be billed by bandwidth. If you create a yearly/monthly VPN gateway, the
price of the VPN gateway includes the price of the VPN connections created
for the gateway and the price of the bandwidth.


2. Pay-per-use is a postpaid billing mode, and the billing cycle is one hour. If you
create a pay-per-use VPN gateway, a VPN connection must be purchased
together with the VPN gateway. The total price includes the gateway
bandwidth price and the price of the VPN connection created with the VPN
gateway. When you create another connection for the gateway, only the price
of this created connection will be billed.
NOTE

● The IP address of the VPN gateway will not be billed. Only the bandwidth of the
VPN gateway will be billed.
● A VPN gateway cannot share a bandwidth with an EIP bound to an ECS.

1.12 Can a VPN Gateway IP Address Be Retained After the VPN Gateway Is Deleted?
After a VPN gateway is deleted, its IP address will not be retained.

After a VPN gateway is deleted on the management console, the resources
associated with the VPN gateway, such as its IP address, will be released.

NOTICE

In the pay-per-use billing mode, deleting the last connection of a VPN gateway
will also delete the gateway. If you want to retain the IP address, do not delete the
last VPN connection.

1.13 Which Resources of a VPN Can Be Monitored?


VPN Gateway

Bandwidth information that can be monitored includes bandwidth usage, inbound
traffic, inbound bandwidth, outbound traffic, outbound bandwidth, and outbound
bandwidth usage. To query the VPN gateway monitoring status, locate the target
VPN gateway and click View Metric in the Operation column.

VPN Connection

The VPN connection status can be monitored. Value 1 indicates that the
connection is normal, and value 0 indicates that the connection is not connected.
To query VPN connection monitoring information, locate the target VPN
connection and click View Metric in the Operation column.

1.14 Which Is the Direction of the Bandwidth to Be Limited and What Is the Unit of the Bandwidth?
Your purchased VPN gateway bandwidth is in the outbound direction. To balance
the traffic in the inbound and outbound directions, the bandwidth in the inbound
direction is limited.


● If the purchased bandwidth is less than or equal to 10 Mbit/s, the bandwidth
in the inbound direction is limited to 10 Mbit/s.
● If the purchased bandwidth is more than 10 Mbit/s, the bandwidth in the
inbound direction is the same as that of the purchased bandwidth.
The unit of bandwidth is Mbit/s and that of traffic is GB.

1.15 What Is the Actual VPN Connection Network Speed?
Assume that a VPN connection has been created and that two ECSs have been
created, one on the local side and the other on the remote side, and that the two
ECSs can ping each other.
Perform the following steps to test the VPN connection network speed if the
bandwidth of your VPN gateway is 200 Mbit/s:
1. If the ECSs at the two sides of the VPN run the Windows OSs, use iPerf3 and
FileZilla (a free FTP application for file uploading and downloading) to test
the network speed.
NOTE

The test shows that the average VPN network speed is 180 Mbit/s, and there is about
10% network speed deviation. The TCP and FTP protocols have the congestion control
mechanism, and the IPsec protocol adds a new IP header. Therefore, about 10%
network speed deviation is normal for the VPN network.
Figure 1-6 shows the displayed result for the test performed using the iPerf3
client.

Figure 1-6 Test result for 200 Mbit/s bandwidth (iPerf3 client)

Figure 1-7 shows the displayed result for the test performed using the iPerf3
server.


Figure 1-7 Test result for 200 Mbit/s bandwidth (iPerf3 server)

2. If the ECSs at the two sides of the VPN run the CentOS 7 OSs, use iPerf3 to
test the network speed. The network speed can reach 180 Mbit/s.
3. If the ECS functioning as the server runs the CentOS 7 OS, and the ECS
functioning as the client runs the Windows OS, use iPerf3 and FileZilla to test
the network speed.
The network speed is about 20 Mbit/s. The reason is that TCP
implementations on the Windows OS and that on the Linux OS are different,
which causes the slow network speed. Therefore, if the ECSs at the two sides
of the VPN use different OSs, the VPN network speed does not meet the
bandwidth requirements.
Figure 1-8 shows the displayed result of the test performed using iPerf3.

Figure 1-8 Test result when ECSs at the two sides run different OSs (iPerf3)

Perform the following steps to test the VPN gateway network speed if the
bandwidth of your VPN gateway is 1,000 Mbit/s:

The VPN gateway is shared by all created VPN connections, and the VPN gateway
bandwidth size is the total bandwidth sizes of all VPN connections. When the
bandwidth size is large, multiple ECSs are required to test the VPN gateway
bandwidth because the forwarding performance of each ECS is limited. In addition,
this scenario has high requirements on ECS specifications. The ECSs used for
testing must have NICs that support 2 Gbit/s or higher bandwidth.


The tests show that the actual VPN connection network speed on HUAWEI
CLOUD is within the normal range. However, the servers used at both sides of
the VPN connection must run the same type of OS, and the server NICs
must meet the configuration requirements.

1.16 Can a VPN Billed by Traffic Use a Shared Data Package?
No.
The VPN service is charged independently and cannot use the shared data
package.

1.17 What Are the Relationships Between a VPC, a VPN Gateway, and a VPN Connection?
● A VPC is a private network on the cloud. Multiple VPCs can be created in the
same region but are isolated from each other. A VPC can be divided into
multiple subnets.
● A VPN gateway is created based on a VPC and is the access point of a VPN
connection. Only one VPN gateway can be purchased for a VPC, but multiple
VPN connections can be created for each gateway.
● A VPN connection is created based on a VPN gateway and is used to connect
a VPC subnet to the subnet of a customer data center (or a VPC in another
region). That is, each VPN connection connects to a gateway of a customer
data center.
NOTE

The number of VPN connections is irrelevant to the number of local subnets and
remote subnets. It is only related to the number of data centers (or VPCs in other
regions) to be connected to a VPC. The created VPN connections are displayed in the
VPN connection list. You can also view the number of created VPN connections on the
VPN gateway.

1.18 What Is a Remote Gateway and Remote Subnet in a VPN Connection?
When creating a VPN connection, a subnet in HUAWEI CLOUD VPC is the local
subnet and the created VPN gateway is the local gateway. The connected subnet
in the on-premises data center is the remote subnet and the gateway in the on-
premises data center is the remote gateway.
A remote gateway IP address is a public network IP address. A remote subnet is a
subnet of the on-premises data center that needs to connect to a HUAWEI CLOUD
VPC through a VPN.


1.19 How Many VPN Connections Do I Need to Connect to Multiple Servers in a Data Center?
HUAWEI CLOUD IPsec VPN connects a VPC on the cloud and a subnet in your
local data center. Therefore, the number of VPN connections is irrelevant to the
number of servers, but is related to the number of data centers where the servers
are located.

In most cases, a data center has a public network egress gateway. All servers
connect to the Internet through this gateway. Therefore, you only need to
configure one VPN connection to allow communications between HUAWEI CLOUD
VPC and your network.

1.20 Does a VPN Allow for Communication Between Two VPCs?
● If the two VPCs are in the same region, you can use a VPC peering connection
to enable communication between them.
● If the two VPCs are in different regions:
a. Create VPN gateways for the two VPCs and create VPN connections for
the two VPN gateways.
b. Set the remote gateway address of each VPN connection to the gateway
IP address of the peer side.
c. Set the remote subnet of each VPN connection to the CIDR block of the
peer VPC.
d. The pre-shared keys and algorithm parameters of the two VPN
connections must be the same.

1.21 What Are the Impacts of a VPN on a Local Network? What Are the Changes to the Route for Accessing an ECS?
When configuring a VPN, you need to configure the following on the gateway of
the customer data center.

1. Configure IKE/IPsec policies.
2. Specify interesting traffic (ACL rules).
3. Check the route of the gateway in the customer data center to ensure that
traffic destined for the HUAWEI CLOUD VPC is routed to the correct egress
interface (the interface with IPsec policy bound).

After the VPN configuration is complete, only the traffic matching the ACL rules
enters the VPN tunnel.


For example, before a VPN is created, local users access the ECS through the EIP
bound to the ECS. After the VPN is created, data flows matching the ACL rules
access the private IP address of the ECS through the VPN tunnel.

1.22 Can I Use a Gateway with Two Egresses to Establish Two VPN Connections with the Same VPC?
No.
When creating a VPN, a local subnet is a VPC subnet, and a remote subnet is the
subnet of a customer data center. If the two connections use the same local
subnet and remote subnet, the VPN cannot be created.

1.23 How Can I Prevent VPN Connection Interruption?


VPN connections may be renegotiated when the IPsec SA lifecycle is about to
expire or the data transferred through the VPN connection exceeds 20 GB. Usually,
renegotiation does not interrupt VPN connections.
Most disconnections are caused by incorrect configurations on both ends of the
VPN connection or renegotiation failures due to Internet exceptions.
The common causes of connection interruptions are as follows:
● ACLs of the devices at the two ends of the tunnel do not match.
● SA lifecycles at the two ends do not match.
● DPD is not configured in the customer data center.
● Configuration is modified when the VPN is used.
● Packets are fragmented because the data size exceeds the MTU.
● Jitter occurs on the carrier's network.
Therefore, ensure that the following configurations are performed to keep the
VPN connection alive:
● The local subnet of one side is the same as the remote subnet of the other
side and the remote subnet of one side is the same as the local subnet of the
other side.
● SA lifecycles at the two ends are consistent.
● DPD is enabled on the gateway device of the customer data center, and the
number of detection times is greater than or equal to 5.
● If parameters must be modified while the VPN connection is in use, they are
modified consistently at both ends.
● Set TCP MAX-MSS to 1300 for the gateway device in the customer data
center.
● The bandwidth of the egress gateway in the customer data center is large
enough to be used by VPN.
● VPN connection negotiation can be triggered by the two ends and the active
negotiation configuration of the gateway device in the customer data center
has been enabled.
● Run a long ping on the subnets at both ends. The script content is as follows:


#!/bin/sh
host=$1
if [ -z "$host" ]; then
    echo "Usage: $(basename "$0") [HOST]"
    exit 1
fi
log_name="$host.log"

while :; do
    # One probe with a 1-second timeout; keep only the reply line (empty if no reply)
    result=$(ping -W 1 -c 1 "$host" | grep 'bytes from ')
    if [ $? -gt 0 ]; then
        echo "$(date +'%Y/%m/%d %H:%M:%S') - host $host is down" | tee -a "$log_name"
    else
        echo "$(date +'%Y/%m/%d %H:%M:%S') - host $host is ok -$(echo "$result" | cut -d ':' -f 2)" | tee -a "$log_name"
    fi
    sleep 5 # avoid ping rain
done
# Usage: ./ping.sh x.x.x.x >>/dev/null &

NOTE

1. Use the vi editor to copy the preceding script to the ping.sh file.
2. Run the chmod 777 ping.sh command to grant permissions to the file.
3. Run the ping command:
./ping.sh x.x.x.x >>/dev/null &
x.x.x.x indicates the IP address to be pinged.
4. After the ping command is executed, the x.x.x.x.log file is generated. Run the
following command:
tail -f x.x.x.x.log
You can view the long ping result in real time.

1.24 Why Is Not Connected Displayed as the Status for a Successfully Created VPN?
After a VPN is created, its status changes to Normal only after the VMs or
physical servers on the two sides of the VPN communicate with each other.
● IKE v1:
If no traffic goes through the VPN for a period of time, the VPN needs to be
renegotiated. The negotiation time depends on the value of Lifecycle (s) in
the IPsec policy. Generally, the value of Lifecycle (s) is 3600 (1 hour),
indicating that the negotiation will be initiated in the fifty-fourth minute. If
the negotiation succeeds, the connection remains up until the next round of
negotiation. If the negotiation fails, the status is set to Not Connected within
one hour. The connection can be restored after the two sides of the VPN
communicate with each other. The disconnection can be avoided by using a
network monitoring tool, such as IP SLA, to generate packets.
● IKE v2: If no traffic goes through the VPN for a period of time, the VPN
remains in the connected status.


1.25 What Do I Do If VPN Connection Setup Fails?


1. Check the IKE and IPsec policies to see whether the negotiation modes and
encryption algorithms between the local and remote sides of the VPN are the
same.
a. If the IKE policy has been set up during phase one and the IPsec policy
has not been enabled in phase two, the IPsec policies between the local
and remote sides of the VPN may be inconsistent.
b. If a Cisco physical device is used at the customer side, it is recommended
that you use MD5. Then, you need to set Authentication Mode to MD5
in the IPsec policy for the VPN created on the cloud.
2. Check whether the ACL configurations are correct.
If the subnets of your data center are 192.168.3.0/24 and 192.168.4.0/24, and
the VPC subnets are 192.168.1.0/24 and 192.168.2.0/24, configure the ACL
rules for each data center subnet to allow the communication with the VPC
subnets. The following provides an example of ACL configurations:
rule 1 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 2 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 3 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 4 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.2.0 0.0.0.255

3. After the configuration is complete, ping the local and the remote side from
each other to check whether the VPN connection is normal.

1.26 Can an EIP Be Used as a VPN Gateway IP Address?


No.
The IP address of a VPN gateway is assigned when the VPN gateway is created
and must be used together with the related configurations. An EIP does not
support VPN interconnection.

1.27 Why Is the VPN Connection Always in the Not Connected State Even After Its Configuration Is Complete?
Ensure that the pre-shared keys and negotiation information at both ends are
consistent: the local subnet and gateway of one side are the same as the remote
subnet and gateway of the other side, respectively, and the remote subnet and
gateway of one side are the same as the local subnet and gateway of the other
side, respectively.
Ensure that the routing, NAT, and security rules are correctly configured on the
gateway device of the customer data center. Then, ping the servers in subnets at
both ends.


NOTE

1. VPN is triggered based on data flows. After the configuration is complete, you need to
ping the servers in the peer subnet. Before running the ping command, the server
firewall should be disabled and the security group on the cloud should allow inbound
ICMP requests.
2. Pinging the IP address of the gateway cannot trigger VPN negotiation. You need to ping
the server in the subnet protected by the gateway.

1.28 Do I Need to Configure ACL Rules on the HUAWEI CLOUD Management Console After I Have Configured ACL Rules on the Gateway Device of the On-premises Data Center?
You need to create ACL rules dedicated to the gateway device of the on-premises
data center, and these ACL rules are referenced by IPsec policies.
When you configure the VPN on the cloud, the ACL rules are automatically
generated based on the local and remote subnets entered on the management
console and then delivered to the VPN gateway. The number of ACL rules is the
product of the number of local subnets and the number of remote subnets.
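As an added example that is not Huawei's code, the following shell functions generate the data-center-side ACL rules from a list of data center subnets and a list of VPC subnets, one rule per pair, which is the same product rule the console applies for the cloud side; the rule syntax and the sample subnets are those of the 1.25 example, and the function names and the wildcard-mask derivation are this example's own.

```shell
#!/bin/bash
# Added example (not Huawei's code): emit the on-premises gateway ACL rules
# that define interesting traffic for the IPsec policy. One rule is produced
# for every (data center subnet, VPC subnet) pair, so the rule count is
# |data center subnets| x |VPC subnets|, as section 1.28 states for the console.

# Convert a prefix length (0-32) to a dotted wildcard mask, e.g. 24 -> 0.0.0.255
wildcard_mask() {
    local bits=$1 mask
    mask=$(( (1 << (32 - bits)) - 1 ))   # host bits set to 1, network bits to 0
    printf '%d.%d.%d.%d' $(( (mask >> 24) & 255 )) $(( (mask >> 16) & 255 )) \
                         $(( (mask >> 8) & 255 )) $(( mask & 255 ))
}

# $1: space-separated data center (remote) subnets in CIDR form, the sources
# $2: space-separated VPC (local) subnets in CIDR form, the destinations
gen_acl_rules() {
    local n=1 src dst
    for src in $1; do
        for dst in $2; do
            printf 'rule %d permit ip source %s %s destination %s %s\n' \
                "$n" "${src%/*}" "$(wildcard_mask "${src#*/}")" \
                "${dst%/*}" "$(wildcard_mask "${dst#*/}")"
            n=$((n + 1))
        done
    done
}

# Expected number of rules for the same two lists (product of the list sizes)
acl_rule_count() {
    local a=0 b=0 s
    for s in $1; do a=$((a + 1)); done
    for s in $2; do b=$((b + 1)); done
    echo $((a * b))
}

# Usage with the subnets from section 1.25 (constructed sample values):
#   gen_acl_rules "192.168.3.0/24 192.168.4.0/24" "192.168.1.0/24 192.168.2.0/24"
```

Any subnet entered on the console but missing from this list produces traffic that never matches the on-premises ACL and therefore never enters the tunnel, which is the mismatch listed first among the interruption causes in 1.23.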


2 Product Consultation

2.1 What Are the Applicable Scenarios of IPsec VPN?


A VPN is a point-to-point network that implements private network access
between two points.
● Applicable scenarios:
– Create a VPN between different regions of HUAWEI CLOUD to implement
communications between VPCs across regions.
– Create a VPN between HUAWEI CLOUD and a third-party cloud, for
example, Alibaba Cloud.
– Create a VPN between HUAWEI CLOUD and the equipment room of your
data center to implement mutual access between a HUAWEI CLOUD VPC
and an on-premises data center network.
– The VPN HUB function works together with VPC peering connections and
Cloud Connect connections to implement mutual access between an on-
premises data center and multiple VPCs on the cloud.
– VPN works with SNAT to access specific IP addresses across clouds.
● Not applicable scenarios:
– Two VPCs in the same region of HUAWEI CLOUD cannot use VPNs. It is
recommended that you use a VPC peering connection to enable
communications between the two VPCs in the same region.
– HUAWEI CLOUD cannot establish VPN connections with your home
network using PPPoE dial-up.
– HUAWEI CLOUD cannot establish VPN connections with routers (4G or
5G).
– HUAWEI CLOUD cannot establish VPN connections with personal
terminals.


2.2 What Is a VPC, VPN Gateway, and a VPN Connection?
VPC enables you to create private, isolated virtual networks. You can use VPN to
securely access ECSs in VPCs.
A VPN gateway is an egress gateway of a VPC. With a VPN gateway, you can
create a secure, reliable, and encrypted connection between a VPC and a
corporate data center or between two VPCs in different regions.
A VPN connection uses the Internet-based IPsec encryption technology to establish
a secure and reliable communications tunnel between a VPN gateway and the
remote gateway in a local data center.
To establish a VPN on the cloud, perform the following steps:
1. Create a VPN gateway. The gateway specifies the VPC to be connected through the VPN; the bandwidth and the gateway IP address are assigned together with the gateway.
2. Create a VPN connection. The VPN connection specifies the gateway IP
address, subnet, and negotiation policies for interconnecting with the
customer side.

2.3 What Are the Relationships Between a VPC, a VPN Gateway, and a VPN Connection?
● A VPC is a private network on the cloud. Multiple VPCs can be created in the
same region but are isolated from each other. A VPC can be divided into
multiple subnets.
● A VPN gateway is created based on a VPC and is the access point of a VPN
connection. Only one VPN gateway can be purchased for a VPC, but multiple
VPN connections can be created for each gateway.
● A VPN connection is created based on a VPN gateway and is used to connect
a VPC subnet to the subnet of a customer data center (or a VPC in another
region). That is, each VPN connection connects to a gateway of a customer
data center.
NOTE

The number of VPN connections is irrelevant to the number of local subnets and
remote subnets. It is only related to the number of data centers (or VPCs in other
regions) to be connected to a VPC. The created VPN connections are displayed in the
VPN connection list. You can also view the number of created VPN connections on the
VPN gateway.


2.4 What Is a VPN Connection? How Do I Set the Number of VPN Connections When Buying a VPN Gateway?
A HUAWEI CLOUD VPN connection is an IPsec connection established between a
VPN gateway on the cloud side and an independent public IP address on the
customer side. You can configure multiple local subnets (subnets in the VPC) and
remote subnets (subnets on the customer side) for one connection.
The number of VPN connections to be created is determined by the number of
local data centers. Each VPN connection can connect a VPC to one data center.

NOTE

For example, if CIDR blocks a1 and a2 on the HUAWEI CLOUD side need to communicate
with CIDR blocks b1 and b2 on the customer side, one VPN connection is enough. You only
need to enter the CIDR blocks both on the HUAWEI CLOUD side and the customer side
when creating a VPN connection. The following figure shows an example.


2.5 What Is a Remote Gateway and Remote Subnet in a VPN Connection?
When creating a VPN connection, a subnet in HUAWEI CLOUD VPC is the local
subnet and the created VPN gateway is the local gateway. The connected subnet
in the on-premises data center is the remote subnet and the gateway in the on-
premises data center is the remote gateway.

A remote gateway IP address is a public network IP address. A remote subnet is a subnet of the on-premises data center that needs to connect to a HUAWEI CLOUD VPC through a VPN.

2.6 Will an IPsec VPN Connect Automatically?


After IPsec VPN is configured on both ends, a connection will not be automatically
established. Data flows between the two ends are required to trigger the
establishment of a tunnel. If no data flow is exchanged between the cloud and the
customer data center, the VPN connection will always be in the down state. The
data flow can be real service access data or ping data between servers.

Tunnel establishment can be triggered in two modes. One is the negotiation automatically triggered through the gateway devices of the connection, and the other is triggered by the traffic between servers on the cloud and in the local data center.

HUAWEI CLOUD does not support automatic negotiation triggered by a VPN gateway on the cloud. It is recommended that you verify that the connection can be triggered by the data flows exchanged between the two ends when you set up the connection for the first time. That is, use a server in the customer data center to ping a server on the cloud to establish a connection, then disconnect the connection and check that the connection can also be established after using a server on the cloud to ping a server in the customer data center.

NOTE

The source and destination addresses of the ping packets must be protected by the VPN.
Before the connection is set up, the gateway IP addresses of both ends can be pinged.
However, pinging the gateway IP address does not trigger the setup of the VPN connection.

2.7 What Devices Can Be Connected to HUAWEI CLOUD Through a VPN?
HUAWEI CLOUD VPN supports the standard IPsec protocol. If devices in your data
center meet the following requirements, they can interconnect with HUAWEI
CLOUD.

1. Devices support IPsec VPN.
2. Your data center has a fixed public IP address or an IP address obtained after performing NAT mapping on a fixed public IP address.


These devices are usually routers and firewalls. For details, see the Administrator Guide.

NOTE

● Common home broadband routers, personal mobile terminals, and VPN services (such
as L2TP) provided by Windows hosts cannot interconnect with HUAWEI CLOUD VPN.
● Vendors that have performed the interconnection test with the HUAWEI CLOUD VPN
service include but are not limited to Huawei (routers and firewalls), H3C (routers and
firewalls), Cisco (routers and firewalls), Ruijie (routers and firewalls), ZTE, Sangfor,
Fortinet, 360, Topsec, Hillstone, NetentSec, NSFOCUS, DELL, ZyXEL, and Juniper.
● Cloud service providers include but are not limited to Alibaba Cloud, Tencent Cloud, and
Amazon.
● Software vendors include but are not limited to openSwan, Strongswan, and GreenBow.
● The IPsec protocol is a standard IETF protocol. Any vendor device that supports IPsec can interconnect with HUAWEI CLOUD, so the device model does not matter.
Currently, most enterprise-level routers and firewalls support the IPsec protocol.
● The feature specifications of some hardware vendors state that their products support IPsec VPN, but in fact a software license must be purchased to activate the related functions; Cisco ISR series routers are one example.
Contact the data center administrator to confirm the device model with the vendor.

2.8 What Are VPN Negotiation Parameters? What Are Their Default Values?
Table 2-1 VPN negotiation parameters

Protocol   Parameter                  Value
IKE        Authentication Algorithm   SHA2-256
           Encryption Algorithm       AES-128
           DH Algorithm               Group 14
           Version                    v2
           Lifecycle (s)              86400
IPsec      Authentication Algorithm   SHA2-256
           Encryption Algorithm       AES-128
           PFS                        DH Group 14
           Transfer Protocol          ESP
           Transfer Mode              Only the tunnel mode is supported; the transport mode is not supported.
           Lifecycle (s)              3600


NOTE

● Perfect Forward Secrecy (PFS) is a security feature.
IKE negotiation has two phases, phase one and phase two. The key of phase two (the IPsec SA) is derived from the key generated in phase one. If the phase-one key is disclosed, the security of the IPsec VPN may be adversely affected. To improve key security, IKE provides the PFS function. When PFS is enabled, an additional DH exchange is performed during IPsec SA negotiation and a new, independent set of IPsec SA keys is generated, improving IPsec SA security.
● To add an extra layer of protection, PFS is enabled on HUAWEI CLOUD by default. Ensure that this function is also enabled when you configure the gateway in your data center. Otherwise, the negotiation fails.
● To enable PFS, ensure that the configurations on both ends are the same.
● The traffic-based lifetime of an IPsec SA is not configurable for the HUAWEI CLOUD VPN service. The default value is 1843200 KB. This parameter is not a negotiation parameter and does not affect the establishment of an IPsec SA.
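As an added example (not Huawei's code), the following Python models the Table 2-1 defaults, reports the settings a customer gateway must match, and renders the equivalent strongSwan ipsec.conf proposal lines, strongSwan being one of the software peers this FAQ lists. The algorithm-name mapping uses strongSwan's standard tokens; the mismatching peer settings in the usage block are constructed.

```python
"""Added example (not Huawei's code): model the HUAWEI CLOUD default negotiation
parameters from Table 2-1, list the settings a customer gateway must match, and
render the matching strongSwan ipsec.conf proposal lines."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Proposal:
    auth: str            # integrity algorithm, e.g. "SHA2-256"
    enc: str             # encryption algorithm, e.g. "AES-128"
    dh: Optional[str]    # DH group; for IPsec this is the PFS group (None = PFS off)
    lifetime_s: int      # SA lifetime in seconds


# Table 2-1 defaults: IKEv2 phase one and ESP/tunnel-mode phase two, PFS on.
CLOUD_IKE = Proposal("SHA2-256", "AES-128", "Group 14", 86400)
CLOUD_IPSEC = Proposal("SHA2-256", "AES-128", "Group 14", 3600)
CLOUD_IKE_VERSION = "v2"
CLOUD_MODE = "tunnel"

# Console name -> strongSwan algorithm token (standard strongSwan names).
_SWAN = {"SHA2-256": "sha256", "AES-128": "aes128", "Group 14": "modp2048"}


def swan_proposal(p: Proposal) -> str:
    """Build a strongSwan proposal string; appending the DH group to the ESP
    proposal is how strongSwan expresses PFS for the IPsec SA."""
    parts = [_SWAN[p.enc], _SWAN[p.auth]]
    if p.dh is not None:
        parts.append(_SWAN[p.dh])
    return "-".join(parts)


def render_ipsec_conf() -> str:
    """Render the conn settings a strongSwan peer needs to match the cloud
    defaults. The trailing '!' makes strongSwan offer only this proposal."""
    return "\n".join([
        f"keyexchange=ike{CLOUD_IKE_VERSION}",
        f"type={CLOUD_MODE}",
        f"ike={swan_proposal(CLOUD_IKE)}!",
        f"esp={swan_proposal(CLOUD_IPSEC)}!",
        f"ikelifetime={CLOUD_IKE.lifetime_s}s",
        f"lifetime={CLOUD_IPSEC.lifetime_s}s",
    ])


def check_peer(peer_ike: Proposal, peer_ipsec: Proposal,
               peer_version: str, peer_mode: str) -> List[str]:
    """Return every mismatch between a peer's settings and the cloud defaults.
    The FAQ requires identical settings at both ends; PFS off and transport
    mode are called out by name because the FAQ states those cases explicitly."""
    problems = []
    if peer_mode != CLOUD_MODE:
        problems.append("transport mode is not supported; configure tunnel mode")
    if peer_ipsec.dh is None:
        problems.append("PFS is disabled on the peer but enabled on the cloud; "
                        "negotiation fails")
    if peer_version != CLOUD_IKE_VERSION:
        problems.append(f"IKE version {peer_version} != cloud {CLOUD_IKE_VERSION}")
    for phase, ours, theirs in (("IKE", CLOUD_IKE, peer_ike),
                                ("IPsec", CLOUD_IPSEC, peer_ipsec)):
        for fld in ("auth", "enc", "dh", "lifetime_s"):
            a, b = getattr(ours, fld), getattr(theirs, fld)
            if a != b and not (fld == "dh" and b is None):  # PFS-off reported above
                problems.append(f"{phase} {fld}: peer {b} != cloud {a}")
    return problems


if __name__ == "__main__":
    print(render_ipsec_conf())
    # Constructed peer: PFS off, IKEv1, transport mode -> three findings.
    bad_ipsec = Proposal("SHA2-256", "AES-128", None, 3600)
    for line in check_peer(CLOUD_IKE, bad_ipsec, "v1", "transport"):
        print("mismatch:", line)
```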

2.9 What Are the Categories of VPN Service Tickets? How Do I Create a VPN Service Ticket?
1. Log in to the management console.
2. In the upper right corner of the management console, choose Service Tickets
> Create Service Ticket.

Figure 2-1 Creating a service ticket

3. Click More Products and then Virtual Private Network under Network.

Figure 2-2 Selecting Virtual Private Network

4. Select the service ticket type.


Figure 2-3 Selecting the service ticket type

NOTE

When submitting a service ticket, select a ticket type to facilitate problem handling.

Figure 2-4 Ticket category and classification basis

2.10 Are a Username and Password Required for Creating an IPsec VPN Connection?
HUAWEI CLOUD IPsec VPN uses a pre-shared key (PSK) for authentication. The
key is configured on a VPN gateway. A tunnel will be established after VPN
negotiation is complete. Therefore, usernames and passwords are not required.
Generally, SSL, PPTP, and L2TP VPNs use usernames and passwords for
authentication.

NOTE

IPsec XAUTH is an extension of IPsec VPN that prompts users to enter a username and password during VPN negotiation.
Currently, HUAWEI CLOUD VPN does not support IPsec XAUTH.


2.11 How Do I Allow Specific Servers to Access a Subnet on the Cloud Through a Created VPN Connection?
Configurations off the cloud
● Configure deny rules on VPN devices.
● Configure ACLs on routers or switches.
Configurations on the cloud
● Configure security group rules to deny access from specific IP addresses.
● Configure network ACL rules.
NOTE

All rules must be added to the device before the VPN tunnel is established. Do not change
the local subnet and the remote subnet to restrict the access.

2.12 Which of the Following Resources of a VPN Can Be Monitored?
VPN Gateway
Bandwidth information that can be monitored includes bandwidth usage, inbound
traffic, inbound bandwidth, outbound traffic, outbound bandwidth, and outbound
bandwidth usage. To query the VPN gateway monitoring status, locate the target
VPN gateway and click View Metric in the Operation column.
VPN Connection
The VPN connection status can be monitored. The value 1 indicates that the connection is normal, and the value 0 indicates that the connection is down. To query VPN connection monitoring information, locate the target VPN connection and click View Metric in the Operation column.

2.13 Can an EIP Be Used as a VPN Gateway IP Address?


No.
The IP address of a VPN gateway is assigned when the VPN gateway is created
and must be used together with the related configurations. An EIP does not
support VPN interconnection.

2.14 Do I Need to Purchase an EIP for Servers That Communicate with Each Other Through a VPN?
If a server in your data center needs to access an ECS on the cloud through a VPN,
you do not need to purchase an EIP.


If the ECS needs to provide services accessible from the Internet, an EIP is required.

2.15 Are SSL VPNs Supported?


Currently, the VPN service does not support SSL VPNs.

2.16 How Long Does It Take for Delivered VPN Configurations to Take Effect?
After VPN resources are created on the console, the VPN configurations will take
effect within 1 to 5 minutes.

NOTE

After the VPN configurations take effect, you need to configure the gateway on your side to
complete tunnel negotiation with the VPN gateway on HUAWEI CLOUD. Then, the VPN
connection is successfully established.

2.17 What Should I Do If I Cannot Create Connections for a VPN Gateway That Has No Bandwidth Information?
If a VPN gateway has no bandwidth information, the VPN is of the old edition and
this type of VPN cannot be created on HUAWEI CLOUD anymore.
● Only one VPN connection can be created for each VPN gateway of the old
edition and its bandwidth is not guaranteed. You can delete the gateway and
create one of the new edition (service running will be affected).
● You can also submit a service ticket to change the gateway to one of the
new edition (service running will not be affected).
By default, the bandwidth of a VPN gateway changed to the new edition is 10
Mbit/s. You can adjust the bandwidth as required. The bandwidth of a VPN
gateway that is billed on a yearly/monthly basis cannot be decreased.

2.18 Does HUAWEI CLOUD VPN Support IPv6 Addresses?
No.
HUAWEI CLOUD VPN only supports IPv4 addresses.

2.19 How Do I Determine My VPN Bandwidth Size?


Consider the following when you determine the bandwidth:
● Amount of data transmitted over a VPN tunnel in a period of time (Reserve
enough bandwidth to prevent link congestion.)


● The egress bandwidth at the end of the VPN connection on the cloud must be
less than that at the end of the VPN connection off the cloud.

2.20 Does a VPN Connection Support Chinese Encryption Algorithms?
No.
Use the algorithm provided on the HUAWEI CLOUD management console for
negotiation. Ensure that the algorithms used at both ends are the same.

2.21 Can I Visit Websites Across International Borders Using a VPN?
No.
VPN connects a VPC subnet and the network in a customer data center, that is,
site-to-site connection.

2.22 Can I Deploy Applications on the Cloud, Databases in a Local IDC, and Then Connect Them Through a VPN?
VPN connects to two subnets, that is, a VPC and a customer data center network.
After the VPN is set up successfully, the two subnets can communicate with each
other. In this case, the application server accessing the database is logically the
same as accessing other servers in the same LAN.
This is a typical IPsec VPN scenario.
In addition, after the VPN is set up, services on the cloud and in the customer data
center can access each other.

NOTICE

● After a VPN is set up, pay attention to the network latency and packet loss to
ensure normal service running.
● It is recommended to run the ping command to check the packet loss and
network latency details.


2.23 What Are the Differences Between the Application Scenarios and Connection Modes of IPsec and SSL VPNs?
Application Scenarios
IPsec VPN connects two LANs, such as a branch and its headquarters, or a local IDC and a VPC.
SSL VPN connects a client to a LAN. For example, the portable computer of an
employee on a business trip accesses the internal network of the company.

Connection Modes
IPsec VPN requires fixed gateways, such as firewalls or routers, at both ends. The
administrator needs to configure gateways at both ends to complete IPsec VPN
negotiation.
SSL VPN requires specified client software to be installed on the connecting host, which then connects to the SSL device using a username and password.

NOTE

Currently, HUAWEI CLOUD only supports IPsec VPN.

2.24 What Fees Will Be Incurred for Creating a VPN? Will I Be Billed for VPN Gateway IP Addresses?
The VPN billing modes include yearly/monthly and pay-per-use. Both the VPN
gateway bandwidth fee and VPN connection fee will be billed.
The gateway bandwidth can be billed by traffic or bandwidth.
1. If the billing mode of a VPN gateway is yearly/monthly, its bandwidth can
only be billed by bandwidth. If you create a yearly/monthly VPN gateway, the
price of the VPN gateway includes the price of the VPN connections created
for the gateway and the price of the bandwidth.
2. Pay-per-use is a postpaid billing mode, and the billing cycle is one hour. If you create a pay-per-use VPN gateway, a VPN connection must be purchased together with the VPN gateway. The total price includes the gateway bandwidth price and the price of the VPN connection created with the VPN gateway. When you create another connection for the gateway, only the price of this created connection will be billed.
NOTE

● The IP address of the VPN gateway will not be billed. Only the bandwidth of the
VPN gateway will be billed.
● A VPN gateway cannot share a bandwidth with an EIP bound to an ECS.

2.25 What Is the Difference Between Billing a VPN Gateway by Bandwidth or by Traffic?
The details are as follows:

If you select the pay-per-use billing mode, both billing by bandwidth and by traffic
are supported.
● If billing by bandwidth is selected and the billing cycle is one hour, the
generated fee varies according to the bandwidth size.
● If billing by traffic is selected, the traffic fees generated each hour will be
collected. The bandwidth size does not affect the public traffic price per GB.
The billing is based on the generated traffic going out of a VPC.

2.26 Can a VPN Billed by Traffic Use a Shared Data Package?
No.

The VPN service is charged independently and cannot use the shared data
package.

2.27 Can a VPN Gateway IP Address Be Retained After the VPN Gateway Is Deleted?
After a VPN gateway is deleted, its IP address will not be retained.

After a VPN gateway is deleted on the management console, the resources associated with the VPN gateway, such as its IP address, will be released.

NOTICE

In the pay-per-use billing mode, deleting the last connection of a VPN gateway
will also delete the gateway. If you want to retain the IP address, do not delete the
last VPN connection.


2.28 Do I Need to Purchase an EIP for Servers That Communicate with Each Other Through a VPN?
If a server in your data center needs to access an ECS on the cloud through a VPN,
you do not need to purchase an EIP.
If the ECS needs to provide services accessible from the Internet, an EIP is required.

2.29 Where Can I Add a Route to Reach the Remote Subnet on the VPN Console?
When a VPN connection is created, a route is automatically delivered to reach the
remote subnet.

2.30 Will I Be Notified If a VPN Connection Is Interrupted?
Monitoring of VPN connection status is supported in regions such as CN North-Beijing1, CN East-Shanghai2, and CN South-Guangzhou. All regions will support the monitoring function in the future. After logging in to the management console, select a region where the monitoring function is supported, and then, under Management & Deployment, click Cloud Eye to set alarm rules.
After a VPN connection is created, the VPN connection status will be reported to
Cloud Eye, but alarm notifications will not be automatically sent to you. You need
to set alarm rules on Cloud Eye to receive notifications.
After a VPN connection is created, locate the row that contains the target VPN
connection and choose Operation > View Metric to switch to the monitoring
page.

Figure 2-5 Viewing metrics about VPN connections


2.31 What Do I Do If VPN Connection Setup Fails?


1. Check the IKE and IPsec policies to see whether the negotiation modes and
encryption algorithms between the local and remote sides of the VPN are the
same.
a. If the IKE SA has been established in phase one but the IPsec SA has not been established in phase two, the IPsec policies on the local and remote sides of the VPN may be inconsistent.
b. If a Cisco physical device is used at the customer side, it is recommended
that you use MD5. Then, you need to set Authentication Mode to MD5
in the IPsec policy for the VPN created on the cloud.
2. Check whether the ACL configurations are correct.
If the subnets of your data center are 192.168.3.0/24 and 192.168.4.0/24, and
the VPC subnets are 192.168.1.0/24 and 192.168.2.0/24, configure the ACL
rules for each data center subnet to allow the communication with the VPC
subnets. The following provides an example of ACL configurations:
rule 1 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 2 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 3 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 4 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.2.0 0.0.0.255

3. After the configuration is complete, ping the local and the remote side from
each other to check whether the VPN connection is normal.
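As an added example (not Huawei's code), the following Python generates the interesting-traffic rules above from the two subnet lists (one rule per local/remote pair, which is the multiplication rule from section 1.28) and checks whether a given ping would trigger negotiation, since a ping to a gateway IP address outside the protected subnets is answered but never brings the tunnel up. The gateway address 203.0.113.5 is a constructed placeholder.

```python
"""Added example (not Huawei's code): derive the interesting-traffic (ACL) rules a
customer gateway needs from the local/remote subnet lists entered on the console,
and test whether a probe would trigger VPN negotiation.

The rule syntax follows the 'rule N permit ip source A wildcard destination B
wildcard' form quoted in the FAQ; the subnets are the FAQ's example CIDR blocks."""
from ipaddress import IPv4Address, IPv4Network
from itertools import product

# FAQ example: VPC (local) subnets and data center (remote) subnets.
VPC_SUBNETS = ["192.168.1.0/24", "192.168.2.0/24"]
IDC_SUBNETS = ["192.168.3.0/24", "192.168.4.0/24"]


def wildcard(net: IPv4Network) -> str:
    """Convert a prefix to the inverse (wildcard) mask used by ACL syntax."""
    return str(net.hostmask)


def build_acl(src_subnets, dst_subnets):
    """Return one permit rule per (source, destination) pair.

    The count is len(src_subnets) * len(dst_subnets), the same local x remote
    multiplication the console applies for the cloud-side rules."""
    rules = []
    for n, (src, dst) in enumerate(product(src_subnets, dst_subnets), start=1):
        s, d = IPv4Network(src), IPv4Network(dst)
        rules.append(f"rule {n} permit ip source {s.network_address} {wildcard(s)} "
                     f"destination {d.network_address} {wildcard(d)}")
    return rules


def is_interesting(src_ip, dst_ip, src_subnets, dst_subnets) -> bool:
    """True if the flow matches a protected (source, destination) pair.

    Only such a flow can bring the tunnel up; a gateway's public IP address
    lies outside every protected subnet, so pinging it never triggers negotiation."""
    s, d = IPv4Address(src_ip), IPv4Address(dst_ip)
    return any(s in IPv4Network(a) and d in IPv4Network(b)
               for a, b in product(src_subnets, dst_subnets))


def ping_would_trigger(src_ip, dst_ip) -> bool:
    """Check a probe in either direction (IDC -> VPC or VPC -> IDC)."""
    return (is_interesting(src_ip, dst_ip, IDC_SUBNETS, VPC_SUBNETS)
            or is_interesting(src_ip, dst_ip, VPC_SUBNETS, IDC_SUBNETS))


if __name__ == "__main__":
    # Rules the IDC gateway needs (IDC -> VPC direction): 2 x 2 = 4 rules.
    for rule in build_acl(IDC_SUBNETS, VPC_SUBNETS):
        print(rule)
    # Constructed probes: server-to-server ping triggers, gateway ping does not.
    print(ping_would_trigger("192.168.3.10", "192.168.1.20"))   # True
    print(ping_would_trigger("192.168.3.10", "203.0.113.5"))    # False
```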

2.32 Which Is the Direction of the Bandwidth to Be Limited and What Is the Unit of the Bandwidth?
Your purchased VPN gateway bandwidth is in the outbound direction. To balance
the traffic in the inbound and outbound directions, the bandwidth in the inbound
direction is limited.
● If the purchased bandwidth is less than or equal to 10 Mbit/s, the bandwidth
in the inbound direction is limited to 10 Mbit/s.
● If the purchased bandwidth is more than 10 Mbit/s, the bandwidth in the
inbound direction is the same as that of the purchased bandwidth.
The unit of bandwidth is Mbit/s and that of traffic is GB.


3 Networking and Application Scenarios

3.1 Can I Visit Websites Across International Borders Using a VPN?
No.

VPN connects a VPC subnet and the network in a customer data center, that is,
site-to-site connection.

3.2 Can I Deploy Applications on the Cloud, Databases in a Local IDC, and Then Connect Them Through a VPN?
VPN connects to two subnets, that is, a VPC and a customer data center network.

After the VPN is set up successfully, the two subnets can communicate with each
other. In this case, the application server accessing the database is logically the
same as accessing other servers in the same LAN.

This is a typical IPsec VPN scenario.

In addition, after the VPN is set up, services on the cloud and in the customer data
center can access each other.

NOTICE

● After a VPN is set up, pay attention to the network latency and packet loss to
ensure normal service running.
● It is recommended to run the ping command to check the packet loss and
network latency details.


3.3 How Many VPN Connections Do I Need to Connect to Multiple Servers in a Data Center?
HUAWEI CLOUD IPsec VPN connects a VPC on the cloud and a subnet in your
local data center. Therefore, the number of VPN connections is irrelevant to the
number of servers, but is related to the number of data centers where the servers
are located.
In most cases, a data center has a public network egress gateway. All servers
connect to the Internet through this gateway. Therefore, you only need to
configure one VPN connection to allow communications between HUAWEI CLOUD
VPC and your network.

3.4 Do I Need to Install the IPsec Software on Each Server That Needs to Access an ECS to Establish a VPN Connection?
No.
HUAWEI CLOUD VPN connects two LANs. Multiple servers in the customer data
center use the same public IP address to access the cloud. If you install the IPsec
software for the servers, the VPN gateway on the cloud will receive negotiation
packets from different servers and then the system receives a large amount of
repeated negotiation information, which causes connection exceptions or even
connection unavailability.
It is recommended that you use the egress firewall to configure a VPN to connect
to the cloud. When creating a VPN, you can specify multiple CIDR blocks. You
should only allow servers of developers to access the ECS on the cloud based on
the security group on the cloud or the security rules of the customer data center.

3.5 What Are the Differences Between the Application Scenarios and Connection Modes of IPsec and SSL VPNs?
Application Scenarios
IPsec VPN connects two LANs, such as a branch and its headquarters, or a local IDC and a VPC.
SSL VPN connects a client to a LAN. For example, the portable computer of an
employee on a business trip accesses the internal network of the company.


Connection Modes
IPsec VPN requires fixed gateways, such as firewalls or routers, at both ends. The
administrator needs to configure gateways at both ends to complete IPsec VPN
negotiation.

SSL VPN requires specified client software to be installed on the connecting host, which then connects to the SSL device using a username and password.

NOTE

Currently, HUAWEI CLOUD only supports IPsec VPN.

3.6 Does a VPN Allow for Communication Between Two VPCs?
● If the two VPCs are in the same region, you can use a VPC peering connection
to enable communication between them.
● If the two VPCs are in different regions:
a. Create VPN gateways for the two VPCs and create VPN connections for
the two VPN gateways.
b. Set the remote gateway address of each VPN connection to the gateway
IP address of the peer side.
c. Set the remote subnet of each VPN connection to the CIDR block of the
peer VPC.
d. The pre-shared keys and algorithm parameters of the two VPN
connections must be the same.

3.7 What Are the Impacts of a VPN on a Local Network? What Are the Changes to the Route for Accessing an ECS?
When configuring a VPN, you need to configure the following on the gateway of
the customer data center.

1. Configure IKE/IPsec policies.
2. Specify interesting traffic (ACL rules).
3. Check the route of the gateway in the customer data center to ensure that traffic destined for the HUAWEI CLOUD VPC is routed to the correct egress interface (the interface with the IPsec policy bound).
After the VPN configuration is complete, only the traffic matching the ACL rules
enters the VPN tunnel.
For example, before a VPN is created, local users access the ECS through the EIP
bound to the ECS. After the VPN is created, data flows matching the ACL rules
access the private IP address of the ECS through the VPN tunnel.

3.8 What Configurations Are Required on Both Ends of a VPN to Implement the Communication Between a Customer Data Center and a VPC?
To implement the VPN interconnection, you need to create a VPN on the cloud
and configure the gateway device of the customer data center.
● Creating a VPN on the cloud: Buy a VPN gateway (select the billing mode,
bandwidth size, and the VPC to be associated). Buy a VPN connection (specify
the gateway IP addresses, subnets, and negotiation policies at both ends).
● Configuring the VPN device of the customer data center: Select the public IP
address of the customer data center, configure the first and second phases of
IPsec negotiation on the device that supports IPsec VPN, and then configure
network routes, NAT, and security rules.

3.9 Can I Use a Gateway with Two Egresses to Establish Two VPN Connections with the Same VPC?
No.
When creating a VPN, a local subnet is a VPC subnet, and a remote subnet is the
subnet of a customer data center. If the two connections use the same local
subnet and remote subnet, the VPN cannot be created.

3.10 Can Two VPCs in the Same Region Be Connected Through a VPN?
No.
For two VPCs in the same region, you can use a VPC peering or Cloud Connect
connection to connect them.

3.11 How Can I Connect Two VPCs in the Same Region?


Two VPCs in the same region can be connected using a VPC peering or Cloud
Connect connection. VPC Peering can only connect VPCs in the same region, and
Cloud Connect can also connect VPCs in different regions.


3.12 How Do I Replace a Direct Connect Connection with a VPN?
1. Ensure that the customer data center gateway supports IPsec VPN.
2. Create a VPN gateway (select the VPC that the Direct Connect connection uses) and a VPN connection on HUAWEI CLOUD.

NOTICE

When creating a VPN connection, configure its remote subnet as follows to avoid routing conflicts.
● Delete the virtual interface of the Direct Connect connection first and then
configure the VPN connection.
● Divide the remote subnet into two subnets and configure VPN connections.
After the Direct Connect connection is deleted, configure the VPN
connections again.

3.13 How Can I Connect Two VPCs Created on the Cloud to the IDC Network?
Network Topology
IDC-VPC 1-VPC 2

NOTE

IDC indicates the customer data center. A VPN connection is established between VPC 1
and the IDC.

Procedure
1. Check whether the two VPCs are in the same region.
– If the two VPCs are in the same region, they can be connected through a
VPC peering or Cloud Connect connection (free of charge).
– If the two VPCs are in different regions, use a Cloud Connect connection
(you need to pay for the bandwidth fee).
2. Establish a VPN connection between the IDC and a VPC. Change the remote
subnet of the IDC to the subnets of VPC 1 and VPC 2. The local subnet of VPC
1 must contain the subnet connected through a VPC peering or Cloud
Connect connection. The subnet route of the VPC peering or Cloud Connect
connection should destine for the IDC subnet.


3.14 How Do I Connect Four Subnets?


Figure 3-1 shows the network topology.

Figure 3-1 Network Topology

1. Use a VPN or Direct Connect connection to connect IDC 1 to VPC 1.
2. Use a Cloud Connect connection to connect VPC 1 to VPC 2.
3. Use a VPN or Direct Connect connection to connect IDC 2 to VPC 2.
4. After the subnet routes of VPN, Cloud Connect, and Direct Connect
connections are updated, the four subnets can communicate with each other.

3.15 Do I Need Two VPN Connections to Connect Four Subnets of Two Regions (Each Region Has Two Subnets)?
No.

Only one VPN connection is required between two regions. The subnets can all be
added to the VPN connection.

In this scenario, if you attempt to create a second VPN connection, the management console displays a message indicating that a conflict occurs because the two connections have the same remote gateway address.

3.16 Can I Access OBS Through a VPN?


Yes.


With the VPC Endpoint service, you can access OBS through a VPN. Create two VPC endpoints, one for the private DNS server and one for OBS. On the customer side, configure the HUAWEI CLOUD private DNS server as the resolver for OBS domain names and add a route that sends traffic for the endpoint addresses into the VPN tunnel.

3.17 How Do I Interconnect My Personal Computer with a VPN?

Common home broadband routers, personal mobile terminals, and VPN services
(such as L2TP) provided by Windows hosts cannot interconnect with HUAWEI
CLOUD VPN.
To interconnect with HUAWEI CLOUD VPN, on-premises devices must support the
standard IPsec protocol.

3.18 How Do I Access HUAWEI CLOUD ECSs From Home After My Enterprise Network Is Connected to HUAWEI CLOUD Through a VPN?

HUAWEI CLOUD VPN connects the VPC on the cloud and the local area network
(LAN) off the cloud.
The home network is not a part of the LAN of your enterprise and cannot be
directly connected to the VPC on the cloud.
If your host at home needs to access VPC resources on the cloud, your host can
directly access the EIP of the cloud service or connect to the LAN of your
enterprise through SSL VPN (if your enterprise supports SSL access) and then
access VPC resources on the cloud through the LAN.

3.19 How Do I Create a VPN Connection Temporarily If No Device That Supports IPsec Is Available off the Cloud After I Purchase HUAWEI CLOUD VPN Gateway and Connections?

To establish a VPN connection with HUAWEI CLOUD, a device that supports
standard IPsec and a fixed public IP address must be available off the cloud.
To temporarily connect to HUAWEI CLOUD, install third-party software on the
host.
Recommended third-party IPsec software: strongSwan, Openswan, and
TheGreenBow. For details, see Virtual Private Network Administrator Guide.

3.20 How Do I Select a Proper Region on the Cloud When Creating a VPN Gateway?

When you create a VPN gateway, select the region closest to where your on-premises data center is located, for lower network latency. You can, however, select a VPC in any region when creating a VPN gateway.
● For multiple VPCs in the same region, you only need to create one VPN
gateway because the VPCs can be connected using VPC peering connections
(free of charge).
● For multiple VPCs across regions, you can use VPN and Cloud Connect
connections to connect them.

4 Billing and Payments

4.1 What Fees Will Be Incurred for Creating a VPN? Will I Be Billed for VPN Gateway IP Addresses?

The VPN billing modes include yearly/monthly and pay-per-use. Both the VPN
gateway bandwidth fee and VPN connection fee will be billed.

The gateway bandwidth can be billed by traffic or bandwidth.

1. If the billing mode of a VPN gateway is yearly/monthly, its bandwidth can only be billed by bandwidth. If you create a yearly/monthly VPN gateway, the price of the VPN gateway includes the price of the VPN connections created for the gateway and the price of the bandwidth.
2. Pay-per-use is a postpaid billing mode, and the billing cycle is one hour. If you
create a pay-per-use VPN gateway, a VPN connection must be purchased
together with the VPN gateway. The total price includes the gateway
bandwidth price and the price of the VPN connection created with the VPN
gateway. When you create another connection for the gateway, only the price
of this created connection will be billed.
NOTE

● The IP address of the VPN gateway will not be billed. Only the bandwidth of the
VPN gateway will be billed.
● A VPN gateway cannot share a bandwidth with an EIP bound to an ECS.

4.2 What Is the Difference Between Billing a VPN Gateway by Bandwidth or by Traffic?

The details are as follows:

If you select the pay-per-use billing mode, both billing by bandwidth and by traffic
are supported.
● If billing by bandwidth is selected and the billing cycle is one hour, the
generated fee varies according to the bandwidth size.

● If billing by traffic is selected, the traffic fees generated each hour will be
collected. The bandwidth size does not affect the public traffic price per GB.
The billing is based on the generated traffic going out of a VPC.

4.3 Can a VPN Billed by Traffic Use a Shared Data Package?

No.

The VPN service is charged independently and cannot use the shared data
package.

4.4 How Many VPN Connections Do I Need to Connect VPCs in Different Regions?

VPNs can be used to connect VPCs in different regions. The VPN bandwidth and
connections of each region will be charged independently. Therefore, you need to
calculate the number of regions when estimating price.

For example, if Region A needs to establish VPN connections with Region B and
Region C, respectively, the VPN gateway of Region A has two connections, which
are used to connect to Region B and Region C, respectively. The VPN gateway of
Region B has one connection, and the VPN gateway of Region C also has one
connection.

Therefore, you need four VPN connections and each connection belongs to its own
region.

4.5 When Will VPN Resources Be Frozen? How Can I Unfreeze VPN Resources?

● If pay-per-use VPN resources are in arrears, they enter the retention period and are frozen. Frozen resources are unavailable and cannot be modified or deleted. If the retention period ends and you still have not topped up your account and paid off the arrears, the resources are released and cannot be restored. To keep the resources available, top up your account and pay off the arrears before the retention period ends.
● Frozen VPN resources become available again after you renew them or top up your account. If a VPN connection is then in the Not connected state, generate data flows (for example, ping hosts in the peer subnet) to trigger negotiation so that the connection returns to the normal state.

Table 4-1 Retention period of customers with different levels

Customer Level    Retention Period (Days)
V5                15
V4                15
V3                7
V2                7
V1                7
V0                1

5 Related Operations on the Console

5.1 What Are the Relationships Between a VPC, a VPN Gateway, and a VPN Connection?

● A VPC is a private network on the cloud. Multiple VPCs can be created in the
same region but are isolated from each other. A VPC can be divided into
multiple subnets.
● A VPN gateway is created based on a VPC and is the access point of a VPN
connection. Only one VPN gateway can be purchased for a VPC, but multiple
VPN connections can be created for each gateway.
● A VPN connection is created based on a VPN gateway and is used to connect
a VPC subnet to the subnet of a customer data center (or a VPC in another
region). That is, each VPN connection connects to a gateway of a customer
data center.
NOTE

The number of VPN connections is irrelevant to the number of local subnets and
remote subnets. It is only related to the number of data centers (or VPCs in other
regions) to be connected to a VPC. The created VPN connections are displayed in the
VPN connection list. You can also view the number of created VPN connections on the
VPN gateway.

5.2 How Long Does It Take for Delivered VPN Configurations to Take Effect?

After VPN resources are created on the console, the VPN configurations will take
effect within 1 to 5 minutes.

NOTE

After the VPN configurations take effect, you need to configure the gateway on your side to
complete tunnel negotiation with the VPN gateway on HUAWEI CLOUD. Then, the VPN
connection is successfully established.

5.3 Why Is the VPN Connection Always in the Not Connected State Even After Its Configuration Is Complete?

Ensure that the pre-shared keys and negotiation policies at both ends are identical, and that the subnets and gateways are mirrored: the local subnet and local gateway on one side must be the remote subnet and remote gateway on the other side, and vice versa.
Ensure that the routing, NAT, and security rules are correctly configured on the gateway device of the customer data center. Then ping servers in the subnets at both ends to trigger negotiation.

NOTE

1. VPN negotiation is triggered by data flows. After the configuration is complete, ping a server in the peer subnet. Before running the ping command, make sure the host firewall on the target server allows ICMP (or is temporarily disabled for the test) and that the security group on the cloud allows inbound ICMP requests.
2. Pinging the IP address of the gateway does not trigger VPN negotiation. You need to ping a server in the subnet protected by the gateway.

5.4 Can a VPN Gateway IP Address Be Retained After the VPN Gateway Is Deleted?

After a VPN gateway is deleted, its IP address will not be retained.
After a VPN gateway is deleted on the management console, the resources
associated with the VPN gateway, such as its IP address, will be released.

NOTICE

In the pay-per-use billing mode, deleting the last connection of a VPN gateway
will also delete the gateway. If you want to retain the IP address, do not delete the
last VPN connection.

5.5 Do I Need to Create a VPN Gateway or a VPN Connection for Creating a VPN? Which Information About a Created VPN Can Be Modified?

Prerequisites for creating a VPN
Create a VPC and a VPC subnet. The VPC subnet must not overlap with the subnet of the customer data center.
To create a VPN, you need to create a VPN gateway and a VPN connection.

● Create a VPN gateway. The gateway IP address is assigned automatically; you need to set Region, Name, Billing Mode, VPC to be associated, Billed By, and Bandwidth. Region, Billing Mode, VPC to be associated, and Billed By cannot be modified after the VPN gateway is created.
● Create a VPN connection. You need to specify the connection name,
associated VPN gateway, local subnet, PSK, remote gateway, remote subnet,
and negotiation policies. The connection name, local subnet, PSK, remote
gateway, remote subnet, and negotiation policies can be modified after the
VPN connection is created.

5.6 Do I Need to Configure ACL Rules on the HUAWEI CLOUD Management Console After I Configured ACL Rules on the Gateway Device of the On-premises Data Center?

No. On the gateway device of the on-premises data center you create ACL rules that define the interesting traffic, and these rules are referenced by the IPsec policies on that device.
When you configure the VPN on the cloud, the corresponding ACL rules are generated automatically from the local and remote subnets entered on the management console and delivered to the VPN gateway. The number of generated ACL rules equals the number of local subnets multiplied by the number of remote subnets, one rule per (local subnet, remote subnet) pair.

5.7 What Do I Do If an Exception Occurs When I Add a Remote Subnet During VPN Connection Creation?

Check whether this remote subnet has been used as the destination of a VPC
peering, Cloud Connect, or Direct Connect connection route, which causes routing
conflicts. If yes, delete the route and create a new one.

5.8 Where Can I Add a Route to Reach the Remote Subnet on the VPN Console?

When a VPN connection is created, a route is automatically delivered to reach the
remote subnet.

5.9 Does HUAWEI CLOUD support APIs?


VPN requires complex configurations. Currently, VPN resources cannot be created,
queried, or modified through APIs. You only can perform these operations on the
management console.

5.10 What Is a Remote Gateway and Remote Subnet in a VPN Connection?

When creating a VPN connection, a subnet in the HUAWEI CLOUD VPC is the local subnet and the created VPN gateway is the local gateway. The connected subnet in the on-premises data center is the remote subnet and the gateway in the on-premises data center is the remote gateway.

A remote gateway IP address is a public network IP address. A remote subnet is a subnet of the on-premises data center that needs to connect to a HUAWEI CLOUD VPC through a VPN.

5.11 How Do I Disable the PFS Function When Creating a VPN Connection?

In some regions, PFS cannot be disabled on HUAWEI CLOUD VPN. Instead of trying to disable it on the cloud, enable the PFS function on the gateway in the customer data center.

The PFS function improves the security of IKE negotiation in phase 2.

By default, the PFS function is disabled on some vendors' devices. Check the device
configuration manual to ensure that the PFS function is enabled.

NOTE

● Perfect Forward Secrecy (PFS) is a security feature. IKE negotiation has two phases, phase one and phase two. The key of phase two (the IPsec SA) is derived from the key generated in phase one. Once the phase one key is disclosed, the security of the IPsec VPN may be adversely affected. To improve key security, IKE provides the PFS function. With PFS enabled, an additional DH exchange is performed during IPsec SA negotiation and an independent set of IPsec SA keys is generated, so compromise of the phase one key does not expose the IPsec SA keys.
● To add this extra layer of protection, PFS is enabled on HUAWEI CLOUD by default. Ensure that PFS, with the same DH group, is also enabled when you configure the gateway in your data center. Otherwise, the negotiation fails.

5.12 What Is the Limitation on the Number of Local and Remote Subnets of a VPN? Why Is an Error Message Displayed When I Update the Local Subnet by Specifying a CIDR Block?

1. The maximum number of local subnets is 5. The maximum number obtained
by multiplying the number of local subnets and that of remote subnets
cannot exceed 225.
2. A VPC delivers VPC subnet routes based on the remote subnets of the VPN
connection, remote subnets of the Direct Connect connection, and subnets of
the VPC peering connection. Each subnet has one subnet route.

3. The number of VPC subnet routes cannot exceed 200. That is, the total
number of remote subnets of the VPN connection, remote subnets of the
Direct Connect connection, subnets of the VPC peering connection, and
custom routes in a VPC cannot exceed 200.

5.13 Can the Local Subnet Be Within the Remote Subnet of a VPN?

No.
The remote subnet and local subnet cannot overlap.

5.14 Why Is the Status of a VPN Connection Not Connected on the Management Console When It Is Already Available?

There is a latency to display the latest VPN connection status on the management
console.
If the service access is normal, the VPN connection is established. After several
minutes, the VPN connection status will be Connected.

5.15 What Do I Do If a Message Is Displayed Indicating That the VPN Connection Does Not Exist After Negotiation Policies Are Modified?

This problem is caused by the page refresh interval.
When you modify the advanced settings, the system first deletes the VPN
connection and then creates one. If the page displays the message indicating that
the connection is being deleted or created for a short period of time, do not create
the same connection (with the same local subnet, remote subnet, and remote
gateway) again.
If the page remains in the connection deleting or creating state for a long time,
submit a service ticket.

5.16 What Should I Do If I Cannot Create Connections for a VPN Gateway That Has No Bandwidth Information?

If a VPN gateway has no bandwidth information, the VPN is of the old edition and
this type of VPN cannot be created on HUAWEI CLOUD any more.
● Only one VPN connection can be created for each VPN gateway of the old
edition and its bandwidth is not guaranteed. You can delete the gateway and
create one of the new edition (service running will be affected).

● You can also submit a service ticket to change the gateway to one of the
new edition (service running will not be affected).
By default, the bandwidth of a VPN gateway changed to the new edition is 10
Mbit/s. You can adjust the bandwidth as required. The bandwidth of a VPN
gateway that is billed on a yearly/monthly basis cannot be decreased.

5.17 How Do I Reset a VPN Connection?


● Disable the VPN connection on the device off the cloud. After the status of
the VPN connection on the cloud changes to Not connected, enable the VPN
connection on the device off the cloud.
● Change the remote gateway IP address of the VPN connection on the cloud to
any other IP address. After the status of the connection off the cloud changes
to inactive, change the remote gateway IP address on the cloud to the current
IP address.

5.18 What Is the Maximum Bandwidth Supported by a VPN Gateway?

The maximum bandwidth that you can configure for a VPN gateway on the
console is 300 Mbit/s.
If you need a larger bandwidth temporarily to test the VPN function, contact the
VPN product manager. The maximum bandwidth can be expanded to 1 Gbit/s. If
the required bandwidth exceeds 1 Gbit/s, it is recommended to use Direct Connect.

5.19 What Are the Categories of VPN Service Tickets? How Do I Create a VPN Service Ticket?

1. Log in to the management console.
2. In the upper right corner of the management console, choose Service Tickets
> Create Service Ticket.

Figure 5-1 Creating a service ticket

3. Click More Products and then Virtual Private Network under Network.

Figure 5-2 Selecting Virtual Private Network

4. Select the service ticket type.

Figure 5-3 Selecting the service ticket type

NOTE

When submitting a service ticket, select a ticket type to facilitate problem handling.

Figure 5-4 Ticket category and classification basis

5.20 Are a Username and Password Required for Creating an IPsec VPN Connection?

HUAWEI CLOUD IPsec VPN uses a pre-shared key (PSK) for authentication. The
key is configured on a VPN gateway. A tunnel will be established after VPN
negotiation is complete. Therefore, usernames and passwords are not required.
Generally, SSL, PPTP, and L2TP VPNs use usernames and passwords for
authentication.

NOTE

IPsec XAUTH is an extended technology of IPsec VPN. It prompts users to enter their
usernames and passwords during VPN negotiation.
Currently, HUAWEI CLOUD VPN does not support IPsec XAUTH.

5.21 Which Resources of a VPN Can Be Monitored?


VPN Gateway

Bandwidth information that can be monitored includes bandwidth usage, inbound traffic, inbound bandwidth, outbound traffic, outbound bandwidth, and outbound bandwidth usage. To query the VPN gateway monitoring status, locate the target VPN gateway and click View Metric in the Operation column.

VPN Connection

The VPN connection status can be monitored. Value 1 indicates that the
connection is normal, and value 0 indicates that the connection is not connected.
To query VPN connection monitoring information, locate the target VPN
connection and click View Metric in the Operation column.

5.22 Will I Be Notified If a VPN Connection Is Interrupted?

Monitoring the status of VPN connections is supported in regions such as CN
North-Beijing1, CN East-Shanghai2, and CN South-Guangzhou. All regions will
support the monitoring function in the future. After logging in to the
management console, select the region where the monitoring function is
supported, under Management & Deployment, click Cloud Eye to set alarm
rules.

After a VPN connection is created, the VPN connection status will be reported to
Cloud Eye, but alarm notifications will not be automatically sent to you. You need
to set alarm rules on Cloud Eye to receive notifications.

After a VPN connection is created, locate the row that contains the target VPN
connection and choose Operation > View Metric to switch to the monitoring
page.

Figure 5-5 Viewing metrics about VPN connections

6 VPN Negotiation and Interconnection

6.1 What Devices Can Be Connected to HUAWEI CLOUD Through a VPN?

HUAWEI CLOUD VPN supports the standard IPsec protocol. If devices in your data
center meet the following requirements, they can interconnect with HUAWEI
CLOUD.
1. Devices support IPsec VPN.
2. Your data center has a fixed public IP address or an IP address obtained after
performing NAT mapping on a fixed public IP address.
Devices usually are routers and firewalls. For details, see Administrator Guide.

NOTE

● Common home broadband routers, personal mobile terminals, and VPN services (such
as L2TP) provided by Windows hosts cannot interconnect with HUAWEI CLOUD VPN.
● Vendors that have performed the interconnection test with the HUAWEI CLOUD VPN
service include but are not limited to Huawei (routers and firewalls), H3C (routers and
firewalls), Cisco (routers and firewalls), Ruijie (routers and firewalls), ZTE, Sangfor,
Fortinet, 360, Topsec, Hillstone, NetentSec, NSFOCUS, DELL, ZyXEL, and Juniper.
● Cloud service providers include but are not limited to Alibaba Cloud, Tencent Cloud, and
Amazon.
● Software vendors include but are not limited to Openswan, strongSwan, and TheGreenBow.
● IPsec is a standard IETF protocol. Any device that supports IPsec can interconnect with HUAWEI CLOUD, so the specific device model does not matter. Currently, most enterprise-level routers and firewalls support the IPsec protocol.
● The feature specifications of some hardware vendors list that the products support IPsec
VPN, but in fact software licenses are required to be purchased to activate related
functions, such as Cisco ISR series routers.
Contact the data center administrator to confirm the device model with the vendor.

6.2 What Are VPN Negotiation Parameters? What Are Their Default Values?

Table 6-1 VPN negotiation parameters

Protocol   Parameter                  Value
IKE        Authentication Algorithm   SHA2-256
IKE        Encryption Algorithm       AES-128
IKE        DH Algorithm               Group 14
IKE        Version                    v2
IKE        Lifecycle (s)              86400
IPsec      Authentication Algorithm   SHA2-256
IPsec      Encryption Algorithm       AES-128
IPsec      PFS                        DH Group 14
IPsec      Transfer Protocol          ESP
IPsec      Transfer Mode              Tunnel (only the tunnel mode is supported; the transport mode is not supported)
IPsec      Lifecycle (s)              3600

NOTE

● Perfect Forward Secrecy (PFS) is a security feature. IKE negotiation has two phases, phase one and phase two. The key of phase two (the IPsec SA) is derived from the key generated in phase one. Once the phase one key is disclosed, the security of the IPsec VPN may be adversely affected. To improve key security, IKE provides the PFS function. With PFS enabled, an additional DH exchange is performed during IPsec SA negotiation and an independent set of IPsec SA keys is generated, so compromise of the phase one key does not expose the IPsec SA keys.
● To add this extra layer of protection, PFS is enabled on HUAWEI CLOUD by default. Ensure that PFS is also enabled when you configure the gateway in your data center. Otherwise, the negotiation fails.
● To use PFS, the DH group configured on both ends must be the same.
● The traffic-based lifetime of the IPsec SA is not configurable for the HUAWEI CLOUD VPN service. Its default value is 1843200 KB. This is separate from the time-based lifetime of 3600 s in Table 6-1; the traffic-based value is not a negotiation parameter and does not affect the establishment of an IPsec SA.

6.3 Will an IPsec VPN Connect Automatically?

After IPsec VPN is configured on both ends, a connection is not established automatically. Data flows between the two ends are required to trigger the establishment of a tunnel. If no data flow is exchanged between the cloud and the customer data center, the VPN connection stays in the Not connected state. The data flow can be real service traffic or ping traffic between servers.

Tunnel establishment can be triggered in two modes: negotiation initiated automatically by the gateway device at one end of the connection, or negotiation triggered by traffic between servers on the cloud and in the local data center.

HUAWEI CLOUD does not support automatic negotiation initiated by the VPN gateway on the cloud. When you set up the connection for the first time, verify that it can be triggered by data flows from either end: use a server in the customer data center to ping a server on the cloud to establish the connection, then tear the connection down and check that it is also established when a server on the cloud pings a server in the customer data center.

NOTE

The source and destination addresses of the ping packets must be protected by the VPN.
Before the connection is set up, the gateway IP addresses of both ends can be pinged.
However, pinging the gateway IP address does not trigger the setup of the VPN connection.

6.4 How Do I Configure a VPN for a Device in a Data Center? (Configuring the VPN on a Huawei USG6600 Series Firewall)

Due to the symmetry of the tunnel, the VPN parameters configured on the cloud
must be the same as those configured in your own data center. If they are
different, a VPN cannot be established.

To set up a VPN, you also need to configure the IPsec VPN on the router or
firewall in your own data center. The configuration method may vary depending
on your network device in use. For details, see the configuration guide of your
network device.

This section describes how to configure the IPsec VPN on a Huawei USG6600
series V100R001C30SPC300 firewall for your reference.

For example, the subnets of the data center are 192.168.3.0/24 and
192.168.4.0/24, the subnets of the VPC are 192.168.1.0/24 and 192.168.2.0/24, and
the public IP address of the IPsec tunnel egress in the VPC is XXX.XXX.XX.XX, which
can be obtained from the local gateway parameters of the IPsec VPN in the VPC.

Procedure
1. Log in to the CLI of the firewall.
2. Check firewall version information.
display version
17:20:50 2017/03/09
Huawei Versatile Security Platform Software
Software Version: USG6600 V100R001C30SPC300 (VRP (R) Software, Version 5.30)

3. Create an access control list (ACL) and bind it to the target VPN instance.

acl number 3065 vpn-instance vpn64
rule 1 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 2 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 3 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 4 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
q

4. Create an IKE proposal. The algorithms, DH group, and IKE version used in this example (SHA-1, DH group 5, and IKEv1 selected by undo version 2 in step 5) must match the negotiation policy of the VPN connection on the console. The console defaults in Table 6-1 are SHA2-256, AES-128, DH group 14, and IKEv2, so adjust one side or the other before testing.
ike proposal 64
dh group5
authentication-algorithm sha1
integrity-algorithm hmac-sha2-256
sa duration 3600
q

5. Create an IKE peer and reference the created IKE proposal. The peer IP address (the public IP address of the HUAWEI CLOUD VPN gateway) is 93.188.242.110 in this example. The pre-shared key must be identical to the PSK entered for the VPN connection on the console.
ike peer vpnikepeer_64
pre-shared-key ******** (******** specifies the pre-shared key.)
ike-proposal 64
undo version 2
remote-address vpn-instance vpn64 93.188.242.110
sa binding vpn-instance vpn64
q

6. Create an IPsec proposal.
ipsec proposal ipsecpro64
encapsulation-mode tunnel
esp authentication-algorithm sha1
q

7. Create an IPsec policy and reference the ACL, the IKE peer, and the IPsec proposal. The PFS DH group must match the PFS setting of the connection on the console (Table 6-1 default: DH group 14).
ipsec policy vpnipsec64 1 isakmp
security acl 3065
pfs dh-group5
ike-peer vpnikepeer_64
proposal ipsecpro64
local-address xx.xx.xx.xx
q

8. Apply the IPsec policy to the subinterface.
interface GigabitEthernet0/0/2.64
ipsec policy vpnipsec64
q

9. Test the connectivity.


After you perform the preceding operations, you can test the connectivity
between your ECSs in the cloud and the hosts in your data center. For details,
see the following figure.

Figure 6-1 Connectivity test

6.5 How Should I Configure the Gateway Device of the Customer Data Center When I Use a VPN to Connect to the Cloud?

Determine the subnet of the customer data center, the subnet on the cloud, and the gateway IP addresses at both ends.
Then configure IPsec on the gateway of the customer data center to match the VPN negotiation policy on the cloud, and add rules to the security group associated with the VPC to allow ICMP packets in both the inbound and outbound directions for the connectivity test.
● Route setting: On the customer gateway, make sure that traffic for the VPC subnets is routed out of the interface to which the IPsec policy is applied, and that the route to the public IP address of the HUAWEI CLOUD VPN gateway uses the Internet-facing next hop of the customer gateway.
● NAT setting: On the customer gateway device, exempt traffic from the local subnet to the VPC subnet from source NAT, and place the exemption before the general NAT rule; otherwise the packets carry the public source address and never match the IPsec ACL. Add security rules to allow mutual access between the local subnet and the VPC subnet, and allow UDP 500, UDP 4500, ESP (IP protocol 50), and AH (IP protocol 51) packets in both directions between the IP address of the VPN gateway on the cloud and the IP address of the customer gateway.

6.6 Can HUAWEI CLOUD VPN Connect to a Remote Gateway Through a Domain Name?

No. A VPN connection can only connect to a remote gateway through the gateway
public IP address.

6.7 How Many Tunnels Does My VPN Connection Have?

The number of tunnels in a VPN connection depends on the number of local subnets and remote subnets: the total number of tunnels equals the number of local subnets multiplied by the number of remote subnets. The status of a VPN connection is normal as long as at least one of its tunnels is active. If you need every tunnel to be active, data flows must be triggered between each pair of local and remote subnets.
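The subnet limits in 5.12 and 5.13, the ACL count in 5.6, and the tunnel count above all follow from the same (local subnet, remote subnet) pairing. The pre-flight check below is an added example, not HUAWEI CLOUD code: it validates a pair of subnet lists against those limits before you create or modify a connection, enumerates the pairs that will become tunnels, and renders the on-premises ACL of 6.4 in Huawei VRP syntax from the same lists. The limit constants and the existing route count it accepts are assumptions taken from this FAQ; adjust them if the console reports different quotas.

```python
"""Pre-flight check for the subnet lists of a HUAWEI CLOUD VPN connection.

Added example (not HUAWEI CLOUD code). It encodes the limits this FAQ states
in 5.6, 5.12, 5.13 and 6.7: at most 5 local subnets, local x remote <= 225
(one ACL rule and one tunnel per pair), local and remote subnets must not
overlap, and the VPC's subnet routes must stay within 200. The constants are
assumed from the FAQ; the existing route count is assumed to be read from
the VPC route table by the caller.
"""
import ipaddress
from itertools import product

MAX_LOCAL_SUBNETS = 5   # 5.12
MAX_TUNNELS = 225       # local x remote, 5.12 / 6.7
MAX_VPC_ROUTES = 200    # VPN + Direct Connect + peering + custom routes, 5.12


def parse(cidrs):
    """Parse CIDR strings strictly, so '10.0.0.1/24' is rejected as a host address."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def validate(local_cidrs, remote_cidrs, existing_vpc_routes=0):
    """Return (ok, problems, tunnels).

    tunnels is the list of (local, remote) selector pairs the connection will
    negotiate; its length is the number of tunnels (6.7) and of ACL rules (5.6).
    """
    local, remote = parse(local_cidrs), parse(remote_cidrs)
    problems = []

    if len(local) > MAX_LOCAL_SUBNETS:
        problems.append(f"{len(local)} local subnets exceed the limit of {MAX_LOCAL_SUBNETS}")
    if len(set(local)) != len(local) or len(set(remote)) != len(remote):
        problems.append("duplicate subnet on one side of the connection")

    tunnels = [(str(loc), str(rem)) for loc, rem in product(local, remote)]
    if len(tunnels) > MAX_TUNNELS:
        problems.append(f"{len(tunnels)} local x remote pairs exceed the limit of {MAX_TUNNELS}")

    # 5.13: a local subnet inside a remote one (or the reverse) counts as an overlap.
    for loc, rem in product(local, remote):
        if loc.overlaps(rem):
            problems.append(f"local {loc} overlaps remote {rem}")

    # 5.8 / 5.12: one VPC subnet route is delivered per remote subnet.
    if existing_vpc_routes + len(remote) > MAX_VPC_ROUTES:
        problems.append(f"{existing_vpc_routes} existing routes + {len(remote)} remote subnets "
                        f"exceed the VPC route limit of {MAX_VPC_ROUTES}")

    return (not problems, problems, tunnels)


def vrp_acl(dc_cidrs, vpc_cidrs, acl_number=3065):
    """Render the on-premises ACL of 5.6 / 6.4 in Huawei VRP syntax: one permit rule
    per (data-center subnet, VPC subnet) pair, with wildcard (inverted) masks."""
    lines = [f"acl number {acl_number}"]
    for i, (src, dst) in enumerate(product(parse(dc_cidrs), parse(vpc_cidrs)), start=1):
        lines.append(f"rule {i} permit ip source {src.network_address} {src.hostmask} "
                     f"destination {dst.network_address} {dst.hostmask}")
    return lines


if __name__ == "__main__":
    # Subnets from the 6.4 example: VPC 192.168.1.0/24 and 192.168.2.0/24,
    # data center 192.168.3.0/24 and 192.168.4.0/24.
    ok, problems, tunnels = validate(["192.168.1.0/24", "192.168.2.0/24"],
                                     ["192.168.3.0/24", "192.168.4.0/24"])
    print("ok:", ok, "tunnels:", len(tunnels), problems)
    print("\n".join(vrp_acl(["192.168.3.0/24", "192.168.4.0/24"],
                            ["192.168.1.0/24", "192.168.2.0/24"])))
```

Run it with the subnets you intend to enter on the console; a non-empty problems list is exactly what the console would reject, and the rendered ACL is the one to configure on the data-center side (the cloud side generates its own from the same lists, 5.6).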

6.8 How Do I Allow Specific Servers to Access a Subnet on the Cloud Through a Created VPN Connection?

Configurations off the cloud
● Configure deny rules on VPN devices.
● Configure ACLs on routers or switches.
Configurations on the cloud
● Configure security group rules to deny access from specific IP addresses.
● Configure network ACL rules.
NOTE

All rules must be added to the device before the VPN tunnel is established. Do not change
the local subnet and the remote subnet to restrict the access.

6.9 Do HUAWEI CLOUD VPNs Have the DPD Mechanism Enabled?

Yes.
HUAWEI CLOUD VPNs have the DPD mechanism enabled by default to detect the
status of the IKE process in the customer data center.
After three consecutive detection failures, HUAWEI CLOUD considers that the IKE
process of the customer data center is abnormal. In this case, HUAWEI CLOUD
deletes the local tunnel to ensure tunnel synchronization between the two ends.
DPD does not have to be configured on both ends; it only requires that the peer respond to DPD requests. To keep the tunnel state consistent on both ends and avoid one end holding a tunnel that the other has already torn down, enable DPD on your gateway as well so that it detects the state of the IKE process of the VPN service on the HUAWEI CLOUD side.


NOTE

After DPD fails, the tunnel will be deleted without affecting service stability.
DPD can detect exceptions of the IKE process on the peer end in time and reset the tunnel
to ensure tunnel synchronization between the two ends. After a tunnel is deleted, if there is
user traffic transmitted over the tunnel, the tunnel can be re-established through
negotiation.

6.10 How Can I Use Security Groups to Prevent ECSs in a VPC From Being Accessed Through a VPN to Implement Security Isolation?
You can configure security groups to allow access only to specific CIDR blocks or
ECSs in a VPC through a VPN.

Configuration example: Prevent ECSs in the subnet 10.1.0.0/24 in a VPC from
accessing the customer subnet 192.168.1.0/24.

Configuration method:

1. Create security groups 1 and 2.
2. Security group 1 denies access from the subnet 192.168.1.0/24.
3. Security group 2 allows access from the subnet 192.168.1.0/24.
4. Add ECSs in the subnet 10.1.0.0/24 to security group 1 and other ECSs to
security group 2.

6.11 Will a VPN Connection Be Reestablished After Its Configuration Is Modified?
A VPN connection consists of the local subnet, remote subnet, remote gateway,
pre-shared key, IKE negotiation policy, and IPsec negotiation policy. The effect of
modifying each of them is as follows:

● If the local and remote subnets are modified, the connection ID remains
unchanged, but the subnet information at both ends of the connection is
updated. Tunnels between subnets that were not changed are not
re-established.
● If the IP address of the remote gateway is changed, the connection ID remains
unchanged, but the peer end has changed, so the connection needs to be
re-established.
● If only the pre-shared key of the connection is changed, the connection ID
and status remain unchanged. The key is checked again during the next
renegotiation; if the keys at the two ends do not match, the renegotiation fails.
● If the negotiation policy is modified (pre-shared key authentication is
required), the connection ID is changed and the connection needs to be
re-established.


6.12 Why Can't I Initiate Negotiation from Amazon Web Services to HUAWEI CLOUD After They Are Interconnected?
After the VPN connection is established, Amazon Web Services (AWS) works in
responder mode and does not initiate negotiation. When data flows are sent from
an AWS EC2 instance to a HUAWEI CLOUD ECS, the VPN connection is not
triggered to establish an SA.
According to the AWS documentation, negotiation can be initiated only from
HUAWEI CLOUD.

6.13 How Do I Configure DPD for Interconnecting with HUAWEI CLOUD?
By default, Dead Peer Detection (DPD) is enabled on HUAWEI CLOUD and cannot
be disabled.
Configure DPD as follows:
● DPD-type: on-demand
● DPD idle-time: 30s
● DPD retransmit-interval: 15s
● DPD retry-limit: 3
● DPD msg: seq-hash-notify
The DPD msg format on the two ends of the connection must be the same, but
the DPD type, idle time, and retransmission interval can be different.
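The DPD parameters above (idle-time 30s, retransmit-interval 15s, retry-limit 3) and the behaviour described in 6.9 (three consecutive unanswered probes delete the tunnel), modelled as an added Python example. This is not Huawei code: the FAQ gives the parameters and the three-failure rule, but the exact timeline, the on-demand versus periodic distinction and the class names are assumptions made here.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class DpdMonitor:
    """One end's view of its IKE peer. Times are seconds on a monotonic clock.
    Defaults are the values from 6.13; the timing model is an assumption."""
    idle_time: float = 30.0            # 6.13: DPD idle-time
    retransmit_interval: float = 15.0  # 6.13: DPD retransmit-interval
    retry_limit: int = 3               # 6.13 retry-limit; 6.9: three failures => delete
    mode: str = "on-demand"            # 6.13: on-demand; "periodic" is the alternative
    last_rx: float = 0.0               # time the peer was last heard from
    next_probe_at: Optional[float] = None
    unanswered: int = 0                # probes sent since the peer was last heard from
    tunnel_up: bool = True
    log: List[Tuple[float, str]] = field(default_factory=list)

    def on_receive(self, now: float) -> None:
        """Any packet from the peer (IKE, ESP or a DPD acknowledgement) proves liveness."""
        self.last_rx = now
        self.unanswered = 0
        self.next_probe_at = None

    def tick(self, now: float, outbound_pending: bool) -> Optional[str]:
        """Advance the clock one step; return 'probe', 'delete' or None."""
        if not self.tunnel_up:
            return None
        if self.unanswered == 0:
            # First probe goes out once the peer has been silent for idle_time.
            # On-demand DPD only cares when we actually have traffic to send.
            want = self.mode == "periodic" or outbound_pending
            if want and now - self.last_rx >= self.idle_time:
                return self._probe(now)
            return None
        if now >= self.next_probe_at:
            if self.unanswered >= self.retry_limit:
                # retry_limit probes went unanswered: the peer IKE process is
                # considered dead and the local tunnel is torn down so both
                # ends stay in sync (6.9).
                self.tunnel_up = False
                self.log.append((now, "delete"))
                return "delete"
            return self._probe(now)
        return None

    def _probe(self, now: float) -> str:
        self.unanswered += 1
        self.next_probe_at = now + self.retransmit_interval
        self.log.append((now, f"probe {self.unanswered}"))
        return "probe"


def run_scenario(peer_alive: bool, outbound: bool = True, seconds: int = 120,
                 **params) -> DpdMonitor:
    """Drive a monitor one second at a time. A live peer answers every probe in
    the same second; a dead peer never answers. 'outbound' says whether traffic
    is waiting to go through the tunnel, which is what on-demand DPD keys on."""
    mon = DpdMonitor(**params)
    for now in range(seconds + 1):
        if mon.tick(now, outbound) == "probe" and peer_alive:
            mon.on_receive(now)
    return mon


if __name__ == "__main__":
    for alive in (True, False):
        m = run_scenario(alive)
        print("peer alive" if alive else "peer dead", "->", m.log, "tunnel up:", m.tunnel_up)
```

With a dead peer the probes go out at 30, 45 and 60 seconds and the tunnel is deleted at 75 seconds; raising retry_limit to 5, as 7.2 recommends for the customer gateway, only delays the deletion.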

6.14 What Should I Do If My Firewall Cannot Receive Response Packets of IKE Phase 1 from the HUAWEI CLOUD VPN Gateway?
1. Check whether the public IP addresses of the two ends can communicate with
each other. You can run the ping command. By default, the gateway IP
address on HUAWEI CLOUD can be pinged.
2. Ensure that the on-premises gateway and the HUAWEI CLOUD VPN gateway
can exchange packets on UDP ports 500 and 4500.
3. Ensure that the source port number is not translated when the on-premises
public IP address accesses the gateway IP address on HUAWEI CLOUD. If NAT
traversal is in use, ensure that the port number is not changed after NAT
traversal.
4. The IKE negotiation parameter settings at both ends must be the same. In the
NAT traversal scenario, set the ID type off the cloud to IP and the local ID on
the cloud to the public IP address after NAT.


6.15 What Should I Do If My Firewall Cannot Receive Response Packets from the HUAWEI CLOUD VPN Subnet?
1. Check the routes off the cloud, security policies, NAT configuration,
interesting traffic, and negotiation policies for the Phase 2 negotiation.
– Route configuration: Send the data for accessing the cloud subnet into the
tunnel.
– Security policies: Allow traffic from on-premises subnets to cloud subnets.
– NAT policies: Do not perform NAT when an on-premises subnet accesses
a cloud subnet.
– Interesting traffic: The interesting traffic at the two ends must be mirror
images of each other. An address object name cannot be used for
interesting traffic configured with IKEv2.
– Negotiation policies: Ensure that the negotiation policies, especially PFS,
are the same at both ends.
2. After confirming that both the Phase 1 and Phase 2 negotiations are normal,
check that the security group rules on the cloud allow the on-premises subnet
to access the cloud subnet using ICMP.


7 Connection or Ping Failure

7.1 Why Is the VPN Connection Always in the Not Connected State Even After Its Configuration Is Complete?
Ensure that the pre-shared keys and negotiation information at both ends are
consistent. The local subnet and gateway of one side must be the same as the
remote subnet and gateway of the other side, and the remote subnet and gateway
of one side must be the same as the local subnet and gateway of the other side.

Ensure that the routing, NAT, and security rules are correctly configured on the
gateway device of the customer data center. Then, ping the servers in the subnets
at both ends.

NOTE

1. VPN is triggered based on data flows. After the configuration is complete, you need to
ping the servers in the peer subnet. Before running the ping command, the server
firewall should be disabled and the security group on the cloud should allow inbound
ICMP requests.
2. Pinging the IP address of the gateway cannot trigger VPN negotiation. You need to ping
the server in the subnet protected by the gateway.

7.2 How Can I Prevent VPN Connection Interruption?

VPN connections may be renegotiated when the IPsec SA lifecycle is about to
expire or the data transferred through the VPN connection exceeds 20 GB. Usually,
renegotiation does not interrupt VPN connections.

Most disconnections are caused by incorrect configurations on both ends of the
VPN connection or renegotiation failures due to Internet exceptions.

The common causes of connection interruptions are as follows:

● ACLs of the devices at the two ends of the tunnel do not match.
● SA lifecycles at the two ends do not match.
● DPD is not configured in the customer data center.
● The configuration is modified while the VPN is in use.
● Packets are fragmented because the data size exceeds the MTU.
● Jitter occurs on the carrier's network.
Therefore, ensure that the following configurations are performed to keep the
VPN connection alive:
● The local subnet of one side is the same as the remote subnet of the other
side and the remote subnet of one side is the same as the local subnet of the
other side.
● SA lifecycles at the two ends are consistent.
● DPD is enabled on the gateway device of the customer data center, and the
number of detection times is greater than or equal to 5.
● Parameters are not modified at either end while the VPN connection is in use.
● Set TCP MAX-MSS to 1300 for the gateway device in the customer data
center.
● The bandwidth of the egress gateway in the customer data center is large
enough for the VPN traffic.
● VPN connection negotiation can be triggered by the two ends and the active
negotiation configuration of the gateway device in the customer data center
has been enabled.
● Run a long ping on the subnets at both ends. The script content is as follows:
#!/bin/sh
# Probe one host every 5 seconds and append a timestamped line to <host>.log.
host=$1
if [ -z "$host" ]; then
    echo "Usage: $(basename "$0") [HOST]"
    exit 1
fi
log_name="$host.log"

while :; do
    # One probe with a 1-second timeout; grep succeeds only if a reply came back.
    result=$(ping -W 1 -c 1 "$host" | grep 'bytes from ')
    if [ $? -gt 0 ]; then
        echo "$(date +'%Y/%m/%d %H:%M:%S') - host $host is down" | tee -a "$log_name"
    else
        echo "$(date +'%Y/%m/%d %H:%M:%S') - host $host is ok -$(echo "$result" | cut -d ':' -f 2)" | tee -a "$log_name"
    fi
    sleep 5 # pause between probes so the script does not flood the tunnel
done
#./ping.sh x.x.x.x >>/dev/null &

NOTE

1. Use the vi editor to copy the preceding script to the ping.sh file.
2. Run the chmod 777 ping.sh command to grant permissions to the file.
3. Run the ping command:
./ping.sh x.x.x.x >>/dev/null &
x.x.x.x indicates the IP address to be pinged.
4. After the ping command is executed, the x.x.x.x.log file is generated. Run the
following command:
tail -f x.x.x.x.log
You can view the long ping result in real time.


7.3 What Is the Impact When the Bandwidth of a VPN Gateway Reaches the Limit?
The bandwidth applies to the outbound direction of a VPC. If the bandwidth limit
is exceeded, the network becomes congested, some subnets cannot be accessed,
or the VPN connection is even interrupted (because the VPN detection packets
cannot be received). In this case, you are advised to increase the VPN gateway
bandwidth.

7.4 Will an IPsec VPN Connect Automatically?

After IPsec VPN is configured on both ends, a connection will not be automatically
established. Data flows between the two ends are required to trigger the
establishment of a tunnel. If no data flow is exchanged between the cloud and the
customer data center, the VPN connection will always be in the down state. The
data flow can be real service access data or ping data between servers.
Tunnel establishment can be triggered in two modes. One is the negotiation
automatically triggered through the gateway devices of the connection and the
other is triggered by the traffic between servers on the cloud and in the local data
center.
HUAWEI CLOUD does not support automatic negotiation triggered by a VPN
gateway on the cloud. It is recommended that you verify that the connection can
be triggered by the data flows exchanged between the two ends when you set up
the connection for the first time. That is, use a server in the customer data center
to ping a server on the cloud to establish a connection, then disconnect the
connection and check that the connection can also be established after using a
server on the cloud to ping a server in the customer data center.

NOTE

The source and destination addresses of the ping packets must be protected by the VPN.
Before the connection is set up, the gateway IP addresses of both ends can be pinged.
However, pinging the gateway IP address does not trigger the setup of the VPN connection.

7.5 Why Can't a Peer ECS Be Pinged Even Though the Status of the VPN Connection Created Between the Two Regions Is Normal?
By default, a security group allows all outbound traffic. To allow inbound traffic,
you need to add inbound rules to the security group of the ECS that needs to
receive ping packets and ensure that the security group allows inbound ICMP
requests.


7.6 Why Can't Subnets Access Each Other When the IDC and the Cloud Are Interconnected and the VPN Connection Is Normal?
If the VPN connection status is normal, the negotiation parameters at both ends
are correct. Check whether the customer gateway has routes that lead to the VPN
gateway egress, and ensure that the security group rules on the cloud allow
mutual access between the subnets.
In addition, NAT must not be performed when the IDC subnet accesses data on
the cloud. Ensure that access between the two gateway IP addresses is not
blocked.

7.7 What Do I Do If a VPN Connection Is Interrupted and a Message Is Displayed Indicating That Data Flows Do Not Match?
This is usually caused by a mismatch between the ACL rules configured on the
gateways of the cloud and the customer data center.
1. Check whether the subnet information of the VPN connection at both ends is
consistent. Ensure that the ACL rules on the cloud and those in the customer
data center do not conflict with each other.
2. The subnet/mask format is recommended for configuring interesting traffic in
the customer data center. Do not use the address object mode, which may
cause incompatibility problems.

7.8 What Do I Do If a VPN Connection Is Interrupted and a Message Is Displayed Indicating That the DPD Times Out?
This happens because the VPN connection has no access data. After the SA
lifecycle ends, the VPN connection will be deleted because no response is received
from the peer end after DPD is sent.
Solution
1. Enable DPD on the gateway device of the customer data center and test
whether data flows at both ends can trigger connection establishment.
2. Deploy the ping shell script on the servers at both ends. You can also
configure data on the gateway of the customer data center to keep the
connection alive, for example, NQA on Huawei devices or IP SLA on Cisco
devices.


7.9 Why Is the Status of a VPN Connection Displayed as Not Connected on the Management Console Even Though the Connection Is Already Available?
The management console displays the latest VPN connection status with a delay.
If service access is normal, the VPN connection has been established.

7.10 Will I Be Notified If a VPN Connection Is Interrupted?
Monitoring the status of VPN connections is supported in regions such as CN
North-Beijing1, CN East-Shanghai2, and CN South-Guangzhou. All regions will
support the monitoring function in the future. After logging in to the
management console, select a region where the monitoring function is supported,
and then, under Management & Deployment, click Cloud Eye to set alarm rules.
After a VPN connection is created, its status is reported to Cloud Eye, but alarm
notifications are not sent to you automatically. You need to set alarm rules on
Cloud Eye to receive notifications.
To open the monitoring page, locate the row that contains the target VPN
connection and choose Operation > View Metric.

Figure 7-1 Viewing metrics about VPN connections

7.11 What Do I Do If VPN Connection Setup Fails?

1. Check the IKE and IPsec policies to see whether the negotiation modes and
encryption algorithms between the local and remote sides of the VPN are the
same.
a. If the IKE policy has been set up during phase one and the IPsec policy
has not been enabled in phase two, the IPsec policies between the local
and remote sides of the VPN may be inconsistent.


b. If a Cisco physical device is used at the customer side, it is recommended
that you use MD5. Then, you need to set Authentication Mode to MD5
in the IPsec policy for the VPN created on the cloud.
2. Check whether the ACL configurations are correct.
If the subnets of your data center are 192.168.3.0/24 and 192.168.4.0/24, and
the VPC subnets are 192.168.1.0/24 and 192.168.2.0/24, configure the ACL
rules for each data center subnet to allow the communication with the VPC
subnets. The following provides an example of ACL configurations:
rule 1 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 2 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 3 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 4 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.2.0 0.0.0.255

3. After the configuration is complete, ping the local and the remote side from
each other to check whether the VPN connection is normal.

7.12 What Should I Do If I Cannot Access the ECSs on the Cloud from My Data Center or LAN Even If the VPN Connection Has Been Set Up?
The security group denies the access from all sources by default. If you want to
access your ECSs, modify the security group configuration and allow the access
from the remote subnets.

7.13 Why Is Not Connected Displayed as the Status for a Successfully Created VPN?
After a VPN is created, its status changes to Normal only after the VMs or
physical servers on the two sides of the VPN communicate with each other.

● IKE v1:
If no traffic goes through the VPN for a period of time, the VPN needs to be
renegotiated. The negotiation time depends on the value of Lifecycle (s) in
the IPsec policy. Generally, the value of Lifecycle (s) is 3600 (1 hour),
meaning that negotiation is initiated in the fifty-fourth minute. If the
negotiation succeeds, the connection remains until the next round of
negotiation. If the negotiation fails, the status is set to Not Connected within
one hour. The connection is restored after the two sides of the VPN
communicate with each other. The disconnection can be avoided by using a
network monitoring tool, such as IP SLA, to generate packets.
● IKE v2: If no traffic goes through the VPN for a period of time, the VPN
remains in the connected state.

7.14 Do HUAWEI CLOUD VPNs Have the DPD Mechanism Enabled?
Yes.


HUAWEI CLOUD VPNs have the DPD mechanism enabled by default to detect the
status of the IKE process in the customer data center.
After three consecutive detection failures, HUAWEI CLOUD considers that the IKE
process of the customer data center is abnormal. In this case, HUAWEI CLOUD
deletes the local tunnel to ensure tunnel synchronization between the two ends.
The DPD protocol does not require that the peer end be configured in the same
way, but it does require that the peer end can respond to DPD probes. To keep the
tunnel status of the two ends consistent and avoid a situation in which one end
has a tunnel and the other does not, it is recommended that you enable the DPD
mechanism on the gateway on your side to detect the IKE process status of the
VPN service on the HUAWEI CLOUD side.

NOTE

After DPD fails, the tunnel will be deleted without affecting service stability.
DPD can detect exceptions of the IKE process on the peer end in time and reset the tunnel
to ensure tunnel synchronization between the two ends. After a tunnel is deleted, if there is
user traffic transmitted over the tunnel, the tunnel can be re-established through
negotiation.


8 EIPs

8.1 Can a VPN Gateway IP Address Be Retained After the VPN Gateway Is Deleted?
After a VPN gateway is deleted, its IP address will not be retained.

After a VPN gateway is deleted on the management console, the resources
associated with the VPN gateway, such as its IP address, will be released.

NOTICE

In the pay-per-use billing mode, deleting the last connection of a VPN gateway
will also delete the gateway. If you want to retain the IP address, do not delete the
last VPN connection.

8.2 Can an EIP Be Used as a VPN Gateway IP Address?

No.

The IP address of a VPN gateway is assigned when the VPN gateway is created
and must be used together with the related configurations. An EIP does not
support VPN interconnection.

8.3 Do I Need to Purchase an EIP for Servers That Communicate with Each Other Through a VPN?
If a server in your data center needs to access an ECS on the cloud through a VPN,
you do not need to purchase an EIP.

If the ECS needs to provide services accessible from the Internet, an EIP is required.


8.4 Why Does an ECS Have EIP Access Information After I Enable a VPN?
This occurs because the ECS has an EIP bound before the VPN is used. That is, you
can access the ECS through the VPN or the EIP.
After the VPN is established, traffic from servers meeting ACL rules can enter the
tunnel to access ECSs.
● If an EIP is bound to an ECS, devices on a non-VPN network can access the
ECS using the EIP.
● If the ECS can be accessed only through a VPN, unbind the EIP from the ECS
after the VPN interconnection is complete. When an ECS needs an EIP bound,
you can use ACL rules to specify the traffic that can access the ECS through
the EIP.
NOTE

Whether you need to retain an EIP depends on your service. If an ECS both obtains
data from the customer data center through a VPN and provides services to
Internet users, its EIP needs to be retained.

8.5 Can the Gateway of a Customer Data Center Have No Fixed Public IP Address?
No.
To connect a customer data center to HUAWEI CLOUD through a VPN, the
customer data center must have a fixed public IP address or a fixed public IP
address after NAT mapping.

NOTE

Common home broadband routers, personal mobile terminals, and VPN services (such as
L2TP) provided by Windows hosts cannot interconnect with HUAWEI CLOUD VPN.


9 Route Configurations

9.1 Where Can I Add a Route to Reach the Remote Subnet on the VPN Console?
When a VPN connection is created, a route is automatically delivered to reach the
remote subnet.

9.2 Do I Need to Add a Route to Reach the Customer Data Center Network for an ECS with Multiple NICs?
● If a primary NIC is used to establish a VPN with the customer network, no
route needs to be added.
● If a non-primary NIC is used to establish a VPN with the customer network,
add a route through the non-primary NIC to reach the gateway of the
customer network.


10 Subnet Setting

10.1 What Is a Remote Gateway and Remote Subnet in a VPN Connection?
When creating a VPN connection, a subnet in HUAWEI CLOUD VPC is the local
subnet and the created VPN gateway is the local gateway. The connected subnet
in the on-premises data center is the remote subnet and the gateway in the on-
premises data center is the remote gateway.

A remote gateway IP address is a public network IP address. A remote subnet is a
subnet of the on-premises data center that needs to connect to a HUAWEI CLOUD
VPC through a VPN.

10.2 Can the Local Subnet Be Within the Remote Subnet of a VPN?
No.

The remote subnet and local subnet cannot overlap.

10.3 What Is the Limitation on the Number of Local and Remote Subnets of a VPN? Why Is an Error Message Displayed When I Update the Local Subnet by Specifying a CIDR Block?
1. The maximum number of local subnets is 5. The maximum number obtained
by multiplying the number of local subnets and that of remote subnets
cannot exceed 225.
2. A VPC delivers VPC subnet routes based on the remote subnets of the VPN
connection, remote subnets of the Direct Connect connection, and subnets of
the VPC peering connection. Each subnet has one subnet route.


3. The number of VPC subnet routes cannot exceed 200. That is, the total
number of remote subnets of the VPN connection, remote subnets of the
Direct Connect connection, subnets of the VPC peering connection, and
custom routes in a VPC cannot exceed 200.

10.4 What Do I Do If an Exception Occurs When I Add a Remote Subnet During VPN Connection Creation?
Check whether this remote subnet has been used as the destination of a VPC
peering, Cloud Connect, or Direct Connect connection route, which causes routing
conflicts. If yes, delete the route and create a new one.

10.5 Can a VPN Gateway IP Address Be Retained After the VPN Gateway Is Deleted?
After a VPN gateway is deleted, its IP address will not be retained.
After a VPN gateway is deleted on the management console, the resources
associated with the VPN gateway, such as its IP address, will be released.

NOTICE

In the pay-per-use billing mode, deleting the last connection of a VPN gateway
will also delete the gateway. If you want to retain the IP address, do not delete the
last VPN connection.


11 VPN Interesting Traffic

11.1 Do I Need to Configure ACL Rules on the HUAWEI CLOUD Management Console After I Configured ACL Rules on the Gateway Device of the On-premises Data Center?
● You need to create ACL rules dedicated for the gateway device of the on-
premises data center and the ACL rules will be referenced by IPsec policies.
● When you configure the VPN on the cloud, the ACL rules will be
automatically generated based on the local and remote subnets entered on
the management console and then delivered to the VPN gateway. The
number of ACL rules is obtained by multiplying the number of local subnets
and that of remote subnets.
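The subnet rules stated in 6.7, 7.11, 10.2, 10.3 and 11.1 (one tunnel and one ACL rule per local/remote subnet pair, no overlap between local and remote subnets, at most 5 local subnets and 225 pairs, and customer-side ACL rules in subnet/wildcard form that mirror the cloud side) as an added Python example for checking a subnet plan before creating the connection. This is not Huawei code: the limit constants, the rule syntax and the 192.168.x.0/24 subnets come from the FAQ text, while the function names and the check logic are assumptions made here.

```python
import ipaddress
from itertools import product

MAX_LOCAL_SUBNETS = 5   # stated in 10.3
MAX_TUNNELS = 225       # local x remote limit stated in 10.3


def parse_subnets(cidrs):
    """Parse CIDR strings strictly: a host bit set inside a CIDR is a configuration error."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def tunnel_count(local_cidrs, remote_cidrs):
    """6.7 and 11.1: one tunnel (and one cloud-side ACL rule) per local/remote pair."""
    return len(local_cidrs) * len(remote_cidrs)


def validate_subnets(local_cidrs, remote_cidrs):
    """Return the list of problems found; an empty list means the plan is acceptable."""
    problems = []
    local = parse_subnets(local_cidrs)
    remote = parse_subnets(remote_cidrs)
    if len(local) > MAX_LOCAL_SUBNETS:
        problems.append(f"{len(local)} local subnets exceeds the limit of {MAX_LOCAL_SUBNETS}")
    tunnels = len(local) * len(remote)
    if tunnels > MAX_TUNNELS:
        problems.append(f"{tunnels} tunnels exceeds the limit of {MAX_TUNNELS}")
    for l, r in product(local, remote):
        if l.overlaps(r):  # 10.2: local and remote subnets must not overlap
            problems.append(f"local {l} overlaps remote {r}")
    return problems


def wildcard(net):
    """Wildcard mask as used in the 7.11 ACL example: the inverse of the netmask (0.0.0.255 for a /24)."""
    return str(net.hostmask)


def customer_acl_rules(dc_cidrs, vpc_cidrs):
    """Generate one 'rule N permit ip source ... destination ...' line per data-center/VPC
    pair, in the order the 7.11 example uses (every VPC subnet for the first DC subnet,
    then the next DC subnet)."""
    rules = []
    for n, (src, dst) in enumerate(product(parse_subnets(dc_cidrs), parse_subnets(vpc_cidrs)), 1):
        rules.append(f"rule {n} permit ip source {src.network_address} {wildcard(src)} "
                     f"destination {dst.network_address} {wildcard(dst)}")
    return rules


def acls_are_mirrored(cloud_local, cloud_remote, dc_local, dc_remote):
    """7.1/7.2 mirror check: the cloud's local subnets must equal the data center's remote
    subnets and vice versa. Order does not matter, but every subnet must appear."""
    return (set(parse_subnets(cloud_local)) == set(parse_subnets(dc_remote))
            and set(parse_subnets(cloud_remote)) == set(parse_subnets(dc_local)))


if __name__ == "__main__":
    dc = ["192.168.3.0/24", "192.168.4.0/24"]   # data-center subnets from the 7.11 example
    vpc = ["192.168.1.0/24", "192.168.2.0/24"]  # VPC subnets from the 7.11 example
    print("\n".join(customer_acl_rules(dc, vpc)))
    print("tunnels:", tunnel_count(vpc, dc), "problems:", validate_subnets(vpc, dc))
    print("mirrored:", acls_are_mirrored(vpc, dc, dc, vpc))
```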

11.2 How Do I Modify the Interesting Traffic of a VPN on the Cloud?
If you modify the local subnet and remote subnet on the management console,
the interesting traffic of the VPN device is automatically updated. That is, the ACL
configuration on the cloud is modified.


12 Keeping VPN Connection Alive

12.1 How Can I Prevent VPN Connection Interruption?

VPN connections may be renegotiated when the IPsec SA lifecycle is about to
expire or the data transferred through the VPN connection exceeds 20 GB. Usually,
renegotiation does not interrupt VPN connections.
Most disconnections are caused by incorrect configurations on both ends of the
VPN connection or renegotiation failures due to Internet exceptions.
The common causes of connection interruptions are as follows:
● ACLs of the devices at the two ends of the tunnel do not match.
● SA lifecycles at the two ends do not match.
● DPD is not configured in the customer data center.
● Configuration is modified when the VPN is used.
● Packets are fragmented because the data size exceeds the MTU.
● Jitter occurs on the carrier's network.
Therefore, ensure that the following configurations are performed to keep the
VPN connection alive:
● The local subnet of one side is the same as the remote subnet of the other
side and the remote subnet of one side is the same as the local subnet of the
other side.
● SA lifecycles at the two ends are consistent.
● DPD is enabled on the gateway device of the customer data center, and the
number of detection times is greater than or equal to 5.
● Parameters are not modified at either end while the VPN connection is in use.
● Set TCP MAX-MSS to 1300 for the gateway device in the customer data
center.
● The bandwidth of the egress gateway in the customer data center is large
enough to be used by VPN.
● VPN connection negotiation can be triggered by the two ends and the active
negotiation configuration of the gateway device in the customer data center
has been enabled.


● Run a long ping on the subnets at both ends. The script content is as follows:
#!/bin/sh
# Probe one host every 5 seconds and append a timestamped line to <host>.log.
host=$1
if [ -z "$host" ]; then
    echo "Usage: $(basename "$0") [HOST]"
    exit 1
fi
log_name="$host.log"

while :; do
    # One probe with a 1-second timeout; grep succeeds only if a reply came back.
    result=$(ping -W 1 -c 1 "$host" | grep 'bytes from ')
    if [ $? -gt 0 ]; then
        echo "$(date +'%Y/%m/%d %H:%M:%S') - host $host is down" | tee -a "$log_name"
    else
        echo "$(date +'%Y/%m/%d %H:%M:%S') - host $host is ok -$(echo "$result" | cut -d ':' -f 2)" | tee -a "$log_name"
    fi
    sleep 5 # pause between probes so the script does not flood the tunnel
done
#./ping.sh x.x.x.x >>/dev/null &

NOTE

1. Use the vi editor to copy the preceding script to the ping.sh file.
2. Run the chmod 777 ping.sh command to grant permissions to the file.
3. Run the ping command:
./ping.sh x.x.x.x >>/dev/null &
x.x.x.x indicates the IP address to be pinged.
4. After the ping command is executed, the x.x.x.x.log file is generated. Run the
following command:
tail -f x.x.x.x.log
You can view the long ping result in real time.
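Reading the x.x.x.x.log file that the long-ping script in 7.2 and 12.1 writes, as an added Python example that is not part of the FAQ: it groups consecutive "is down" lines into outages and reports how long each lasted, which is what you need when correlating interruptions with SA renegotiation or DPD timeouts. The log lines below are constructed for the example, not captured from a real tunnel; the 6-second gaps while down come from ping -W 1 plus sleep 5.

```python
import re
from datetime import datetime

# The script writes "YYYY/MM/DD HH:MM:SS - host X is down" or
# "... is ok - icmp_seq=1 ttl=64 time=1.23 ms" (the ping reply after its first ':').
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) - host (?P<host>\S+) is (?P<state>ok|down)"
    r"(?: -(?P<detail>.*))?$"
)
RTT_RE = re.compile(r"time=([\d.]+) ms")

# Constructed sample log (not real data): two missed probes, then recovery with a high RTT.
SAMPLE_LOG = """\
2020/11/30 10:00:00 - host 10.1.0.5 is ok - icmp_seq=1 ttl=64 time=1.23 ms
2020/11/30 10:00:05 - host 10.1.0.5 is ok - icmp_seq=1 ttl=64 time=1.41 ms
2020/11/30 10:00:10 - host 10.1.0.5 is down
2020/11/30 10:00:16 - host 10.1.0.5 is down
2020/11/30 10:00:22 - host 10.1.0.5 is ok - icmp_seq=1 ttl=64 time=35.80 ms
2020/11/30 10:00:27 - host 10.1.0.5 is ok - icmp_seq=1 ttl=64 time=1.30 ms
"""


def parse_line(line):
    """Return {'ts', 'host', 'up', 'rtt_ms'} for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rtt = None
    if m["state"] == "ok":
        r = RTT_RE.search(m["detail"] or "")
        rtt = float(r.group(1)) if r else None
    return {"ts": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
            "host": m["host"], "up": m["state"] == "ok", "rtt_ms": rtt}


def _close(cur, end):
    return {"start": cur["start"], "end": end, "missed": cur["missed"],
            "seconds": int((end - cur["start"]).total_seconds())}


def outages(text):
    """Group consecutive 'down' lines into outages. 'end' is the first successful
    probe after the outage, or the last 'down' line if the log ends unreachable."""
    result, current = [], None
    for entry in filter(None, map(parse_line, text.splitlines())):
        if not entry["up"]:
            if current is None:
                current = {"start": entry["ts"], "last": entry["ts"], "missed": 0}
            current["last"] = entry["ts"]
            current["missed"] += 1
        elif current is not None:
            result.append(_close(current, entry["ts"]))
            current = None
    if current is not None:
        result.append(_close(current, current["last"]))
    return result


def summary(text):
    """Counts, worst RTT and the outage list for one log file's contents."""
    entries = [e for e in map(parse_line, text.splitlines()) if e]
    rtts = [e["rtt_ms"] for e in entries if e["rtt_ms"] is not None]
    return {"probes": len(entries), "ok": sum(e["up"] for e in entries),
            "down": sum(not e["up"] for e in entries),
            "max_rtt_ms": max(rtts) if rtts else None, "outages": outages(text)}


if __name__ == "__main__":
    for o in outages(SAMPLE_LOG):
        print(f"outage {o['start']} -> {o['end']}: {o['missed']} probes lost, {o['seconds']} s")
    print(summary(SAMPLE_LOG))
```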


13 Monitoring

13.1 Which Resources of a VPN Can Be Monitored?

VPN Gateway
Bandwidth information that can be monitored includes bandwidth usage, inbound
traffic, inbound bandwidth, outbound traffic, outbound bandwidth, and outbound
bandwidth usage. To query the VPN gateway monitoring status, locate the target
VPN gateway and click View Metric in the Operation column.
VPN Connection
The VPN connection status can be monitored. Value 1 indicates that the
connection is normal, and value 0 indicates that the connection is not connected.
To query VPN connection monitoring information, locate the target VPN
connection and click View Metric in the Operation column.

13.2 Will I Be Notified If a VPN Connection Is Interrupted?
Monitoring the status of VPN connections is supported in regions such as CN
North-Beijing1, CN East-Shanghai2, and CN South-Guangzhou. All regions will
support the monitoring function in the future. After logging in to the
management console, select a region where the monitoring function is supported,
and then, under Management & Deployment, click Cloud Eye to set alarm rules.
After a VPN connection is created, its status is reported to Cloud Eye, but alarm
notifications are not sent to you automatically. You need to set alarm rules on
Cloud Eye to receive notifications.
To open the monitoring page, locate the row that contains the target VPN
connection and choose Operation > View Metric.


Figure 13-1 Viewing metrics about VPN connections

13.3 Can I View the Traffic of Each VPN Connection?

No. VPN traffic monitoring is based on the VPN gateway. You can view the
inbound and outbound traffic and bandwidth of the VPN gateway, but cannot
view the traffic usage of a specific VPN connection.

13.4 Will I Be Notified When the VPN Monitoring Result Is Abnormal?
Yes.
You can configure notifications for abnormal VPN monitoring results on the
Simple Message Notification (SMN) and Cloud Eye consoles.

Configuring on the SMN Console

1. Log in to the management console.
Under Application, click Simple Message Notification.


Figure 13-2 SMN

2. Choose Topic Management > Topics and click Create Topic to create a topic,
for example, VPN-huaweicloud.

Figure 13-3 Creating a topic

3. Choose Topic Management > Subscriptions and click Add Subscription.


Select a topic, set Protocol to Email, and enter the email address for receiving
the message in the Endpoint box.

Figure 13-4 Adding a subscription

NOTE

After the subscription is added, the system sends a confirmation email to the
address you entered. Confirm the subscription in that email; until you do, the
endpoint receives no alarm notifications.

Configuring on the Cloud Eye Console


1. Log in to the management console.
Under Management & Deployment, click Cloud Eye.

Figure 13-5 Cloud Eye

2. Create an alarm rule for the bandwidth usage of the VPN gateway.
Enter a name, select Elastic IP and Bandwidth for Resource Type, set
Dimension to Bandwidths, Monitoring Scope to Specific resources and
select the target VPN gateway, set Method to Create manually, and Alarm
Policy to Outbound Bandwidth Usage, 5 consecutive periods, >, and 90. Set
Notification Object to an SMN topic and use the default values for other
parameters.
3. Create a VPN connection status alarm rule.
The creation process is similar to that of bandwidth. Select Virtual Private
Network for Resource Type, set Dimension to VPN connections,
Monitoring Scope to Specific resources and select the target VPN
connection, set Method to Create manually, and Alarm Policy to VPN
Connection Status, <, and 1. Set Notification Object to an SMN topic and
use the default values for other parameters.
4. Create an alarm rule for monitoring IDC links.
Create a website monitoring task, set Type to PING, URL to the gateway IP
address of the customer data center, and retain the default values for other
parameters. Create an alarm rule, select Website Monitoring for Resource
Type, set Monitoring Scope to Specific resources and select the target
website monitoring task, set Method to Create manually, and Alarm Policy
to Available Monitoring Location Count, and configure other parameters as
required. Set Notification Object to an SMN topic and use the default values
for other parameters.

Figure 13-6 Creating an alarm rule
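The three alarm policies configured in steps 2 to 4, re-implemented locally as an added example (not Huawei's code and not the Cloud Eye or SMN API) over constructed metric samples, so the "5 consecutive periods" condition and the status threshold can be sanity-checked before relying on them. The FAQ leaves the Available Monitoring Location Count threshold to the operator; "< 1" is this example's assumption.

```python
# Added example, not Huawei's code: a local re-implementation of the three alarm
# policies above, run over constructed samples. No Cloud Eye or SMN API is called.
from dataclasses import dataclass

@dataclass(frozen=True)
class AlarmRule:
    metric: str      # metric name as shown in the Alarm Policy field
    op: str          # comparison operator, ">" or "<"
    threshold: float
    periods: int     # consecutive monitoring periods that must breach

def _breaches(op, value, threshold):
    if op == ">":
        return value > threshold
    if op == "<":
        return value < threshold
    raise ValueError(f"unsupported operator {op!r}")

def evaluate(rule, samples):
    """True when the newest `rule.periods` samples all breach the threshold.
    Fewer samples than periods is insufficient data: no alarm, so a freshly
    created connection does not fire before it has reported."""
    if len(samples) < rule.periods:
        return False
    return all(_breaches(rule.op, v, rule.threshold) for v in samples[-rule.periods:])

# Rules as configured in steps 2 to 4. Step 4 gives no count for Available
# Monitoring Location Count; "< 1" is this example's assumption.
RULES = [
    AlarmRule("Outbound Bandwidth Usage", ">", 90, 5),  # percent of gateway bandwidth
    AlarmRule("VPN Connection Status", "<", 1, 1),      # 1 = up, 0 = down
    AlarmRule("Available Monitoring Location Count", "<", 1, 1),
]

def fired_alarms(samples_by_metric):
    """Metric names whose rule is breached; these are what SMN would deliver."""
    return [r.metric for r in RULES
            if evaluate(r, samples_by_metric.get(r.metric, []))]

# Constructed samples, oldest first, one value per monitoring period.
SAMPLES = {
    "Outbound Bandwidth Usage": [40, 95, 96, 91, 93, 99],  # newest 5 all > 90
    "VPN Connection Status": [1, 1, 1, 1, 1, 0],           # tunnel just went down
    "Available Monitoring Location Count": [3, 3, 2],      # PING still answered
}

if __name__ == "__main__":
    print(fired_alarms(SAMPLES))
```

Note that a single period at 89% inside the window resets the bandwidth rule, which is why a sustained saturation (step 2) and a one-period status drop (step 3) are configured differently.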


14 Bandwidth and Network Speed

14.1 What Is the Actual VPN Connection Network Speed?
Assume that a VPN connection has been created, that two ECSs have been
created, one on the local side and the other on the remote side, and that the two
ECSs can ping each other.
Perform the following steps to test the VPN connection network speed if the
bandwidth of your VPN gateway is 200 Mbit/s:
1. If the ECSs at the two sides of the VPN run Windows, use iPerf3 and
FileZilla (a free FTP application for file uploading and downloading) to test
the network speed.
NOTE

The test shows that the average VPN network speed is 180 Mbit/s, that is, a
deviation of about 10% from the purchased bandwidth. TCP (and FTP, which runs
over it) has a congestion control mechanism, and IPsec adds a new IP header to
each packet. Therefore, a deviation of about 10% is normal for a VPN network.
Figure 14-1 shows the displayed result for the test performed using the iPerf3
client.

Figure 14-1 Test result for 200 Mbit/s bandwidth (iPerf3 client)

Figure 14-2 shows the displayed result for the test performed using the iPerf3
server.

Figure 14-2 Test result for 200 Mbit/s bandwidth (iPerf3 server)

2. If the ECSs at the two sides of the VPN run CentOS 7, use iPerf3 to
test the network speed. The network speed can reach 180 Mbit/s.
3. If the ECS functioning as the server runs CentOS 7, and the ECS
functioning as the client runs Windows, use iPerf3 and FileZilla to test
the network speed.
The network speed is only about 20 Mbit/s. The reason is that the TCP
implementations on Windows and Linux differ, which slows the transfer.
Therefore, if the ECSs at the two sides of the VPN run different OSs, the VPN
network speed does not reach the purchased bandwidth.
Figure 14-3 shows the displayed result of the test performed using iPerf3.

Figure 14-3 Test result when ECSs at the two sides run different OSs (iPerf3)

Perform the following steps to test the VPN gateway network speed if the
bandwidth of your VPN gateway is 1,000 Mbit/s:

The VPN gateway is shared by all VPN connections created on it, and the VPN
gateway bandwidth is the sum of the bandwidth of all its VPN connections. When
the bandwidth is large, multiple ECSs are required to test the VPN gateway
bandwidth because the forwarding performance of each ECS is limited. In addition,
this scenario has high requirements on ECS specifications: the ECSs used for
testing must have NICs that support 2 Gbit/s or higher bandwidth.

The tests show that the actual VPN connection network speed on HUAWEI
CLOUD is within the normal range. However, the servers at both sides of
the VPN connection must run the same type of OS, and the server NICs
must meet the configuration requirements.

14.2 Which Is the Direction of the Bandwidth to Be Limited and What Is the Unit of the Bandwidth?
Your purchased VPN gateway bandwidth is in the outbound direction. To balance
the traffic in the inbound and outbound directions, the bandwidth in the inbound
direction is limited.

● If the purchased bandwidth is less than or equal to 10 Mbit/s, the bandwidth
in the inbound direction is limited to 10 Mbit/s.
● If the purchased bandwidth is more than 10 Mbit/s, the bandwidth in the
inbound direction is the same as the purchased bandwidth.

The unit of bandwidth is Mbit/s and that of traffic is GB.

14.3 How Do I Change the VPN Bandwidth Size?


1. On the VPN Gateways page, locate the row that contains the target VPN
gateway and click Modify Bandwidth in the Operation column.
2. On the Modify Bandwidth page, select your required bandwidth size.
3. Click Submit.


14.4 What Is the Impact When the Bandwidth of a VPN Gateway Reaches the Limit?
The bandwidth limit applies to the outbound direction of a VPC. If the traffic
exceeds the limit, the network becomes congested, some subnets may become
unreachable, and the VPN connection may even be interrupted because the VPN
detection packets cannot be received.
In this case, you are advised to increase the VPN gateway bandwidth.

14.5 Why Does the VPN Bandwidth Change Not Take Effect?
There is a latency for the VPN bandwidth change to take effect.
Test the bandwidth 5 minutes after the bandwidth is changed.

14.6 Can a VPN Share Bandwidth with an EIP?


No.
Currently, a public IP address is automatically generated and its bandwidth is set
when you create a VPN gateway. The VPN cannot share bandwidth with an EIP.

14.7 What Are the Differences Between the Bandwidth of a VPN Connection and That of a Direct Connect Connection?
1. Concepts
– The bandwidth of a Direct Connect connection is the bandwidth of the
physical connection created by a user.
– The VPN connection bandwidth refers to the bandwidth in the outbound
direction.
2. Bandwidth
– The default maximum bandwidth of a Direct Connect connection is 1000
Mbit/s. When you create a connection on the management console and
set Port Type to 10GE single-mode optical port, the maximum
bandwidth is 10 Gbit/s.
– The maximum bandwidth of a VPN connection is 300 Mbit/s.
3. Network Quality
– A Direct Connect user has a dedicated connection with high network
quality.
– VPN connections share the bandwidth of their VPN gateway. The total
bandwidth of the VPN connections cannot exceed the bandwidth of their
gateway, and the network quality depends on the quality of the Internet path.


14.8 How Do I Determine My VPN Bandwidth Size?


Consider the following when you determine the bandwidth:
● Amount of data transmitted over a VPN tunnel in a period of time (Reserve
enough bandwidth to prevent link congestion.)
● The egress bandwidth at the end of the VPN connection on the cloud must be
less than that at the end of the VPN connection off the cloud.


15 Quotas

15.1 What Is the VPN Quota?


What Is a Quota?
Quotas are enforced for service resources on the platform to prevent unforeseen
spikes in resource usage. Quotas can limit the number or amount of resources
available to users. You can also request more quota as required.
This section describes how to view the VPN resource usage and the total quotas in
a specified region.

How Do I View My Quota?


1. Log in to the management console.

2. Click in the upper left corner and select the desired region and project.
3. In the upper right corner of the page, choose Resources > My Quotas.
The Service Quota page is displayed.

Figure 15-1 My Quotas


4. View the used and total quota of each type of resources on the displayed
page.
If a quota cannot meet your service requirements, click Increase Quota to
adjust it.

How Do I Apply for a Higher Quota?


1. Log in to the management console.
2. In the upper right corner of the page, choose Resources > My Quotas.
The Service Quota page is displayed.

Figure 15-2 My Quotas

3. Click Increase Quota.
4. On the Create Service Ticket page, configure parameters as needed.
In the Problem Description area, enter the required quota and reason for the
adjustment.
5. Select the agreement and click Submit.

15.2 How Many VPN Gateways and VPN Connections Can I Create By Default?
By default, each user can create two VPN gateways and 12 VPN connections.
Before purchasing VPN gateways, check your remaining quota. If the quota has
been reached, submit a service ticket to request a quota increase.

15.3 How Do I Change My VPN Gateway and Connection Quotas?
1. Log in to the management console. In the upper right corner of the page,
choose Service Tickets > Create Service Ticket.
2. On the Create Service Ticket page, click Quotas in the Services area.

3. Choose Quota Application under Select Subtype.


4. Click Create Service Ticket.
Enter required information and click Submit.

15.4 How Many IPsec VPNs Can I Have?


By default, a user can have a maximum of five IPsec VPNs. If the quota cannot
fulfill your service requirements, request a quota increase.


16 Account Permissions

16.1 Are a Username and Password Required for Creating an IPsec VPN Connection?
HUAWEI CLOUD IPsec VPN uses a pre-shared key (PSK) for authentication. The
key is configured on a VPN gateway. A tunnel will be established after VPN
negotiation is complete. Therefore, usernames and passwords are not required.
Generally, SSL, PPTP, and L2TP VPNs use usernames and passwords for
authentication.

NOTE

IPsec XAUTH is an extended technology of IPsec VPN. It prompts users to enter their
usernames and passwords during VPN negotiation.
Currently, HUAWEI CLOUD VPN does not support IPsec XAUTH.

16.2 What Should I Do If the System Displays a Message Indicating That I Do Not Have the Permissions to Create a VPN?
Check whether your account is an IAM user account. If yes, ask the HUAWEI
CLOUD account user to grant you the VPC operation permissions on the IAM
console. Ensure that your account has the VPC Administrator, Tenant Guest,
and VPN Administrator permissions.

16.3 How Do I Determine That My Account Cannot Create a VPN Due to Insufficient Permissions?
● The VPN gateways and connections created by the HUAWEI CLOUD account
are invisible to the IAM user accounts.
● A message will be displayed indicating that the system is busy if you create a
VPN gateway or connection using an IAM user account.


For details about the permissions required for creating a VPN connection, see
What Should I Do If the System Displays a Message Indicating That I Do Not
Have the Permissions to Create a VPN?
