Last updated: 2021-10-11 17:58:53
VPN Connections is a service to connect your on-premises data center to a VPC through an encrypted tunnel built over the Internet.
VPN Connections consists of three components: VPN gateway, customer gateway, and VPN tunnel.
A VPN gateway is an egress gateway for a VPC to establish a VPN connection. A VPN gateway is used together with a customer gateway (IPsec VPN gateway in a customer data center). A VPN gateway is used to establish secure and reliable encrypted network tunnels between a Kingsoft Cloud VPC and a data center outside Kingsoft Cloud. Kingsoft Cloud VPN gateways adopt the dual-node hot standby policy. If a single node fails, traffic is automatically switched without interrupting services.
The maximum bandwidth of a VPN gateway can be set to 5 Mbit/s, 10 Mbit/s, 20 Mbit/s, 50 Mbit/s, 100 Mbit/s, or 200 Mbit/s. You can adjust the bandwidth of a VPN gateway at any time, and the adjustment takes effect immediately.
A customer gateway refers to an IPsec VPN gateway in a customer's data center. A customer gateway is used together with a Kingsoft Cloud VPN gateway. A VPN gateway can establish encrypted VPN tunnels with multiple customer gateways.
After a VPN gateway and a customer gateway are deployed, a VPN tunnel can be established for encrypted communication between a VPC and an on-premises data center outside Kingsoft Cloud. VPN tunnels support IPsec and GRE over IPsec encryption protocols, which can meet most VPN connection requirements.
VPN tunnels run on carrier networks. Because congestion and jitter on carrier networks affect the quality of the VPN connection, an SLA cannot be provided. If your service is sensitive to latency and jitter, it is recommended that you use Direct Connect to connect the service to a private network through a leased line. For more information, see the Direct Connect documentation.
In a VPN tunnel, the Internet Key Exchange (IKE) protocol is used to establish IPsec sessions. IKE has a self-protection mechanism that can securely authenticate identities, distribute keys, and establish IPsec sessions on insecure networks.
The establishment of a VPN tunnel includes the following configuration information:
The following content details this configuration information.
Protocol type: IPsec or GRE over IPsec
Pre-shared key (PSK): A PSK is a Unicode string used to verify an IPsec connection. The Kingsoft Cloud side and the customer side must use the same PSK.
Supported identity encryption algorithms: AES, 3DES, and DES.
Supported identity authentication algorithms: MD5 and SHA.
Supported DH groups in IKE: DHGroup1, DHGroup2, and DHGroup5. The security of the key exchange increases with the size of the DH group, but the exchange time also increases.
Supported identity encryption algorithms: ESP-3DES, ESP-AES, ESP-DES, ESP-NULL, and ESP-SEAL.
Supported identity authentication algorithms: ESP-SHA-HMAC and ESP-MD5-HMAC.
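The parameters above can be checked on both ends of a tunnel before it is brought up. The following is an added example, not Kingsoft Cloud code: it validates each side against the supported values listed on this page, reports values that differ between the two sides, and flags legacy choices. The field names, the WEAK classification, the sample configurations, and the assumption that each side offers exactly one value per parameter are this example's own.

```python
# Added example: audit one VPN tunnel's negotiation parameters on both sides.
# Supported values are the lists from this page; field names, the WEAK
# classification and the sample configs are assumptions of this example.
SUPPORTED = {
    "ike_encryption": {"AES", "3DES", "DES"},
    "ike_authentication": {"MD5", "SHA"},
    "ike_dh_group": {"DHGroup1", "DHGroup2", "DHGroup5"},
    "ipsec_encryption": {"ESP-3DES", "ESP-AES", "ESP-DES", "ESP-NULL", "ESP-SEAL"},
    "ipsec_authentication": {"ESP-SHA-HMAC", "ESP-MD5-HMAC"},
}
# Reviewer's classification (not from the page): values to avoid and why.
WEAK = {
    "DES": "56-bit key", "ESP-DES": "56-bit key",
    "MD5": "deprecated hash", "ESP-MD5-HMAC": "deprecated hash",
    "DHGroup1": "768-bit modulus",
    "ESP-NULL": "payload is not encrypted",
}

def audit_tunnel(cloud, customer):
    """Return a sorted list of findings for one tunnel's two endpoints."""
    findings = []
    for field, allowed in SUPPORTED.items():
        ours, theirs = cloud.get(field), customer.get(field)
        for side, value in (("cloud", ours), ("customer", theirs)):
            if value not in allowed:
                findings.append(f"unsupported:{side}:{field}={value}")
            elif value in WEAK:
                findings.append(f"weak:{side}:{field}={value} ({WEAK[value]})")
        if ours != theirs:
            findings.append(f"mismatch:{field}")
    # The page requires the same PSK on both sides; never echo the key itself.
    if not cloud.get("psk") or cloud.get("psk") != customer.get("psk"):
        findings.append("mismatch:psk")
    return sorted(findings)

# Constructed sample configs (not real deployments).
CLOUD = {"psk": "example-psk", "ike_encryption": "AES", "ike_authentication": "SHA",
         "ike_dh_group": "DHGroup5", "ipsec_encryption": "ESP-AES",
         "ipsec_authentication": "ESP-SHA-HMAC"}
LEGACY_PEER = dict(CLOUD, ike_encryption="DES", ike_dh_group="DHGroup1",
                   ipsec_authentication="ESP-MD5-HMAC", psk="other-psk")

if __name__ == "__main__":
    for line in audit_tunnel(CLOUD, LEGACY_PEER):
        print(line)
```

An empty result means both sides use supported, matching values with none of the flagged legacy choices.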