Product Introduction

Last updated:2020-06-05 19:26:27

VPN Connections is a service to connect your on-premises data center to a VPC through an encrypted tunnel built over the Internet.

Components

VPN Connections consists of three components: VPN gateway, customer gateway, and VPN tunnel.

VPN gateway

A VPN gateway is an egress gateway for a VPC to establish a VPN connection. A VPN gateway is used together with a customer gateway (IPsec VPN gateway in a customer data center). A VPN gateway is used to establish secure and reliable encrypted network tunnels between a Kingsoft Cloud VPC and a data center outside Kingsoft Cloud. Kingsoft Cloud VPN gateways adopt the dual-node hot standby policy. If a single node fails, traffic is automatically switched without interrupting services.

The maximum bandwidth of a VPN gateway can be set to 5 Mbit/s, 10 Mbit/s, 20 Mbit/s, 50 Mbit/s, and 100 Mbit/s. You can adjust the bandwidth of a VPN gateway at any time and the adjustment takes effect immediately.

Customer gateway

A customer gateway refers to an IPsec VPN gateway in a customer’s data center. A customer gateway is used together with a Kingsoft Cloud VPN gateway. A VPN gateway can establish encrypted VPN tunnels with multiple customer gateways.

VPN tunnel

After a VPN gateway and a customer gateway are deployed, a VPN tunnel can be established for encrypted communication between a VPC and an on-premises data center outside Kingsoft Cloud. VPN tunnels support IPsec and GRE over IPsec encryption protocols, which can meet most VPN connection requirements.

VPN tunnels run on carrier networks. Because congestion and jitter on the carrier networks will affect the quality of the VPN network, SLA cannot be provided. If your service is sensitive to latency and jitter, it is recommended that you use Direct Connect to connect the service to a private network through a leased line. For more information, see Direct Connect documentation.

In a VPN tunnel, the Internet Key Exchange (IKE) protocol is used to establish IPsec sessions. IKE has a self-protection mechanism that can securely authenticate identities, distribute keys, and establish IPsec sessions on insecure networks.

The establishment of a VPN tunnel includes the following configuration information:

  • Basic Information
  • IKE configuration (optional)
  • IPsec configuration (optional)

The following content details these configuration information.

Basic Information

Protocol type: Ipsec or GRE over IPsec

Pre-shared key (PSK): A PSK is a Unicode string used to verify an IPsec connection. The Kingsoft Cloud side and the customer side must use the same PSK.

IKE configuration

Configuration item Description
Version IKEv1.
Encryption algorithm Supported identity encryption algorithms: AES, 3DES, and DES.
Authentication algorithm Supported identity authentication algorithms: MD5 and SHA.
DH group Supported DH groups in IKE: DHGroup1, DHGroup2, and DHGroup5. The security of key exchange increases with the expansion of a DH group, but the exchange time also increases.

IPsec configuration

Configuration item Description
Encryption algorithm Supported identity encryption algorithms: ESP-3DES, ESP-AES, ESP-DES, ESP-NULL, and ESP-SEAL.
Authentication algorithm Supported identity authentication algorithms: ESP-SHA-HMAC and ESP-SHA-HMAC.
Lifecycle(s) Unit: second.
Lifecycle(KB) Unit: KB.

Did you find the above information helpful?

Unhelpful
Mostly Unhelpful
A little helpful
Helpful
Very helpful

What might be the problems?

Insufficient
Outdated
Unclear or awkward
Redundant or clumsy
Lack of context for the complex system or functionality

More suggestions

0/200

Please give us your feedback.

Submitted

Thank you for your feedback.

问题反馈