Connect a Tenant's VPC and its Local Data Center

<p><strong><span style="font-size:18px">Prerequisites</span></strong></p> <p>&bull;&nbsp;Make sure you have created the VPC, and the DMZ network domain and subnet in the VPC. For more information about the VPC, network domain, and subnet, see the <a href="https://yun.pingan.com/ssr/help/network/vpc/og.vpc.createvpc" target="_blank">Operation Guide</a> of VPC.</p> <p>&bull;&nbsp;The tenant's local data center has equipment that supports the VPN function.</p> <p><strong><span style="font-size:18px">Step 1: Create a VPN Gateway</span></strong></p> <p>1.&nbsp;Log in to the <a href="https://yun.pingan.com/console/vpn/gateway/list" target="_blank">VPN Gateway Console</a>.</p> <p>2.&nbsp;Click <strong>Create</strong> in the upper-right corner to enter the <strong>Create VPN Gateway</strong> page.</p> <p>3. Create a VPN gateway as described in the following table:</p> <p><img src="https://obs-cn-shanghai.yun.pingan.com/pcp-portal/20210206114949-17612c52999b.png" style="height:653px; width:640px" /></p> <table border="1" cellpadding="0" cellspacing="0" style="width:0px"> <tbody> <tr> <td style="background-color:#ededed; width:243px"> <p><strong>Configuration item</strong></p> </td> <td style="background-color:#ededed; vertical-align:top; width:540px"> <p><strong>Description</strong></p> </td> </tr> <tr> <td style="width:196px"> <p>Charge Mode</p> </td> <td style="vertical-align:top; width:587px"> <p>Currently, only the prepayment mode is supported.</p> </td> </tr> <tr> <td style="width:196px"> <p>Region</p> </td> <td style="vertical-align:top; width:587px"> <p>Select the region for the VPN gateway.</p> </td> </tr> <tr> <td style="width:196px"> <p>VPC</p> </td> <td style="vertical-align:top; width:587px"> <p>Select the VPC for the VPN gateway.</p> </td> </tr> <tr> <td style="width:196px"> <p>ISP</p> </td> <td style="vertical-align:top; width:587px"> <p>Currently only <strong>BGP&nbsp;</strong>can be selected.</p> </td> </tr> <tr> <td style="width:196px"> <p>Bandwidth</p> </td> <td 
style="vertical-align:top; width:587px"> <p>Select a bandwidth. Options are 5 Mbps, 10 Mbps, 20 Mbps, 50 Mbps, and 100 Mbps. The price of the VPN gateway varies by bandwidth.</p> </td> </tr> <tr> <td style="width:196px"> <p>Description</p> </td> <td style="vertical-align:top; width:587px"> <p>Customize description of the VPN gateway.</p> </td> </tr> <tr> <td style="width:196px">Purchase Duration</td> <td style="vertical-align:top; width:587px"> <p>Select the purchase duration.</p> </td> </tr> <tr> <td style="width:196px">Auto Renewal</td> <td style="vertical-align:top; width:587px"> <p>Select whether to enable automatic renewal.</p> </td> </tr> </tbody> </table> <p>5.&nbsp;Click <strong>Purchase</strong> to enter the <strong>Order Confirmation</strong> page.</p> <p>6.&nbsp;Click <strong>CONFIRM OPEN</strong> to complete the payment.</p> <p><strong><span style="font-size:18px">Step 2: Create a VPN Connection</span></strong></p> <p>1.&nbsp;Log in to the <a href="https://yun.pingan.com/console/vpn/gateway/list" target="_blank">VPN Gateway Console</a>.</p> <p>2.&nbsp;Select the target region to view the existing VPN gateways of that region.</p> <p>3.&nbsp;Click <strong>Name</strong> of the VPN gateway created in Step 1 to enter the <strong>VPN Gateway Information</strong> page.</p> <p>4.&nbsp;Click <strong>Create</strong> in the upper-right corner of the <strong>VPN Connect</strong> area to enter the <strong>VPN Connect Create</strong> page.</p> <p>5.&nbsp;Create a VPN connection based on the following information.</p> <p><img src="https://obs-cn-shanghai.yun.pingan.com/pcp-portal/20201707170232-1cbfb77c9064.png" style="height:523px; width:831px" /></p> <table border="1" cellpadding="0" cellspacing="0" style="width:0px"> <tbody> <tr> <td colspan="2" style="background-color:#ededed; vertical-align:top; width:292px"> <p><strong>Configuration item</strong></p> </td> <td style="background-color:#ededed; vertical-align:top; width:490px"> <p><strong>Description</strong></p> 
</td> </tr> <tr> <td rowspan="4" style="vertical-align:top; width:137px"> <p><strong>Basic Information</strong></p> </td> <td style="width:154px"> <p><strong>Display Name</strong></p> </td> <td style="vertical-align:top; width:490px"> <p>Customize name of the VPN connection.</p> </td> </tr> <tr> <td style="width:154px"> <p><strong>Protocol Type</strong></p> </td> <td style="vertical-align:top; width:490px"> <p>Currently, only the IPsec VPN option is supported, which is selected by default.</p> </td> </tr> <tr> <td style="width:154px"> <p><strong>Remote Gateway</strong></p> </td> <td style="vertical-align:top; width:490px"> <p>Enter the IP address of the VPN gateway in the local data center that needs to communicate with the VPC.</p> </td> </tr> <tr> <td style="width:154px"> <p><strong>Link Monitoring</strong></p> </td> <td style="vertical-align:top; width:490px"> <p>Start link monitoring by default.</p> </td> </tr> <tr> <td rowspan="4" style="vertical-align:top; width:137px"> <p><strong>Subnet Configuration</strong></p> </td> <td style="width:154px"> <p><strong>Local Subnet Group</strong></p> </td> <td style="vertical-align:top; width:490px"> <p>Select the IP address of the subnet in the DMZ network domain under the VPC where the VPN gateway of Ping An Cloud is located. 
The selected subnet can communicate with the tenant local data center.</p> <p><img src="https://obs-cn-shanghai.yun.pingan.com/pcp-portal/20201707170251-19e77e009c8d.png" style="height:22px; margin:1px; width:50px" /><strong>:</strong> Select at least one and at most five subnet IP addresses.</p> </td> </tr> <tr> <td style="width:154px"> <p><strong>Selected Local Subnet Group</strong></p> </td> <td style="vertical-align:top; width:490px"> <p>Displays one or more selected local subnets.</p> </td> </tr> <tr> <td style="width:154px"> <p><strong>Remote Subnet Group</strong></p> </td> <td style="vertical-align:top; width:490px"> <p>Enter the IP address of the subnet in the tenant local data center that needs to communicate with the VPC, and click <strong>Add</strong>.</p> <p><img src="https://obs-cn-shanghai.yun.pingan.com/pcp-portal/20201707170251-19e77e009c8d.png" style="height:22px; margin:1px; width:50px" /><strong>:</strong> Add at least one and at most five IP addresses.</p> </td> </tr> <tr> <td style="width:154px"> <p><strong>Filled Remote Subnet Group</strong></p> </td> <td style="vertical-align:top; width:490px"> <p>Displays one or more added remote subnets.</p> </td> </tr> <tr> <td rowspan="9" style="vertical-align:top; width:137px"> <p><strong>IKE Configuration</strong></p> </td> <td style="width:154px"> <p><strong>Version</strong></p> </td> <td style="vertical-align:top; width:490px"> <p>Select the IKE (Internet Key Exchange Protocol) version. Two versions are supported: IKEV1 and IKEV2.</p> <p>The default value is: IKEV2.</p> </td> </tr> <tr> <td style="width:154px"> <p><strong>Negotiation Mode</strong></p> </td> <td style="vertical-align:top; width:490px"> <p>If the IKE policy version is IKEV1, the negotiation mode can be configured.
Main and AGGR are supported.</p> <p>The default value is: Main.</p> </td> </tr> <tr> <td style="width:154px"> <p><strong>Encryption Algorithm</strong></p> </td> <td style="vertical-align:top; width:490px"> <p>The 3DES, AES128, and AES256 encryption algorithms are supported.</p> <p>The default value is: AES128.</p> </td> </tr> <tr> <td style="width:154px"> <p><strong>Authentication Algorithm</strong></p> </td> <td style="vertical-align:top; width:490px"> <p>Specify the authentication hash algorithm. The SHA1 and MD5 authentication algorithms are supported.</p> <p>The default value is: SHA1.</p> </td> </tr> <tr> <td style="width:154px"> <p><strong>DH Group</strong></p> </td> <td style="vertical-align:top; width:490px"> <p>DH2, DH5, and DH14 are supported.</p> <p>The default value is: DH14.</p> </td> </tr> <tr> <td style="width:154px"> <p><strong>Local ID</strong></p> </td> <td style="vertical-align:top; width:490px"> <p>Customize the ID of the VPC.</p> <p><img src="https://obs-cn-shanghai.yun.pingan.com/pcp-portal/20201707170251-19e77e009c8d.png" style="height:22px; margin:1px; width:50px" /><strong>:</strong> IP or email format is recommended.</p> </td> </tr> <tr> <td style="width:154px"> <p><strong>Remote ID</strong></p> </td> <td style="vertical-align:top; width:490px"> <p>Customize the ID of the local data center.</p> <p><img src="https://obs-cn-shanghai.yun.pingan.com/pcp-portal/20201707170251-19e77e009c8d.png" style="height:22px; margin:1px; width:50px" /><strong>:</strong> IP or email format is recommended.</p> </td> </tr> <tr> <td style="width:154px"> <p><strong>Life Time</strong></p> </td> <td style="vertical-align:top; width:490px"> <p>Lifetime of the Security Association (SA). The SA is renegotiated when its lifetime expires.</p> <p>The default value is: 86400 seconds.</p> </td> </tr> <tr> <td style="width:154px"> <p><strong>Pre-shared Key</strong></p> </td> <td style="vertical-align:top; width:490px"> <p>A pre-shared key will be automatically generated when you create a VPN connection. 
You can click the <img src="https://obs-cn-shanghai.yun.pingan.com/pcp-portal/20201707170412-1dadaeb89fc1.png" style="height:21px; width:23px" />&nbsp;icon to view the pre-shared key or set a new one.</p> <p><img src="https://obs-cn-shanghai.yun.pingan.com/pcp-portal/20201707170251-19e77e009c8d.png" style="height:22px; margin:1px; width:50px" /><strong>:</strong> The pre-shared key of the VPN deployed on the cloud should be consistent with that of the data center.</p> </td> </tr> <tr> <td rowspan="8" style="vertical-align:top; width:137px"> <p><strong>IPSec Configuration</strong></p> </td> <td style="width:154px"> <p><strong>Encryption Algorithm</strong></p> </td> <td style="vertical-align:top; width:490px"> <p>The 3DES, AES128, and AES256 encryption algorithms are supported.</p> <p>The default value is: AES128.</p> </td> </tr> <tr> <td style="width:154px"> <p><strong>Authentication Algorithm</strong></p> </td> <td style="vertical-align:top; width:490px"> <p>Specify the authentication hash algorithm. The SHA1 and MD5 authentication algorithms are supported.</p> <p>The default value is: SHA1.</p> </td> </tr> <tr> <td style="width:154px"> <p><strong>PFS</strong></p> </td> <td style="vertical-align:top; width:490px"> <p>Perfect Forward Secrecy. NONE, DH2, DH5, and DH14 are supported.</p> <p>The default value is: DH14.</p> </td> </tr> <tr> <td style="width:154px"> <p><strong>Life Time</strong></p> </td> <td style="vertical-align:top; width:490px"> <p>Lifetime of the Security Association (SA).
The SA is renegotiated when its lifetime expires.</p> <p>The default value is: 3600 seconds.</p> </td> </tr> <tr> <td style="width:154px"> <p><strong>NAT KA Time</strong></p> </td> <td style="vertical-align:top; width:490px"> <p>The default setting is 20 seconds.</p> </td> </tr> <tr> <td style="width:154px"> <p><strong>DPD</strong></p> </td> <td style="vertical-align:top; width:490px"> <p>Started by default.</p> </td> </tr> <tr> <td style="width:154px"> <p><strong>Detection Period</strong></p> </td> <td style="vertical-align:top; width:490px"> <p>The default setting is 10 seconds.</p> </td> </tr> <tr> <td style="width:154px"> <p><strong>Timeout</strong></p> </td> <td style="vertical-align:top; width:490px"> <p>The default setting is 120 seconds.</p> </td> </tr> </tbody> </table> <p>6.&nbsp;Check the configuration list, and click <strong>Confirm</strong> in the lower-right corner to create the VPN connection on Ping An Cloud.</p> <p><img src="https://obs-cn-shanghai.yun.pingan.com/pcp-portal/20201707170251-19e77e009c8d.png" style="height:22px; margin:1px; width:50px" /><strong>:</strong> The created VPN connection is in <strong>Stopped</strong> status.</p> <p><strong><span style="font-size:18px">Step 3: Configure Remote Gateway</span></strong></p> <p>After you have configured the VPN gateway on Ping An Cloud, configure the parameters of the VPN gateway in the local data center.</p> <p><img src="https://obs-cn-shanghai.yun.pingan.com/pcp-portal/20201707170251-19e77e009c8d.png" style="height:22px; margin:1px; width:50px" /><strong>:</strong> Make sure the connection configuration of the VPN gateway of the tenant local data center (IKE parameters and IPsec parameters) is the same as that of the VPN gateway on Ping An Cloud. Otherwise, the VPN communication channel will fail. 
For more information about the configuration of the VPN gateway on Ping An Cloud, see <a href="https://yun.pingan.com/ssr/help/network/vpn/quick_start.5db64eb93e4c891dfb33f499.5db64fbee0f5fd1e11593caf" target="_blank">View VPN Connection Details</a>, or <a href="https://yun.pingan.com/ssr/help/network/vpn/quick_start.5db64eb93e4c891dfb33f499.5db650f2df22c932c52779fb" target="_blank">Download VPN Connection Parameter List</a>.</p> <p><strong><span style="font-size:18px">Step 4: Start VPN Connection</span></strong></p> <p>1.&nbsp;Log in to the <a href="https://yun.pingan.com/console/vpn/gateway/list" target="_blank">VPN Gateway Console</a>.</p> <p>2.&nbsp;Select the target region to view the existing VPN gateways of that region.</p> <p>3.&nbsp;Click <strong>Name</strong> of the target VPN gateway to enter the <strong>VPN Gateway Information</strong> page.</p> <p>4.&nbsp;In the <strong>VPN Connect</strong> area, click ︙ in the <strong>Operations</strong> column of the target VPN connection, and click <strong>Start</strong>. &quot;<strong>Operation succeeded</strong>&quot; will appear at the bottom of the page.</p> <p><img src="https://obs-cn-shanghai.yun.pingan.com/pcp-portal/20201707170424-1d2641519a1d.png" style="height:446px; width:830px" /></p> <p>5.&nbsp;Wait a moment. Click <strong>Refresh</strong> in the upper-right corner of the <strong>VPN Connect</strong> area and the status of the VPN connection changes into <strong>Running</strong>. It indicates that a connection is created between the VPN gateway on Ping An Cloud and the VPN gateway in the tenant local data center.</p>
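<p>Step 3 requires the IKE and IPsec parameters on both gateways to match. The following added example (not part of the original guide or of Ping An Cloud's tooling) compares two tunnel definitions before the connection is started, checks that each side's local subnets are the other side's remote subnets, and flags the older options the console still offers (IKEV1, AGGR, 3DES, MD5, DH2, DH5, PFS NONE). The dictionary layout, the key names, and the use of CIDR notation are assumptions made for this example.</p>

```python
import ipaddress

# Console options that current IKE/IPsec guidance treats as weak or deprecated.
WEAK_VALUES = {"IKEV1", "AGGR", "3DES", "MD5", "DH2", "DH5"}

def _norm(value):
    """Compare algorithm names case-insensitively; leave numbers untouched."""
    return value.strip().upper() if isinstance(value, str) else value

def _nets(cidrs):
    """Normalize a list of CIDR strings into a set of network objects."""
    return {ipaddress.ip_network(c, strict=False) for c in cidrs}

def audit(cloud, onprem):
    """Return (mismatched keys, weak settings, subnet errors) for two tunnel ends."""
    mismatches = sorted(
        k for k in set(cloud["params"]) | set(onprem["params"])
        if _norm(cloud["params"].get(k)) != _norm(onprem["params"].get(k))
    )
    weak = sorted(
        f"{side}:{k}" for side, cfg in (("cloud", cloud), ("onprem", onprem))
        for k, v in cfg["params"].items()
        if _norm(v) in WEAK_VALUES or (k == "ipsec.pfs" and _norm(v) == "NONE")
    )
    subnet_errors = []
    # Each side's local subnets must be exactly the other side's remote subnets.
    if _nets(cloud["local_subnets"]) != _nets(onprem["remote_subnets"]):
        subnet_errors.append("cloud local != on-prem remote")
    if _nets(cloud["remote_subnets"]) != _nets(onprem["local_subnets"]):
        subnet_errors.append("cloud remote != on-prem local")
    for name in ("local_subnets", "remote_subnets"):
        if not 1 <= len(cloud[name]) <= 5:  # the console accepts one to five entries
            subnet_errors.append(f"{name}: need 1-5 entries")
    return mismatches, weak, subnet_errors

# Constructed sample: the console defaults from the Step 2 table, private test subnets.
CLOUD = {
    "params": {"ike.version": "IKEV2", "ike.encryption": "AES128", "ike.authentication": "SHA1",
               "ike.dh_group": "DH14", "ike.lifetime_s": 86400, "ipsec.encryption": "AES128",
               "ipsec.authentication": "SHA1", "ipsec.pfs": "DH14", "ipsec.lifetime_s": 3600},
    "local_subnets": ["10.0.1.0/24"], "remote_subnets": ["192.168.10.0/24"],
}
# Constructed on-prem side with two deliberate faults: MD5 for IPsec and PFS disabled.
ONPREM = {
    "params": {**CLOUD["params"], "ike.encryption": "aes128",
               "ipsec.authentication": "MD5", "ipsec.pfs": "NONE"},
    "local_subnets": ["192.168.10.0/24"], "remote_subnets": ["10.0.1.0/24"],
}
```

<p>Calling <code>audit(CLOUD, ONPREM)</code> on the constructed sample reports the two mismatched IPsec settings and marks both as weak on the on-premises side, while the mirrored subnets pass.</p>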