Create an IPsec Tunnel

On the main menu of ZStack Cloud, choose Resource Center > Network Service > Advanced Network Service > IPsec Tunnel. On the IPsec Tunnel page, click Create IPsec Tunnel. Then, the Create IPsec Tunnel page is displayed.

On the displayed page, set the following parameters:
  • Name: Enter a name for the IPsec tunnel.
  • Description: Optional. Enter a description for the IPsec tunnel.
  • VIP: You can create a VIP or use an existing VIP to provide IPsec tunnel services.
    Create VIP: Create a VIP. If you choose to create a VIP, set the following parameters:
    • Public Network: Select a public network to create a VIP.
    • IP Range: Optional. Select an IP range. If you selected an IPv4 public network, you can select a normal IP range or an address pool.
    • Assign IP: Optional. You can assign a virtual IP address. If left blank, the system automatically assigns a VIP.
    Use Existing VIP: Use an existing VIP. If you choose to use an existing VIP, set the following parameters:
    • VIP: Select an existing VIP.
      Note: The system VIP of a VPC vRouter can be used to provide IPsec tunnel services.
  • Local Subnet: Select a VPC network attached to the VPC vRouter that is associated with the selected public network. If only one VPC network is attached to the VPC vRouter, the VPC network is selected by default.
  • Peer Public IP: Enter the peer public IP address that provides IPsec tunnel services.
  • Peer CIDR: Specify the peer network CIDR.
    Note: The CIDR block cannot overlap with the network ranges of the management network and public network attached to the VPC vRouter.
  • Authentication Key: Set a relatively strong authentication key.
  • Advanced: You can configure advanced parameter settings for the IPsec tunnel. The Cloud automatically configures default settings for the parameters, as shown in the following list:
    • Authentication Mode: psk
    • IPsec Mode: tunnel
    • IKE Authentication Algorithm: sha1
    • IKE Encryption Algorithm: aes128
    • IKE DH Group: 2
    • IPsec Security Protocol: esp
    • ESP Authentication Algorithm: sha1
    • ESP Encryption Algorithm: aes128
    • Perfect Forward Secrecy: dh-group2
    Note:
    • If you configure an IPsec tunnel by using a VPC vRouter of ZStack Cloud and a third-party device, you need to negotiate the advanced settings of the two devices.
    • When you create an IPsec tunnel, you need to adjust local advanced settings based on the IPsec configurations of the peer network device.
Figure 1. Create IPsec Tunnel
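
The Peer CIDR note and the note on matching the peer device's settings can both be checked before the form is submitted. The following Python sketch is an added example, not ZStack Cloud code: the function names are hypothetical, and the network ranges and peer-device settings are constructed sample values.

```python
import ipaddress

# Defaults this page lists under Advanced.
ZSTACK_DEFAULTS = {
    "Authentication Mode": "psk", "IPsec Mode": "tunnel",
    "IKE Authentication Algorithm": "sha1", "IKE Encryption Algorithm": "aes128",
    "IKE DH Group": "2", "IPsec Security Protocol": "esp",
    "ESP Authentication Algorithm": "sha1", "ESP Encryption Algorithm": "aes128",
    "Perfect Forward Secrecy": "dh-group2",
}
# Constructed sample data: networks attached to the VPC vRouter, and the
# settings reported by a hypothetical third-party peer device.
RESERVED = {"management": "172.20.0.0/16", "public": "203.0.113.0/24"}
PEER = {**ZSTACK_DEFAULTS, "IKE Authentication Algorithm": "sha256",
        "IKE DH Group": "14", "Perfect Forward Secrecy": "dh-group14"}

def overlapping_networks(peer_cidr, reserved):
    """Names of reserved networks whose range overlaps the peer CIDR."""
    peer = ipaddress.ip_network(peer_cidr, strict=True)  # rejects host bits
    hits = []
    for name, cidr in reserved.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version == peer.version and peer.overlaps(net):
            hits.append(name)
    return hits

def proposal_mismatches(local, peer):
    """Map each parameter that differs (or is missing on one side) to (local, peer)."""
    diffs = {}
    for key in sorted(set(local) | set(peer)):
        a, b = local.get(key), peer.get(key)
        if a is None or b is None or a.strip().lower() != b.strip().lower():
            diffs[key] = (a, b)
    return diffs

def preflight(peer_cidr, reserved, local, peer):
    """Collect every problem that should be fixed before the tunnel is created."""
    problems = []
    try:
        for name in overlapping_networks(peer_cidr, reserved):
            problems.append(f"Peer CIDR {peer_cidr} overlaps the {name} network")
    except ValueError as exc:
        problems.append(f"Peer CIDR is not a valid network: {exc}")
    for key, (a, b) in proposal_mismatches(local, peer).items():
        problems.append(f"{key}: local={a} peer={b}")
    return problems

if __name__ == "__main__":
    for line in preflight("172.20.10.0/24", RESERVED, ZSTACK_DEFAULTS, PEER):
        print(line)
```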