Operation Guide
Creating UWAN Virtual Router
When creating a UWAN virtual router, you need to select the region where the UWAN virtual router is located and give it a name. Only one UWAN virtual router can be created in each region. In addition, each UWAN virtual router comes with a UWAN access bandwidth package. You need to configure the bandwidth package name, bandwidth mode, and bandwidth quota. After creation, UCloud Global will automatically assign a public network IP to your UWAN virtual router for connection with CE-side equipment.
Creating CE Customer Gateway
When creating a customer gateway, please note that the customer gateway IP is the gateway device IP of your local network. The customer gateway is a virtual concept, representing the projection of your local gateway on UCloud Global, which is convenient for you to create and manage tunnels.
Creating Tunnel
After the gateway is created, you can directly proceed to create the tunnel.
You can also create a tunnel by clicking “Create Tunnel” on the CE customer gateway page.
Tunnel Basic Information
On this page, you can fill in the pre-shared key for the tunnel. The pre-shared key is a Unicode string used to verify the IPSec connection and increase the security of the connection between your local network and the UWAN virtual router.
IKE Rules
Currently, IKE supports only versions V1 and V2. If you do not adjust the configuration, the default configuration is used. With the default configuration, if the customer gateway initiates the tunnel connection, the UCloud Global VPN gateway acts as the receiver and performs the negotiation. If the VPN gateway initiates the connection, the customer gateway acts as the receiver and must establish the tunnel using the negotiation mode configured at the other end, or with the same configuration. The default configuration is shown in the table below.
Configuration Item | Supported Types and Descriptions |
---|---|
Encryption Algorithm | Configures the encryption algorithm used during IKE negotiation, supports aes128, aes192, aes256, and 3des. The default is aes128. |
Authentication Algorithm | Configures the authentication algorithm used during IKE negotiation, supports md5, sha1, and sha2-256. The default is sha1. |
Negotiation Mode | Configures the negotiation mode used during IKE negotiation, supports main mode and aggressive mode. The default is main mode. |
DH Group | Configures the Diffie-Hellman group used during IKE negotiation, supports 1, 2, 5, 14, 15, and 16. The default is 15. |
Local ID Type | Configures the ID describing the local VPN gateway device. Supports 3 types: automatic recognition, IP address identification, and domain name identification. The default is automatic recognition. |
Remote ID Type | Configures the ID describing the remote VPN gateway device. Supports 3 types: automatic recognition, IP address identification, and domain name identification. The default is automatic recognition. |
SA Timeout (Time) | Configures the timeout of the Security Association, ranging from 600 to 604800. The default is 1080, in seconds. |
IPSec Rules
In the IPSec configuration, the subnet of the CE side needs to be configured, and up to 10 subnets can be filled in. The subnet of the CE side is the subnet of your local data center that you want to connect to.
In addition to the basic subnet configuration, if you have not changed the advanced options, the default configuration is used, as with IKE. With the default configuration, if the CE customer gateway initiates the tunnel connection, the UWAN virtual router acts as the receiver and performs the negotiation. If the UWAN virtual router initiates the connection, the CE customer gateway acts as the receiver and must likewise establish the tunnel using the negotiation mode configured at the other end, or with the same configuration.
Configuration Item | Supported Types and Descriptions |
---|---|
Encryption Algorithm | Configures the encryption algorithm used during IKE negotiation, supports aes128, aes192, aes256, and 3des. The default is aes128. |
Authentication Algorithm | Configures the authentication algorithm used during IKE negotiation, supports md5, sha1, and sha2-256. The default is sha1. |
SA Timeout (Time) | Configures the timeout of the Security Association, ranges from 1200 to 604800. The default is 3600, in seconds. |
SA Timeout (Traffic) | Configures the traffic-based timeout of the IPSec Security Association, ranging from 8000 to 2000000, in bytes. By default, the SA Timeout (Time) is used. |
Security Protocol | Configures the security protocol used by IPSec, supports AH and ESP. The default is ESP. |
PFS DH Group | Configures whether to enable PFS, supports Disable, 1, 2, 5, 14, 15, and 16. The default is Disable. |
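An added example, not UCloud's own code: a Python check that applies the defaults from the IKE and IPSec tables above, reports where a CE gateway's settings differ from the UWAN side, and lists supported values worth hardening. The key names, the `FLAGGED` set, and the sample CE settings are assumptions made for this example.

```python
# Supported values and defaults, transcribed from the IKE and IPSec tables above.
# SA Timeout (Traffic) is left out because the page gives it no numeric default.
ALGS = {"encryption": (("aes128", "aes192", "aes256", "3des"), "aes128"),
        "authentication": (("md5", "sha1", "sha2-256"), "sha1")}
IKE = {**ALGS,
       "mode": (("main", "aggressive"), "main"),
       "dh_group": ((1, 2, 5, 14, 15, 16), 15),
       "sa_timeout": (range(600, 604801), 1080)}
IPSEC = {**ALGS,
         "sa_timeout": (range(1200, 604801), 3600),
         "protocol": (("AH", "ESP"), "ESP"),
         "pfs_group": (("disable", 1, 2, 5, 14, 15, 16), "disable")}

# Assumption (not from the page): supported values this audit flags for hardening.
FLAGGED = {"encryption": {"3des"}, "authentication": {"md5"},
           "mode": {"aggressive"}, "dh_group": {1, 2, 5},
           "protocol": {"AH"}, "pfs_group": {"disable", 1, 2, 5}}


def resolve(table, overrides):
    """Fill in the page's defaults and reject anything the table does not list."""
    cfg = {key: overrides.get(key, default) for key, (_, default) in table.items()}
    bad = sorted(set(overrides) - set(table))
    bad += [key for key, (allowed, _) in table.items() if cfg[key] not in allowed]
    if bad:
        raise ValueError(f"unsupported settings: {bad}")
    return cfg


def audit(table, uwan_overrides, ce_settings):
    """Return (settings where the CE side differs, settings flagged for hardening)."""
    uwan = resolve(table, uwan_overrides)
    mismatched = sorted(key for key in uwan if ce_settings.get(key) != uwan[key])
    flagged = sorted(key for key, value in uwan.items() if value in FLAGGED.get(key, ()))
    return mismatched, flagged


if __name__ == "__main__":
    # Constructed sample: UWAN tunnel left at defaults, CE device configured by hand.
    ce_ike = {"encryption": "aes128", "authentication": "sha1", "mode": "main",
              "dh_group": 14, "sa_timeout": 1080}
    ce_ipsec = {"encryption": "aes128", "authentication": "sha1",
                "sa_timeout": 3600, "protocol": "ESP", "pfs_group": "disable"}
    print("IKE  ", audit(IKE, {}, ce_ike))      # CE uses DH group 14, default is 15
    print("IPSec", audit(IPSEC, {}, ce_ipsec))  # default leaves PFS disabled
```
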
Edit Tunnel
After the tunnel is created, you can edit it if you need to change any configuration items. After saving the new configuration, you need to update the configuration of the local data center gateway to match so that the tunnel can be re-established.
Manage UWAN Virtual Router
When you have created multiple UWAN virtual routers, you can manage the UWAN virtual routers on the UWAN virtual router management page.
On the details page, you can view the detailed information of the UWAN virtual router, including basic information, associated cloud network information, and the associated UWAN cross-domain bandwidth package.
View Route Information
You can view the routing information received by this UWAN virtual router from the CE side on the “UWAN Virtual Router-Details-Routing Table” page. The destination subnet represents the subnet learned from the CE side, and the resource ID points to the resource ID of the gateway publishing this subnet. The next-hop gateway type is the gateway type corresponding to the gateway resource ID.
Bandwidth Package Upgrades and Downgrades
You can view the UWAN access bandwidth package and adjust the bandwidth quota on the “UWAN Virtual Router-Details-Overview” page, or directly adjust the bandwidth quota on the “UWAN Virtual Router Management” page by clicking “Adjust Bandwidth”.
Monitor UWAN Virtual Router
【Image to be added】
Manage CE Customer Gateway
When you have created multiple CE customer gateways, you can manage the CE customer gateway on the CE customer gateway management page.
You can view the basic information and tunnel monitoring information of the CE customer gateway on the “CE Customer Gateway Management-Details” page; check the tunnel configuration on the “CE Customer Gateway Management-Tunnel Management” page.
Delete UWAN Virtual Router
You can delete the UWAN virtual router on the “UWAN Virtual Router Management” page. To prevent an accidental operation from causing a large-scale network interruption, before deleting the UWAN virtual router you need to delete the CE customer gateways connected under this virtual router and remove its association with the cloud network.
Delete CE Customer Gateway
You can delete the CE customer gateway on the “CE Customer Gateway Management” page. Deletion will disconnect the VPN connection and terminate the network connection from your local network to the UWAN virtual router. Please proceed with caution.