## User Guide

### Creating a VPN Gateway

When creating a VPN gateway, you need to fill out two main sections: Gateway Information and IP Settings. In Gateway Information, in addition to basic information such as the gateway name, notes, business group, etc., you also need to select the VPC network in which this gateway is located; a VPN gateway must belong to a VPC network. There are also two gateway specifications to choose from. In IP Settings, choose the bandwidth of the bound IP to match the VPN gateway specification.

<!-- image-todo -->

### Creating a Customer Gateway

When creating a customer gateway, it should be noted that the customer gateway IP is the IP of your local network gateway device. The customer gateway is a virtual concept representing the projection of your local gateway on the SCloud, making it easier for you to create and manage tunnels.

<!-- image-todo -->

### Creating Tunnel

When creating a tunnel, in addition to the tunnel name, notes, business group, etc., you also need to select the VPN gateway and the customer gateway that the tunnel connects. If no VPN gateway or customer gateway has been created yet, a tunnel cannot be established.

<!-- image-todo -->

### IKE Rules

IKE currently supports version 1 only. You need to enter a pre-shared key; the pre-shared key is a Unicode string. This is the basic IKE setting. If you do not open the advanced options, the default configuration is used. With the default configuration, when the tunnel connection is initiated by the customer gateway, the SCloud VPN gateway acts as the acceptor (responder) in the negotiation. When the SCloud VPN gateway initiates the connection and the customer gateway acts as the acceptor, the default configuration is proposed, so the customer gateway must be configured with the same parameters or a matching negotiation mode for the tunnel to be established. The default configuration is listed in the configuration table below.

If you need to configure more options aside from the pre-shared key, you can open the advanced options for configuration.

<!-- image-todo -->

After opening the advanced options, you can configure the encryption algorithm, authentication algorithm, negotiation mode, DH group, local and peer ID types, and SA timeout. The configurable items are as follows:

| Config Item | Supported Values and Description |
| ----------- | ----------------------------------------------------------- |
| Encryption Algorithm | Message encryption algorithm used during IKE negotiation. Supported: aes128, aes192, aes256, 3des. Default: aes128. |
| Authentication Algorithm | Message authentication algorithm used during IKE negotiation. Supported: md5, sha1, sha2-256. Default: sha1. |
| Negotiation Mode | Negotiation mode used during IKE negotiation. Supported: main mode, aggressive mode. Default: main mode. |
| DH Group | Diffie-Hellman group used during IKE negotiation. Supported: 1, 2, 5, 14, 15, 16. Default: 15. |
| Local ID Type | ID that identifies the local VPN gateway device. Supported: automatic recognition, IP address, domain name. Default: automatic recognition. |
| Peer ID Type | ID that identifies the peer VPN gateway device. Supported: automatic recognition, IP address, domain name. Default: automatic recognition. |
| SA Timeout (Time) | Lifetime of the IKE Security Association, in seconds. Range: 600-604800. Default: 1080. |

<!-- image-todo -->

### IPSec Rules

In the IPSec configuration, you need to configure the local subnet and the peer subnet. The local subnet is a subnet you created in the VPC. The peer subnet is the subnet in your local data center that you want to connect to. The subnet you configure on the SCloud VPC must not overlap with the subnet behind your local gateway.
The relationship between the local subnet and the peer subnet is shown below:

<!-- image-todo -->

Apart from the basic subnet configuration, if you do not change anything in the advanced options, the default configuration is used. As with IKE, when using the default configuration, if the tunnel connection is initiated by the customer gateway, the SCloud VPN gateway acts as the acceptor (responder) in the negotiation. If the SCloud VPN gateway initiates the connection and the customer gateway acts as the acceptor, the default configuration is proposed, so the customer gateway must be configured with the same parameters or a matching negotiation mode for the tunnel to be established.
Click on advanced options to configure them:

<!-- image-todo -->

| Config Item | Explanation |
| ----------- | ----------------------------------------------------------- |
| PFS DH Group | Whether Perfect Forward Secrecy is enabled and which DH group it uses. Supported: Disable, 1, 2, 5, 14, 15, 16. Default: Disable. |
| Security Protocol | Security protocol used by IPSec. Supported: AH, ESP. Default: ESP. |
| Encryption Algorithm | Encryption algorithm used by IPSec. Supported: aes128, aes192, aes256, 3des. Default: aes128. |
| Authentication Algorithm | Authentication algorithm used by IPSec. Supported: sha1, md5. Default: sha1. |
| SA Timeout (Time) | Lifetime of the IPSec Security Association, in seconds. Range: 1200-604800. Default: 3600. |
| SA Timeout (Traffic) | Traffic-based lifetime of the IPSec Security Association, in bytes. Range: 8000-2000000. Default: not set, so only SA Timeout (Time) applies. |
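The two tables above and the rule that the VPC subnet must not overlap the data-center subnet are exactly the things worth checking before a tunnel definition is pushed to the customer gateway, where a mismatch only shows up as a failed negotiation. The following is an added example, not SCloud's tooling or API: it encodes the supported values, ranges and defaults from the IKE and IPSec tables, fills in the defaults for anything left unset, rejects unsupported values and out-of-range lifetimes, checks the subnets for overlap with the standard library `ipaddress` module, and additionally warns on legacy choices (3des, md5, aggressive mode, AH, small DH groups, PFS disabled). The warning rules are this example's own assumptions about what a reviewer would flag, not SCloud policy; the DH group number to MODP size mapping in the comment is the standard IANA assignment.

```python
"""Pre-flight check for an SCloud site-to-site tunnel definition.

Added example, not SCloud's own tooling.  Supported values, ranges and
defaults come from the IKE and IPSec configuration tables; the weak-option
warnings are this example's assumptions, not SCloud policy.
"""
import ipaddress

# Supported values and defaults, from the IKE configuration table.
IKE_DEFAULTS = {"encryption": "aes128", "authentication": "sha1", "mode": "main",
                "dh_group": 15, "sa_seconds": 1080}
IKE_ALLOWED = {"encryption": {"aes128", "aes192", "aes256", "3des"},
               "authentication": {"md5", "sha1", "sha2-256"},
               "mode": {"main", "aggressive"},
               "dh_group": {1, 2, 5, 14, 15, 16}}
IKE_SA_RANGE = (600, 604800)

# Supported values and defaults, from the IPSec configuration table.
# sa_bytes=None means the traffic-based timeout is not set (time-based only).
IPSEC_DEFAULTS = {"pfs_dh_group": "disable", "protocol": "esp", "encryption": "aes128",
                  "authentication": "sha1", "sa_seconds": 3600, "sa_bytes": None}
IPSEC_ALLOWED = {"pfs_dh_group": {"disable", 1, 2, 5, 14, 15, 16},
                 "protocol": {"ah", "esp"},
                 "encryption": {"aes128", "aes192", "aes256", "3des"},
                 "authentication": {"sha1", "md5"}}
IPSEC_SA_RANGE = (1200, 604800)
IPSEC_BYTES_RANGE = (8000, 2000000)

# Assumed reviewer guidance (not part of the tables): legacy choices to warn on.
WEAK_VALUES = {("encryption", "3des"): "3des is a legacy cipher; prefer aes256",
               ("authentication", "md5"): "md5 is not collision resistant; prefer sha2-256",
               ("mode", "aggressive"): "aggressive mode exposes a hash of the PSK to eavesdroppers; prefer main",
               ("protocol", "ah"): "AH authenticates but does not encrypt; prefer ESP"}
# IANA MODP groups: 1=768, 2=1024, 5=1536, 14=2048, 15=3072, 16=4096 bits.
WEAK_DH = {1, 2, 5}


def _validate(name, defaults, allowed, overrides, sa_range):
    """Merge overrides onto defaults; return (config, errors, warnings)."""
    unknown = set(overrides) - set(defaults)
    if unknown:
        raise ValueError(f"{name}: unknown config items {sorted(unknown)}")
    cfg = {**defaults, **overrides}
    errors, warnings = [], []
    for item, values in allowed.items():
        if cfg[item] not in values:
            errors.append(f"{name} {item}={cfg[item]!r} is not a supported value")
    lo, hi = sa_range
    if not lo <= cfg["sa_seconds"] <= hi:
        errors.append(f"{name} sa_seconds={cfg['sa_seconds']} outside {lo}-{hi}")
    for (item, value), why in WEAK_VALUES.items():
        if cfg.get(item) == value:
            warnings.append(f"{name}: {why}")
    return cfg, errors, warnings


def check_ike(overrides=None):
    cfg, errors, warnings = _validate("IKE", IKE_DEFAULTS, IKE_ALLOWED, overrides or {}, IKE_SA_RANGE)
    if cfg["dh_group"] in WEAK_DH:
        warnings.append(f"IKE: DH group {cfg['dh_group']} is below 2048 bits; prefer 14 or higher")
    return cfg, errors, warnings


def check_ipsec(overrides=None):
    cfg, errors, warnings = _validate("IPSec", IPSEC_DEFAULTS, IPSEC_ALLOWED, overrides or {}, IPSEC_SA_RANGE)
    if cfg["sa_bytes"] is not None:
        lo, hi = IPSEC_BYTES_RANGE
        if not lo <= cfg["sa_bytes"] <= hi:
            errors.append(f"IPSec sa_bytes={cfg['sa_bytes']} outside {lo}-{hi}")
    if cfg["pfs_dh_group"] == "disable":
        warnings.append("IPSec: PFS disabled; compromise of the IKE SA keys exposes every IPSec SA derived from it")
    elif cfg["pfs_dh_group"] in WEAK_DH:
        warnings.append(f"IPSec: PFS DH group {cfg['pfs_dh_group']} is below 2048 bits; prefer 14 or higher")
    return cfg, errors, warnings


def check_subnets(local_subnets, peer_subnets):
    """VPC (local) subnets and data-center (peer) subnets must not overlap."""
    local = [ipaddress.ip_network(s, strict=True) for s in local_subnets]
    peer = [ipaddress.ip_network(s, strict=True) for s in peer_subnets]
    return [f"{a} overlaps {b}" for a in local for b in peer if a.overlaps(b)]


def check_tunnel(local_subnets, peer_subnets, ike=None, ipsec=None):
    """Return (ok, errors, warnings) for a whole tunnel definition."""
    _, ike_err, ike_warn = check_ike(ike)
    _, sec_err, sec_warn = check_ipsec(ipsec)
    errors = check_subnets(local_subnets, peer_subnets) + ike_err + sec_err
    return not errors, errors, ike_warn + sec_warn


if __name__ == "__main__":
    # Constructed sample: overlapping subnets plus a legacy IKE proposal.
    ok, errors, warnings = check_tunnel(
        ["10.10.0.0/16"], ["10.10.20.0/24"],
        ike={"authentication": "md5", "dh_group": 2, "mode": "aggressive"},
        ipsec={"sa_bytes": 4000})
    print("ok" if ok else "rejected")
    for line in errors + warnings:
        print(" -", line)
```

Errors are hard failures that SCloud would not accept or that would break routing; warnings are choices that negotiate fine but weaken the tunnel, so the customer gateway side should be configured to the stronger option in both places, since both ends must propose the same parameters.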

### Editing Tunnels

After the tunnel is created, you can edit the tunnel if you need to change any configuration items. After saving the new configuration, however, you must update the configuration of the local data center gateway to match before the tunnel can be re-established.

<!-- image-todo -->

### Managing Gateways

When you have created multiple VPN gateways and customer gateways, you can manage them on the VPN gateway or customer gateway list page. You can filter gateways by different attributes, or open a gateway's page to edit it.
For VPN gateway management, you can unbind the Elastic IP (EIP) currently bound to the VPN gateway and bind a different one. Before doing so, you must first delete the tunnels created on the VPN gateway; otherwise the new EIP cannot be bound to the VPN gateway.

<!-- image-todo -->

When you decide to stop using the VPN gateway or the customer gateway, you can delete the VPN gateway and the customer gateway. But before deleting the gateway, you also need to delete the tunnel established on the gateway. Deleting the VPN gateway will not delete the Elastic IP bound to the VPN gateway.

<!-- image-todo -->

### Viewing Monitoring

#### VPN Gateway Monitoring

VPN gateway monitoring tracks the inbound and outbound traffic of the bound Elastic IP. You can view the monitoring graphs on the VPN gateway page.

<!-- image-todo -->

<!-- image-todo -->

#### Tunnel Monitoring

Tunnel monitoring tracks changes in tunnel status and in the tunnel's inbound and outbound traffic.

<!-- image-todo -->