## Product Introduction

The VPN gateway service provides a highly available VPN service with disaster recovery capabilities. It must be used in conjunction with the user's VPC in SCloud, the user's local gateway, and public network services.
Users can choose from various encryption and authentication algorithms to ensure the reliability of the tunnel.

### Basic Concepts of VPN Gateways

#### Service Structure of VPN Gateway

The VPN gateway service mainly consists of three parts:

VPN Gateway: The VPN gateway on the public cloud side of SCloud, which needs to be associated with the corresponding UVPC.

Customer Gateway: The customer's gateway in the local network.

Tunnel: A tunnel connecting the VPN gateway and the customer gateway. The customer needs to configure the corresponding algorithms and policies. The tunnel is established over the Internet, so its network quality is affected by the Internet.

#### Explanation of VPN Gateway Terms

| Term     | Explanation                                                       |
| ------- | -------------------------------------------------------- |
| VPN Gateway | The customer's outbound gateway in the UVPC of the SCloud public cloud.                             |
| Customer Gateway | Represents the customer's gateway in the local network. On the console, the customer needs to set the IP, name, etc., of the customer gateway.                   |
| Tunnel  | A channel connecting the customer gateway and the VPN gateway. Customers need to set its encryption algorithm, authentication algorithm, keys, etc. Once these are set, the tunnel can be established when either party initiates a connection. |
| EIP     | Public elastic IP. It is bound to the VPN to provide an external network access address and bandwidth.                         |

#### VPN Gateway Functional Overview

| Function        | Description                                                                 |
| ------------ | ------------------------------------------------------------------ |
| IKE Authentication Support | Provides authentication for IKE negotiation messages. Supports three authentication algorithms: md5, sha1, and sha2-256. |
| IKE Encryption Support  | Provides encryption protection for IKE negotiation messages. Supports four encryption algorithms: 3des, aes128, aes192, and aes256. |
| IKE DH Group  | Specifies the Diffie-Hellman group used in the IKE key exchange. Supports groups 1, 2, 5, 14, 15, and 16. |
| ID Type       | Describes the endpoint identity of the VPN gateway. Options are auto-recognition, IP address, or domain name. |
| IPSec Authentication Support | Provides authentication protection for user data. Supports two authentication algorithms: md5 and sha1. |
| IPSec Encryption Support | Provides encryption protection for user data. Supports four encryption algorithms: 3des, aes128, aes192, and aes256. |
| IPSec Security Protocol | IPSec supports two security protocols, AH and ESP. AH supports only data authentication; ESP supports both authentication and encryption. ESP is recommended. |
| PFS  | PFS is a security feature: if one key is cracked, the security of other keys is not affected. Supported DH groups are 1, 2, 5, 14, 15, and 16, or off (Disable). |
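The table above lists every option the gateway accepts, including legacy ones, so a tunnel policy is worth checking before it is applied on both ends. The following is an added example, not SCloud code: the field names are hypothetical, the floor values are an assumed baseline rather than SCloud guidance, and the proposal strings follow strongSwan keyword style as an assumption about the customer gateway.

```python
# Added example; field names are hypothetical, not SCloud's API.
# Per field: options the page lists (weakest first) and an assumed floor.
OPTIONS = {
    "ike_auth": (["md5", "sha1", "sha2-256"], "sha2-256"),
    "ike_enc": (["3des", "aes128", "aes192", "aes256"], "aes128"),
    "ike_dh": (["1", "2", "5", "14", "15", "16"], "14"),
    "ipsec_protocol": (["ah", "esp"], "esp"),  # the page recommends ESP
    "ipsec_auth": (["md5", "sha1"], "sha1"),   # nothing stronger is listed
    "ipsec_enc": (["3des", "aes128", "aes192", "aes256"], "aes128"),
    "pfs": (["disable", "1", "2", "5", "14", "15", "16"], "14"),
}
# MODP modulus size in bits per DH group (RFC 2409, RFC 3526).
MODP_BITS = {"1": 768, "2": 1024, "5": 1536, "14": 2048, "15": 3072, "16": 4096}


def audit_tunnel(policy):
    """Return (field, value, problem) tuples for a tunnel policy dict."""
    findings = []
    for field, (ordered, floor) in OPTIONS.items():
        value = str(policy.get(field, "")).lower()
        if value not in ordered:  # also catches a missing field
            findings.append((field, value, "not an option the gateway lists"))
        elif ordered.index(value) < ordered.index(floor):
            note = f"below floor {floor}"
            if value in MODP_BITS:
                note += f" ({MODP_BITS[value]}-bit MODP)"
            findings.append((field, value, note))
    return findings


def peer_proposals(policy):
    """Render matching strongSwan-style proposals for the customer gateway."""
    ike = "-".join([policy["ike_enc"],
                    policy["ike_auth"].replace("sha2-256", "sha256"),
                    f"modp{MODP_BITS[policy['ike_dh']]}"])
    child = [policy["ipsec_auth"]]
    if policy["ipsec_protocol"] == "esp":  # AH carries no cipher
        child.insert(0, policy["ipsec_enc"])
    if policy["pfs"] != "disable":
        child.append(f"modp{MODP_BITS[policy['pfs']]}")
    return {"ike": ike, policy["ipsec_protocol"]: "-".join(child)}


# Constructed sample policies.
LEGACY = dict(ike_auth="md5", ike_enc="3des", ike_dh="2", ipsec_protocol="ah",
              ipsec_auth="md5", ipsec_enc="3des", pfs="disable")
HARDENED = dict(ike_auth="sha2-256", ike_enc="aes256", ike_dh="14",
                ipsec_protocol="esp", ipsec_auth="sha1", ipsec_enc="aes256", pfs="14")
```

Both ends must carry the same values, so run the audit first and generate the customer gateway side from the same policy dict.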

#### VPN Gateway Usage Quota

The default quota for each account is as follows:

| Name              | Quota |
| --------------- | -- |
| VPN Gateway     | 5  |
| Customer Gateway | 30 |
| Tunnels (per VPN gateway) | 20 |
| Number of peer segments per tunnel   | 20 |
| Number of local segments per tunnel  | 10 |
