Community Blog Create a Multi-CIDR Block VPN with IKEv1 in a Multi-Network CEN in Alibaba Cloud

Create a Multi-CIDR Block VPN with IKEv1 in a Multi-Network CEN in Alibaba Cloud

In this tutorial, we will provide a solution to multi-CIDR block issue faced by many clients in setting up a multi-CIDR-block VPN using the IKEv1 Protocol as part of the CEN.

By Rohit Kumar, Alibaba Cloud Solutions Architect


Alibaba Cloud provides VPN Gateway as a service which can be used to connect your on-premise data centre. Office or personal device to connect to Alibaba Cloud VPC. To connect a data centre/office network to Alibaba Cloud VPC, you can use IKEv1 or IKEv2 protocols and configure an IPSec connection. However, IKEv1 protocol by default does not support multiple CIDR block selection. The IKEv1 protocol only support a single CIDR block as local traffic selector and a single CIDR block for remote traffic selector. This is a limitation of the protocol itself.

In Alibaba Cloud, we provide the recommendation to use IKEv2 protocol for a better support of multi-CIDR block scenario. However, there are many clients(enterprises) who already use IKEv1 for their VPN requirement and are not in a position to change to IKEv2 protocol when they want to connect different networks in different geographies using Alibaba Cloud CEN and last mile connectivity with VPN.

In this document, I will provide a solution to multi-CIDR block issue faced by many clients in setting up a multi-CIDR-block VPN using the IKEv1 Protocol as part of the CEN. This can help connect different sites using IKEv1 IPSec VPN gateway and use within a single CEN instance.

Problem Details

Consider a scenario where you have two offices/datacenters in different parts of the world and you want to use Cloud Enterprise Network (CEN) to connect to these offices/datacenters. In that case, once you have created a VPN Gateway using IKEv1 protocol between local office and Alibaba Cloud VPC in local region, you need to add the remote VPC CIDR block from remote region to the VPN tunnel to make sure that all three networks are part of a larger private network. In Alibaba Cloud console, when you try to add more than one 'Local Network' or 'Remote Network' entry while using IKEv1 protocol, it gives you error "Use the IKEv2 protocol if the local network segment or remote network segment contains multiple subnets."

As shown in the screenshots below, it is a requirement by Alibaba Cloud (because of protocol) and adding more than 1 pair of CIDR blocks as part of the network gives the error.



Network Architecture

To solve the issue of allowing more than one network CIDR block pair as part of the same VPN tunnel, we need to create more than one IPSec connection as part of the same VPN Gateway and IKEv1 protocol. This would allow user to create only one VPN Gateway to connection local office to local VPC and remote network. This way everything would still be part of the same large network even when using IKEv1 protocol.

Here is the architecture diagram to explain the scenario.


Example Implementation

In this example implementation, I am going to use three different VPCs in Alibaba Cloud in three different regions and use one of them as an on-premise DC, one as local VPC and third one as remote VPC in a different region. All three networks would be part of CEN network to reflect the client requirements and also to show that the solution delivers the intended results.

1. First create three VPCs in three different regions which to simulate the scenario described above. Here is the network configuration for these three different networks:


2. Once you have created the VPCs, next create two VPN Gateways, one in Local Data Centre and one in Local VPC. For our case, here is the configuration. VPN Gateway in Local Data Centre would act as Customer Gateway for Local VPC network and VPN Gateway in Local VPC network would act as remote network gateway for Local Data Centre.



3. Create Customer Gateway in Local VPC and Remote Gateway in Local Data Centre with the IPs used as described above.



4. Next create one IPSec connection between Local VPC and Local Data Centre with the IKEv1 protocol, and Local VPC CIDR and Local Data Centre which would be used for local VPN tunnel. Next create another IPSec connection on the same VPN Gateway between Local VPC and Local Data Centre with the Remote VPC network CIDR (instead of Local VPC CIDR) using following configuration. The latter IPSec connection will help create the larger network but still use CEN bandwidth to connect to remote VPC.

IPSec for local networks:


IPSec for Local DC and Remote VPC networks:


5. Attach the Local VPC and Remote VPC to CEN network to create the connection between the networks in Alibaba Cloud.


6. First, add route entries for Remote VPC CIDR and Local VPC CIDR in the Local DC route table to redirect traffic to the Remote VPC and Local VPC and add route entries in the Local VPC route table for Local DC CIDR to redirect traffic to the Local DC. This is shown in red squares in screenshots below.

Next, to make Remote VPC attached to the CEN instance learn the route pointing to the Local DC, publish the route entry pointing to the VPN Gateway to the CEN instance so that other Remote VPC can learn the route. This is shown in green squares in screenshots below.

Local DC:


Local VPC:


Remote VPC:


Test the Connectivity

Once the above steps are performed, this all becomes part of a larger private network. To test the connectivity, you can create three VMs in each of the networks and ping these machines from one another.

From Local VPC to Local DC VPN ping:


From Local DC to Remote VPC ping:



Though IKEv2 is an advanced protocol, not many clients use it in internal their VPN tunnels. It may become a challenge some time for customers when they want to use multi-subnet pairs to create a larger network. Though IKEv1 protocol has the limitation to support multiple subnet (CIDR blocks) pairs as part of a VPN tunnel, it is possible to create many IPSec connections on IKEv1 protocol as part of the same VPN tunnel and create a larger private network without the hassle of using IKEv2 protocol and simple network architectural change.

0 0 0
Share on

Rohit Kumar

3 posts | 0 followers

You may also like


Rohit Kumar

3 posts | 0 followers

Related Products