
VPN Gateway: IPsec-VPN configuration overview

Last Updated: Feb 19, 2024

This topic describes how to configure IPsec-VPN to establish a private network connection between a data center and a virtual private cloud (VPC).

Select the resource with which you want to associate the IPsec-VPN connection

You can associate a VPN gateway or a transit router with an IPsec-VPN connection. Both a VPN gateway and a transit router can be used to connect a data center to a VPC. However, the features supported are different, as described in the following table. You can select a VPN gateway or a transit router based on your business requirements.

Item: Associated resource

  Associated with a VPN gateway: You must purchase a VPN gateway and associate it with a VPC before you can create an IPsec-VPN connection. Your data center or office network can communicate with the associated VPC, or with other networks through the associated VPC.

  Associated with a transit router: You do not need to purchase a VPN gateway or associate one with a VPC. You must create a Cloud Enterprise Network (CEN) instance and create a transit router on the CEN instance. Your data center or office network can communicate with all VPCs connected to the transit router, or with other networks through the transit router.

Item: Supported encryption algorithms

  Associated with a VPN gateway: Commercial cryptographic algorithms that comply with international standards.

  Associated with a transit router: Commercial cryptographic algorithms that comply with international standards.

Item: Tunnel mode supported by IPsec-VPN connections

  Associated with a VPN gateway:
    • Dual-tunnel mode
    • Single-tunnel mode
    (Which mode a given VPN gateway supports depends on its region and on whether it has been upgraded; see Limits below.)

  Associated with a transit router: Single-tunnel mode only.

Item: Maximum bandwidth supported by each IPsec-VPN connection

  Associated with a VPN gateway: 1,000 Mbit/s.
    Note: The maximum bandwidth supported by VPN gateways in some regions is 200 Mbit/s. For more information about the regions, see Limits on VPN gateways.

  Associated with a transit router: 1 Gbit/s by default. You can increase the bandwidth of an IPsec-VPN connection by using other methods. For more information, see the How do I increase the maximum bandwidth of IPsec-VPN connections? section of the "FAQ about VPN gateways" topic.

Item: Maximum number of packets that can be transmitted through each IPsec-VPN connection per second

  Associated with a VPN gateway: 120,000 packets per second (measured with 256-byte packets).

  Associated with a transit router: 120,000 packets per second (measured with 256-byte packets).

  At 256 bytes per packet, 120,000 packets per second corresponds to roughly 246 Mbit/s, so workloads made up of many small packets reach the packet-rate limit well before they reach the bandwidth limit. Plan capacity on packet rate, not only on bandwidth, for such traffic.

Item: Supported network type

  Associated with a VPN gateway:
    • Public: an encrypted connection over the Internet.
    • Private: an encrypted connection over an Express Connect circuit.
      Note: If you want to establish an encrypted tunnel over a private network connection based on an Express Connect circuit, we recommend that you create an IPsec-VPN connection and associate it with a transit router.

  Associated with a transit router:
    • Public: an encrypted connection over the Internet.
    • Private: an encrypted connection over an Express Connect circuit.

Item: Method used to implement high availability

  Associated with a VPN gateway: Active/standby connections, as shown in Figure 1 (dual-tunnel mode) and Figure 2 (single-tunnel mode).

  Associated with a transit router: Equal-cost multi-path (ECMP) routing, as shown in Figure 3.

Figure 1. Active/standby links in dual-tunnel mode (figure not reproduced)

Figure 2. Active/standby links in single-tunnel mode (figure not reproduced)

Figure 3. ECMP routing (figure not reproduced)

Descriptions of tunnel modes

For IPsec-VPN connections that are associated with a VPN gateway, the original single-tunnel mode has been upgraded to a dual-tunnel mode that improves the availability of the connection, as shown in the figure below. Compared with single-tunnel mode, dual-tunnel mode creates two encrypted tunnels for each IPsec-VPN connection. By default, data is transferred through the active tunnel, which the system designates. If the active tunnel goes down, the standby tunnel takes over.

For more information about the dual-tunnel mode, see [Upgrade notice] IPsec-VPN connections support the dual-tunnel mode.

Figure: dual-tunnel mode compared with single-tunnel mode (figure not reproduced)

Limits

  • You can associate an IPsec-VPN connection with a transit router in specific regions. For more information about the supported regions, see Regions that support different features of VPN Gateway.

  • In scenarios where an IPsec-VPN connection is associated with a transit router, the IPsec-VPN connection can be associated only with an Enterprise Edition transit router and supports only the single-tunnel mode.

  • If you purchase new VPN gateways in regions that support the dual-tunnel mode, IPsec-VPN connections of the new VPN gateways support only the dual-tunnel mode and do not support the single-tunnel mode.

  • IPsec-VPN connections of existing VPN gateways in those regions support only the single-tunnel mode until you upgrade the VPN gateway to the dual-tunnel mode. After a VPN gateway is upgraded, you can no longer create IPsec-VPN connections in single-tunnel mode on that VPN gateway. For more information, see Upgrade a VPN gateway to enable the dual-tunnel mode.

  • IPsec-VPN connections in regions that do not support the dual-tunnel mode support only the single-tunnel mode.

  • Only the following regions and zones support the dual-tunnel mode.

    Regions and zones that support the dual-tunnel mode

    China (Hangzhou): Zone K, Zone J, Zone I, Zone H, and Zone G
    China (Shanghai): Zone K, Zone L, Zone M, Zone N, Zone B, Zone D, Zone E, Zone F, and Zone G
    China (Nanjing - Local Region): Zone A
    China (Shenzhen): Zone A, Zone E, Zone D, and Zone F
    China (Heyuan): Zone A and Zone B
    China (Guangzhou): Zone A and Zone B
    China (Qingdao): Zone B and Zone C
    China (Beijing): Zone F, Zone E, Zone H, Zone G, Zone A, Zone C, Zone J, Zone I, Zone L, and Zone K
    China (Zhangjiakou): Zone A, Zone B, and Zone C
    China (Hohhot): Zone A and Zone B
    China (Ulanqab): Zone A, Zone B, and Zone C
    China (Chengdu): Zone A and Zone B
    China (Hong Kong): Zone B, Zone C, and Zone D
    Singapore: Zone A, Zone B, and Zone C
    Thailand (Bangkok): Zone A
    Japan (Tokyo): Zone A, Zone B, and Zone C
    South Korea (Seoul): Zone A
    Philippines (Manila): Zone A
    Indonesia (Jakarta): Zone A, Zone B, and Zone C
    Malaysia (Kuala Lumpur): Zone A and Zone B
    India (Mumbai): Zone A and Zone B
    UK (London): Zone A and Zone B
    Germany (Frankfurt): Zone A, Zone B, and Zone C
    US (Silicon Valley): Zone A and Zone B
    US (Virginia): Zone A and Zone B

Prerequisites

Before you create an IPsec-VPN connection to connect a data center to a VPC, make sure that the following requirements are met:

  • If you want to associate the IPsec-VPN connection with a public VPN gateway or create a public IPsec-VPN connection that is associated with a transit router, you need to assign a public IP address to the on-premises gateway device in the data center.

    If you want to associate the IPsec-VPN connection with a public VPN gateway and the region of the public VPN gateway supports the dual-tunnel mode, we recommend that you create two IPsec-VPN connections for high availability. To do this, you need to assign two public IP addresses to the on-premises gateway device, or deploy another on-premises gateway device and then assign a public IP address to each on-premises gateway device.

  • The on-premises gateway device must support IKEv1 or IKEv2 to establish IPsec-VPN connections with a VPN gateway.

  • The CIDR block of the data center does not overlap with the CIDR block of the VPC.

  • The security group rules that are applied to the Elastic Compute Service (ECS) instances in the VPC allow gateway devices in the data center to access cloud resources. For more information, see View security group rules and Add a security group rule.
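The prerequisites above are easy to get wrong on paper (an on-premises prefix that sits inside the VPC block, a "public" address that is really RFC 1918 or carrier-grade NAT space, only one public IP when two connections are planned). The following pre-flight check is an added example written for this page; it is not Alibaba Cloud code and calls no Alibaba Cloud API. It assumes the CIDR blocks and gateway addresses are passed in as plain strings, and the list of non-public ranges and all sample values are constructed for illustration.

```python
# Added example: pre-flight checks for the IPsec-VPN prerequisites above.
# Not Alibaba Cloud code; it only inspects the CIDR blocks and public IP
# addresses you intend to use. All sample values are constructed.
import ipaddress

# Address ranges that a remote IPsec peer on the Internet cannot reach.
# Assumption: RFC 1918, CGNAT (RFC 6598), loopback and link-local ranges;
# extend the list if your ISP hands out other non-routable space.
NON_PUBLIC_RANGES = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
)]


def overlapping_pairs(local_cidrs, remote_cidrs):
    """Return every (local, remote) pair whose address ranges intersect.

    strict=True rejects host addresses written as prefixes ("10.0.0.1/16"),
    which is almost always a typo in a routing configuration.
    """
    local = [ipaddress.ip_network(c, strict=True) for c in local_cidrs]
    remote = [ipaddress.ip_network(c, strict=True) for c in remote_cidrs]
    return [
        (str(l), str(r))
        for l in local
        for r in remote
        if l.version == r.version and l.overlaps(r)
    ]


def is_public_ip(ip):
    """True if ip lies outside every range in NON_PUBLIC_RANGES."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_PUBLIC_RANGES)


def check_prerequisites(data_center_cidrs, vpc_cidrs, transit_router_cidrs=(),
                        public_ips=(), dual_tunnel=False):
    """Return a list of problems; an empty list means every check passed.

    data_center_cidrs:    prefixes advertised by the on-premises network
    vpc_cidrs:            CIDR blocks of the VPC(s) to connect
    transit_router_cidrs: CIDR block(s) configured on the transit router,
                          when the connection is associated with one
    public_ips:           public IP address(es) of the on-premises gateway(s)
    dual_tunnel:          True when two connections are planned for HA
    """
    problems = []
    for local, remote in overlapping_pairs(data_center_cidrs, vpc_cidrs):
        problems.append(f"data center {local} overlaps VPC {remote}")
    for local, remote in overlapping_pairs(data_center_cidrs, transit_router_cidrs):
        problems.append(f"data center {local} overlaps transit router CIDR {remote}")

    usable = set()
    for ip in public_ips:
        if is_public_ip(ip):
            usable.add(str(ipaddress.ip_address(ip)))  # normalised, de-duplicated
        else:
            problems.append(f"{ip} is not a public IP address; the cloud side cannot reach it")
    needed = 2 if dual_tunnel else 1
    if len(usable) < needed:
        problems.append(
            f"need {needed} distinct public IP address(es) on the on-premises side, have {len(usable)}"
        )
    return problems


if __name__ == "__main__":
    # Constructed sample: the second data center prefix sits inside the VPC
    # block, and one of the "public" addresses is actually RFC 1918 space.
    for problem in check_prerequisites(
        data_center_cidrs=["10.0.0.0/16", "172.20.0.0/24"],
        vpc_cidrs=["172.16.0.0/12"],
        transit_router_cidrs=["192.168.100.0/24"],
        public_ips=["203.0.113.10", "10.1.1.1"],
        dual_tunnel=True,
    ):
        print("FAIL:", problem)
```

Run the script before creating the customer gateway and the IPsec-VPN connection; the transit router CIDR check only matters when the connection will be associated with a transit router, since that CIDR block is part of the same routing domain as the data center prefixes.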

Procedure

The procedure for configuring IPsec-VPN varies based on the instance that is associated with the IPsec-VPN connection. The following section describes the procedures for different scenarios.

Procedure for scenarios in which a VPN gateway is used

Figure: IPsec-VPN configuration workflow when a VPN gateway is used (figure not reproduced)

Step 1. Create a VPN gateway
  Create a VPN gateway and enable IPsec-VPN.

Step 2. Create a customer gateway
  Create a customer gateway and add the configuration of the gateway device in the data center to the customer gateway on Alibaba Cloud.

Step 3. Create an IPsec-VPN connection
  An IPsec-VPN connection is an encrypted VPN tunnel between a VPN gateway and a gateway device in the data center.
  Note: When you create an IPsec-VPN connection, set the Associate Resource parameter to VPN Gateway.

Step 4. Configure on-premises gateways
  To connect the data center to the VPN gateway, add the IPsec-VPN configuration to the gateway device in the data center.

Step 5. Configure a route for the VPN gateway
  Configure a route that points to the data center on the VPN gateway and advertise the route to the VPC route table. This way, the data center can be connected to the VPC.

Step 6. Test network connectivity
  Log on to an ECS instance in the VPC that is not assigned a public IP address. Then, run the ping command to ping the private IP address of a server in the data center.

Procedure for scenarios in which a transit router is used

Figure: IPsec-VPN configuration workflow when a transit router is used (figure not reproduced)

Step 1. Create a CEN instance
  Before you create a transit router, you must first create a CEN instance.

Step 2. Create a transit router
  A transit router is used to forward data. Create the transit router in the region in which the data center is deployed, or in a region near the data center.
  Important: When you create a transit router, you must configure a CIDR block for the transit router. Otherwise, IPsec-VPN connections cannot be associated with the transit router. If you have already created a transit router, you can configure a CIDR block for it afterwards. For more information, see Transit router CIDR blocks.

Step 3. Create a customer gateway
  Create a customer gateway and add the configuration of the gateway device in the data center to the customer gateway on Alibaba Cloud.

Step 4. Create and manage an IPsec-VPN connection in single-tunnel mode
  An IPsec-VPN connection is an encrypted VPN tunnel between Alibaba Cloud and a gateway device in the data center. After you associate a transit router with the IPsec-VPN connection, traffic from the data center can be forwarded to the transit router over the IPsec-VPN connection.
  Note: When you create an IPsec-VPN connection, set the Associate Resource parameter to CEN or Do Not Associate.

Step 5. Configure on-premises gateways
  To connect the data center to Alibaba Cloud, add the IPsec-VPN configuration to the gateway device in the data center.

Step 6. Configure a route for an IPsec-VPN connection
  Configure a route that points to the data center for the IPsec-VPN connection and advertise the route to the route table of the transit router. This way, the data center can be connected to the VPC.

Step 7. Test network connectivity
  Log on to an ECS instance in the VPC that is not assigned a public IP address. Then, run the ping command to ping the private IP address of a server in the data center.