This topic describes how to connect a VPC to an on-premises data center through IPsec-VPN.

Prerequisites

Before you use IPsec-VPN to connect an on-premises data center to a VPC, make sure that the following requirements are met:
  • The gateway device of the on-premises data center supports the IKEv1 and IKEv2 protocols.

    IPsec-VPN supports the IKEv1 and IKEv2 protocols. Gateway devices that support these two protocols can connect to VPN gateways on Alibaba Cloud, such as devices from H3C, Hillstone, Sangfor, Cisco ASA, Juniper, SonicWall, Nokia, IBM, and Ixia.

  • The gateway device of the on-premises data center is assigned a static public IP address.
  • The CIDR block of the on-premises data center must not overlap with that of the VPC.

Procedure

The following figure shows the procedure of connecting an on-premises data center to a VPC through IPsec-VPN.
  1. Create a VPN gateway

    You must enable the IPsec-VPN feature for the VPN gateway. A maximum of 10 IPsec-VPN connections can be established to each VPN gateway.

  2. Create a customer gateway

    Creating a customer gateway registers the information of the on-premises gateway device with Alibaba Cloud so that the customer gateway can then be connected to the VPN gateway. A customer gateway can be connected to multiple VPN gateways.

  3. Create an IPsec-VPN connection

    An IPsec-VPN connection is a VPN channel established between a VPN gateway and a customer gateway. The on-premises data center can exchange encrypted data with Alibaba Cloud only after an IPsec-VPN connection is established.

  4. Configure the gateway device

    You must load the configuration of the VPN gateway on Alibaba Cloud to the gateway device of the on-premises data center. For more information, see Configure local gateways.

  5. Configure routes for the VPN gateway

    You must configure routes for the VPN gateway and publish the routes to the route table of the VPC where the VPN gateway is deployed. For more information, see VPN Gateway route overview.

  6. Test the connectivity

    Log on to an Elastic Compute Service (ECS) instance that is not assigned a public IP address, and ping the private IP address of a server in the on-premises data center to test the connectivity.
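A pre-flight check for the prerequisites listed above (IKE support, static public gateway IP, non-overlapping CIDR blocks) and the per-gateway connection limit from step 1, as an added Python example that is not part of this page or of Alibaba Cloud's tooling. The site record format, the function names and the sample addresses are constructed assumptions.

```python
import ipaddress

# Limit stated in step 1 of the procedure.
MAX_IPSEC_CONNECTIONS_PER_VPN_GATEWAY = 10

# Ranges that can never be a static public gateway IP. RFC 5737 documentation ranges
# (such as 203.0.113.0/24) are left out on purpose so the constructed sample can use them.
NON_PUBLIC_RANGES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

def is_public_ipv4(addr: str) -> bool:
    """True if addr is an IPv4 address outside every range in NON_PUBLIC_RANGES."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and not any(ip in net for net in NON_PUBLIC_RANGES)

def preflight_check(vpc_cidr: str, sites: list) -> list:
    """Check the page's prerequisites for every site that will connect to one VPN gateway.
    Each site is a dict with name, gateway_ip, cidr and ike_versions (constructed format).
    Returns a list of problem strings; an empty list means the plan passes."""
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr, strict=False)
    if len(sites) > MAX_IPSEC_CONNECTIONS_PER_VPN_GATEWAY:
        problems.append(f"{len(sites)} connections requested, limit is {MAX_IPSEC_CONNECTIONS_PER_VPN_GATEWAY}")
    checked = []  # (name, network) of sites already validated, for pairwise overlap checks
    for site in sites:
        name = site["name"]
        if not site["ike_versions"] & {"ikev1", "ikev2"}:
            problems.append(f"{name}: gateway device supports neither IKEv1 nor IKEv2")
        if not is_public_ipv4(site["gateway_ip"]):
            problems.append(f"{name}: gateway IP {site['gateway_ip']} is not a public address")
        net = ipaddress.ip_network(site["cidr"], strict=False)
        if net.overlaps(vpc):
            problems.append(f"{name}: CIDR {net} overlaps VPC CIDR {vpc}")
        for other_name, other_net in checked:
            if net.overlaps(other_net):
                problems.append(f"{name}: CIDR {net} overlaps {other_name} CIDR {other_net}")
        checked.append((name, net))
    return problems

# Constructed sample: dc-a passes; dc-b fails on a private gateway IP and an overlapping CIDR.
SAMPLE_VPC = "192.168.0.0/16"
SAMPLE_SITES = [
    {"name": "dc-a", "gateway_ip": "203.0.113.10", "cidr": "10.10.0.0/16", "ike_versions": {"ikev2"}},
    {"name": "dc-b", "gateway_ip": "192.168.1.1", "cidr": "192.168.8.0/24", "ike_versions": {"ikev1", "ikev2"}},
]
if __name__ == "__main__":
    for p in preflight_check(SAMPLE_VPC, SAMPLE_SITES):
        print("FAIL:", p)
```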

For more information, see Connect on-premises data centers to VPC networks.