
VPN Gateway:Create and manage IPsec-VPN connections in single-tunnel mode

Last Updated: Dec 06, 2023

You can create IPsec-VPN connections to establish encrypted connections. This topic describes how to create and manage IPsec-VPN connections in single-tunnel mode.

Background information

When you create an IPsec-VPN connection, you can enable or disable the following features:

  • DPD: the dead peer detection (DPD) feature.

    After you enable DPD, the initiator of the IPsec-VPN connection sends DPD packets to check the existence and availability of the peer. If no response is received from the peer within a specified period of time, the connection fails. Then, the ISAKMP Security Association (SA), IPsec SA, and IPsec tunnel are deleted.

    This feature is enabled by default.

  • NAT Traversal: the network address translation (NAT) traversal feature.

    After you enable NAT traversal, the initiator does not check the UDP ports during IKE negotiations and can automatically discover NAT gateway devices along the IPsec tunnel.

    This feature is enabled by default.

  • BGP: the Border Gateway Protocol (BGP) dynamic routing feature.

    After you enable BGP dynamic routing, the IPsec-VPN connection automatically learns and advertises routes. This facilitates network maintenance and configuration.

    This feature is disabled by default.

  • Health Check: the health check feature.

    In scenarios in which the same VPN gateway is used to create active and standby IPsec-VPN connections, you can configure health checks to check the connectivity of the active and standby connections. After you configure health checks, the system sends Internet Control Message Protocol (ICMP) packets to the destination IP address to check the connectivity of the IPsec-VPN connection. If the active connection is down, the standby connection automatically takes over. This improves the availability of your services.

    Note

    If the IPsec-VPN connection fails health checks, the system resets the IPsec tunnel. In scenarios in which active/standby connections are not used, we recommend that you use the DPD feature instead of the health check feature to check connectivity.

    This feature is disabled by default.

The supported features vary based on the resource associated with the IPsec-VPN connection, as described in the following section:

  • If you associate the IPsec-VPN connection with a transit router when you create the IPsec-VPN connection, DPD, NAT traversal, BGP dynamic routing, and health checks are supported.

  • If you associate the IPsec-VPN connection with a VPN gateway when you create the IPsec-VPN connection:

    If the VPN gateway uses the latest version, DPD, NAT traversal, BGP dynamic routing, and health checks are supported. Otherwise, you can use only the features supported by the current version of the VPN gateway.

    You can check whether your VPN gateway uses the latest version based on the status of the Upgrade button. If your VPN gateway does not use the latest version, you can click Upgrade to update your VPN gateway. For more information, see Upgrade a VPN gateway.

Prerequisites

Before you create an IPsec-VPN connection, learn about the procedure and make sure that the prerequisites are met. For more information, see Procedure.

Create an IPsec-VPN connection

  1. Log on to the VPN Gateway console.
  2. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

  3. In the top navigation bar, select the region where you want to create the IPsec-VPN connection.

    Note

    The IPsec-VPN connection and the VPN gateway or the transit router to be associated must belong to the same region.

  4. On the IPsec Connections page, click Create IPsec-VPN Connection.

  5. On the Create IPsec-VPN Connection page, set the parameters for the IPsec-VPN connection, and click OK.

    The required parameters vary based on the resource that you want to associate with the IPsec-VPN connection. The following table lists all parameters.

    Basic settings

    Parameter

    Description

    Name

    Specify a name for the IPsec-VPN connection.

    Associate Resource

    Select the type of resource to be associated with the IPsec-VPN connection.

    • If you want to associate the IPsec-VPN connection with a transit router, select CEN or Do Not Associate.

      • If you select CEN, the system automatically associates the IPsec-VPN connection with the specified transit router of the current Alibaba Cloud account.

      • If you select Do Not Associate, the IPsec-VPN connection is not associated with a resource. You can manually associate the IPsec-VPN connection with a transit router of the current Alibaba Cloud account or a different Alibaba Cloud account in the Cloud Enterprise Network (CEN) console. For more information, see Attach an IPsec-VPN connection to a transit router.

      Note

      If you want to associate the IPsec-VPN connection with different transit routers, these transit routers must belong to different CEN instances. You can associate the IPsec-VPN connection with different transit routers in the CEN console. For more information, see Attach an IPsec-VPN connection to a transit router.

    • If you want to associate the IPsec-VPN connection with a VPN gateway, select VPN Gateway.

    Gateway Type

    Select the network type of the IPsec-VPN connection.

    • Public (default): The IPsec-VPN connection is established over the Internet.

    • Private: The IPsec-VPN connection is established over private networks.

    CEN Instance ID

    Select the ID of the CEN instance to which the transit router belongs.

    Zone

    Select a zone.

    The system creates resources in the specified zone.

    Transit Router

    Select the transit router to be associated with the IPsec-VPN connection.

    VPN Gateway

    Select the VPN gateway to be associated with the IPsec-VPN connection.

    Customer Gateway

    Select the customer gateway to be associated with the IPsec-VPN connection.

    Routing Mode

    Select a routing mode for the IPsec-VPN connection.

    • Destination Routing Mode (default): routes and forwards traffic based on the destination IP address.

    • Protected Data Flows: routes and forwards traffic based on source and destination IP addresses.

      After you select Protected Data Flows, you must set Local Network and Remote Network. After you configure the IPsec-VPN connection:

      • If the IPsec-VPN connection is associated with a VPN gateway, the system automatically adds policy-based routes to the route table of the VPN gateway.

        The policy-based routes are not advertised by default. You can determine whether to advertise the routes to the VPC route table based on your requirements. For more information, see Advertise a policy-based route.

      • If the IPsec-VPN connection is associated with a transit router, the system automatically adds destination-based routes to the route table of the IPsec-VPN connection. The destination-based routes are automatically advertised to the route table of the associated transit router.

    Note

    If the IPsec-VPN connection is associated with a VPN gateway and the VPN gateway does not use the latest version, you do not need to specify the routing mode.

    Local Network

    Enter the CIDR block on the VPC side. The CIDR block is used in Phase 2 negotiations.

    Click the Add icon on the right side of the text box to add more CIDR blocks.

    Note

    If you specify multiple CIDR blocks, you must set the Internet Key Exchange (IKE) version to ikev2.

    Remote Network

    Enter the CIDR block on the data center side. This CIDR block is used in Phase 2 negotiations.

    Click the Add icon on the right side of the text box to add more CIDR blocks.

    Note

    If you specify multiple CIDR blocks, you must set the IKE version to ikev2.

    Effective Immediately

    Specify whether to immediately start IPsec negotiations.

    • Yes: immediately starts IPsec negotiation after the settings are completed. This is the default value.

    • No: starts IPsec negotiations when inbound traffic is detected.

    Pre-Shared Key

    Enter the pre-shared key that is used for authentication between the data center and the VPN gateway or transit router.

    • The key must be 1 to 100 characters in length and can contain digits, letters, and the following characters: ~ ` ! @ # $ % ^ & * ( ) _ - + = { } [ ] \ | ; : ' , . < > / ?.

    • If you do not specify a pre-shared key, the system randomly generates a 16-character string as the pre-shared key. After you create an IPsec-VPN connection, you can click Edit to view the pre-shared key that is generated by the system. For more information, see Modify an IPsec-VPN connection.

    Important

    The pre-shared keys must be the same on both sides. Otherwise, the system cannot establish an IPsec-VPN connection.
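The key rules above (1 to 100 characters, the listed character set, a 16-character key generated when the field is left empty, identical keys on both sides) can be checked before the values are typed into two consoles. The following is an added example written for this page, not Alibaba Cloud code; the entropy estimate and the CSPRNG-based generator are the editor's additions.

```python
import math
import secrets
import string

# Character set the console accepts for a pre-shared key, as listed on this page:
# digits, letters, and ~ ` ! @ # $ % ^ & * ( ) _ - + = { } [ ] \ | ; : ' , . < > / ?
PSK_SPECIALS = "~`!@#$%^&*()_-+={}[]\\|;:',.<>/?"
PSK_ALPHABET = string.ascii_letters + string.digits + PSK_SPECIALS
PSK_MIN_LEN, PSK_MAX_LEN = 1, 100


def validate_psk(psk: str) -> list:
    """Return a list of problems; an empty list means the console would accept the key."""
    problems = []
    if not PSK_MIN_LEN <= len(psk) <= PSK_MAX_LEN:
        problems.append(f"length {len(psk)} outside {PSK_MIN_LEN}-{PSK_MAX_LEN}")
    bad = sorted({c for c in psk if c not in PSK_ALPHABET})
    if bad:
        # Spaces and double quotes are the usual offenders: neither is in the allowed set.
        problems.append("disallowed characters: " + " ".join(repr(c) for c in bad))
    return problems


def psk_entropy_bits(psk: str) -> float:
    """Upper bound on key entropy if every character was drawn uniformly from the alphabet.

    This is an added estimate, not a console rule: the console accepts a 1-character key.
    """
    return len(psk) * math.log2(len(PSK_ALPHABET))


def generate_psk(length: int = 16) -> str:
    """Generate a random key from the allowed alphabet with a CSPRNG.

    16 characters matches the length of the key the system generates when the
    field is left empty; anything up to 100 characters is accepted.
    """
    if not PSK_MIN_LEN <= length <= PSK_MAX_LEN:
        raise ValueError(f"length must be between {PSK_MIN_LEN} and {PSK_MAX_LEN}")
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


def peers_match(cloud_side: str, dc_side: str) -> bool:
    """Both sides must carry the identical key or Phase 1 authentication fails."""
    return secrets.compare_digest(cloud_side.encode(), dc_side.encode())
```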

    Encryption settings

    Parameter

    Description

    Advanced settings: IKE settings

    Version

    The version of the IKE protocol.

    • ikev1

    • ikev2 (default)

      Compared with IKEv1, IKEv2 simplifies SA negotiations and provides better support for scenarios in which communication is established among multiple CIDR blocks. We recommend that you use IKEv2.

    Negotiation Mode

    Select a negotiation mode.

    • main (default): This mode offers higher security during negotiations.

    • aggressive: This mode offers faster negotiations and a higher success rate.

    Connections negotiated in both modes ensure the same level of security for data transmission.

    Encryption Algorithm

    Select the encryption algorithm that is used in Phase 1 negotiations.

    Supported algorithms are aes (aes128 by default), aes192, aes256, des, and 3des.

    Note

    If the bandwidth of the VPN gateway is 200 Mbit/s or higher, aes, aes192, and aes256 are recommended. 3des is not recommended.

    • Advanced Encryption Standard (AES) is a symmetric-key encryption algorithm that provides high-level encryption and decryption. AES has little impact on network latency, throughput, and forwarding performance while ensuring data transmission security.

    • Triple DES (3DES) offers enhanced security through its triple-layered encryption technique. Compared with AES, 3DES encryption requires a large amount of computation, takes a long time, and downgrades forwarding performance.

    Authentication Algorithm

    Select the authentication algorithm that is used in Phase 1 negotiations.

    Supported algorithms are sha1 (default), md5, sha256, sha384, and sha512.

    DH Group

    Select the Diffie-Hellman (DH) key exchange algorithm that is used in Phase 1 negotiations.

    • group1: DH group 1

    • group2 (default): DH group 2

    • group5: DH group 5

    • group14: DH group 14

    SA Life Cycle (seconds)

    Enter a lifetime for the SA after Phase 1 negotiations succeed. Unit: seconds. Default value: 86400. Valid values: 0 to 86400.

    LocalId

    The identifier of the IPsec-VPN connection on the Alibaba Cloud side. The identifier is used in Phase 1 negotiations.

    • If the IPsec-VPN connection is associated with a transit router, the default value is the gateway IP address of the IPsec-VPN connection.

    • If the IPsec-VPN connection is associated with a VPN gateway, the default value is the IP address of the VPN gateway.

    You can set LocalId to a fully qualified domain name (FQDN). In this case, we recommend that you set Negotiation Mode to aggressive.

    RemoteId

    Specify the identifier of the IPsec-VPN connection on the data center side. The identifier is used in Phase 1 negotiations. The default identifier is the public IP address of the customer gateway.

    You can set RemoteId to an FQDN. In this case, we recommend that you set Negotiation Mode to aggressive.

    Advanced settings: IPsec settings

    Encryption Algorithm

    Select the encryption algorithm that is used in Phase 2 negotiations.

    Supported algorithms are aes (aes128 by default), aes192, aes256, des, and 3des.

    Note

    If the bandwidth of the VPN gateway is 200 Mbit/s or higher, aes, aes192, and aes256 are recommended. 3des is not recommended.

    • Advanced Encryption Standard (AES) is a symmetric-key encryption algorithm that provides high-level encryption and decryption. AES has little impact on network latency, throughput, and forwarding performance while ensuring data transmission security.

    • Triple DES (3DES) offers enhanced security through its triple-layered encryption technique. Compared with AES, 3DES encryption requires a large amount of computation, takes a long time, and downgrades forwarding performance.

    Authentication Algorithm

    Select the authentication algorithm that is used in Phase 2 negotiations.

    Supported algorithms are sha1 (default), md5, sha256, sha384, and sha512.

    DH Group

    The DH key exchange algorithm that is used in Phase 2 negotiations.

    • disabled: does not use the DH key exchange algorithm.

      • For clients that do not support PFS, select disabled.

      • If you select a value other than disabled, PFS is enabled by default. In this case, the key is updated for each negotiation. Therefore, you must enable PFS for the client.

    • group1: DH group 1

    • group2 (default): DH group 2

    • group5: DH group 5

    • group14: DH group 14

    SA Life Cycle (seconds)

    Specify the lifetime of the SA after Phase 2 negotiations succeed. Unit: seconds. Default value: 86400. Valid values: 0 to 86400.

    DPD

    Specify whether to enable the DPD feature. This feature is enabled by default.

    • For VPN gateways created between April 2019 and January 2023:

      • If IKEv1 is used when you create an IPsec-VPN connection, the timeout period of DPD packets is 30 seconds.

      • If IKEv2 is used when you create an IPsec-VPN connection, the timeout period of DPD packets is 3,600 seconds.

    • For VPN gateways created after February, 2023:

      • If IKEv1 is used when you create an IPsec-VPN connection, the timeout period of DPD packets is 30 seconds.

      • If IKEv2 is used when you create an IPsec-VPN connection, the timeout period of DPD packets is 130 seconds.

    NAT Traversal

    Specify whether to enable the NAT traversal feature. This feature is enabled by default.
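The IKE and IPsec settings above carry several cross-field rules (multiple CIDR blocks need ikev2, a Phase 2 DH group other than disabled forces PFS on the peer, FQDN identifiers pair with aggressive mode, 3des is discouraged at 200 Mbit/s and above, SA lifetimes stay within 0 to 86400). The checker below encodes those rules as an added example for this page; it is not Alibaba Cloud code, and the `ConnectionSettings` record with its `gateway_bandwidth_mbps` and `peer_supports_pfs` fields is a hypothetical shape chosen for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Value sets and limits as listed on the Create IPsec-VPN Connection page.
IKE_VERSIONS = {"ikev1", "ikev2"}
NEGOTIATION_MODES = {"main", "aggressive"}
ENCRYPTION_ALGORITHMS = {"aes", "aes192", "aes256", "des", "3des"}
AUTH_ALGORITHMS = {"sha1", "md5", "sha256", "sha384", "sha512"}
IKE_DH_GROUPS = {"group1", "group2", "group5", "group14"}
IPSEC_DH_GROUPS = IKE_DH_GROUPS | {"disabled"}
SA_LIFETIME_MAX = 86400
HIGH_BANDWIDTH_MBPS = 200  # at or above this, the page advises against 3des

@dataclass
class ConnectionSettings:
    """Hypothetical record of the console fields; defaults match the console defaults."""
    local_networks: List[str]
    remote_networks: List[str]
    ike_version: str = "ikev2"
    negotiation_mode: str = "main"
    ike_encryption: str = "aes"
    ike_auth: str = "sha1"
    ike_dh_group: str = "group2"
    ike_sa_lifetime: int = 86400
    ipsec_encryption: str = "aes"
    ipsec_auth: str = "sha1"
    ipsec_dh_group: str = "group2"
    ipsec_sa_lifetime: int = 86400
    local_id: str = ""   # empty means the console default (an IP address)
    remote_id: str = ""  # empty means the customer gateway's public IP address
    gateway_bandwidth_mbps: int = 10  # assumed field, used only for the 3des advice
    peer_supports_pfs: bool = True    # assumed field describing the data center device

def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def check_settings(s: ConnectionSettings) -> List[Tuple[str, str]]:
    """Return (severity, message) findings; 'error' items prevent a working tunnel."""
    findings = []
    for name, value, allowed in (
        ("IKE version", s.ike_version, IKE_VERSIONS),
        ("negotiation mode", s.negotiation_mode, NEGOTIATION_MODES),
        ("IKE encryption", s.ike_encryption, ENCRYPTION_ALGORITHMS),
        ("IKE authentication", s.ike_auth, AUTH_ALGORITHMS),
        ("IKE DH group", s.ike_dh_group, IKE_DH_GROUPS),
        ("IPsec encryption", s.ipsec_encryption, ENCRYPTION_ALGORITHMS),
        ("IPsec authentication", s.ipsec_auth, AUTH_ALGORITHMS),
        ("IPsec DH group", s.ipsec_dh_group, IPSEC_DH_GROUPS),
    ):
        if value not in allowed:
            findings.append(("error", f"{name} '{value}' is not a supported value"))
    for name, cidrs in (("Local Network", s.local_networks),
                        ("Remote Network", s.remote_networks)):
        for cidr in cidrs:
            try:
                ipaddress.ip_network(cidr, strict=True)  # rejects host bits set in the prefix
            except ValueError:
                findings.append(("error", f"{name} '{cidr}' is not a valid CIDR block"))
    # More than one CIDR block on either side requires IKEv2.
    if (len(s.local_networks) > 1 or len(s.remote_networks) > 1) and s.ike_version != "ikev2":
        findings.append(("error", "multiple CIDR blocks require IKE version ikev2"))
    for name, lifetime in (("IKE", s.ike_sa_lifetime), ("IPsec", s.ipsec_sa_lifetime)):
        if not 0 <= lifetime <= SA_LIFETIME_MAX:
            findings.append(("error", f"{name} SA lifetime {lifetime} is outside 0-{SA_LIFETIME_MAX}"))
    # Any Phase 2 DH group other than 'disabled' turns on PFS, so the peer must support it.
    if s.ipsec_dh_group != "disabled" and not s.peer_supports_pfs:
        findings.append(("error", "Phase 2 DH group enables PFS but the peer does not support PFS"))
    # An FQDN identifier on either side: the page recommends aggressive mode.
    for name, ident in (("LocalId", s.local_id), ("RemoteId", s.remote_id)):
        if ident and not _is_ip(ident) and s.negotiation_mode != "aggressive":
            findings.append(("warning", f"{name} is an FQDN; negotiation mode aggressive is recommended"))
    if s.gateway_bandwidth_mbps >= HIGH_BANDWIDTH_MBPS and "3des" in (s.ike_encryption, s.ipsec_encryption):
        findings.append(("warning", "3des is not recommended at 200 Mbit/s or higher; use aes, aes192 or aes256"))
    return findings
```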

    BGP Configuration

    Before you use BGP dynamic routing, we recommend that you learn about how it works and its limits. For more information, see VPN Gateway supports BGP dynamic routing.

    By default, the BGP feature is disabled. Before you add a BGP configuration, enable the BGP feature.

    Parameter

    Description

    Tunnel CIDR Block

    Enter the CIDR block of the IPsec tunnel.

    The CIDR block must fall into 169.254.0.0/16. The mask of the CIDR block must be 30 bits in length.

    Local BGP IP address

    Enter the BGP IP address of the IPsec-VPN connection on the Alibaba Cloud side.

    This IP address falls within the CIDR block of the IPsec tunnel.

    Local ASN

    Enter the autonomous system number (ASN) of the IPsec-VPN connection on the Alibaba Cloud side. Default value: 45104. Valid values: 1 to 4294967295.

    You can enter the ASN in two segments and separate the first 16 bits from the following 16 bits with a period (.). Enter the number in each segment in the decimal format.

    For example, if you enter 123.456, the ASN is: 123 × 65536 + 456 = 8061384.

    Note

    We recommend that you use a private ASN to establish a connection to Alibaba Cloud over BGP. Refer to the relevant documentation for the valid range of a private ASN.
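The BGP table above fixes the tunnel block (a /30 inside 169.254.0.0/16), places the local BGP address inside it, and accepts the ASN either as a plain number or as two dotted 16-bit segments. The validator below is an added example for this page, not Alibaba Cloud code. It assumes the private ASN ranges of RFC 6996 (64512 to 65534 and 4200000000 to 4294967294), which the page does not list, and it additionally rejects the network and broadcast addresses of the /30 as BGP addresses, which is the editor's assumption rather than a stated console rule.

```python
import ipaddress

TUNNEL_SUPERNET = ipaddress.ip_network("169.254.0.0/16")
TUNNEL_PREFIX_LEN = 30
ASN_MIN, ASN_MAX = 1, 4294967295
# Private ASN ranges from RFC 6996 (added fact; the page only says "use a private ASN").
PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))


def parse_asn(text: str) -> int:
    """Accept asplain ('8061384') or the two-segment dotted form ('123.456')."""
    text = text.strip()
    if "." in text:
        high, low = text.split(".", 1)
        hi, lo = int(high), int(low)
        if not (0 <= hi <= 65535 and 0 <= lo <= 65535):
            raise ValueError("each dotted segment must be between 0 and 65535")
        asn = hi * 65536 + lo  # the page's example: 123.456 -> 8061384
    else:
        asn = int(text)
    if not ASN_MIN <= asn <= ASN_MAX:
        raise ValueError(f"ASN {asn} is outside {ASN_MIN}-{ASN_MAX}")
    return asn


def is_private_asn(asn: int) -> bool:
    return any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)


def check_bgp_config(tunnel_cidr: str, local_bgp_ip: str, local_asn: str) -> list:
    """Return problems with a BGP configuration; an empty list means it is acceptable."""
    problems = []
    try:
        tunnel = ipaddress.ip_network(tunnel_cidr, strict=True)
    except ValueError:
        return [f"tunnel CIDR block '{tunnel_cidr}' is not a valid network"]
    if tunnel.prefixlen != TUNNEL_PREFIX_LEN:
        problems.append(f"tunnel mask must be /{TUNNEL_PREFIX_LEN}, got /{tunnel.prefixlen}")
    if not tunnel.subnet_of(TUNNEL_SUPERNET):
        problems.append(f"tunnel CIDR block must fall within {TUNNEL_SUPERNET}")
    try:
        bgp_ip = ipaddress.ip_address(local_bgp_ip)
    except ValueError:
        problems.append(f"local BGP IP address '{local_bgp_ip}' is not a valid address")
        return problems
    if bgp_ip not in tunnel:
        problems.append(f"local BGP IP address {bgp_ip} is outside the tunnel block {tunnel}")
    elif bgp_ip in (tunnel.network_address, tunnel.broadcast_address):
        # Assumption: only the two host addresses of the /30 are usable BGP endpoints.
        problems.append(f"local BGP IP address {bgp_ip} is the network or broadcast address of {tunnel}")
    try:
        asn = parse_asn(local_asn)
        if not is_private_asn(asn):
            problems.append(f"local ASN {asn} is not a private ASN (recommendation on this page)")
    except ValueError as exc:
        problems.append(f"local ASN: {exc}")
    return problems
```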

    Health checks

    By default, the health check feature is disabled. Before you add a health check configuration, enable the health check feature.

    Important

    After you enable health checks for the IPsec-VPN connection, add the following route to the data center so that health checks run as expected: the destination is the health check Source IP Address with a 32-bit subnet mask (/32), and the next hop is the IPsec-VPN connection.

    Parameter

    Description

    Destination IP Address

    Enter the IP address of the data center with which the VPC can communicate based on the IPsec-VPN connection.

    Note

    Make sure that the destination IP address supports ICMP responses.

    Source IP Address

    Enter the IP address of the VPC with which the data center can communicate based on the IPsec-VPN connection.

    Retry Interval

    Select the retry interval of the health check. Unit: seconds. Default value: 3.

    Number of Retries

    Specify the number of health check retries. Default value: 3.

    Switch Route

    Specify whether to allow the system to withdraw advertised routes after health checks fail. Default value: Yes, which allows the system to withdraw advertised routes after health checks fail.

    If you clear Yes, the system does not withdraw advertised routes after health checks fail.

    Advanced Configuration

    When you create an IPsec-VPN connection, the system selects the following advanced features by default.

    Parameter

    Description

    Automatic Advertising

    After you enable this feature, the system automatically advertises routes of the route table of the transit router associated with the IPsec-VPN connection to the BGP route table associated with the IPsec-VPN connection.

    Note
    • This feature takes effect only if BGP dynamic routing is enabled for the IPsec-VPN connection and data center.

    • You can disable this feature by turning off Automatic Route Advertisement. For more information, see Disable route synchronization.

    Associate with Default Route Table of Transit Router

    After you enable this feature, the IPsec-VPN connection will be associated with the default route table of the transit router. The transit router queries the default route table to forward traffic from the IPsec-VPN connection.

    Automatically Advertise System Routes to Default Route Table of Transit Router

    After you enable this feature, the system advertises the routes of the destination-based route table and the BGP route table of the IPsec-VPN connection to the default route table of the transit router.

    You can disable the preceding advanced features, and use the transit router to establish network communication based on business requirements. For more information, see Manage routes.

    Tags

    When you create an IPsec-VPN connection, you can add tags to the IPsec-VPN connection to facilitate resource aggregation and search. For more information, see Overview.

    Parameter

    Description

    Tag Key

    Select or enter a tag key.

    Tag Value

    Select or enter a tag value. You can leave the tag value empty.

Download the configuration of an IPsec-VPN connection

After you create an IPsec-VPN connection, you can download the configuration file of the IPsec-VPN connection and load the configuration to an on-premises gateway device.

  1. Log on to the VPN Gateway console.

  2. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

  3. In the top navigation bar, select the region of the IPsec-VPN connection.
  4. On the IPsec Connections page, find the IPsec-VPN connection and click Download Peer Configuration in the Actions column.

  5. In the IPsec-VPN Connection Configuration dialog box, copy the configuration and save it to your on-premises machine to configure your on-premises gateway device.

    For more information about how to configure on-premises gateway devices, see Configure on-premises gateways.

Grant the permissions on the IPsec-VPN connection to a transit router of another Alibaba Cloud account

You can associate an IPsec-VPN connection with a transit router of another Alibaba Cloud account. However, you cannot associate an IPsec-VPN connection with a VPN gateway of another Alibaba Cloud account. Before you associate an IPsec-VPN connection with a transit router of another Alibaba Cloud account, you must grant the permissions on the IPsec-VPN connection to the transit router.

Before you grant the permissions, make sure that the IPsec-VPN connection is not associated with a resource.

  • If the IPsec-VPN connection is already associated with a VPN gateway, you cannot associate the IPsec-VPN connection with a transit router of the same or another Alibaba Cloud account.

  • If the IPsec-VPN connection is already associated with a transit router, you must first disassociate the IPsec-VPN connection from the transit router. For more information, see Delete a network instance connection.

  1. Log on to the VPN Gateway console.

  2. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

  3. In the top navigation bar, select the region of the IPsec-VPN connection.
  4. On the IPsec Connections page, find the IPsec-VPN connection and click its ID.

  5. On the details page, click the CEN Cross Account Authorization tab, and then click Authorize Cross Account Attach CEN.

  6. In the Attach to CEN dialog box, set the following parameters and click OK.

    Parameter

    Description

    Peer Account UID

    Enter the ID of the Alibaba Cloud account to which the transit router belongs.

    Peer Account CEN ID

    Enter the ID of the CEN instance to which the transit router belongs.

    Payer

    Select the payer.

    • CEN Instance Owner (default): After the IPsec-VPN connection is associated with a transit router, the owner of the transit router pays the connection fee and data processing fee of the transit router.

    • VPN Owner: After the IPsec-VPN connection is associated with a transit router, the owner of the IPsec-VPN connection pays the connection fee and data processing fee of the transit router.

    Important
    • Proceed with caution. Your services may be interrupted if you change the payer. For more information, see Change the account that pays the bills.

    • After the IPsec-VPN connection is associated with a transit router, the owner of the IPsec-VPN connection pays the instance fee and data transfer fee of the IPsec-VPN connection.

  7. We recommend that you record the ID of the IPsec-VPN connection and the ID of the Alibaba Cloud account to which the IPsec-VPN connection belongs. This facilitates creating VPN connections. For more information, see Attach an IPsec-VPN connection to a transit router.

    You can view the account ID on the Account Center page.

Modify an IPsec-VPN connection

  • If the IPsec-VPN connection is already associated with a transit router, you cannot modify the following information about the IPsec-VPN connection: the associated transit router, zone, or gateway type. However, you can modify the following information: the customer gateway, routing mode, pre-shared key, and advanced configurations.

  • If the IPsec-VPN connection is already associated with a VPN gateway, you cannot modify the associated VPN gateway or customer gateway. However, you can modify the following information: the routing mode, pre-shared key, and advanced configurations.

  • If the IPsec-VPN connection is not associated with a resource, you cannot modify the associated customer gateway or gateway type. However, you can modify the following information: the routing mode, pre-shared key, and advanced configurations.

  1. Log on to the VPN Gateway console.

  2. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

  3. In the top navigation bar, select the region of the IPsec-VPN connection.
  4. On the IPsec Connections page, find the IPsec-VPN connection that you want to manage, and click Edit in the Actions column.

  5. On the Modify IPsec-VPN Connection page, modify the name, advanced settings, and CIDR blocks as needed, and then click OK.

    For more information about the parameters, see Create an IPsec-VPN connection.

Revoke the permissions on the IPsec-VPN connection granted to a transit router of another Alibaba Cloud account

If you no longer need to associate an IPsec-VPN connection with a transit router of another Alibaba Cloud account, you can revoke the permissions on the IPsec-VPN connection granted to the transit router.

If the IPsec-VPN connection is already associated with a transit router, you must first disassociate the IPsec-VPN connection from the transit router before you revoke the permissions. For more information, see Delete a network instance connection.

  1. Log on to the VPN Gateway console.

  2. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

  3. In the top navigation bar, select the region of the IPsec-VPN connection.
  4. On the IPsec Connections page, find the IPsec-VPN connection and click its ID.

  5. On the CEN Cross Account Authorization tab, find the authorization record and click Unauthorize in the Actions column.

  6. In the Unauthorize message, confirm the information and click OK.

Delete an IPsec-VPN connection

  • If the IPsec-VPN connection is associated with a transit router, disassociate the IPsec-VPN connection from the transit router before you delete the IPsec-VPN connection. For more information, see Delete a network instance connection.

  • If the IPsec-VPN connection is associated with a VPN gateway, you can directly delete the IPsec-VPN connection.

  1. Log on to the VPN Gateway console.

  2. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

  3. In the top navigation bar, select the region of the IPsec-VPN connection.
  4. On the IPsec Connections page, find the IPsec-VPN connection that you want to delete, and click Delete in the Actions column.

  5. In the message that appears, confirm the information and click OK.