When you use IPsec-VPN to establish a site-to-site connection, you must load the IPsec-VPN configuration to the gateway device that is deployed in the data center after you configure the VPN gateway on Alibaba Cloud. This topic provides an example on how to load the IPsec-VPN configuration to a Cisco firewall device that is deployed in a data center.
Background information
Item | Parameter | Example
---|---|---
VPC | vSwitch CIDR block | 192.168.10.0/24 and 192.168.11.0/24
VPC | Public IP address of the VPN gateway | 47.XX.XX.161
Data center | Private CIDR block | 10.10.10.0/24
Data center | Public IP address of the Cisco firewall device | 124.XX.XX.171
- The following sections describe how to add the VPN configuration when the on-premises gateway device (a Cisco firewall) uses IKEv1 or IKEv2. Choose the configuration that matches the IKE version supported by the Cisco firewall device. For more information about how to select an IKE version, see How do I choose the IKE version when I configure an IPsec-VPN connection?
- If you want to connect multiple CIDR blocks of a data center to a VPC, we recommend that you use IKEv2, create multiple IPsec-VPN connections, and add routes to the VPN gateway on Alibaba Cloud. For more information, see Configuration suggestions and FAQ about enabling communication among CIDR blocks.
Configure IKEv1 VPN
Prerequisites
- An IPsec-VPN connection is created in a VPC. For more information, see Create and manage IPsec-VPN connections.
- The configuration of the IPsec-VPN connection is downloaded. For more information, see Download the configuration file of an IPsec-VPN connection. The following configuration is used in this example.

Protocol | Parameter | Example
---|---|---
IKE | Authentication algorithm | SHA-1
IKE | Encryption algorithm | AES-128
IKE | DH group | group2
IKE | IKE version | IKEv1
IKE | Lifecycle | 86400
IKE | Negotiation mode | main
IKE | PSK | 123456
IPsec | Authentication algorithm | SHA-1
IPsec | Encryption algorithm | AES-128
IPsec | DH group | group2
IPsec | IKE version | IKEv1
IPsec | Lifecycle | 86400
IPsec | Negotiation mode | esp
- Log on to the command-line interface of the firewall device.
- Create an ISAKMP policy.
```
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
```
- Set a pre-shared key.
```
crypto isakmp key 123456 address 47.XX.XX.161
```
- Configure the IPsec protocol.
```
crypto ipsec transform-set ipsecpro64 esp-aes esp-sha-hmac
 mode tunnel
```
- Create network access control lists (ACLs) to specify the inbound and outbound traffic flows to be encrypted.
  Note: If multiple CIDR blocks are configured on the firewall device, you must create a network ACL for each CIDR block.
```
access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.11.0 0.0.0.255
```
- Create an IPsec policy.
```
crypto map ipsecpro64 10 ipsec-isakmp
 set peer 47.XX.XX.161
 set transform-set ipsecpro64
 set pfs group2
 match address 100
```
- Apply the IPsec policy.
```
interface g0/0
 crypto map ipsecpro64
```
- Configure static routes.
```
ip route 192.168.10.0 255.255.255.0 47.XX.XX.161
ip route 192.168.11.0 255.255.255.0 47.XX.XX.161
```
- Test the connectivity. You can use a host on Alibaba Cloud and a host in the data center to test the connectivity.
Configure IKEv2 VPN
Prerequisites
- An IPsec-VPN connection is created in a VPC. For more information, see Create and manage IPsec-VPN connections.
- The configuration of the IPsec-VPN connection is downloaded. For more information, see Download the configuration file of an IPsec-VPN connection. The following configuration is used in this example.

Protocol | Parameter | Example
---|---|---
IKE | Authentication algorithm | SHA-1
IKE | Encryption algorithm | AES-128
IKE | DH group | group2
IKE | IKE version | IKEv2
IKE | Lifecycle | 86400
IKE | PRF algorithm | SHA-1
IKE | PSK | 123456
IPsec | Authentication algorithm | SHA-1
IPsec | Encryption algorithm | AES-128
IPsec | DH group | group2
IPsec | IKE version | IKEv2
IPsec | Lifecycle | 86400
IPsec | Negotiation mode | esp
- Log on to the command-line interface of the firewall device.
- Specify the algorithm that is used in IKE Phase 1 negotiations.
```
crypto ikev2 proposal daemon
 encryption aes-cbc-128
 integrity sha1
 group 2
```
- Create an IKEv2 policy and set an IKEv2 proposal.
```
crypto ikev2 policy ipsecpro64_v2
 proposal daemon
```
- Set a pre-shared key.
```
crypto ikev2 keyring ipsecpro64_v2
 peer vpngw
  address 47.XX.XX.161
  pre-shared-key 0 123456
```
- Configure the IKEv2 profile, which binds the peer identity, the pre-shared authentication method, and the keyring together.
```
crypto ikev2 profile ipsecpro64_v2
 match identity remote address 47.XX.XX.161 255.255.255.255
 identity local address 10.10.10.1
 authentication remote pre-share
 authentication local pre-share
 keyring local ipsecpro64_v2
```
- Configure the IPsec protocol.
```
crypto ipsec transform-set ipsecpro64_v2 esp-aes esp-sha-hmac
 mode tunnel
```
- Create network access control lists (ACLs) to specify the inbound and outbound traffic flows to be encrypted.
  Note: If multiple CIDR blocks are configured on the firewall device, you must create a network ACL for each CIDR block.
```
access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.11.0 0.0.0.255
```
- Create an IPsec policy.
```
crypto map ipsecpro64_v2 10 ipsec-isakmp
 set peer 47.XX.XX.161
 set transform-set ipsecpro64_v2
 set pfs group2
 set ikev2-profile ipsecpro64_v2
 match address 100
```
- Apply the IPsec policy.
```
interface g0/1
 crypto map ipsecpro64_v2
```
- Configure static routes.
```
ip route 192.168.10.0 255.255.255.0 47.XX.XX.161
ip route 192.168.11.0 255.255.255.0 47.XX.XX.161
```
- Test the connectivity. You can use a host on Alibaba Cloud and a host in the data center to test the connectivity.
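Both procedures above repeat the same error-prone steps by hand: turning each CIDR block into a Cisco wildcard-mask ACL entry, adding one entry and one static route per remote block, and keeping the transform-set, crypto map and profile names consistent. The following Python script is an added example, not a tool from the page or from Alibaba Cloud or Cisco; it generates the IKEv1 or IKEv2 configuration shown above from the downloaded connection parameters and runs two pre-paste checks (PSK length and overlapping CIDR blocks). The sample values mirror the page's example; the `local_id` address, the `name`/`interface`/`acl` keys and the 16-character PSK threshold are assumptions made for this example.

```python
import ipaddress

# Constructed sample matching the page's example values. The public IP is the
# page's own placeholder; set ike_version to "ikev1" to get the first procedure.
SAMPLE = {
    "ike_version": "ikev2",
    "name": "ipsecpro64_v2",      # shared name for transform-set, crypto map, profile
    "peer": "47.XX.XX.161",       # VPN gateway public IP (page placeholder)
    "local_id": "10.10.10.1",     # assumed firewall address used as IKEv2 local identity
    "psk": "123456",
    "local_cidrs": ["10.10.10.0/24"],
    "remote_cidrs": ["192.168.10.0/24", "192.168.11.0/24"],
    "interface": "g0/1",
    "acl": 100,
}


def wildcard(cidr):
    """CIDR -> (network, wildcard mask) as Cisco ACLs expect, e.g. /24 -> 0.0.0.255.
    strict=True rejects a block with host bits set, which would silently mismatch."""
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net.network_address), str(net.hostmask)


def acl_lines(acl, local_cidrs, remote_cidrs):
    """One permit entry per (local, remote) pair, as the page's note requires."""
    lines = []
    for local in local_cidrs:
        lnet, lwild = wildcard(local)
        for remote in remote_cidrs:
            rnet, rwild = wildcard(remote)
            lines.append(f"access-list {acl} permit ip {lnet} {lwild} {rnet} {rwild}")
    return lines


def route_lines(remote_cidrs, next_hop):
    """Static route per VPC block so traffic reaches the interface holding the crypto map."""
    return [f"ip route {n.network_address} {n.netmask} {next_hop}"
            for n in map(ipaddress.ip_network, remote_cidrs)]


def phase1_lines(p):
    """IKE Phase 1: ISAKMP policy + key for IKEv1, proposal/policy/keyring/profile for IKEv2."""
    name, peer, psk = p["name"], p["peer"], p["psk"]
    if p["ike_version"] == "ikev1":
        return ["crypto isakmp policy 1", " authentication pre-share", " encryption aes",
                " hash sha", " group 2", " lifetime 86400",
                f"crypto isakmp key {psk} address {peer}"]
    return ["crypto ikev2 proposal daemon", " encryption aes-cbc-128", " integrity sha1",
            " group 2", f"crypto ikev2 policy {name}", " proposal daemon",
            f"crypto ikev2 keyring {name}", " peer vpngw", f"  address {peer}",
            f"  pre-shared-key 0 {psk}", f"crypto ikev2 profile {name}",
            f" match identity remote address {peer} 255.255.255.255",
            f" identity local address {p['local_id']}",
            " authentication remote pre-share", " authentication local pre-share",
            f" keyring local {name}"]


def build_config(p):
    """Full configuration in the order the page applies it."""
    name, peer = p["name"], p["peer"]
    lines = phase1_lines(p)
    lines += [f"crypto ipsec transform-set {name} esp-aes esp-sha-hmac", " mode tunnel"]
    lines += acl_lines(p["acl"], p["local_cidrs"], p["remote_cidrs"])
    lines += [f"crypto map {name} 10 ipsec-isakmp", f" set peer {peer}",
              f" set transform-set {name}", " set pfs group2"]
    if p["ike_version"] == "ikev2":
        lines.append(f" set ikev2-profile {name}")   # only IKEv2 binds a profile
    lines += [f" match address {p['acl']}", f"interface {p['interface']}", f" crypto map {name}"]
    lines += route_lines(p["remote_cidrs"], peer)
    return lines


def check_parameters(p, min_psk_len=16):
    """Findings to resolve before pasting. The PSK length threshold is an assumption
    for this example; overlapping local/remote blocks make the ACL and routes ambiguous."""
    findings = []
    if len(p["psk"]) < min_psk_len:
        findings.append(f"PSK shorter than {min_psk_len} characters")
    for local in p["local_cidrs"]:
        for remote in p["remote_cidrs"]:
            if ipaddress.ip_network(local).overlaps(ipaddress.ip_network(remote)):
                findings.append(f"local {local} overlaps remote {remote}")
    return findings


if __name__ == "__main__":
    for finding in check_parameters(SAMPLE):
        print("! " + finding)
    print("\n".join(build_config(SAMPLE)))
```

Run it once with the IKEv2 sample and once with `ike_version` set to `ikev1` (and `name`/`interface` set to `ipsecpro64`/`g0/0`) and the output reproduces the two procedures above line for line; the page's example PSK trips the length check, which is the point of running the checks before the configuration reaches the device.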