This topic takes an SRX series Services Gateway firewall device from Juniper as an example to show how to configure the VPN settings to connect an on-premises data center to Alibaba Cloud VPC. When using IPsec-VPN to create a site-to-site connection, you must configure the local gateway according to the IPsec-VPN connection configured for the Alibaba Cloud VPN Gateway.
Prerequisites
- An IPsec-VPN connection is created in an Alibaba Cloud VPC. For more information, see Create and manage IPsec-VPN connections.
- The configuration of the IPsec-VPN connection is downloaded. For more information, see Download the configuration file of an IPsec-VPN connection.
The IPsec-VPN connection configurations in the following tables are used in this example.
- IPsec protocol

  Configuration                          Example value
  IKE      Authentication Algorithm      md5
           Encryption Algorithm          3des
           DH Group                      group2
           IKE Version                   ikev1
           SA Life Cycle                 86400
           Negotiation Mode              main
           PSK                           123456
  IPsec    Authentication Algorithm      md5
           Encryption Algorithm          des
           DH Group                      group2
           IKE Version                   ikev1
           SA Life Cycle                 28800

- Network configurations

  Network configuration                                        Example value
  VPC                        CIDR block of the VSwitch         192.168.1.0/24
                             Public IP address of the gateway  47.xxx.xxx.56
  On-premises data center    CIDR block of the intranet        192.168.18.0/24
                             Public IP address of the gateway  122.xxx.xxx.248
Procedure
- Log on to the CLI of the firewall device.
- Configure the basic network, security zone, and address book.
  set security zones security-zone trust address-book address net-cfgr_192-168-18-0--24 192.168.18.0/24
  set security zones security-zone vpn address-book address net-cfgr_192-168-1-0--24 192.168.1.0/24
- Configure IKE policies.
  set security ike policy ike-policy-cfgr mode main
  set security ike policy ike-policy-cfgr pre-shared-key ascii-text "123456"
- Configure the IKE gateway, outbound interface, and protocol version.
  set security ike gateway ike-gate-cfgr ike-policy ike-policy-cfgr
  set security ike gateway ike-gate-cfgr address 47.xxx.xxx.56
  set security ike gateway ike-gate-cfgr external-interface ge-0/0/3
  set security ike gateway ike-gate-cfgr version v1-only
- Configure IPsec policies.
  set security ipsec policy ipsec-policy-cfgr proposal-set standard
- Apply IPsec policies.
  set security ipsec vpn ipsec-vpn-cfgr ike gateway ike-gate-cfgr
  set security ipsec vpn ipsec-vpn-cfgr ike ipsec-policy ipsec-policy-cfgr
  set security ipsec vpn ipsec-vpn-cfgr bind-interface st0.0
  set security ipsec vpn ipsec-vpn-cfgr establish-tunnels immediately
  set security ipsec policy ipsec-policy-cfgr perfect-forward-secrecy keys group2
- Configure outbound policies.
  set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match source-address net-cfgr_192-168-18-0--24
  set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match destination-address net-cfgr_192-168-1-0--24
  set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match application any
  set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr then permit
- Configure inbound policies.
  set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match source-address net-cfgr_192-168-1-0--24
  set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match destination-address net-cfgr_192-168-18-0--24
  set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match application any
  set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr then permit
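Because the SRX side must mirror the IPsec-VPN connection exactly, a consistency check before committing is worth having. The following script is an added example written for this topic (not part of the original page, nor Juniper or Alibaba Cloud tooling): it parses the set commands above, follows the object references by name, and reports any IKE mode, PSK, peer address, IKE version, PFS group or outbound source that does not match the connection parameters from the tables. The expected values are transcribed from the tables, with the 'xxx' octets kept as the page's placeholders.

```python
import re
# Expected values copied from the topic's tables ('xxx' octets are the page's own placeholders).
CONNECTION = {"ike_mode": "main", "ike_version": "ikev1", "psk": "123456", "pfs_group": "group2",
              "remote_gateway": "47.xxx.xxx.56", "local_cidr": "192.168.18.0/24"}
IKE_VERSION = {"ikev1": "v1-only", "ikev2": "v2-only"}  # Alibaba setting -> Junos keyword
# The topic's own commands, limited to the ones this check inspects.
SRX_CONFIG = """
set security zones security-zone trust address-book address net-cfgr_192-168-18-0--24 192.168.18.0/24
set security ike policy ike-policy-cfgr mode main
set security ike policy ike-policy-cfgr pre-shared-key ascii-text "123456"
set security ike gateway ike-gate-cfgr ike-policy ike-policy-cfgr
set security ike gateway ike-gate-cfgr address 47.xxx.xxx.56
set security ike gateway ike-gate-cfgr version v1-only
set security ipsec vpn ipsec-vpn-cfgr ike gateway ike-gate-cfgr
set security ipsec vpn ipsec-vpn-cfgr ike ipsec-policy ipsec-policy-cfgr
set security ipsec policy ipsec-policy-cfgr perfect-forward-secrecy keys group2
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match source-address net-cfgr_192-168-18-0--24
"""
def parse_set(text):
    """Tokenize each 'set ...' line; quoted values stay whole, with the quotes stripped."""
    return [[t.strip('"') for t in re.findall(r'"[^"]*"|\S+', ln.strip())[1:]]
            for ln in text.splitlines() if ln.strip().startswith("set ")]

def lookup(rows, *prefix):
    """Tokens following the first row that starts with prefix, or None if absent."""
    return next((r[len(prefix):] for r in rows if r[:len(prefix)] == list(prefix)), None)

def check_srx(text, conn):
    """Return mismatches between the SRX config and the connection parameters ([] means consistent)."""
    rows = parse_set(text)
    vpn = lookup(rows, "security", "ipsec", "vpn")[0]  # follow the object references by name
    gw = lookup(rows, "security", "ipsec", "vpn", vpn, "ike", "gateway")[0]
    ike_pol = lookup(rows, "security", "ike", "gateway", gw, "ike-policy")[0]
    ipsec_pol = lookup(rows, "security", "ipsec", "vpn", vpn, "ike", "ipsec-policy")[0]
    out = ("security", "policies", "from-zone", "trust", "to-zone", "vpn", "policy")
    out_pol = lookup(rows, *out)[0]
    book = {r[-2]: r[-1] for r in rows if "address-book" in r}  # address-book name -> CIDR
    checks = [("IKE mode", ("security", "ike", "policy", ike_pol, "mode"), conn["ike_mode"]),
              ("PSK", ("security", "ike", "policy", ike_pol, "pre-shared-key", "ascii-text"), conn["psk"]),
              ("peer address", ("security", "ike", "gateway", gw, "address"), conn["remote_gateway"]),
              ("IKE version", ("security", "ike", "gateway", gw, "version"), IKE_VERSION[conn["ike_version"]]),
              ("PFS group", ("security", "ipsec", "policy", ipsec_pol, "perfect-forward-secrecy", "keys"), conn["pfs_group"]),
              ("outbound source", (*out, out_pol, "match", "source-address"), conn["local_cidr"])]
    problems = []
    for label, prefix, expected in checks:
        got = lookup(rows, *prefix)
        value = book.get(got[0], got[0]) if got else None  # resolve address-book names to CIDRs
        if value != expected:
            problems.append(f"{label}: expected {expected!r}, found {value!r}")
    return problems
```

Run check_srx on the full set output of the device (or the candidate configuration) against the parameters from the downloaded connection file; an empty list means the values the Alibaba Cloud VPN Gateway will negotiate on are all mirrored.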