
VPN Gateway:Use two public IP addresses to create active/standby IPsec-VPN connections

Last Updated:Nov 09, 2023

If an on-premises gateway device in your data center has multiple public IP addresses, you can use two of them to create active/standby IPsec-VPN connections to a virtual private cloud (VPC). The two IPsec-VPN connections ensure network connectivity between the data center and the VPC.

Scenarios

The following figure shows the scenario that is used in this example. An enterprise owns a data center in Hangzhou and has a VPC deployed in the China (Hangzhou) region. Applications are deployed on Elastic Compute Service (ECS) instances in the VPC. The enterprise wants to enable the data center to access the VPC over multiple encrypted connections to ensure data security and network redundancy.

An on-premises gateway device in the data center has multiple public IP addresses. The enterprise can use two of them to create two IPsec-VPN connections between the data center and VPC. This ensures the security of data transmission between the data center and VPC and also implements network redundancy.

Figure: High availability with two IPsec-VPN connections

Networking

Network settings

Networking requirements in this scenario:

  • A public VPN gateway is created.

  • The two IPsec-VPN connections are attached to the same VPN gateway.

  • The VPN gateway uses static routing. You can set route priorities to specify active and standby connections.

  • Both IPsec-VPN connections have health checks enabled. Health checks are used to test the availability of the connections.

    If the active IPsec-VPN connection fails health checks multiple times, the standby IPsec-VPN connection automatically takes over.

Networking

Important

When you allocate CIDR blocks, make sure that the CIDR block of the data center and the CIDR block of the VPC do not overlap.

Item

CIDR block and IP address

VPC

Primary CIDR block: 172.16.0.0/16

  • vSwitch 1 CIDR block: 172.16.10.0/24

  • vSwitch 2 CIDR block: 172.16.20.0/24

  • IP address of ECS1 in vSwitch 1: 172.16.10.1

  • IP address of ECS2 in vSwitch 2: 172.16.20.1

On-premises gateway device

Public IP address of the on-premises gateway device:

  • Public IP Address 1: 118.XX.XX.20

  • Public IP Address 2: 120.XX.XX.40

On-premises data center

CIDR block used to communicate with the VPC: 192.168.0.0/24
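The addressing plan above can be checked mechanically before any console work. The following Python script is an added example, not part of the Alibaba Cloud documentation: it takes the CIDR blocks and health check addresses from this page (plus the /32 reverse routes from Step 5) and flags overlaps, addresses outside their subnets, and a crypto ACL wildcard that does not cover the whole VPC; the function names are the editor's own.

```python
"""Consistency checks for the addressing plan used in this scenario.

Added example, not part of the Alibaba Cloud documentation; the plan values
are the page's own, the check functions are the editor's.
"""
from ipaddress import ip_address, ip_network

# Addressing plan from the page (the masked public IPs are not needed here).
VPC_CIDR = "172.16.0.0/16"
VSWITCHES = {"vSwitch 1": "172.16.10.0/24", "vSwitch 2": "172.16.20.0/24"}
ECS = {"ECS1": "172.16.10.1", "ECS2": "172.16.20.1"}
DC_CIDR = "192.168.0.0/24"
# Health-check endpoints per IPsec-VPN connection: (Source IP in the VPC,
# Destination IP in the data center), plus the /32 reverse routes from Step 5.
HEALTH_CHECKS = {"IPsec-VPN Connection 1": ("172.16.10.1", "192.168.0.1"),
                 "IPsec-VPN Connection 2": ("172.16.20.1", "192.168.0.2")}
REVERSE_ROUTES = {"IPsec-VPN Connection 1": "172.16.10.1/32",
                  "IPsec-VPN Connection 2": "172.16.20.1/32"}


def validate_plan(vpc=VPC_CIDR, vswitches=VSWITCHES, ecs=ECS, dc=DC_CIDR,
                  health_checks=HEALTH_CHECKS, reverse_routes=REVERSE_ROUTES):
    """Return a list of problems; an empty list means the plan is consistent."""
    vpc, dc = ip_network(vpc), ip_network(dc)
    switches = {n: ip_network(s) for n, s in vswitches.items()}
    problems = []
    # The page's Important note: the VPC and data center CIDR blocks must not
    # overlap, otherwise the static routes on either side become ambiguous.
    if vpc.overlaps(dc):
        problems.append(f"VPC {vpc} overlaps data center {dc}")
    for name, sw in switches.items():
        if not sw.subnet_of(vpc):
            problems.append(f"{name} {sw} is not inside VPC {vpc}")
    for name, ip in ecs.items():
        if not any(ip_address(ip) in sw for sw in switches.values()):
            problems.append(f"{name} {ip} is not in any vSwitch")
    for conn, (src, dst) in health_checks.items():
        src, dst = ip_address(src), ip_address(dst)
        if src not in vpc:      # Source IP Address is the VPC-side endpoint
            problems.append(f"{conn}: health-check source {src} is not in {vpc}")
        if dst not in dc:       # Destination IP Address is the data-center endpoint
            problems.append(f"{conn}: health-check destination {dst} is not in {dc}")
        rr = reverse_routes.get(conn)
        rr = ip_network(rr) if rr else None
        # The reverse route must be exactly <Source IP Address>/32 so that probe
        # replies return over the connection being checked.
        if rr is None or rr.prefixlen != 32 or rr.network_address != src:
            problems.append(f"{conn}: reverse route {rr} does not match {src}/32")
    return problems


def acl_covers(acl_network, acl_wildcard, cidr):
    """True if a Cisco-style `permit ip ... <net> <wildcard>` entry such as the
    access-list in Step 5 covers the whole CIDR block (contiguous wildcards only;
    ipaddress accepts a hostmask as the second element of the tuple)."""
    entry = ip_network((acl_network, acl_wildcard))
    return ip_network(cidr).subnet_of(entry)


if __name__ == "__main__":
    print(validate_plan() or "addressing plan is consistent")
    # A /24 wildcard would leave most of the /16 VPC outside the crypto ACL.
    print(acl_covers("172.16.0.0", "0.0.0.255", VPC_CIDR))    # False
    print(acl_covers("172.16.0.0", "0.0.255.255", VPC_CIDR))  # True
```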

Preparations

Make sure that the following prerequisites are met before you start:

  • A VPC is deployed in the China (Hangzhou) region and applications are deployed on the ECS instances in VPC1. For more information, see Create a VPC with an IPv4 CIDR block.

  • The gateway device in the data center supports the IKEv1 and IKEv2 protocols. Gateway devices that support these protocols can connect to VPN gateways.

  • You have read and understand the security group rules that apply to the ECS instances in VPCs, and the security group rules allow gateway devices in the data center to access cloud resources. For more information, see View security group rules and Add a security group rule.

Procedure

Figure: Configuration process for high-availability IPsec-VPN connections with multiple public IP addresses

Step 1: Create a VPN gateway

You must create a VPN gateway and enable IPsec-VPN for the VPN gateway before you can create IPsec-VPN connections.

  1. Log on to the VPN Gateway console.

  2. In the top navigation bar, select the region where you want to create the VPN gateway.

    The VPN gateway and the VPC to be associated must belong to the same region. China (Hangzhou) is selected in this example.

  3. On the VPN Gateways page, click Create VPN Gateway.

  4. On the buy page, set the following parameters, click Buy Now, and then complete the payment.

    Parameter

    Description

    Name

    Enter a name for the VPN gateway.

    In this example, VPN Gateway 1 is used.

    Region

    Select the region where you want to deploy the VPN gateway.

    China (Hangzhou) is selected in this example.

    Gateway Type

    Select a gateway type for the VPN gateway.

    In this example, Standard is selected.

    Network Type

    Select a network type for the VPN gateway.

    Public is selected in this example.

    Tunnels

    The tunnel modes supported in the region are automatically displayed.

    VPC

    Select the VPC with which you want to associate the VPN gateway.

    In this example, the VPC that you created is selected.

    VSwitch

    Select a vSwitch from the selected VPC.

    • If you select Single-tunnel, you need to specify one vSwitch.

    • If you select Dual-tunnel, you need to specify two vSwitches.

    Note

    • The system selects a vSwitch by default. You can change or use the default vSwitch.

    • After you create a VPN gateway, you cannot change the vSwitch associated with the VPN gateway. You can view the associated vSwitch and the zone of the vSwitch on the details page of the VPN gateway.

    vSwitch 2

    Select another vSwitch from the selected VPC.

    Ignore this parameter if you select Single-tunnel.

    Maximum Bandwidth

    Select a maximum bandwidth value for the VPN gateway. Unit: Mbit/s.

    Traffic

    Select a billing method for the VPN gateway. Default value: Pay-by-data-transfer.

    For more information, see Billing.

    IPsec-VPN

    Specify whether to enable the IPsec-VPN feature.

    In this example, the default value Enable is selected.

    SSL-VPN

    Specify whether to enable the SSL-VPN feature.

    In this example, the default value Disable is selected.

    Duration

    Select a billing cycle. Default value: By Hour.

    Service-linked Role

    Click Create Service-linked Role. Then, the system automatically creates the service-linked role AliyunServiceRoleForVpn.

    The VPN gateway assumes this role to access other cloud resources. For more information, see AliyunServiceRoleForVpn.

    If Created is displayed, it indicates that the service-linked role is created and you do not need to create it again.

  5. Return to the VPN Gateways page to view the VPN gateway.

    After you create a VPN gateway, it is in the Preparing state. After 1 to 5 minutes, the VPN gateway changes to the Normal state. After the VPN gateway changes to the Normal state, the VPN gateway is ready for use.

Step 2: Create two customer gateways

You must create customer gateways and register the gateway information on Alibaba Cloud before you can create IPsec-VPN connections.

  1. In the left-side navigation pane, choose Interconnections > VPN > Customer Gateways.

  2. In the top navigation bar, select the region where you want to create the customer gateways.

    Note

    Make sure that the customer gateways and the VPN gateway created in Step 1 are deployed in the same region.

  3. On the Customer Gateways page, click Create Customer Gateway.

  4. In the Create Customer Gateway panel, set the following parameters and click OK.

    The following table lists the public IP addresses with which the two customer gateways are associated. Parameters not listed in the following table use the default values. For more information, see Create a customer gateway.

    Parameter

    Description

    Customer Gateway 1

    Customer Gateway 2

    Name

    Enter a name for the customer gateway.

    Customer Gateway 1: Customer1 is used in this example.

    Customer Gateway 2: Customer2 is used in this example.

    IP Address

    Enter a public IP address for the customer gateway.

    Customer Gateway 1: In this example, the public IP address 118.XX.XX.20 of the on-premises gateway device is entered.

    Customer Gateway 2: In this example, the public IP address 120.XX.XX.40 of the on-premises gateway device is entered.

Step 3: Create two IPsec-VPN connections

After you create customer gateways, you must create IPsec-VPN connections to connect the on-premises gateway device to the VPN gateway.

  1. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

  2. In the top navigation bar, select the region where you want to create the IPsec-VPN connections.

    Note

    The IPsec-VPN connections must be created in the same region as the VPN gateway created in Step 1.

  3. On the IPsec Connections page, click Create IPsec Connection.

  4. On the Create IPsec-VPN Connection page, set the parameters for the IPsec-VPN connection, and click OK.

    The following table describes the parameters of the IPsec-VPN connections. Parameters not listed in the following table use the default values. For more information, see Create and manage IPsec-VPN connections in single-tunnel mode.

    Parameter

    Description

    IPsec-VPN Connection 1

    IPsec-VPN Connection 2

    Name

    Enter a name for the IPsec-VPN connection.

    In this example, IPsec-VPN Connection 1 is used.

    In this example, IPsec-VPN Connection 2 is used.

    Associate Resource

    Select the type of network resource that you want to associate with the IPsec-VPN connection.

    In this example, VPN Gateway is selected.

    VPN Gateway

    Select the VPN gateway that you created.

    In this example, VPN Gateway is selected.

    In this example, VPN Gateway is selected.

    Customer Gateway

    Select the customer gateway that you created.

    In this example, Customer1 is selected.

    In this example, Customer2 is selected.

    Routing Mode

    Select a routing mode.

    In this example, Destination Routing Mode is selected.

    Effective Immediately

    Specify whether to immediately start IPsec negotiations. Valid values:

    • Yes: immediately starts IPsec negotiations after the configuration takes effect.

    • No: starts IPsec negotiations only when inbound traffic is detected.

    In this example, No is selected.

    Pre-shared Key

    Enter a pre-shared key that is used to authenticate the on-premises gateway devices.

    • The key must be 1 to 100 characters in length and can contain digits, letters, and the following characters: ~ ` ! @ # $ % ^ & * ( ) _ - + = { } [ ] \ | ; : ' , . < > / ?.

    • If you do not specify a pre-shared key, the system generates a random 16-bit string as the pre-shared key. After you create an IPsec-VPN connection, you can click Edit to view the pre-shared key that is generated by the system. For more information, see Modify an IPsec-VPN connection.

    Important

    The pre-shared keys must be the same on both sides. Otherwise, the system cannot establish an IPsec-VPN connection.

    In this example, fddsFF123**** is used.

    Encryption Configuration

    Configure IKE and IPsec settings based on your business requirements.

    In this example, IKEv1 is used and the other parameters use the default values.

    BGP Configuration

    Specify whether to enable BGP.

    In this example, the default value is used. BGP is disabled.

    Health Check

    Specify whether to enable the health check feature.

    • Destination IP Address: Enter the IP address on the data center side that the VPC can communicate with over the IPsec-VPN connection.

    • Source IP Address: Enter the IP address on the VPC side that the data center can communicate with over the IPsec-VPN connection.

    • Retry Interval: Enter the interval between two consecutive health checks. Unit: seconds. Default value: 3.

    • Number of Retries: Select the number of attempts to retry health checks. Default value: 3.

    In this example, the health check feature is enabled. IPsec-VPN Connection 1 uses the following settings:

    • Destination IP Address: 192.168.0.1.

    • Source IP Address: 172.16.10.1.

    • Retry Interval: 3.

    • Number of Retries: 3.

    In this example, the health check feature is enabled. IPsec-VPN Connection 2 uses the following settings:

    • Destination IP Address: 192.168.0.2.

    • Source IP Address: 172.16.20.1.

    • Retry Interval: 3.

    • Number of Retries: 3.

  5. In the Created dialog box, click OK.

  6. Return to the IPsec Connections page, find the IPsec-VPN connection and click Download Peer Configuration in the Actions column.

    Save the peer configurations of IPsec-VPN Connection 1 and IPsec-VPN Connection 2 to your on-premises machine. The peer configurations will be used in subsequent steps when you configure the on-premises gateway device.

Step 4: Add routes to the VPN gateway

You need to configure routes to route VPC traffic destined for the data center to the IPsec-VPN connections.

  1. In the left-side navigation pane, choose Interconnections > VPN > VPN Gateways.

  2. In the top navigation bar, select the region of the VPN gateway.

  3. On the VPN Gateway page, find the VPN gateway that you want to manage and click its ID.

  4. On the Destination-based Route Table tab, click Add Route Entry.

  5. In the Add Route Entry panel, set the following parameters and click OK.

    The following table describes the parameters of the routes added to the VPN gateway. You can set route priorities to specify active and standby IPsec-VPN connections.

    Parameter

    Description

    Route 1

    Route 2

    Destination CIDR Block

    Enter the destination CIDR block.

    In this example, the CIDR block 192.168.0.0/24 that the data center uses to communicate with the VPC is entered.

    In this example, the CIDR block 192.168.0.0/24 that the data center uses to communicate with the VPC is entered.

    Next Hop Type

    Select the next hop type.

    In this example, IPsec Connection is selected.

    In this example, IPsec Connection is selected.

    Next Hop

    Select a next hop.

    In this example, IPsec-VPN Connection 1 is selected.

    In this example, IPsec-VPN Connection 2 is selected.

    Publish to VPC

    Specify whether to advertise the route to the VPC that is associated with the VPN gateway.

    In this example, Yes is selected.

    In this example, Yes is selected.

    Weight

    Select a weight for the route.

    • 100: specifies a high priority for the route.

    • 0: specifies a low priority for the route.

    Route 1: In this example, 100 (Active) is selected.

    Route 2: In this example, 0 (Standby) is selected.

    Important

    You must specify different weights for the routes to specify the active and standby routes. You cannot set the weights of both routes to 100 or 0.

Step 5: Configure the on-premises gateway device

After you complete the preceding steps in the console, you must add the VPN settings, route settings, and health check settings to the on-premises gateway device. Otherwise, the IPsec-VPN connections cannot be established between the on-premises gateway device and VPN gateway. After you add these settings to the on-premises gateway device, traffic destined for the VPC is transmitted over the active IPsec-VPN connection. The standby IPsec-VPN connection automatically takes over if the active IPsec-VPN connection fails.

The following configurations are used for reference only. The commands may vary based on the network device vendor. Contact the vendor to obtain the information about specific commands.

  1. Add VPN configurations to the on-premises gateway device.

    Add VPN configurations to the on-premises gateway device based on the IPsec peer configurations downloaded in substep 6 of Step 3.

    1. Open the command-line interface (CLI) of the gateway device.

    2. Create an ISAKMP policy.

      crypto isakmp policy 1
      authentication pre-share
      encryption aes
      hash sha
      group 2
      lifetime 86400
    3. Set the pre-shared key.

      crypto isakmp key fddsFF123**** address 46.XX.XX.21
    4. Configure the IPsec protocol.

      crypto ipsec transform-set ipsecpro64 esp-aes esp-sha-hmac 
      mode tunnel
    5. Create network access control lists (ACLs) to specify the inbound and outbound traffic flows to be encrypted.

      Note

      If multiple CIDR blocks are configured on the on-premises gateway device, you must create a network ACL for each CIDR block.

      access-list 100 permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.255.255    #The VPC CIDR block is 172.16.0.0/16, so the wildcard mask for the VPC side must be 0.0.255.255; 0.0.0.255 would only cover 172.16.0.0/24.
    6. Create an IPsec policy.

      crypto map ipsecpro64 10 ipsec-isakmp
      set peer 46.XX.XX.21
      set transform-set ipsecpro64
      set pfs group2
      match address 100
    7. Apply the IPsec policy.

      interface GigabitEthernet1    #Apply the IPsec policy to the interface that uses Public IP Address 1.
      crypto map ipsecpro64
      interface GigabitEthernet2    #Apply the IPsec policy to the interface that uses Public IP Address 2.
      crypto map ipsecpro64
  2. Configure routes and health checks on the on-premises gateway device.

    You must add the route and health check settings to enable traffic destined for the VPC to be transmitted over the active IPsec-VPN connection, and enable health checks to automatically check the status of the active IPsec-VPN connection. If the active IPsec-VPN connection fails, the standby IPsec-VPN connection automatically takes over.

    nqa entry admin test    #Create the NQA entry that the schedule and track commands below refer to.
     type icmp-echo
     destination ip 46.XX.XX.21  #Set the destination IP address to the public IP address of the VPN gateway.
     frequency 5000
     reaction 1 checked-element probe-fail threshold-type consecutive 2 action-type trigger-only
    nqa schedule admin test start-time now lifetime forever
    track 1 nqa entry admin test reaction 1
    ip route-static 172.16.0.0 16 118.XX.XX.20 track 1 preference 40     #172.16.0.0/16 is the CIDR block of the VPC to be connected to the data center. 118.XX.XX.20 is the public IP address that the on-premises gateway device uses to establish an active IPsec-VPN connection to the VPN gateway.
    ip route-static 172.16.0.0 16 120.XX.XX.40    #172.16.0.0/16 is the CIDR block of the VPC to be connected to the data center. 120.XX.XX.40 is the public IP address that the on-premises gateway device uses to establish a standby IPsec-VPN connection to the VPN gateway.
  3. Add a reverse route to the on-premises gateway device for health checks.

    Add the following routes to the on-premises gateway device: for each IPsec-VPN connection, the destination is the health check Source IP Address of that connection, the subnet mask is 32 bits in length, and the next hop is that IPsec-VPN connection. This ensures that the reply to each health check probe returns over the same IPsec-VPN connection that sent it, so the health checks work as expected.

    ip route-static 172.16.10.1 32 118.XX.XX.20  #Configure a reverse route for IPsec-VPN Connection 1.
    ip route-static 172.16.20.1 32 120.XX.XX.40  #Configure a reverse route for IPsec-VPN Connection 2.
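How the active/standby switch described in Steps 3 to 5 plays out, modelled as an added example that is not part of the Alibaba Cloud documentation: a health check marks a connection down after the configured number of consecutive failed probes, the VPN gateway prefers the usable route with the higher Weight, and the on-premises device prefers the usable route with the lower preference. Assumptions not stated on the page: one successful probe brings a connection back up, and the untracked standby route uses the default static-route preference of 60.

```python
# Added example, not part of the Alibaba Cloud documentation. One probe per
# step stands in for the 3 s (VPN gateway) and 5000 ms (on-premises NQA) timers.
from dataclasses import dataclass
from typing import Optional

@dataclass
class HealthCheck:
    """Peer is down after `retries` consecutive failed probes; assumed here:
    one successful probe brings it back up."""
    retries: int
    failures: int = 0
    up: bool = True

    def observe(self, reply_received):
        if reply_received:
            self.failures, self.up = 0, True
        else:
            self.failures += 1
            if self.failures >= self.retries:
                self.up = False
        return self.up

@dataclass
class Route:
    next_hop: str
    metric: int                           # Weight on the VPN gateway, preference on-prem
    check: Optional[HealthCheck] = None   # None: untracked route, always usable

    def usable(self):
        return self.check is None or self.check.up

def select(routes, higher_wins):
    """Next hop carrying traffic to the destination, or None if no route is usable."""
    usable = [r for r in routes if r.usable()]
    if not usable:
        return None
    pick = max if higher_wins else min
    return pick(usable, key=lambda r: r.metric).next_hop

def simulate(routes, probes, higher_wins):
    """probes: one tuple per step holding one probe result per tracked route."""
    tracked = [r for r in routes if r.check is not None]
    history = []
    for step in probes:
        for route, ok in zip(tracked, step):
            route.check.observe(ok)
        history.append(select(routes, higher_wins))
    return history

def vpn_gateway_scenario():
    """Steps 3 and 4: both routes tracked (Number of Retries 3), Weight 100 / 0,
    higher weight wins. Constructed probes: connection 1 fails 3 times, then recovers."""
    routes = [Route("IPsec-VPN Connection 1", 100, HealthCheck(3)),
              Route("IPsec-VPN Connection 2", 0, HealthCheck(3))]
    probes = [(True, True), (False, True), (False, True), (False, True), (True, True)]
    return simulate(routes, probes, higher_wins=True)

def on_prem_scenario():
    """Step 5: active route preference 40 tracked with `consecutive 2`; standby route
    untracked at the default static-route preference (assumed 60); lower wins."""
    routes = [Route("118.XX.XX.20", 40, HealthCheck(2)), Route("120.XX.XX.40", 60)]
    probes = [(True,), (False,), (False,), (True,)]
    return simulate(routes, probes, higher_wins=False)
```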

Step 6: Test the network connectivity

After you complete the preceding steps, the data center can communicate with the VPC over two IPsec-VPN connections. This section describes how to test the network connectivity and check whether the IPsec-VPN connections can work as active and standby connections.

  1. Test the network connectivity.

    1. Log on to an ECS instance in the VPC. In this example, ECS1 is used. For more information, see Connect to an ECS instance.

    2. Run the ping command on ECS1 to ping a client in the data center.

      ping <The IP address of a client in the data center>

      If you receive an echo reply packet, it indicates that the data center can communicate with the VPC.

  2. Check whether the IPsec-VPN connections can work as active and standby connections.

    1. Continuously send requests from clients in the data center to ECS1 or use Iperf3 on the clients to send requests to ECS1. For more information about how to install and use Iperf3, see Test the performance of an Express Connect circuit.

    2. Log on to the Alibaba Cloud Management Console, and check the monitoring data of the IPsec-VPN connections.

      In error-free scenarios, only the traffic monitoring data of IPsec-VPN Connection 1 (the active connection) is displayed.

      The following steps show how to open the details page of IPsec-VPN Connection 1:

      1. Log on to the VPN Gateway console.

      2. In the top navigation bar, select the region in which IPsec-VPN Connection 1 is created.

      3. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

      4. On the IPsec Connections page, find the IPsec-VPN connection and click its ID.

        On the details page, click the Monitor tab.

    3. Temporarily close the active IPsec-VPN connection.

      You can close the active IPsec-VPN connection by disabling the interface that the on-premises gateway device uses to connect to the VPN gateway. For more information about how to disable an interface, see the user guide of the on-premises gateway device.

    4. Log on to the Alibaba Cloud Management Console, and check the traffic monitoring data of IPsec-VPN Connection 2 (the standby connection).

      After the active IPsec-VPN connection is closed, network traffic is automatically switched to the standby IPsec-VPN connection. Traffic monitoring data of IPsec-VPN Connection 2 is generated and displayed on the Monitor tab.