This topic describes how to establish two IPsec-VPN tunnels with a VPN Gateway. By doing so, you can implement active/standby tunnel redundancy. This configuration is suitable for a local gateway with two public IP addresses.

Scenario

You can connect a VPN Gateway to two public IP addresses (in this example, they are labeled as IP1 and IP2) of a local gateway to establish two IPsec-VPN connections, and enable health checks for the connections. Afterwards, you can specify an active route and a standby route by configuring weight values for the routes. The IPsec-VPN tunnel associated with the active route is the active tunnel, and the IPsec-VPN tunnel associated with the standby route is the standby tunnel.
  • When the IP1-based Internet link is functioning, all traffic between the on-premises data center and the VPC is forwarded only through the active tunnel.
  • When the IP1-based Internet link is unavailable, all traffic between the on-premises data center and the VPC is directed to the standby tunnel.

Prerequisites

Before you begin, make sure that the following conditions are met:

  • The gateway device of the on-premises data center operates properly. Alibaba Cloud VPN Gateways support standard IKEv1 and IKEv2 protocols. Devices that support these two protocols can connect to Alibaba Cloud VPN Gateways, including devices from Huawei, H3C, Hillstone, SANGFOR, Cisco ASA, Juniper, SonicWall, Nokia, IBM, and Ixia.
  • A static public IP address is configured for the gateway device of the on-premises data center.
  • The CIDR block of the on-premises data center does not overlap the CIDR block of the VPC.

Step 1: Create a VPN Gateway

To create a VPN Gateway, follow these steps:

  1. Log on to the VPC console.
  2. In the left-side navigation pane, choose VPN > VPN Gateways.
  3. On the VPN Gateways page, click Create VPN Gateway.
  4. On the purchase page, set the parameters, and then click Buy Now to complete the payment.
    • Name: Enter a name for the VPN Gateway.
    • Region: Select a region for the VPN Gateway.
      Note The VPN Gateway must be in the same region as the VPC.
    • VPC: Select the VPC to be connected.
    • Peak Bandwidth: Select a peak bandwidth. The bandwidth is the Internet bandwidth of the VPN Gateway.
    • IPsec-VPN: Enable the IPsec-VPN function.
    • SSL-VPN: Select whether to enable the SSL-VPN function. The SSL-VPN function allows access to the VPC from a computer anywhere.
    • SSL connections: Select the maximum number of clients to which you want to connect simultaneously.
      Note This parameter is valid only after the SSL-VPN function is enabled.
    • Billing Cycle: Select a billing cycle.
  5. Go back to the VPN Gateways page to check the created VPN Gateway.
    The initial status of the VPN Gateway is Preparing. The status changes to Normal in about two minutes and then the VPN Gateway is ready to use.
    Note It takes one to five minutes to create a VPN Gateway.

Step 2: Create two customer gateways

Create two customer gateways and register the two public IP addresses of the local gateway to the customer gateways. To do so, follow these steps:
  1. In the left-side navigation pane, choose VPN > Customer Gateways.
  2. Select the region in which you want to create a customer gateway.
  3. On the Customer Gateways page, click Create Customer Gateway.
  4. Configure the customer gateway according to the following information:
    • Name: Enter the name of the customer gateway.
    • IP Address: Enter the public IP address of the local gateway.
    • Description: Enter a description of the customer gateway.
  5. On the Create Customer Gateway page, click + Add to add the other customer gateway.

Step 3: Create two IPsec-VPN connections

Create two IPsec-VPN connections to connect the VPN Gateway with the two customer gateways. To do so, follow these steps:
  1. In the left-side navigation pane, choose VPN > IPsec Connections.
  2. Select the region in which you want to create an IPsec connection.
  3. On the IPsec Connections page, click Create IPsec Connection.
  4. Configure the IPsec-VPN connection according to the following information and click OK.
    • Name: Enter a name for the IPsec connection.
    • VPN Gateway: Select the created VPN Gateway.
    • Customer Gateway: Select the customer gateway to be connected.
    • Local Network: Enter the CIDR block of the VPC to which the selected VPN Gateway belongs.
    • Remote Network: Enter the CIDR block of the on-premises data center.
    • Effective Immediately: Select whether to negotiate immediately.
      • Yes: Start the negotiation immediately once the configuration is complete.
      • No: Start the negotiation only when traffic is detected in the tunnel.
    • Pre-Shared Key: Enter a pre-shared key. This value must be the same as the one configured in the local gateway.
    • Health Check: Enable health checks and enter the destination IP address, source IP address, retry interval, and number of retries.

      Use the default settings for other parameters.

  5. Repeat the preceding steps to create an IPsec-VPN connection for the other customer gateway.

Step 4: Configure the local gateway

To configure the local gateway, follow these steps:
  1. In the left-side navigation pane, choose VPN > IPsec Connections.
  2. Select the target region.
  3. Find the target IPsec-VPN connection and click Download Configuration.
  4. Configure the local gateway by loading the downloaded IPsec-VPN connection configurations to the local gateway device. For more information, see Local gateway configuration.

    RemoteSubnet and LocalSubnet are the reverse of the Local Network and Remote Network that you set when you created the IPsec connection in Step 3. Specifically, for the VPN Gateway, its remote network is the CIDR block of the on-premises data center and its local network is the CIDR block of the VPC. For the local gateway, LocalSubnet is the CIDR block of the on-premises data center and RemoteSubnet is the CIDR block of the VPC.
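    The following Python snippet is an added example and is not part of the Alibaba Cloud document or the downloaded configuration file. It takes the two IPsec-VPN connections from Step 3 as entered in the console (from the VPN Gateway's point of view) and derives the LocalSubnet/RemoteSubnet values the local gateway needs for each tunnel, while enforcing the prerequisites: two distinct public IP addresses on the local gateway and non-overlapping CIDR blocks. The dictionary keys, the function name, and all addresses are constructed for illustration; the check that both connections carry identical Local/Remote Network values is my inference from Step 5, where both routes point at the same destination.

```python
"""Added example, not part of the original document: derive the local
gateway's LocalSubnet/RemoteSubnet per tunnel from the console-side
Local Network/Remote Network, and enforce the prerequisites.
All addresses are constructed placeholders."""
import ipaddress
from typing import Dict, List

# RFC 1918 ranges: a customer gateway IP inside these cannot be the static
# public address that the prerequisites require (constructed check).
_RFC1918 = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def derive_local_gateway_config(connections: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Each input dict (hypothetical keys) describes one IPsec-VPN connection:
    name, customer_gateway_ip, local_network (VPC CIDR), remote_network
    (data center CIDR). Returns what the local gateway must carry per tunnel."""
    if len(connections) != 2:
        raise ValueError("expected exactly two IPsec-VPN connections (one per customer gateway)")

    peer_ips = {c["customer_gateway_ip"] for c in connections}
    if len(peer_ips) != 2:
        raise ValueError("the two customer gateways must register different public IPs (IP1 and IP2)")

    # Both tunnels back routes to the same destination, so their subnets must match.
    subnets = {(c["local_network"], c["remote_network"]) for c in connections}
    if len(subnets) != 1:
        raise ValueError("both connections must carry the same Local Network / Remote Network")

    out = []
    for c in connections:
        peer = ipaddress.ip_address(c["customer_gateway_ip"])
        if any(peer in n for n in _RFC1918):
            raise ValueError(f"{peer} is a private address, not a public gateway IP")
        # strict=True rejects host bits set in the prefix (e.g. 10.0.0.1/16)
        vpc = ipaddress.ip_network(c["local_network"], strict=True)
        idc = ipaddress.ip_network(c["remote_network"], strict=True)
        if vpc.overlaps(idc):
            raise ValueError(f"{vpc} overlaps {idc}: CIDR blocks must not overlap")
        out.append({
            "tunnel": c["name"],
            "local_public_ip": str(peer),
            # Reversed relative to the console: the local gateway's own side
            # is the data center, its remote side is the VPC.
            "LocalSubnet": str(idc),
            "RemoteSubnet": str(vpc),
        })
    return out


def example_connections() -> List[Dict[str, str]]:
    """Constructed sample input: two connections, one per public IP of the local gateway."""
    common = {"local_network": "192.168.0.0/16", "remote_network": "10.10.0.0/16"}
    return [
        {"name": "ipsec-connection-1", "customer_gateway_ip": "203.0.113.10", **common},
        {"name": "ipsec-connection-2", "customer_gateway_ip": "198.51.100.20", **common},
    ]


if __name__ == "__main__":
    for entry in derive_local_gateway_config(example_connections()):
        print(entry)
```

    Running the script prints one line per tunnel with LocalSubnet set to the data center block and RemoteSubnet set to the VPC block, which is the value pair to compare against the downloaded configuration before loading it onto the device.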

Step 5: Configure a route for the VPN Gateway

To configure a route for the VPN Gateway, follow these steps:

  1. In the left-side navigation pane, choose VPN > VPN Gateways.
  2. On the VPN Gateways page, select the region of the VPN Gateway.
  3. Find the target VPN Gateway, and click the instance ID in the Instance ID/Name column.
  4. On the Destination-based Routing tab, click Add Route Entry.
  5. Configure the route entry according to the following information and then click OK.
    • Destination CIDR Block: Enter the private CIDR block of the on-premises data center.
    • Next Hop: Select the IPsec connection instance.
    • Publish to VPC: Select whether to publish the new route to the VPC route table.
    • Weight: Select a weight.
      Notice You can set different route weights to distinguish the active and standby routes. The two routes to the same destination cannot both have weight 100 or both have weight 0.

    The routes used in this example are as follows:

    Destination CIDR block                       | Next hop                         | Publish to VPC | Weight
    The private CIDR block of the local gateway  | IPsec-VPN connection instance 1  | Yes            | 100
    The private CIDR block of the local gateway  | IPsec-VPN connection instance 2  | Yes            | 0
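    The following Python model is an added example and is not part of the Alibaba Cloud document or the VPN Gateway's implementation. It ties together the behaviour described in the Scenario, the health-check parameters from Step 3, and the weighted routes from Step 5: each tunnel is marked down after a configured number of consecutive failed health-check probes (one probe per retry interval), traffic follows the highest-weight route whose tunnel is healthy, and the Notice rule on weights is enforced before the simulation starts. The class names, the retry count of 3, the connection identifiers, and the probe sequence are constructed for illustration; the exact way the VPN Gateway counts retries and restores a tunnel is not stated on the page and is assumed here.

```python
"""Added example, not part of the original document: weighted active/standby
route selection driven by per-tunnel health checks. Constructed values only;
nothing here talks to the VPN Gateway."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class RouteEntry:
    """One destination-based route on the VPN Gateway (Step 5)."""
    destination: str   # Destination CIDR Block (data center's private block)
    next_hop: str      # IPsec-VPN connection instance used as next hop
    weight: int        # 100 for the active route, 0 for the standby route


@dataclass
class HealthCheck:
    """Probe state for one tunnel. After `retries` consecutive failed probes
    (one probe per retry interval) the tunnel is treated as down; one
    successful probe brings it back. Retry semantics are an assumption."""
    retries: int
    failures: int = 0
    healthy: bool = True

    def record(self, probe_ok: bool) -> bool:
        if probe_ok:
            self.failures = 0
            self.healthy = True
        else:
            self.failures += 1
            if self.failures >= self.retries:
                self.healthy = False
        return self.healthy


def validate_weights(routes: List[RouteEntry]) -> None:
    """Enforces the Step 5 Notice: two routes to the same destination must not
    both carry weight 100 or both carry weight 0."""
    by_dest: Dict[str, List[int]] = {}
    for r in routes:
        by_dest.setdefault(r.destination, []).append(r.weight)
    for dest, weights in by_dest.items():
        if len(weights) == 2 and weights[0] == weights[1] and weights[0] in (0, 100):
            raise ValueError(f"{dest}: both routes have weight {weights[0]}")


def select_next_hop(routes: List[RouteEntry], health: Dict[str, HealthCheck]) -> Optional[str]:
    """Highest-weight route whose tunnel passes its health check; None when
    every tunnel to the destination is down (traffic is black-holed)."""
    candidates = [r for r in routes if health[r.next_hop].healthy]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.weight).next_hop


def simulate(routes: List[RouteEntry], probes: List[Dict[str, bool]], retries: int = 3) -> List[Optional[str]]:
    """probes[i] maps next hop -> probe result for retry interval i.
    Returns the next hop in use after each interval."""
    validate_weights(routes)
    health = {r.next_hop: HealthCheck(retries=retries) for r in routes}
    chosen = []
    for interval in probes:
        for hop, ok in interval.items():
            health[hop].record(ok)
        chosen.append(select_next_hop(routes, health))
    return chosen


def example_routes() -> List[RouteEntry]:
    """The two routes from the Step 5 table, with constructed identifiers."""
    return [
        RouteEntry("10.10.0.0/16", "ipsec-connection-1", 100),  # active tunnel (IP1)
        RouteEntry("10.10.0.0/16", "ipsec-connection-2", 0),    # standby tunnel (IP2)
    ]


def example_probes() -> List[Dict[str, bool]]:
    """Constructed probe history: IP1 link drops for three intervals, recovers,
    then both links fail."""
    c1, c2 = "ipsec-connection-1", "ipsec-connection-2"
    return [
        {c1: True, c2: True},
        {c1: False, c2: True}, {c1: False, c2: True}, {c1: False, c2: True},
        {c1: True, c2: True},
        {c1: False, c2: False}, {c1: False, c2: False}, {c1: False, c2: False},
    ]


if __name__ == "__main__":
    for i, hop in enumerate(simulate(example_routes(), example_probes()), 1):
        print(f"interval {i}: next hop = {hop}")
```

    The run shows the active tunnel kept through the first two failed probes, the switch to the standby tunnel on the third, the fall back to the active route as soon as IP1 answers again, and `None` once both links stay down for the full retry count. The last case is what the health-check alarms on the connections should surface, since no weight setting can help when neither tunnel is up.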