This topic describes how to configure active/standby IPsec-VPN connections for high availability. You can connect a VPN gateway to two customer gateways that are created for two customer-premises equipment (CPE) in the on-premises network.

Overview

You can create a VPN gateway for a virtual private cloud (VPC) and create two customer gateways for the gateway devices in the on-premises network.

Then, create two IPsec-VPN connections to connect the two customer gateways to the same VPN gateway. You can enable health checks on the IPsec-VPN connections to verify that the negotiations are successful. If a health check shows that one of the two customer gateways is malfunctioning, traffic is automatically routed to the other customer gateway.

Prerequisites

Before you start, make sure that the following requirements are met:
  • Check the gateway devices in the on-premises network. VPN Gateway supports the standard IKEv1 and IKEv2 protocols. Any gateway device that supports these two protocols can connect to Alibaba Cloud VPN gateways, such as gateway devices from H3C, Hillstone, Sangfor, Cisco ASA, Juniper, SonicWall, Nokia, IBM, and Ixia.
  • Make sure that a static public IP address is assigned to each gateway device in the on-premises network.
  • The CIDR block of the on-premises network must not overlap with that of the VPC.

Step 1: Create a VPN gateway

Take the following steps to create a VPN gateway:

  1. Log on to the VPN gateway console.
  2. In the left-side navigation pane, choose VPN > VPN Gateways.
  3. On the VPN Gateways page, click Create VPN Gateway.
  4. On the buy page, set the following parameters, click Buy Now, and complete the payment.
    • Name: Enter a name for the VPN gateway.
    • Region: Select the region where you want to deploy the VPN gateway.
      Note Make sure that the VPC network and the VPN gateway associated with the VPC network are deployed in the same region.
    • VPC: Select the VPC network to be associated with the VPN gateway.
    • Bandwidth: Specify the maximum bandwidth of the VPN gateway. The bandwidth is provided for data transfer over the Internet.
    • IPsec-VPN: Specify whether to enable IPsec-VPN for the VPN gateway.
    • SSL-VPN: Specify whether to enable SSL-VPN. SSL-VPN allows you to connect a client to a VPC network from anywhere.
    • SSL Connections: Specify the maximum number of concurrent SSL connections that the VPN gateway supports.
      Note This parameter is available only after SSL-VPN is enabled.
    • Billing Cycle: Specify the subscription duration.
  5. Go to the VPN Gateways page to view the newly created VPN gateway.
    The newly created VPN gateway is in the Preparing state. Its status changes to Normal after about two minutes. The Normal state indicates that the VPN gateway is initialized and ready for use.
    Note It takes about one to five minutes to create a VPN gateway.

Step 2: Create two customer gateways

Perform the following operations to create two customer gateways and register the public IP addresses of the gateway devices in the on-premises network with the customer gateways.
  1. In the left-side navigation pane, click VPN > Customer Gateways.
  2. Select the region where the customer gateways are deployed.
  3. On the Customer Gateways page, click Create Customer Gateway.
  4. On the Create Customer Gateway page, set the following parameters and click OK:
    • Name: Enter a name for the first customer gateway.
    • IP Address: Enter one of the public IP addresses of the gateway devices that you want to connect to the VPC.
    • Description: Enter a description for the first customer gateway.
    • +Add: Add another customer gateway.

Step 3: Create two IPsec-VPN connections

Perform the following operations to create two IPsec-VPN connections between the customer gateways and the VPN gateway, and enable the health check feature:
  1. In the left-side navigation pane, choose VPN > IPsec Connections.
  2. Select the region where you want to create the IPsec-VPN connection.
  3. On the IPsec Connections page, click Create IPsec Connection.
  4. Set the following parameters and then click OK:
    • Name: Enter a name for the IPsec-VPN connection.
    • VPN Gateway: Select a VPN gateway from the drop-down list.
    • Customer Gateway: Select the customer gateway to be connected through the IPsec-VPN connection.
    • Local Network: Enter the CIDR block of the VPC where the VPN gateway is deployed.
    • Remote Network: Enter the CIDR block of the on-premises network.
    • Effective Immediately: Specify whether to immediately start negotiations.
      • Yes: negotiation starts immediately after the configuration is complete.
      • No: negotiation starts when traffic is detected.
    • Pre-Shared Key: Enter the pre-shared key. The pre-shared key must be the same as the one specified on the gateway device.
    • Health Check: Enable health checks, and specify the destination IP address, source IP address, retry interval, and number of retries.

      Use the default settings for other parameters.

  5. Repeat the preceding operations to create the other IPsec-VPN connection.

Step 4: Load the configurations of the IPsec-VPN connections to the gateway devices

Perform the following operations to load the configurations of the two IPsec-VPN connections to the gateway devices:
  1. In the left-side navigation pane, choose VPN > IPsec Connections.
  2. Select the region where the IPsec-VPN connections are created.
  3. Find the IPsec-VPN connections that you have created and click Download Configuration in the Actions column.
  4. Load the configurations of the IPsec-VPN connections to the gateway device. For more information about how to load the configuration of an IPsec-VPN connection to a gateway device, see Configure local gateways.

    The RemotSubnet and LocalSubnet values in the configurations that you downloaded are swapped relative to the values that you specified when you created the IPsec-VPN connections. For the VPN gateway, RemotSubnet is the CIDR block of the on-premises network and LocalSubnet is the CIDR block of the VPC. For the gateway device, LocalSubnet is the CIDR block of the on-premises network and RemotSubnet is the CIDR block of the VPC.

Step 5: Configure two routes on the VPN gateway

Perform the following operations to configure two routes on the VPN gateway:

  1. In the left-side navigation pane, choose VPN > VPN Gateways.
  2. On the VPN Gateway page, select the region where the VPN gateway is deployed.
  3. Find the VPN gateway that you want to manage and click its ID in the Instance ID/Name column.
  4. On the Destination-based routing tab, click Add Route Entry.
  5. Set the following parameters and click OK to configure two routes:
    • Destination CIDR Block: Enter the private CIDR block of the on-premises network.
    • Next Hop: Select one of the IPsec-VPN connections.
    • Publish to VPC: Specify whether to automatically advertise this route to the route table of the VPC.
    • Weight: Select a weight.
      Notice You must assign different weights to the two routes so that they can serve as active/standby routes. You cannot set both routes to a weight of 100 or both to a weight of 0.

    The following table describes the routes in this example.

    Destination CIDR block                    Next hop                 Advertise to VPC   Weight
    Private CIDR block of the gateway device  IPsec-VPN connection 1   Yes                100
    Private CIDR block of the gateway device  IPsec-VPN connection 2   Yes                0
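As an added illustration that is not part of this topic or of Alibaba Cloud's own tooling, the following Python script models the checks a practitioner would run before and after following these steps: the prerequisite that the on-premises and VPC CIDR blocks do not overlap and that each customer gateway has its own public IP address, the swapped LocalSubnet/RemoteSubnet values for the device-side configuration in Step 4, the distinct-weight rule for the two routes in Step 5, and the active/standby selection that results when a health check marks one connection as failed. All names, addresses and the LocalSubnet/RemoteSubnet key spelling are constructed assumptions; the console and the VPN gateway perform their own validation and route selection, which this script only approximates.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Address ranges that can never be a gateway device's static public IP:
# RFC 1918 space, loopback, link-local, shared address space (RFC 6598)
# and the "this network" block. Assumed list; the console does its own
# validation, which this topic does not describe.
NON_PUBLIC_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10", "0.0.0.0/8",
)]


@dataclass
class CustomerGateway:
    name: str
    ip_address: str      # static public IP of the on-premises gateway device


@dataclass
class IPsecConnection:
    name: str
    customer_gateway: str
    local_network: str   # VPC CIDR block (VPN gateway side)
    remote_network: str  # on-premises CIDR block
    health_check: bool = True


@dataclass
class Route:
    destination: str
    next_hop: str        # name of the IPsec-VPN connection
    weight: int
    publish_to_vpc: bool = True


def check_prerequisites(vpc_cidr: str, onprem_cidr: str, gateways: list) -> list:
    """Prerequisite and Step 2 checks: non-overlapping CIDRs, two distinct public IPs."""
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr, strict=False)
    onprem = ipaddress.ip_network(onprem_cidr, strict=False)
    if vpc.overlaps(onprem):
        problems.append(f"on-premises CIDR {onprem} overlaps VPC CIDR {vpc}")
    if len(gateways) != 2:
        problems.append(f"expected two customer gateways, got {len(gateways)}")
    seen = set()
    for gw in gateways:
        addr = ipaddress.ip_address(gw.ip_address)
        if any(addr in net for net in NON_PUBLIC_RANGES):
            problems.append(f"{gw.name}: {gw.ip_address} is not a public IP address")
        if gw.ip_address in seen:
            problems.append(f"{gw.name}: {gw.ip_address} is already used by another customer gateway")
        seen.add(gw.ip_address)
    return problems


def device_side_subnets(conn: IPsecConnection) -> dict:
    """Step 4: the on-premises device sees the two subnets the other way round.
    The key names LocalSubnet and RemoteSubnet are assumed here."""
    return {"LocalSubnet": conn.remote_network, "RemoteSubnet": conn.local_network}


def check_routes(routes: list, connections: list) -> list:
    """Step 5: two routes to the same destination, different weights, valid next hops."""
    problems = []
    names = {c.name for c in connections}
    if len(routes) != 2:
        problems.append(f"expected two routes, got {len(routes)}")
        return problems
    a, b = routes
    if a.destination != b.destination:
        problems.append("both routes must point at the same on-premises CIDR block")
    if a.weight == b.weight:
        problems.append(f"routes must have different weights (both are {a.weight})")
    for r in routes:
        if r.next_hop not in names:
            problems.append(f"next hop {r.next_hop} is not an IPsec-VPN connection")
    return problems


def select_next_hop(routes: list, healthy: dict) -> Optional[str]:
    """Active/standby choice: highest-weight route whose connection passes its health check."""
    alive = [r for r in routes if healthy.get(r.next_hop, False)]
    if not alive:
        return None
    return max(alive, key=lambda r: r.weight).next_hop


# Constructed sample values (documentation address ranges, not a real deployment).
VPC_CIDR = "192.168.0.0/16"
ONPREM_CIDR = "10.0.0.0/16"
GATEWAYS = [CustomerGateway("cgw-1", "203.0.113.10"),
            CustomerGateway("cgw-2", "203.0.113.20")]
CONNECTIONS = [IPsecConnection("ipsec-1", "cgw-1", VPC_CIDR, ONPREM_CIDR),
               IPsecConnection("ipsec-2", "cgw-2", VPC_CIDR, ONPREM_CIDR)]
ROUTES = [Route(ONPREM_CIDR, "ipsec-1", weight=100),
          Route(ONPREM_CIDR, "ipsec-2", weight=0)]

if __name__ == "__main__":
    print("prerequisite problems:", check_prerequisites(VPC_CIDR, ONPREM_CIDR, GATEWAYS))
    print("device-side subnets for ipsec-1:", device_side_subnets(CONNECTIONS[0]))
    print("route problems:", check_routes(ROUTES, CONNECTIONS))
    print("both healthy ->", select_next_hop(ROUTES, {"ipsec-1": True, "ipsec-2": True}))
    print("ipsec-1 failed ->", select_next_hop(ROUTES, {"ipsec-1": False, "ipsec-2": True}))
```

With both connections healthy the weight-100 route wins; once the health check marks ipsec-1 as failed, the weight-0 route over ipsec-2 carries the traffic, which is the failover behaviour the Overview describes. Giving both routes the same weight is rejected by check_routes for the reason stated in the Notice under Step 5.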