This topic describes how to establish active/standby IPsec-VPN connections by using two on-premises gateways and creating two customer gateways.
Overview of configuration methods
You can create a VPN gateway in a virtual private cloud (VPC) and create two customer gateways.
Then, connect both customer gateways to the same VPN gateway through IPsec-VPN connections. You can enable health checks for the IPsec-VPN connections to verify that the negotiations succeed and that the tunnels remain reachable. If the health check detects that one customer gateway is unavailable, the other customer gateway automatically takes over.
Prerequisites
Before you start, make sure that the following requirements are met:
The gateway devices in the data center have been verified. The VPN gateway supports the standard IKEv1 and IKEv2 protocols, so any device that supports these protocols can be used, such as devices from H3C, Hillstone, Sangfor, Cisco ASA, Juniper, SonicWall, Nokia, IBM, and Ixia.
Static public IP addresses are assigned to the gateway devices in the data center.
The CIDR block of the data center does not overlap with that of the VPC.
Step 1: Create a VPN gateway
Log on to the VPN gateway console.
In the top navigation bar, select the region where you want to create the VPN gateway.
The VPN gateway and the VPC to be associated must belong to the same region.
On the VPN Gateways page, click Create VPN Gateway.
On the buy page, set the following parameters, click Buy Now, and then complete the payment.
Name: Enter a name for the VPN gateway. In this example, VPN Gateway 1 is used.
Region: Select the region where you want to deploy the VPN gateway.
Note: The VPN gateway must belong to the same region as the VPC.
Gateway Type: Select a VPN gateway type. Default value: Standard.
Network Type: Select the network type of the VPN gateway. In this example, Public is selected.
Tunnels: The supported tunnel modes are automatically displayed.
- Single-tunnel
- Dual-tunnel
For more information, see [Upgrade notice] IPsec-VPN connections support the dual-tunnel mode.
VPC: Select the VPC with which you want to associate the VPN gateway.
VSwitch: Select a vSwitch from the selected VPC.
- If you select Single-tunnel, you need to specify one vSwitch.
- If you select Dual-tunnel, you need to specify two vSwitches.
Note:
- The system selects a vSwitch by default. You can keep the default vSwitch or change it.
- After you create a VPN gateway, you cannot change the vSwitch associated with the VPN gateway. You can view the associated vSwitch and the zone of the vSwitch on the details page of the VPN gateway.
vSwitch 2: Ignore this parameter if you select Single-tunnel.
Maximum Bandwidth: Specify a maximum bandwidth value for the VPN gateway. Unit: Mbit/s.
Traffic: Select a metering method for the VPN gateway. Default value: Pay-by-data-transfer. For more information, see Billing.
IPsec-VPN: Specify whether to enable IPsec-VPN. In this example, Enable is selected.
SSL-VPN: Specify whether to enable SSL-VPN. In this example, Disable is selected.
Duration: Select a billing cycle. Default value: By Hour.
Service-linked Role: Click Create Service-linked Role. The system then automatically creates the service-linked role AliyunServiceRoleForVpn. The VPN gateway assumes this role to access other cloud resources. For more information, see AliyunServiceRoleForVpn.
If Created is displayed, the service-linked role already exists and you do not need to create it again.
For more information about the parameters, see Create a VPN gateway.
Return to the VPN Gateways page to view the VPN gateway that you created.
A newly created VPN gateway is in the Preparing state and changes to the Normal state in about 1 to 5 minutes. After the status changes to Normal, the VPN gateway is ready for use.
Step 2: Create customer gateways
Perform the following operations to create two customer gateways and register the public IP addresses of the on-premises gateway devices with the customer gateways.
In the left-side navigation pane, choose .
In the top navigation bar, select the region where you want to create the customer gateways.
On the Customer Gateways page, click Create Customer Gateway.
On the Create Customer Gateway page, set the following parameters and click OK.
Name: Enter a name for the customer gateway.
IP Address: Enter the public IP address of the gateway device in the data center that you want to connect to the VPC.
Step 3: Create IPsec-VPN connections
Perform the following operations to create two IPsec-VPN connections between the customer gateways and the VPN gateway, and enable health checks:
In the left-side navigation pane, choose .
In the top navigation bar, select the region where you want to create the IPsec-VPN connections.
On the IPsec Connections page, click Create IPsec-VPN Connection.
Set the following parameters and click OK:
Name: Enter a name for the IPsec-VPN connection.
Associate Resource: Select the resource to be associated with the IPsec-VPN connection. In this example, VPN Gateway is selected.
VPN Gateway: Select the VPN gateway that you created.
Customer Gateway: Select the customer gateway you created.
Routing Mode: Select a routing mode. In this example, Protected Data Flows is selected.
Local Network: Enter the CIDR block of the VPC where the VPN gateway is deployed.
Remote Network: Enter the CIDR block of the data center.
Effective Immediately: Specify whether to immediately start negotiations.
Yes: starts connection negotiations when the parameters are configured.
No: starts connection negotiations when inbound traffic is detected.
Pre-Shared Key: Enter a pre-shared key. The pre-shared key must be the same as the one specified on the gateway device.
Encryption Configuration: IKEv1 is used in this example. The other parameters use the default values.
Health Check: Enable health checks, and enter the destination IP address, source IP address, retry interval, and number of retries.
The other parameters use the default values. For more information, see Create and manage an IPsec-VPN connection in single-tunnel mode.
Repeat the preceding operations to create the other IPsec-VPN connection.
Step 4: Load the configuration of the IPsec-VPN connections to the gateway devices in the data center
Perform the following operations to load the configurations of the two IPsec-VPN connections to the gateway devices:
In the left-side navigation pane, choose .
In the top navigation bar, select the region where the IPsec-VPN connection resides.
Find the IPsec-VPN connection and click Generate Peer Configurations in the Actions column.
Add the downloaded configurations to the on-premises gateway devices. For more information, see Configure on-premises gateways.
The values of RemoteSubnet and LocalSubnet in the generated configuration are the reverse of the values that you specified when you created the IPsec-VPN connection. For the VPN gateway, RemoteSubnet refers to the CIDR block of the on-premises network and LocalSubnet refers to the CIDR block of the VPC. For the gateway device, LocalSubnet refers to the CIDR block of the on-premises network and RemoteSubnet refers to the CIDR block of the VPC.
Step 5: Configure routes for the VPN gateway
Perform the following operations to configure routes.
In the left-side navigation pane, choose .
On the VPN Gateways page, select the region where the VPN gateway is created.
Find the VPN gateway that you want to manage and click its ID in the Instance ID/Name column.
On the Destination-based Route Table tab, click Add Route Entry.
Set the following parameters and click OK.
Destination CIDR Block: Enter the private CIDR block of the on-premises gateway device.
Next Hop Type: Use the default value IPsec-VPN connection.
Next Hop: Select the IPsec-VPN connection that you created.
Advertise to VPC: Specify whether to automatically advertise the route to the VPC route table.
Weight: Select a weight.
Important: You must specify different weights for the two routes to define which route is active and which is standby. You cannot set the weights of both routes to 100 or both to 0.
The following table describes the routes in this example.
Route 1 (active):
- Destination CIDR block: Private CIDR block of the on-premises gateway device
- Next Hop: IPsec-VPN Connection 1
- Advertise to VPC: Yes
- Weight: 100
Route 2 (standby):
- Destination CIDR block: Private CIDR block of the on-premises gateway device
- Next Hop: IPsec-VPN Connection 2
- Advertise to VPC: Yes
- Weight: 0
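The following added example (not part of this topic or of the Alibaba Cloud console) is a pre-flight check for the three points above that most often break an active/standby setup: the prerequisite that the data center CIDR block does not overlap the VPC (Prerequisites), the mirrored LocalSubnet/RemoteSubnet and identical pre-shared key between the VPN gateway and the on-premises device (Step 4), and the rule that the two routes must not share a weight (Step 5). The dict keys, the sample CIDR blocks and the placeholder pre-shared key are constructed for this example.

```python
import ipaddress

def check_cidrs(vpc_cidr, dc_cidr):
    """Prerequisite: the data center CIDR block must not overlap the VPC CIDR block."""
    vpc, dc = ipaddress.ip_network(vpc_cidr), ipaddress.ip_network(dc_cidr)
    return [f"CIDR overlap: VPC {vpc} vs data center {dc}"] if vpc.overlaps(dc) else []

def check_peer_config(cloud, device):
    """Step 4: LocalSubnet/RemoteSubnet on the device are the mirror image of those
    on the VPN gateway, and the pre-shared key (Psk) must match on both ends."""
    errors = []
    if (cloud["LocalSubnet"], cloud["RemoteSubnet"]) != (device["RemoteSubnet"], device["LocalSubnet"]):
        errors.append("LocalSubnet/RemoteSubnet are not mirrored between VPN gateway and device")
    if cloud["Psk"] != device["Psk"]:
        errors.append("pre-shared key differs between VPN gateway and device")
    return errors

def check_routes(routes):
    """Step 5: the two routes to the on-premises CIDR block must carry different
    weights; both 100 or both 0 leaves the active/standby roles undefined."""
    weights_by_dest = {}
    for r in routes:
        weights_by_dest.setdefault(r["Destination"], []).append(r["Weight"])
    return [f"{dest}: both routes have weight {w[0]}" for dest, w in weights_by_dest.items()
            if len(w) == 2 and w[0] == w[1]]

def validate(vpc_cidr, dc_cidr, connections, routes):
    """connections: list of (vpn_gateway_side, device_side) dicts, one pair per IPsec-VPN connection."""
    errors = check_cidrs(vpc_cidr, dc_cidr) + check_routes(routes)
    for cloud, device in connections:
        errors += check_peer_config(cloud, device)
    return errors

# Constructed sample: VPC 192.168.0.0/16, data center 10.1.0.0/16, two connections.
VPC, DC, PSK = "192.168.0.0/16", "10.1.0.0/16", "example-psk-change-me"
CLOUD = {"LocalSubnet": VPC, "RemoteSubnet": DC, "Psk": PSK}
DEVICE_OK = {"LocalSubnet": DC, "RemoteSubnet": VPC, "Psk": PSK}
DEVICE_BAD = {"LocalSubnet": VPC, "RemoteSubnet": DC, "Psk": PSK}   # copied without swapping
ROUTES = [{"Destination": DC, "NextHop": "IPsec-VPN Connection 1", "Weight": 100},
          {"Destination": DC, "NextHop": "IPsec-VPN Connection 2", "Weight": 0}]

if __name__ == "__main__":
    for msg in validate(VPC, DC, [(CLOUD, DEVICE_OK), (CLOUD, DEVICE_BAD)], ROUTES):
        print("FAIL:", msg)
```

Run it against the values you intend to enter in the console and on the device before starting negotiations; the second device entry shows the most common mistake, pasting the VPN gateway's subnets into the device without swapping them.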