This topic describes how to establish two IPsec-VPN connections by creating and connecting two customer gateways to a VPN Gateway. By doing so, you can configure an IPsec-VPN failover to ensure connectivity.

Scenario

As shown in the following figure, one VPN Gateway is deployed on the Alibaba Cloud side, and two customer gateways are deployed on the side of the on-premises data center.

You can connect the customer gateways to the VPN Gateway to create two IPsec-VPN tunnels. Then, enable health checks on both IPsec-VPN tunnels and verify that the negotiations succeed. If a health check later detects that one customer gateway is unavailable, traffic switches to the other customer gateway automatically.

Prerequisites

Before you begin, make sure that the following conditions are met:

  • The gateway device of the on-premises data center operates properly. Alibaba Cloud VPN Gateways support the standard IKEv1 and IKEv2 protocols. Any device that supports these two protocols can connect to Alibaba Cloud VPN Gateways, including devices from Huawei, H3C, Hillstone, SANGFOR, Cisco ASA, Juniper, SonicWall, Nokia, IBM, and Ixia.
  • A static public IP address is configured for the gateway device of the on-premises data center.
  • The CIDR block of the on-premises data center does not overlap the CIDR block of the VPC.

Step 1: Create a VPN Gateway

To create a VPN Gateway, follow these steps:

  1. Log on to the VPC console.
  2. In the left-side navigation pane, choose VPN > VPN Gateways.
  3. On the VPN Gateways page, click Create VPN Gateway.
  4. On the purchase page, set the parameters, and then click Buy Now to complete the payment.
    • Name: Enter a name for the VPN Gateway.
    • Region: Select a region for the VPN Gateway.
      Note The VPN Gateway must be in the same region as the VPC.
    • VPC: Select the VPC to be connected.
    • Peak Bandwidth: Select a peak bandwidth. The bandwidth is the Internet bandwidth of the VPN Gateway.
    • IPsec-VPN: Enable the IPsec-VPN function.
    • SSL-VPN: Select whether to enable the SSL-VPN function. The SSL-VPN function allows access to the VPC from a computer anywhere.
    • SSL connections: Select the maximum number of clients to which you want to connect simultaneously.
      Note This parameter is valid only after the SSL-VPN function is enabled.
    • Billing Cycle: Select a billing cycle.
  5. Go back to the VPN Gateways page to check the created VPN Gateway.
    The initial status of the VPN Gateway is Preparing. The status changes to Normal in about two minutes and then the VPN Gateway is ready to use.
    Note It takes one to five minutes to create a VPN Gateway.

Step 2: Create two customer gateways

Create two customer gateways and register the public IP address of each on-premises gateway device with one of them. To do so, follow these steps:
  1. In the left-side navigation pane, choose VPN > Customer Gateways.
  2. Select the region in which you want to create a customer gateway.
  3. On the Customer Gateways page, click Create Customer Gateway.
  4. On the Create Customer Gateway page, set the parameters, and then click OK.
    • Name: Enter a name for the customer gateway.
    • IP Address: Enter the public IP address of the local gateway.
    • Description: Enter a description of the customer gateway.
    • + Add: Add another customer gateway.

Step 3: Create two IPsec-VPN connections

Create two IPsec-VPN connections to connect the VPN Gateway to the two customer gateways. To do so, follow these steps:
  1. In the left-side navigation pane, choose VPN > IPsec Connections.
  2. Select the region.
  3. On the IPsec Connections page, click Create IPsec Connection.
  4. Configure the IPsec-VPN connection according to the following information and click OK.
    • Name: Enter a name for the IPsec-VPN connection.
    • VPN Gateway: Select the created VPN Gateway.
    • Customer Gateway: Select the created customer gateway.
    • Local Network: Enter the CIDR block of the VPC to which the selected VPN Gateway belongs.
    • Remote Network: Enter the CIDR block of the on-premises data center.
    • Effective Immediately: Select whether to negotiate immediately.
      • Yes: Start the negotiation immediately once the configuration is complete.
      • No: Start the negotiation only when traffic is detected in the tunnel.
    • Pre-Shared Key: Enter a pre-shared key. This value must be the same as the one configured in the local gateway.
    • Health Check: Enable health checks and enter the destination IP address, source IP address, retry interval, and number of retries.

      Use the default settings for other parameters.

  5. Repeat the preceding steps to create an IPsec-VPN connection for the other customer gateway.

Step 4: Configure the local gateway

To configure the local gateway, follow these steps:
  1. In the left-side navigation pane, choose VPN > IPsec Connections.
  2. Select the region.
  3. Find the target IPsec-VPN connection and click Download Configuration.
  4. Configure the local gateway by loading the downloaded IPsec-VPN connection configurations to the local gateway device. For more information, see Local gateway configuration.

    RemoteSubnet and LocalSubnet are the reverse of the Local Network and Remote Network that you set when you created the IPsec-VPN connection in Step 3. Specifically, for the VPN Gateway, the remote network is the CIDR block of the on-premises data center and the local network is the CIDR block of the VPC. For the local gateway, LocalSubnet is the CIDR block of the on-premises data center and RemoteSubnet is the CIDR block of the VPC.

Step 5: Configure a route for the VPN Gateway

To configure a route for the VPN Gateway, follow these steps:

  1. In the left-side navigation pane, choose VPN > VPN Gateways.
  2. On the VPN Gateways page, select the region of the VPN Gateway.
  3. Find the target VPN Gateway, and click the instance ID in the Instance ID/Name column.
  4. On the Destination-based Routing tab page, click Add Route Entry.
  5. Configure the route entry according to the following information and then click OK.
    • Destination CIDR Block: Enter the private CIDR block of the local gateway.
    • Next Hop: Select the target IPsec-VPN connection instance.
    • Publish to VPC: Select whether to publish the new route to the VPC route table.
    • Weight: Select a weight.
      Notice You can set different route weights to distinguish the active route from the standby route. The two destination routes cannot both have the weight 100, and cannot both have the weight 0.

    The routes used in this example are as follows:

    Destination CIDR block                        Next hop                          Publish to VPC   Weight
    The private CIDR block of the local gateway   IPsec-VPN connection instance 1   Yes              100
    The private CIDR block of the local gateway   IPsec-VPN connection instance 2   Yes              0
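The steps above leave several values that must agree with each other: the VPC and on-premises CIDR blocks must not overlap (Prerequisites), the on-premises device's LocalSubnet/RemoteSubnet must be the mirror image of the connection's Local Network/Remote Network (Step 4), and the two route weights must mark one route active and one standby (Step 5). The following Python script is an added example, not Alibaba Cloud code, that checks a planned two-tunnel configuration for those mistakes before anything is created in the console. The field names follow the console labels on this page; the data class, the RFC 1918 check on the customer gateway address, and the rule that the healthy tunnel with the highest route weight carries traffic are modelling assumptions, and the sample plan is constructed.

```python
"""Pre-flight checks for a two-tunnel IPsec-VPN failover plan.

Added example, not Alibaba Cloud code. Field names mirror the console labels
on this page; the data class, the RFC 1918 check and the "healthy tunnel with
the highest weight wins" rule are modelling assumptions.
"""
import ipaddress
from dataclasses import dataclass

# RFC 1918 ranges: a customer gateway's public IP address must not fall in these.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class IpsecConnection:
    name: str
    customer_gateway_ip: str  # static public IP of the on-premises device
    local_network: str        # VPC CIDR (Local Network, as seen by the VPN Gateway)
    remote_network: str       # on-premises CIDR (Remote Network, as seen by the VPN Gateway)
    health_check: bool        # Health Check enabled on the IPsec-VPN connection
    route_weight: int         # destination-based route weight: 100 active, 0 standby


def local_gateway_subnets(conn):
    """Return (LocalSubnet, RemoteSubnet) for the on-premises device.

    Step 4 explains these are the reverse of the VPN Gateway's
    Local Network / Remote Network, so they are simply swapped here.
    """
    return conn.remote_network, conn.local_network


def validate_plan(conns):
    """Return a list of human-readable problems; an empty list means the plan is consistent."""
    problems = []
    if len(conns) != 2:
        problems.append("expected exactly two IPsec-VPN connections")
    if len({c.local_network for c in conns}) != 1:
        problems.append("both connections must use the same VPC CIDR as Local Network")
    if len({c.remote_network for c in conns}) != 1:
        problems.append("both connections must point at the same on-premises CIDR")
    for c in conns:
        # strict=True rejects CIDRs with host bits set (e.g. 10.0.1.5/24) with a ValueError.
        vpc = ipaddress.ip_network(c.local_network, strict=True)
        onprem = ipaddress.ip_network(c.remote_network, strict=True)
        if vpc.overlaps(onprem):
            problems.append(f"{c.name}: VPC CIDR {vpc} overlaps on-premises CIDR {onprem}")
        cgw_ip = ipaddress.ip_address(c.customer_gateway_ip)
        if any(cgw_ip in net for net in RFC1918):
            problems.append(f"{c.name}: customer gateway IP {cgw_ip} is an RFC 1918 address, not a public one")
        if not c.health_check:
            problems.append(f"{c.name}: health check disabled, so a dead tunnel would never trigger failover")
    weights = sorted(c.route_weight for c in conns)
    if weights in ([100, 100], [0, 0]):
        problems.append("route weights must distinguish the active route (100) from the standby route (0)")
    return problems


def active_connection(conns, healthy):
    """Name of the tunnel carrying traffic: the healthy one with the highest weight, or None."""
    candidates = [c for c in conns if healthy.get(c.name, False)]
    if not candidates:
        return None
    return max(candidates, key=lambda c: c.route_weight).name


# Constructed sample plan: VPC 192.168.0.0/16, on-premises 10.0.0.0/16,
# two customer gateways on documentation (TEST-NET-3) addresses.
SAMPLE_PLAN = [
    IpsecConnection("ipsec-cgw1", "203.0.113.10", "192.168.0.0/16", "10.0.0.0/16", True, 100),
    IpsecConnection("ipsec-cgw2", "203.0.113.20", "192.168.0.0/16", "10.0.0.0/16", True, 0),
]

if __name__ == "__main__":
    for line in validate_plan(SAMPLE_PLAN) or ["plan is consistent"]:
        print(line)
    for c in SAMPLE_PLAN:
        print(c.name, "on-premises LocalSubnet/RemoteSubnet:", local_gateway_subnets(c))
    print("all healthy ->", active_connection(SAMPLE_PLAN, {"ipsec-cgw1": True, "ipsec-cgw2": True}))
    print("cgw1 down   ->", active_connection(SAMPLE_PLAN, {"ipsec-cgw1": False, "ipsec-cgw2": True}))
```

Run it with the sample plan and it reports a consistent configuration, prints the swapped subnets to load into each on-premises device, and shows that traffic follows the weight-100 tunnel while both are healthy and moves to the weight-0 tunnel once the first is marked down. Swapping in a plan where both weights are 100, or where the on-premises CIDR sits inside the VPC CIDR, produces the corresponding problem lines instead.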