
VPN Gateway:Connect a VPC to a data center in dual-tunnel mode

Last Updated: Feb 28, 2024

This topic describes how to create an IPsec-VPN connection in dual-tunnel mode between a virtual private cloud (VPC) and a data center by using a public VPN gateway. The IPsec-VPN connection enables encrypted communication between the VPC and the data center and ensures high availability in communication.

Prerequisites

  • If the IPsec-VPN connection is associated with a public VPN gateway, a public IP address must be assigned to the on-premises gateway device.

    For regions that support the dual-tunnel mode, we recommend that you configure two public IP addresses for the on-premises gateway device. Alternatively, you can deploy two on-premises gateway devices in the data center and configure a public IP address for each gateway device. This way, you can create high-availability IPsec-VPN connections. For more information about the regions that support the dual-tunnel mode, see [Upgrade notice] IPsec-VPN connections support the dual-tunnel mode.

  • The on-premises gateway device must support IKEv1 or IKEv2 to establish IPsec-VPN connections with a VPN gateway.

  • The CIDR block of the data center must not overlap with the CIDR block of the VPC.

Example

In this example, the following scenario is used. An enterprise has created a VPC in the China (Hohhot) region. The primary CIDR block of the VPC is 192.168.0.0/16. The enterprise has a data center in Hohhot. Due to business development, the devices in the CIDR block 172.16.0.0/16 of the data center need to access the VPC. To meet this requirement, the enterprise can establish an IPsec-VPN connection between the VPC and the data center. The IPsec-VPN connection enables encrypted communication between the VPC and the data center and ensures high availability in communication.

[Figure: Interconnection between the data center and the VPC (dual tunnel)]

Preparations

  • A VPC is created in the China (Hohhot) region, and workloads are deployed on the Elastic Compute Service (ECS) instances in the VPC. For more information, see Create a VPC with an IPv4 CIDR block.

  • The security group rules that are configured on the ECS instances in the VPC and the access control rules of the data center allow the data center and VPC to communicate with each other. For more information about security group rules for ECS instances, see View security group rules and Add a security group rule.

Procedure

[Figure: Configuration process for interconnecting the data center and the VPC (dual tunnel)]

Step 1: Create a VPN gateway

  1. Log on to the VPN Gateway console.

  2. In the top navigation bar, select the region in which you want to create the VPN gateway.

    The VPN gateway and the VPC that the data center needs to access must be in the same region.

  3. On the VPN Gateway page, click Create VPN Gateway.

  4. On the buy page, configure the following parameters, click Buy Now, and then complete the payment.

    • Name: Enter a name for the VPN gateway. In this example, VPNGW is used.

    • Resource Group: Select the resource group to which the VPN gateway belongs. If you leave this parameter empty, the VPN gateway belongs to the default resource group. In this example, this parameter is left empty.

    • Region: Select the region in which you want to create the VPN gateway. In this example, China (Hohhot) is selected.

    • Gateway Type: Select a gateway type. In this example, Standard is selected.

    • Network Type: Select a network type for the VPN gateway. In this example, Public is selected.
      • Public: The VPN gateway can be used to establish VPN connections over the Internet.
      • Private: The VPN gateway can be used to establish VPN connections over private networks.

    • Tunnels: Select a tunnel mode. Valid values: Dual-tunnel and Single-tunnel. For more information about the single-tunnel mode and dual-tunnel mode, see [Upgrade notice] IPsec-VPN connections support the dual-tunnel mode. In this example, the default value Dual-tunnel is used.

    • VPC: Select the VPC that you want to associate with the VPN gateway. In this example, the VPC deployed in the China (Hohhot) region is selected.

    • VSwitch: Select a vSwitch from the selected VPC. In this example, a vSwitch in the VPC is selected.
      • If you select Single-tunnel, you need to specify one vSwitch.
      • If you select Dual-tunnel, you need to specify two vSwitches.
      Note: The system selects a vSwitch by default. You can keep or change the default vSwitch. After you create a VPN gateway, you cannot change the vSwitch associated with the VPN gateway. You can view the associated vSwitch and the zone of the vSwitch on the details page of the VPN gateway.

    • vSwitch 2: Select another vSwitch from the selected VPC. In this example, another vSwitch in the VPC is selected.
      • The two vSwitches must be in different zones to implement zone disaster recovery.
      • For a region that supports only one zone, zone disaster recovery is not supported. We recommend that you specify two vSwitches in the zone to implement high availability of IPsec-VPN connections. You can select the same vSwitch as the first one.
      Note: If only one vSwitch is deployed in the VPC, create a vSwitch. For more information, see Create and manage a vSwitch.

    • Peak Bandwidth: Select a maximum bandwidth value for the VPN gateway. Unit: Mbit/s. In this example, the default value is used.

    • Traffic: Select a metering method for the VPN gateway. Default value: Pay-by-data-transfer. For more information, see Billing rules. In this example, the default value is used.

    • IPsec-VPN: Specify whether to enable IPsec-VPN. Default value: Enable. In this example, Enable is selected.

    • SSL-VPN: Specify whether to enable SSL-VPN. Default value: Disable. In this example, Disable is selected.

    • Duration: Select a billing cycle for the VPN gateway. Default value: By Hour. In this example, the default value is used.

    • Service-linked Role: Click Create Service-linked Role. The system then automatically creates the service-linked role AliyunServiceRoleForVpn, which the VPN gateway assumes to access other cloud resources. For more information, see AliyunServiceRoleForVpn. If Created is displayed, the service-linked role already exists and you do not need to create it again. Configure this parameter based on actual conditions.

  5. After you create the VPN gateway, view the VPN gateway on the VPN Gateway page.

    The newly created VPN gateway is in the Preparing state and changes to the Normal state after about 1 to 5 minutes. After the status changes to Normal, the VPN gateway is ready for use.

    Two public IP addresses are assigned to each public VPN gateway for establishing two encrypted tunnels. The following table describes the public IP addresses that are assigned to the VPN gateway.

    IPsec tunnel                 IP address
    Tunnel 1 (active tunnel)     47.XX.XX.157
    Tunnel 2 (standby tunnel)    47.XX.XX.138

Step 2: Create a customer gateway

  1. In the left-side navigation pane, choose Interconnections > VPN > Customer Gateways.

  2. In the top navigation bar, select the region in which you want to create the customer gateway.

    Make sure that the customer gateway and the VPN gateway to be connected are deployed in the same region.

  3. On the Customer Gateways page, click Create Customer Gateway.

  4. In the Create Customer Gateway panel, configure the following parameters and click OK.

    You must create two customer gateways in order to create two encrypted tunnels. The following table describes only the parameters that are relevant to this topic. You can use the default values for other parameters or leave them empty. For more information, see Create and manage a customer gateway.

    • Name: Enter a name for the customer gateway. For Customer Gateway 1, CustomerGW1 is used. For Customer Gateway 2, CustomerGW2 is used.

    • IP Address: Enter the public IP address of the gateway device in the data center. For Customer Gateway 1, 211.XX.XX.36 is used. For Customer Gateway 2, 211.XX.XX.71 is used.

Step 3: Create an IPsec-VPN connection

  1. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

  2. In the top navigation bar, select the region in which you want to create the IPsec-VPN connection.

    Make sure that the IPsec-VPN connection and the VPN gateway are in the same region.

  3. On the IPsec Connections page, click Create IPsec-VPN Connection.

  4. On the Create IPsec-VPN Connection page, configure the following parameters and click OK.

    • Name: Enter a name for the IPsec-VPN connection. In this example, IPsec-Connection is used.

    • Resource Group: Select the resource group to which the VPN gateway belongs. In this example, the default resource group is selected.

    • Associate Resource: Select the type of network resource to be associated with the IPsec-VPN connection. In this example, VPN Gateway is selected.

    • VPN Gateway: Select the VPN gateway that you want to associate with the IPsec-VPN connection. In this example, the VPN gateway VPNGW is selected.

    • Routing Mode: Select a routing mode. In this example, Destination Routing Mode is selected.
      • Destination Routing Mode: Traffic is forwarded based on the destination IP address.
      • Protected Data Flows: Traffic is forwarded based on the source and destination IP addresses.

    • Effective Immediately: Specify whether to immediately start negotiations for the connection. In this example, Yes is selected.
      • Yes: starts negotiations after the configuration is complete.
      • No: starts negotiations when traffic is detected.

    • Enable BGP: If you want to use Border Gateway Protocol (BGP) routing for the IPsec-VPN connection, turn on Enable BGP. By default, Enable BGP is turned off. In this example, Enable BGP is turned off.

    • Tunnel 1: Configure VPN parameters for the active tunnel. By default, Tunnel 1 serves as the active tunnel and Tunnel 2 serves as the standby tunnel. You cannot modify this configuration.
      • Customer Gateway: Select the customer gateway that you want to associate with the active tunnel. In this example, CustomerGW1 is selected.
      • Pre-Shared Key: Enter a pre-shared key for the active tunnel to verify identities. In this example, fddsFF123**** is used.
        • The pre-shared key must be 1 to 100 characters in length, and can contain digits, letters, and the following characters: ~ ` ! @ # $ % ^ & * ( ) _ - + = { } [ ] \ | ; : ' , . < > / ?
        • If you do not specify a pre-shared key, the system generates a random 16-character string as the pre-shared key.
        Important: The IPsec-VPN connection and the peer gateway device must use the same pre-shared key. Otherwise, the system cannot establish an IPsec-VPN connection.
      • Encryption Configuration: Configure the parameters for IKE, IPsec, dead peer detection (DPD), and NAT traversal. In this example, IKEv1 is used and the default values are retained for other parameters. For more information, see Create and manage an IPsec-VPN connection in dual-tunnel mode.

    • Tunnel 2: Configure VPN parameters for the standby tunnel.
      • Customer Gateway: Select the customer gateway that you want to associate with the standby tunnel. In this example, CustomerGW2 is selected.
      • Pre-Shared Key: Enter a pre-shared key for the standby tunnel to verify identities. In this example, fddsFF456**** is used.
      • Encryption Configuration: Configure the parameters for IKE, IPsec, DPD, and NAT traversal. In this example, IKEv1 is used and the default values are retained for other parameters. For more information, see Create and manage an IPsec-VPN connection in dual-tunnel mode.

    • Tags: Add a tag to the IPsec-VPN connection. In this example, this parameter is left empty.

  5. In the Created message, click OK.

  6. On the IPsec Connections page, find the IPsec-VPN connection that you created and click Generate Peer Configuration in the Actions column.

    The peer configuration is the set of VPN parameters that the remote side must use to match the IPsec-VPN connection you created. In this example, you add these parameters to the gateway devices in the data center.

  7. In the IPsec-VPN Connection Configuration dialog box, copy and save the configurations to an on-premises machine. The configurations are required when you configure the gateway device of the data center.

Step 4: Configure the gateway devices in the data center

After you create an IPsec-VPN connection on Alibaba Cloud, you need to add VPN and routing configurations to the gateway devices in the data center to allow the gateway devices to connect to the IPsec-VPN connection. Then, network traffic is transmitted from the active tunnel to the VPC by default. If the active tunnel is down, the standby tunnel automatically takes over.

Note

The following content contains third-party product information, which is for reference only. Alibaba Cloud does not make guarantees or other forms of commitments for the performance and reliability of the third-party tools, or the potential impacts of operations performed by using these tools.

The commands may vary with different vendors. Contact the vendor to obtain the information about specific commands.

  1. Add the VPN configurations downloaded in Step 3 to the gateway device in the data center.

    1. Open the command-line interface (CLI) of the gateway device.

    2. Create an ISAKMP policy.

      ! Add the following configuration to Gateway Device 1 and Gateway Device 2 in the data center:
      crypto isakmp policy 1
       authentication pre-share
       encryption aes
       hash sha
       group 2
       lifetime 86400
    3. Set a pre-shared key.

      ! Add the following configuration to Gateway Device 1 in the data center:
      crypto isakmp key fddsFF123**** address 47.XX.XX.157
      ! Add the following configuration to Gateway Device 2 in the data center:
      crypto isakmp key fddsFF456**** address 47.XX.XX.138
    4. Configure the IPsec protocol.

      ! Add the following configuration to Gateway Device 1 and Gateway Device 2 in the data center:
      crypto ipsec transform-set ipsecpro64 esp-aes esp-sha-hmac
       mode tunnel
    5. Create an access control list (ACL) to implement access control.

      ! Add the following configuration to Gateway Device 1 and Gateway Device 2 in the data center:
      access-list 100 permit ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.255.255
    6. Create an IPsec policy.

      ! Add the following configuration to Gateway Device 1 in the data center:
      crypto map ipsecpro64 10 ipsec-isakmp
       set peer 47.XX.XX.157
       set transform-set ipsecpro64
       set pfs group2
       match address 100
      ! Add the following configuration to Gateway Device 2 in the data center:
      crypto map ipsecpro64 10 ipsec-isakmp
       set peer 47.XX.XX.138
       set transform-set ipsecpro64
       set pfs group2
       match address 100
    7. Apply the IPsec policy.

      ! Add the following configuration to Gateway Device 1 in the data center.
      ! Apply the IPsec policy to the interface that is assigned a public IP address.
      interface GigabitEthernet1
       crypto map ipsecpro64
      ! Add the following configuration to Gateway Device 2 in the data center.
      ! Apply the IPsec policy to the interface that is assigned a public IP address.
      interface GigabitEthernet1
       crypto map ipsecpro64
  2. Add routing configurations to Gateway Device 1 and Gateway Device 2 in the data center.

    1. Add a route that points to the VPC to Gateway Device 1 and Gateway Device 2.

      ! Add a route that points to the VPC to Gateway Device 1.
      ip route 192.168.0.0 255.255.0.0 47.XX.XX.157
      ! Add a route that points to the VPC to Gateway Device 2.
      ip route 192.168.0.0 255.255.0.0 47.XX.XX.138

    2. Add routes to the data center based on your network environment. The routes must allow network traffic to be transmitted from the data center to the VPC preferentially over Gateway Device 1. If Gateway Device 1 is down, Gateway Device 2 automatically takes over. Contact the vendor to obtain the information about specific commands.
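A mistake on Gateway Device 2 only shows up when the active tunnel fails, so it is worth auditing both device configurations before the failover test. The following Python script is an added example, not part of the Alibaba Cloud documentation: it checks that each device's peer address, pre-shared-key address and route next hop agree and name one of the VPN gateway's two tunnel addresses, that ACL 100 matches the two CIDR blocks (deriving the IOS wildcard masks from them and rejecting overlapping blocks, the prerequisite of this topic), and that everything except the peer address and key is identical on both devices. The configuration strings are constructed from this step's own lines, using the page's masked addresses and key placeholders.

```python
import ipaddress
import re

# Constructed input: the Step 4 configuration of Gateway Device 1 (the page's masked addresses and key placeholders).
GW1_CONFIG = """\
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp key fddsFF123**** address 47.XX.XX.157
crypto ipsec transform-set ipsecpro64 esp-aes esp-sha-hmac
 mode tunnel
access-list 100 permit ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.255.255
crypto map ipsecpro64 10 ipsec-isakmp
 set peer 47.XX.XX.157
 set transform-set ipsecpro64
 set pfs group2
 match address 100
ip route 192.168.0.0 255.255.0.0 47.XX.XX.157
"""
# Gateway Device 2 differs only in the tunnel address it terminates on and its pre-shared key.
GW2_CONFIG = GW1_CONFIG.replace("47.XX.XX.157", "47.XX.XX.138").replace("fddsFF123****", "fddsFF456****")

VPN_GATEWAY_IPS = {"47.XX.XX.157", "47.XX.XX.138"}  # Tunnel 1 (active), Tunnel 2 (standby)
IDC_CIDR, VPC_CIDR = "172.16.0.0/16", "192.168.0.0/16"
PER_DEVICE = re.compile(r"crypto isakmp key|^ set peer|^ip route")  # the only lines allowed to differ

def expected_acl(idc: str, vpc: str) -> str:
    """ACL 100 as it must appear on both devices; hostmask is the IOS wildcard (inverted) mask."""
    i, v = ipaddress.ip_network(idc), ipaddress.ip_network(vpc)
    if i.overlaps(v):
        raise ValueError(f"prerequisite violated: {idc} overlaps {vpc}")
    return f"access-list 100 permit ip {i.network_address} {i.hostmask} {v.network_address} {v.hostmask}"

def audit_device(config: str) -> list[str]:
    """Problems in one device: peer, key address and route next hop must be one VPN gateway tunnel IP."""
    peers = set(re.findall(r"^ set peer (\S+)", config, re.M))
    key_addrs = set(re.findall(r"^crypto isakmp key \S+ address (\S+)", config, re.M))
    next_hops = set(re.findall(r"^ip route \S+ \S+ (\S+)", config, re.M))
    problems = []
    if len(peers) != 1 or not (peers == key_addrs == next_hops):
        problems.append(f"peer {peers}, key address {key_addrs} and route next hop {next_hops} disagree")
    if not peers <= VPN_GATEWAY_IPS:
        problems.append(f"peer {peers} is not one of the VPN gateway tunnel addresses")
    if expected_acl(IDC_CIDR, VPC_CIDR) not in config.splitlines():
        problems.append("ACL 100 does not match the data center and VPC CIDR blocks")
    return problems

def audit_pair(cfg1: str, cfg2: str) -> dict[str, list[str]]:
    """Audit both devices and the pair; returns only the entries that found problems (empty dict = clean)."""
    report = {"Gateway Device 1": audit_device(cfg1), "Gateway Device 2": audit_device(cfg2), "pair": []}
    shared = [[line for line in c.splitlines() if not PER_DEVICE.search(line)] for c in (cfg1, cfg2)]
    if shared[0] != shared[1]:
        report["pair"].append("ISAKMP policy, transform set or ACL differ between the two devices")
    if set(re.findall(r"^ set peer (\S+)", cfg1, re.M)) & set(re.findall(r"^ set peer (\S+)", cfg2, re.M)):
        report["pair"].append("both devices terminate on the same tunnel address, so there is no standby")
    return {k: v for k, v in report.items() if v}
```

Run audit_pair() on the two device configurations exported from your own gateways; an empty result means the standby device mirrors the active one except for its tunnel address and key.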

Step 5: Add routes to the VPN gateway

  1. In the left-side navigation pane, choose Interconnections > VPN > VPN Gateways.

  2. In the top navigation bar, select the region of the VPN gateway.

  3. On the VPN Gateway page, click the ID of the VPN gateway that you want to manage.

  4. Click the Destination-based Route Table tab and click Add Route Entry.

  5. In the Add Route Entry panel, configure the following parameters and click OK.

    • Destination CIDR Block: Enter the private CIDR block of the data center. In this example, 172.16.0.0/16 is entered.

    • Next Hop Type: Select a next hop type. In this example, IPsec-VPN connection is selected.

    • Next Hop: Select a next hop. In this example, IPsec-Connection is selected.

    • Advertise to VPC: Specify whether to advertise the route to the VPC that is associated with the VPN gateway. In this example, Yes is selected.

Step 6: Test the network connectivity

  1. Test the network connectivity between the VPC and data center.

    1. Log on to an ECS instance in the VPC. For more information about how to log on to an ECS instance, see Connection method overview.

    2. Run the ping command on the ECS instance to ping a server in the data center to test the accessibility of the data center.

      If an echo reply packet is returned to the ECS instance, it indicates that the VPC can communicate with the data center.

      ping <IP address of a server in the data center>
  2. Test high availability of the IPsec-VPN connection.

    1. Log on to an ECS instance in the VPC. For more information about how to log on to an ECS instance, see Connection method overview.

    2. Run the following command to consecutively send packets from the ECS instance to the data center:

      ping <IP address of a server in the data center> -c 10000
    3. Close the active tunnel of the IPsec-VPN connection.

      You can close the active tunnel by modifying the pre-shared key of the active tunnel. The active tunnel is closed when the two sides of the tunnel use different pre-shared keys.

    4. After the active tunnel is closed, you can check the traffic status on the ECS instance. If the traffic is interrupted and then resumed, it indicates that the standby tunnel automatically takes over after the active tunnel is down.
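The failover test above is easier to judge from a saved ping log than by watching the terminal. The following Python script is an added example, not from the original topic: it parses the output of iputils ping run with -D (a Unix timestamp on every reply), reports how long traffic was interrupted and which icmp_seq numbers were lost, and tells a successful takeover apart from two failure modes, no interruption at all and loss that never recovers. The sample output is constructed.

```python
import re
from dataclasses import dataclass

# Reply lines from iputils `ping -D` look like "[unix_time] 64 bytes from host: icmp_seq=N ttl=T time=X ms".
REPLY_RE = re.compile(r"^\[(?P<ts>\d+\.\d+)\] \d+ bytes from .*?icmp_seq=(?P<seq>\d+)")
SUMMARY_RE = re.compile(r"(?P<sent>\d+) packets transmitted, (?P<recv>\d+) received")

# Constructed sample: a failover run in which icmp_seq 4-12 were lost while the standby tunnel came up.
SAMPLE = """\
PING 172.16.1.10 (172.16.1.10) 56(84) bytes of data.
[1709114400.001] 64 bytes from 172.16.1.10: icmp_seq=1 ttl=63 time=2.9 ms
[1709114401.002] 64 bytes from 172.16.1.10: icmp_seq=2 ttl=63 time=3.0 ms
[1709114402.003] 64 bytes from 172.16.1.10: icmp_seq=3 ttl=63 time=2.8 ms
[1709114412.004] 64 bytes from 172.16.1.10: icmp_seq=13 ttl=63 time=3.1 ms
[1709114413.005] 64 bytes from 172.16.1.10: icmp_seq=14 ttl=63 time=3.0 ms

--- 172.16.1.10 ping statistics ---
14 packets transmitted, 5 received, 64.2857% packet loss, time 13015ms
"""

@dataclass
class Outage:
    first_lost_seq: int
    last_lost_seq: int
    duration_s: float  # gap between the last reply before the loss and the first reply after it

def parse_replies(ping_output: str) -> list[tuple[float, int]]:
    """Return (timestamp, icmp_seq) for every reply line, in the order received."""
    matches = (REPLY_RE.match(line) for line in ping_output.splitlines())
    return [(float(m["ts"]), int(m["seq"])) for m in matches if m]

def find_outages(replies: list[tuple[float, int]]) -> list[Outage]:
    """Every jump in icmp_seq between consecutive replies is a run of lost packets."""
    outages = []
    for (prev_ts, prev_seq), (ts, seq) in zip(replies, replies[1:]):
        if seq > prev_seq + 1:
            outages.append(Outage(prev_seq + 1, seq - 1, round(ts - prev_ts, 3)))
    return outages

def failover_verdict(ping_output: str) -> str:
    """Interpret the run as Step 6 describes: interrupted and then resumed means the standby took over."""
    replies = parse_replies(ping_output)
    if not replies:
        return "no replies at all: neither tunnel is passing traffic"
    summary = SUMMARY_RE.search(ping_output)
    last_seq = replies[-1][1]
    # Loss that never ends (allowing one packet still in flight when ping stopped) is not a failover.
    if summary and last_seq < int(summary["sent"]) - 1:
        return f"traffic did not resume after icmp_seq {last_seq}: the standby tunnel did not take over"
    outages = find_outages(replies)
    if not outages:
        return "no interruption observed: check that the active tunnel was really closed"
    worst = max(outages, key=lambda o: o.duration_s)
    return (f"traffic interrupted for {worst.duration_s:.1f} s (icmp_seq {worst.first_lost_seq}-"
            f"{worst.last_lost_seq}) and then resumed: the standby tunnel took over")
```

On the ECS instance, capture the run with ping -D -c 10000 <IP address of a server in the data center> | tee ping.log and pass the file contents to failover_verdict().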