VPN Gateway:Use IPsec-VPN and CEN to build a high-quality global network

Last Updated:Jul 18, 2023

This topic describes how to use VPN Gateway and Cloud Enterprise Network (CEN) to connect data centers to Alibaba Cloud and build a cross-border enterprise network that is high quality and cost-effective.

Prerequisites

Before you start, make sure that the following requirements are met:

  • Virtual private clouds (VPCs) are created, and applications are deployed in the VPCs. For more information, see Create and manage a VPC.

  • A gateway device is deployed in each office and a static public IP address is allocated to each gateway device.

  • A CEN instance is created. For more information, see Create a CEN instance.

  • A CEN bandwidth plan is purchased and the bandwidth for inter-region communication is allocated. For more information, see Use a bandwidth plan and Manage bandwidth for cross-region connections.

  • The CIDR blocks to be connected must not overlap with each other.

Background information

An international company has two offices in Silicon Valley and two offices in Shanghai. The company has created VPC1 in the US (Silicon Valley) region and VPC2 in the China (Shanghai) region, and an application is deployed in each VPC. Due to business development, the company wants to connect the following networks: the networks of the offices in Shanghai and Silicon Valley, VPC1, and VPC2. The following table describes the CIDR blocks of the networks.

Network                        CIDR block
Office1 in Silicon Valley      10.10.10.0/24
Office2 in Silicon Valley      10.10.20.0/24
VPC1 in US (Silicon Valley)    172.16.0.0/16
Office3 in Shanghai            10.20.10.0/24
Office4 in Shanghai            10.20.20.0/24
VPC2 in China (Shanghai)       192.168.0.0/16

(Figure: IPsec)

You can use a VPN gateway (VPNgateway1) to connect Office1 and Office2 to VPC1, and use another VPN gateway (VPNgateway2) to connect Office3 and Office4 to VPC2, as shown in the preceding figure. Then, you can attach VPC1 and VPC2 to the same CEN instance to enable cross-border communication.

Procedure

Step 1: Create IPsec-VPN connections to connect Office1 and Office2 to VPC1

To create IPsec-VPN connections in the US (Silicon Valley) region to connect Office1 and Office2 to VPC1, perform the following operations:

  1. Create a VPN gateway in VPC1.

    Set the following parameters:

    • Name: Enter a name for the VPN gateway. In this example, VPNgateway1 is used.

    • Region: Select US (Silicon Valley).

    • VPC: Select the VPC in the US (Silicon Valley) region.

    • Specify VSwitch: Select No.

    • Maximum Bandwidth: Select 10 Mbit/s.

    • Traffic: Select Pay-by-data-transfer.

    • IPsec-VPN: Select Enable.

    • SSL-VPN: Select Disable.

    • Duration: Select By Hour.

    • Service-linked Role: Click Create Service-linked Role and the system automatically creates the service-linked role AliyunServiceRoleForVpn.

      Note

      For more information about how a VPN gateway assumes the role to access other cloud resources, see AliyunServiceRoleForVpn.

      If Created is displayed, the service-linked role is created and you do not need to create it again.

    For more information, see Create and manage a VPN gateway.

  2. Create two customer gateways and register the public IP addresses of the gateway devices in Office1 and Office2 with the customer gateways. The public IP addresses are used to create IPsec-VPN connections.

    Set the following parameters to create a customer gateway for Office1:

    • Name: Enter a name for the customer gateway. In this example, customer_gt1 is used.

    • IP Address: Enter the static public IP address of the gateway device in Office1. In this example, 1.1.XX.XX is used.

    Set the following parameters to create a customer gateway for Office2:

    • Name: Enter a name for the customer gateway. In this example, customer_gt2 is used.

    • IP Address: Enter the static public IP address of the gateway device in Office2. In this example, 2.2.XX.XX is used.

    For more information, see Create a customer gateway.

  3. Create two IPsec-VPN connections to connect the gateway devices in Office1 and Office2 to VPNgateway1.

    Set the following parameters to create an IPsec-VPN connection between Office1 and VPNgateway1:

    • Name: Enter a name for the IPsec-VPN connection. In this example, IPsec1 is used.

    • VPN Gateway: Select the VPN gateway created in the US (Silicon Valley) region. In this example, VPNgateway1 is selected.

    • Customer Gateway: Select the customer gateway to be connected. In this example, customer_gt1 is selected.

    • Routing Mode: Select Protected Data Flows.

    • Local Network: Enter the CIDR block of the VPC to be connected to the office. In this example, 172.16.0.0/16 is entered.

    • Remote Network: Enter the CIDR block of Office1 to be connected to the VPC. In this example, 10.10.10.0/24 is entered.

    • Effective Immediately: Specify whether to negotiate immediately. In this example, Yes is selected.

      • Yes: starts connection negotiations after the configuration is completed.

      • No: starts negotiations when inbound traffic is detected.

    • Pre-Shared Key: Enter a pre-shared key for identity verification between VPNgateway1 and customer_gt1. In this example, 123456 is entered.

    Use the default settings for the other parameters.

    Set the following parameters to create an IPsec-VPN connection between Office2 and VPNgateway1:

    • Name: Enter a name for the IPsec-VPN connection. In this example, IPsec2 is used.

    • VPN Gateway: Select the VPN gateway created in the US (Silicon Valley) region. In this example, VPNgateway1 is selected.

    • Customer Gateway: Select the customer gateway to be connected. In this example, customer_gt2 is selected.

    • Routing Mode: Select Protected Data Flows.

    • Local Network: Enter the CIDR block of the VPC to be connected to the office. In this example, 172.16.0.0/16 is entered.

    • Remote Network: Enter the CIDR block of Office2 to be connected to the VPC. In this example, 10.10.20.0/24 is entered.

    • Effective Immediately: Specify whether to negotiate immediately. In this example, Yes is selected.

      • Yes: starts connection negotiations after the configuration is completed.

      • No: starts negotiations when inbound traffic is detected.

    • Pre-Shared Key: Enter a pre-shared key for identity verification between VPNgateway1 and customer_gt2. In this example, 123456 is entered.

    Use the default settings for the other parameters.

    For more information, see Create and manage IPsec-VPN connections in single-tunnel mode.

  4. Load the configurations of the IPsec-VPN connections to the gateway devices in Office1 and Office2.

    For more information, see Configure local gateways.

  5. Configure routes on VPNgateway1.

    Configure the following route on VPNgateway1 to route network traffic that is destined for Office1:

    • Destination CIDR Block: Enter the private CIDR block of the destination. In this example, 10.10.10.0/24 is entered.

    • Next Hop Type: Select IPsec Connection.

    • Next Hop: Select an IPsec-VPN connection. In this example, IPsec1 is selected.

    • Publish to VPC: Specify whether to automatically advertise this route to the route table of VPC1. In this example, Yes is selected.

      • Yes: automatically advertises the route to the route table of the VPC. We recommend that you select this value.

      • No: does not advertise the route to the route table of the VPC.

    • Weight: Specify a weight. In this example, 0 is specified.

    Configure the following route on VPNgateway1 to route network traffic that is destined for Office2:

    • Destination CIDR Block: Enter the private CIDR block of the destination. In this example, 10.10.20.0/24 is entered.

    • Next Hop Type: Select IPsec Connection.

    • Next Hop: Select an IPsec-VPN connection. In this example, IPsec2 is selected.

    • Publish to VPC: Specify whether to automatically advertise this route to the route table of VPC1. In this example, Yes is selected.

      • Yes: automatically advertises the route to the route table of the VPC. We recommend that you select this value.

      • No: does not advertise the route to the route table of the VPC.

    • Weight: Specify a weight. In this example, 0 is specified.

    The following figure shows the route tables of Office1, Office2, VPNgateway1, and VPC1.

    (Figure: Route tables of Office1, Office2, VPNgateway1, and VPC1)

Step 2: Create IPsec-VPN connections to connect Office3 and Office4 to VPC2

To create IPsec-VPN connections in the China (Shanghai) region to connect Office3 and Office4 to VPC2, perform the following operations:

  1. Create a VPN gateway in VPC2.

    Set the following parameters:

    • Name: Enter a name for the VPN gateway. In this example, VPNgateway2 is used.

    • Region: Select China (Shanghai).

    • VPC: Select the VPC in the China (Shanghai) region.

    • Specify VSwitch: Select No.

    • Maximum Bandwidth: Select 10 Mbit/s.

    • Traffic: Select Pay-by-data-transfer.

    • IPsec-VPN: Select Enable.

    • SSL-VPN: Select Disable.

    • Duration: Select By Hour.

    • Service-linked Role: Click Create Service-linked Role and the system automatically creates the service-linked role AliyunServiceRoleForVpn.

      Note

      For more information about how a VPN gateway assumes the role to access other cloud resources, see AliyunServiceRoleForVpn.

      If Created is displayed, the service-linked role is created and you do not need to create it again.

    For more information, see Create and manage a VPN gateway.

  2. Create two customer gateways and register the public IP addresses of the gateway devices in Office3 and Office4 with the customer gateways. The public IP addresses are used to create IPsec-VPN connections.

    Set the following parameters to create a customer gateway for Office3:

    • Name: Enter a name for the customer gateway. In this example, customer_gt3 is used.

    • IP Address: Enter the static public IP address of the gateway device in Office3. In this example, 3.3.XX.XX is used.

    Set the following parameters to create a customer gateway for Office4:

    • Name: Enter a name for the customer gateway. In this example, customer_gt4 is used.

    • IP Address: Enter the static public IP address of the gateway device in Office4. In this example, 4.4.XX.XX is used.

    For more information, see Create a customer gateway.

  3. Create two IPsec-VPN connections to connect the gateway devices in Office3 and Office4 to VPNgateway2.

    Set the following parameters to create an IPsec-VPN connection between Office3 and VPNgateway2:

    • Name: Enter a name for the IPsec-VPN connection. In this example, IPsec3 is used.

    • VPN Gateway: Select the VPN gateway created in the China (Shanghai) region. In this example, VPNgateway2 is selected.

    • Customer Gateway: Select the customer gateway to be connected. In this example, customer_gt3 is selected.

    • Routing Mode: Select Protected Data Flows.

    • Local Network: Enter the CIDR block of the VPC to be connected to the office. In this example, 192.168.0.0/16 is entered.

    • Remote Network: Enter the CIDR block of Office3 to be connected to the VPC. In this example, 10.20.10.0/24 is entered.

    • Effective Immediately: Specify whether to negotiate immediately. In this example, Yes is selected.

      • Yes: starts connection negotiations after the configuration is completed.

      • No: starts negotiations when inbound traffic is detected.

    • Pre-Shared Key: Enter a pre-shared key for identity verification between VPNgateway2 and customer_gt3. In this example, 123456 is entered.

    Use the default settings for the other parameters.

    Set the following parameters to create an IPsec-VPN connection between Office4 and VPNgateway2:

    • Name: Enter a name for the IPsec-VPN connection. In this example, IPsec4 is used.

    • VPN Gateway: Select the VPN gateway created in the China (Shanghai) region. In this example, VPNgateway2 is selected.

    • Customer Gateway: Select the customer gateway to be connected. In this example, customer_gt4 is selected.

    • Routing Mode: Select Protected Data Flows.

    • Local Network: Enter the CIDR block of the VPC to be connected to the office. In this example, 192.168.0.0/16 is entered.

    • Remote Network: Enter the CIDR block of Office4 to be connected to the VPC. In this example, 10.20.20.0/24 is entered.

    • Effective Immediately: Specify whether to negotiate immediately. In this example, Yes is selected.

      • Yes: starts connection negotiations after the configuration is completed.

      • No: starts negotiations when inbound traffic is detected.

    • Pre-Shared Key: Enter a pre-shared key for identity verification between VPNgateway2 and customer_gt4. In this example, 654321 is entered.

    Use the default settings for the other parameters.

    For more information, see Create and manage IPsec-VPN connections in single-tunnel mode.

  4. Load the configurations of the IPsec-VPN connections to the gateway devices in Office3 and Office4.

    For more information, see Configure local gateways.

  5. Configure routes on VPNgateway2.

    Configure the following route on VPNgateway2 to route network traffic that is destined for Office3:

    • Destination CIDR Block: Enter the private CIDR block of the destination. In this example, 10.20.10.0/24 is entered.

    • Next Hop Type: Select IPsec Connection.

    • Next Hop: Select an IPsec-VPN connection. In this example, IPsec3 is selected.

    • Publish to VPC: Specify whether to automatically advertise this route to the route table of VPC2. In this example, Yes is selected.

      • Yes: automatically advertises the route to the route table of the VPC. We recommend that you select this value.

      • No: does not advertise the route to the route table of the VPC.

    • Weight: Specify a weight. In this example, 0 is specified.

    Configure the following route on VPNgateway2 to route network traffic that is destined for Office4:

    • Destination CIDR Block: Enter the private CIDR block of the destination. In this example, 10.20.20.0/24 is entered.

    • Next Hop Type: Select IPsec Connection.

    • Next Hop: Select an IPsec-VPN connection. In this example, IPsec4 is selected.

    • Publish to VPC: Specify whether to automatically advertise this route to the route table of VPC2. In this example, Yes is selected.

      • Yes: automatically advertises the route to the route table of the VPC. We recommend that you select this value.

      • No: does not advertise the route to the route table of the VPC.

    • Weight: Specify a weight. In this example, 0 is specified.

    The following figure shows the route tables of Office3, Office4, VPNgateway2, and VPC2.

    (Figure: Route tables of Office3, Office4, VPNgateway2, and VPC2)

Step 3: Attach VPC1 and VPC2 to the same CEN instance

After you connect the offices to the VPCs, you must attach VPC1 and VPC2 to the same CEN instance.

Note

In this example, the previous version of the CEN console is used. For more information, see Usage notes on the previous console version.

  1. Log on to the CEN console.

  2. On the Instances page, find the CEN instance that you want to manage and click its ID.

  3. Click the Networks tab, and then click Attach Network.

  4. Click the Your Account tab.

  5. Set the following parameters and click OK:

    • Network Type: Select VPC.

    • Region: Select US (Silicon Valley).

    • Networks: Select VPC1.

  6. Repeat the preceding operations to attach VPC2 to the same CEN instance.

Step 4: Advertise routes to the CEN instance

To enable other VPCs that are attached to the CEN instance to learn the routes that point to the offices, you must advertise the routes of the VPCs in the US (Silicon Valley) and China (Shanghai) regions to the CEN instance. For more information, see Advertise routes to CEN.

The following figure shows the CEN route table after the routes are advertised.

(Figure: The CEN route table)

Step 5: Configure routes on the gateway devices

After the routes are advertised to the CEN instance, you must configure routes that point to Office3 and Office4 on the gateway devices of Office1 and Office2. You must also configure routes that point to Office1 and Office2 on the gateway devices of Office3 and Office4.

The configurations in the following table are for reference only. The configurations may vary based on the manufacturer of the gateway devices.

Office    Routes

Office1   (next hop 5.5.XX.XX is the public IP address of VPNgateway1)
          ip route 192.168.0.0/16 5.5.XX.XX
          ip route 10.20.10.0/24 5.5.XX.XX
          ip route 10.20.20.0/24 5.5.XX.XX
          ip route 10.10.20.0/24 5.5.XX.XX

Office2   (next hop 5.5.XX.XX is the public IP address of VPNgateway1)
          ip route 192.168.0.0/16 5.5.XX.XX
          ip route 10.20.10.0/24 5.5.XX.XX
          ip route 10.20.20.0/24 5.5.XX.XX
          ip route 10.10.10.0/24 5.5.XX.XX

Office3   (next hop 6.6.XX.XX is the public IP address of VPNgateway2)
          ip route 172.16.0.0/16 6.6.XX.XX
          ip route 10.10.10.0/24 6.6.XX.XX
          ip route 10.10.20.0/24 6.6.XX.XX
          ip route 10.20.20.0/24 6.6.XX.XX

Office4   (next hop 6.6.XX.XX is the public IP address of VPNgateway2)
          ip route 172.16.0.0/16 6.6.XX.XX
          ip route 10.10.10.0/24 6.6.XX.XX
          ip route 10.10.20.0/24 6.6.XX.XX
          ip route 10.20.10.0/24 6.6.XX.XX

The following figure shows the route tables of the offices.

(Figure: Route tables of the offices)
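The following Python script is an added example and is not part of the Alibaba Cloud documentation or product. It takes the CIDR table from the Background section and the gateway placement from Steps 1 and 2, checks the non-overlap prerequisite, derives the static routes each office gateway needs in Step 5, and audits a pasted route block for destinations that are missing or point at the wrong next hop. The names NETWORKS, GATEWAYS, OFFICE_GATEWAY, office_routes and missing_routes are the example's own; 5.5.XX.XX and 6.6.XX.XX are the placeholders used in the table above.

```python
"""Added example (not Alibaba Cloud code): checks the non-overlap prerequisite
for the CIDR table on this page, derives the Step 5 static routes per office,
and audits a pasted route block. 5.5.XX.XX / 6.6.XX.XX are the page's placeholders."""
import ipaddress
from itertools import combinations

# CIDR blocks from the Background table.
NETWORKS = {
    "Office1": "10.10.10.0/24", "Office2": "10.10.20.0/24", "VPC1": "172.16.0.0/16",
    "Office3": "10.20.10.0/24", "Office4": "10.20.20.0/24", "VPC2": "192.168.0.0/16",
}
# Each VPN gateway: the VPC it is deployed in and its public IP (page placeholders).
GATEWAYS = {
    "VPNgateway1": {"vpc": "VPC1", "public_ip": "5.5.XX.XX"},
    "VPNgateway2": {"vpc": "VPC2", "public_ip": "6.6.XX.XX"},
}
OFFICE_GATEWAY = {"Office1": "VPNgateway1", "Office2": "VPNgateway1",
                  "Office3": "VPNgateway2", "Office4": "VPNgateway2"}

def overlapping_pairs(networks):
    """Name pairs whose CIDR blocks overlap; an empty list means the prerequisite
    holds. strict=True rejects blocks with host bits set (e.g. 10.10.10.1/24)."""
    nets = {n: ipaddress.ip_network(c, strict=True) for n, c in networks.items()}
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]

def office_routes(office):
    """Static routes an office gateway needs in Step 5: every network except its
    own and its gateway's VPC, which the IPsec-VPN connection's Local/Remote
    Network policy from Step 3 already covers. Returns (destination, next_hop)."""
    gw = GATEWAYS[OFFICE_GATEWAY[office]]
    skip = {office, gw["vpc"]}
    return [(cidr, gw["public_ip"]) for name, cidr in NETWORKS.items() if name not in skip]

def parse_ip_routes(text):
    """Parse the page's vendor-neutral 'ip route <dst> <next-hop>' lines into
    {dst: next_hop}, ignoring '#' comments and blank lines."""
    routes = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 4 and fields[:2] == ["ip", "route"]:
            routes[str(ipaddress.ip_network(fields[2]))] = fields[3]
    return routes

def missing_routes(office, text):
    """Destinations that Step 5 requires for this office but the pasted block
    lacks or sends to the wrong next hop. Empty means the block is complete."""
    configured = parse_ip_routes(text)
    return [dst for dst, nh in office_routes(office) if configured.get(dst) != nh]

# Constructed sample: the page's Office1 block with the Office3 route left out.
OFFICE1_PARTIAL = """ip route 192.168.0.0/16 5.5.XX.XX
ip route 10.20.20.0/24 5.5.XX.XX
ip route 10.10.20.0/24 5.5.XX.XX   # 5.5.XX.XX is the public IP address of VPNgateway1
"""
```

Running missing_routes for each office against the block copied from its device catches a route that a copy-and-paste edit dropped before the Step 6 ping test does.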

Step 6: Test the connectivity

In this example, a client in Office1 is used to access the clients in Office2, Office3, and Office4 to test the connectivity.

  1. Open the CLI on a client in Office1.

  2. Run the ping command to ping the clients in Office2, Office3, and Office4. If echo reply packets are returned, the connections are established.