This topic describes how to use IPsec-VPN to establish a connection between a virtual private cloud (VPC) and a data center, and how to configure Border Gateway Protocol (BGP) dynamic routing so that the VPN gateway automatically learns routes. This way, the VPC and the data center can share resources with each other, which reduces network maintenance costs and network configuration errors.

Prerequisites

  • An Alibaba Cloud account is created. If you do not have an Alibaba Cloud account, create one.
  • The gateway device in the data center supports the IKEv1 and IKEv2 protocols. All gateway devices that support these protocols can connect to the VPN gateway.
  • A static public IP address is assigned to the gateway device in the data center.
  • The CIDR block of the data center does not overlap with the CIDR block of the VPC.
  • The BGP feature of VPN gateways is disabled by default. To enable the BGP feature, submit a ticket.
  • You have read and understood the security group rules that apply to the ECS instances in the VPC, and those rules allow the gateway device in the data center to access the cloud resources. For more information, see Query security group rules.

Background information

The following scenario is used as an example in this topic. An enterprise has created a VPC in the Germany (Frankfurt) region. The private CIDR block of the VPC is 10.0.0.0/8 and the autonomous system number (ASN) is 10001. The enterprise has a data center in Frankfurt. The public IP address of the data center is 2.XX.XX.2, the private CIDR block is 172.17.0.0/16, and the ASN is 10002. The enterprise wants to establish a connection between the VPC and the data center for business development.
You can use IPsec-VPN to establish a connection between the VPC and the data center, and configure BGP dynamic routing. After the configuration is completed, the VPC and the data center can automatically learn routes and can communicate with each other. This reduces network maintenance costs and network configuration errors.
Note An autonomous system (AS) is a group of networks under a single administrative authority that shares one routing policy and decides independently which routing protocol to use internally. Each AS is identified by an autonomous system number (ASN). Public ASNs are globally unique and are assigned by the Internet registries; the 16-bit ASNs 64512 to 65534 are reserved for private use. The ASNs 10001 and 10002 in this example are in the public range, so in your own deployment use ASNs that you own or private ASNs, and make sure that the VPC and the data center use two different ASNs.
Connect a VPC to a data center

Procedure

Step 1: Create a VPN gateway

  1. Log on to the VPN gateway console.
  2. On the VPN Gateways page, click Create VPN Gateway.
  3. On the buy page, set the following parameters, click Buy Now, and then complete the payment.
    • Name: Enter a name for the VPN gateway. In this example, VPN is entered.
    • Region: Select the region where you want to deploy the VPN gateway.

      Make sure that the VPN gateway and the VPC are deployed in the same region. In this example, Germany (Frankfurt) is selected.

    • VPC: Select the VPC to be associated with the VPN gateway. In this example, the VPC that is created in Germany (Frankfurt) is selected.
    • Specify vSwitch: Select whether to specify a vSwitch for the VPN gateway. In this example, No is selected.

      If you select Yes, you must also specify a vSwitch.

    • Peak Bandwidth: Select a maximum bandwidth value for the VPN gateway. Unit: Mbit/s.

      The bandwidth is used for data transfer over the Internet. In this example, 5 Mbit/s is selected.

    • Traffic: By default, the VPN gateway uses the pay-by-data-transfer billing method. For more information, see Pay-as-you-go.
    • IPsec-VPN: Specify whether to enable IPsec-VPN for the VPN gateway. In this example, Enable is selected.
    • SSL-VPN: Specify whether to enable SSL-VPN. In this example, Disable is selected.
    • Duration: By default, the VPN gateway is billed on an hourly basis. For more billing information, see Pay-as-you-go.

The newly created VPN gateway is in the Preparing state and changes to the Normal state after about 1 to 5 minutes. It is then ready for use. When the VPN gateway is created, a public IP address is automatically assigned to it for establishing VPN connections. In this example, the public IP address of the VPN gateway is 1.XX.XX.1; you need this address in Step 5 when you configure the gateway device in the data center.

Step 2: Enable BGP

BGP is used to exchange routing information between different ASs. To use the BGP feature, you must enable BGP for the VPN gateway.
Note You cannot disable BGP after you enable BGP.
  1. In the left-side navigation pane, choose VPN > VPN Gateways.
  2. In the top navigation bar, select the region of the VPN gateway.
  3. On the VPN Gateways page, find the VPN gateway that you created, click the More icon in the Actions column, and select Enable Automatic BGP Propagation.
  4. In the Enable Automatic BGP Propagation message, click OK.
    After you enable automatic BGP propagation, the VPN gateway automatically advertises the routes that it learns over BGP to the route table of the VPC.

Step 3: Create a customer gateway

A customer gateway registers the gateway device in the data center (its public IP address and ASN) with Alibaba Cloud, so that an IPsec-VPN connection can be established between the customer gateway and the VPN gateway.

  1. In the left-side navigation pane, choose VPN > Customer Gateways.
  2. In the top navigation bar, select the region where you want to create the customer gateway.
    Note Make sure that the customer gateway and the VPN gateway to be connected belong to the same region.
  3. On the Customer Gateways page, click Create Customer Gateway.
  4. On the Create Customer Gateway page, set the following parameters and click OK.
    • Name: Enter a name for the customer gateway. In this example, CGW is entered.
    • IP Address: Enter the public IP address of the gateway device in the data center. In this example, 2.XX.XX.2 is entered.
    • ASN: Enter the ASN of the data center. In this example, 10002 is entered.
    • Description: Enter a description for the customer gateway.
    For more information about the parameters, see Create a customer gateway.

Step 4: Create an IPsec-VPN connection

  1. In the left-side navigation pane, choose VPN > IPsec Connections.
  2. In the top navigation bar, select the region where you want to create the IPsec-VPN connection.
    Note Make sure that the IPsec-VPN connection and the VPN gateway to be connected belong to the same region.
  3. On the IPsec Connections page, click Create IPsec Connection.
  4. On the Create IPsec Connection page that appears, set the following parameters to create an IPsec-VPN connection between the VPC and the data center, and click OK.
    • Name: Enter a name for the IPsec-VPN connection. In this example, VPC TO IDC is entered.
    • VPN Gateway: Select the VPN gateway to be connected.

      In this example, the VPN gateway that is created in Step 1 is selected.

    • Customer Gateway: Select the customer gateway to be connected.

      In this example, the customer gateway that is created in Step 3 is selected.

    • Routing Mode: Select a routing mode. In this example, Destination Routing Mode is selected.
    • Effective Immediately: Select whether to immediately start negotiations.
      • Yes: immediately starts negotiations after you complete the configuration.
      • No: starts negotiations when traffic is detected.

      In this example, Yes is selected.

    • Pre-shared Key: Enter a pre-shared key (PSK).

      Make sure that the VPC and the data center use the same pre-shared key. In this example, 123456 is used for illustration only. The PSK is the only credential that authenticates the two gateways to each other, so in production use a long, randomly generated key and hand it to the data center administrator over a secure channel.

    • Version: Select an Internet Key Exchange (IKE) version. In this example, ikev2 is selected.
    • Encryption Algorithm: Select an encryption algorithm. In this example, aes is selected.
    • Authentication Algorithm: Select an authentication algorithm. In this example, sha1 is selected.
    • DH Group: Select a Diffie-Hellman (DH) group. In this example, group2 is selected.

      The IKE version, encryption algorithm, authentication algorithm, DH group and pre-shared key must be identical on the VPN gateway and on the gateway device in the data center; otherwise the IKE negotiation fails. sha1 and group2 (1024-bit MODP) are legacy choices that are kept in this example to match the data center configuration in Step 5; prefer sha256 and group14 or stronger when both ends support them.
    • Tunnel CIDR Block: Enter the CIDR block of the IPsec tunnel. The CIDR block belongs to 169.254.0.0/16. The mask of the CIDR block is 30 bits in length. In this example, 169.254.10.0/30 is entered.
    • Local BGP IP Address: Enter the BGP IP address of the VPC. This IP address falls within the CIDR block of the IPsec tunnel. In this example, 169.254.10.1 is entered.
      Note Make sure that the BGP IP addresses of the VPC and the data center do not conflict with each other.
    • Local ASN: Enter the ASN of the VPC. In this example, 10001 is entered.

    Use the default settings for the other parameters. For more information, see Create an IPsec-VPN connection.

Step 5: Load the configuration of the VPN gateway to the gateway device in the data center

To establish the connection, you must configure the gateway device in the data center with settings that match the IPsec-VPN connection that you created in the cloud.

The following example shows how to configure the gateway device in the data center. A Cisco device that runs Cisco IOS XE is used in the example, and the public IP address of the VPN gateway is 1.XX.XX.1.

  1. Log on to the command-line interface (CLI) of the Cisco firewall device.
  2. Run the following commands to set the IKEv2 proposal and policy. In all of the following commands, the text after an exclamation mark (!) explains the command and is not typed. The policy must reference the proposal that is defined above it:
    crypto ikev2 proposal alicloud
    encryption aes-cbc-128          ! Encryption algorithm. In this example, aes-cbc-128 is used.
    integrity sha1                  ! Authentication (integrity) algorithm. In this example, sha1 is used.
    group 2                         ! DH group. In this example, group 2 is used.
    exit
    !
    crypto ikev2 policy alicloud
    proposal alicloud               ! Reference the proposal that is defined above.
    exit
    !
  3. Run the following commands to set the IKEv2 keyring:
    crypto ikev2 keyring alicloud
    peer alicloud
    address 1.XX.XX.1               ! Public IP address of the VPN gateway in the VPC. In this example, 1.XX.XX.1 is used.
    pre-shared-key 123456           ! Pre-shared key. It must match the key entered in Step 4. In this example, 123456 is used.
    exit
    !
  4. Run the following commands to set the IKEv2 profile:
    crypto ikev2 profile alicloud
    match identity remote address 1.XX.XX.1 255.255.255.255    ! Public IP address of the VPN gateway in the VPC. In this example, 1.XX.XX.1 is used.
    identity local address 2.XX.XX.2    ! Public IP address of the data center. In this example, 2.XX.XX.2 is used.
    authentication remote pre-share   ! Authenticate the VPC side with the PSK.
    authentication local pre-share    ! Authenticate the data center side with the PSK.
    keyring local alicloud            ! Use the IKEv2 keyring defined in step 3.
    exit
    !
  5. Run the following commands to set the transform set (ESP with AES encryption and SHA-1 integrity, matching the IPsec-VPN connection):
    crypto ipsec transform-set TSET esp-aes esp-sha-hmac
    mode tunnel
    exit
    !
  6. Run the following commands to set the IPsec profile, which ties together the transform set, PFS and the IKEv2 profile:
    crypto ipsec profile alicloud
    set transform-set TSET
    set pfs group2
    set ikev2-profile alicloud
    exit
    !
  7. Run the following commands to set the IPsec tunnel:
    interface Tunnel100
    ip address 169.254.10.2 255.255.255.252    ! Tunnel address of the data center, the second host of the tunnel CIDR block. In this example, 169.254.10.2 is used.
    tunnel source GigabitEthernet1              ! Interface that holds the public IP address of the data center.
    tunnel mode ipsec ipv4
    tunnel destination 1.XX.XX.1                ! Public IP address of the VPN gateway in the VPC. In this example, 1.XX.XX.1 is used.
    tunnel protection ipsec profile alicloud
    no shutdown
    exit
    !
    interface GigabitEthernet1
    ip address 2.XX.XX.2 255.255.255.0          ! Public IP address of the data center.
    negotiation auto
    exit
    !
  8. Run the following commands to set the BGP routing protocol:
    router bgp 10002                         ! Enable BGP with the ASN of the data center. In this example, 10002 is used.
    bgp router-id 169.254.10.2               ! BGP router ID. In this example, 169.254.10.2 is used.
    bgp log-neighbor-changes
    neighbor 169.254.10.1 remote-as 10001    ! Local BGP IP address and ASN of the VPN gateway, as entered in Step 4.
    neighbor 169.254.10.1 ebgp-multihop 10   ! Allow up to 10 hops to the eBGP neighbor.
    !
    address-family ipv4
    network 172.17.0.0 mask 255.255.0.0      ! Advertise the CIDR block of the data center, 172.17.0.0/16. The exact prefix must be present in the routing table, otherwise BGP does not advertise it.
    neighbor 169.254.10.1 activate           ! Activate the BGP neighbor.
    exit-address-family
    exit
    !
After the IPsec-VPN connection is established, the VPN gateway of the VPC and the gateway device in the data center exchange the following routes over BGP:
  • The gateway device in the data center advertises the CIDR block of the data center (in this example, 172.17.0.0/16) to the VPN gateway. The VPN gateway automatically adds the learned route to the route table of the VPC.
  • The VPN gateway learns the routes in the route table of the VPC (in this example, 10.0.0.0/8) and advertises them to the gateway device in the data center, which installs them in its routing table.
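The settings entered in Steps 3 to 5 must satisfy several constraints at once: the VPC and data center CIDR blocks must not overlap, the tunnel CIDR block must be a /30 inside 169.254.0.0/16, both BGP IP addresses must be usable hosts in that /30, the two ASNs must differ, and the PSK, IKE version, encryption algorithm, authentication algorithm and DH group must be identical on both ends. The following Python script is an added example, not Alibaba Cloud or Cisco code: it checks a cloud-side IPsec connection definition against the data center device settings before you bring the tunnel up. The dictionary keys, the minimum PSK length and the sample values (taken from this topic's example and constructed here) are assumptions of the example.

```python
"""Pre-flight consistency check for an IPsec-VPN connection with BGP.

Added example, not Alibaba Cloud or Cisco code. It encodes the constraints
this topic states for the cloud-side IPsec connection and the data center
device and reports anything that would stop the tunnel or the BGP session
from coming up. Dictionary keys, sample values and thresholds are
assumptions of this example.
"""
import ipaddress
import secrets
from typing import Dict, List

TUNNEL_PARENT = ipaddress.ip_network("169.254.0.0/16")   # the tunnel CIDR must sit here
TUNNEL_PREFIXLEN = 30                                    # and be a /30
PRIVATE_ASN_16BIT = range(64512, 65535)                  # RFC 6996 private 16-bit ASNs
# Settings that must be identical on both ends of the tunnel.
MATCHING_FIELDS = ("ike_version", "encryption", "integrity", "dh_group", "psk")
# Legacy algorithm choices that still negotiate but are worth flagging.
LEGACY = {"integrity": {"sha1", "md5"}, "dh_group": {"group1", "group2", "group5"}}
MIN_PSK_LEN = 20                                         # assumed local policy, not a platform limit

# Constructed sample: the values used throughout this topic.
EXAMPLE_CLOUD = {
    "vpc_cidr": "10.0.0.0/8", "local_asn": 10001,
    "tunnel_cidr": "169.254.10.0/30", "local_bgp_ip": "169.254.10.1",
    "ike_version": "ikev2", "encryption": "aes", "integrity": "sha1",
    "dh_group": "group2", "psk": "123456",
}
EXAMPLE_ONPREM = {
    "cidr": "172.17.0.0/16", "asn": 10002, "tunnel_ip": "169.254.10.2",
    "ike_version": "ikev2", "encryption": "aes", "integrity": "sha1",
    "dh_group": "group2", "psk": "123456",
}


def generate_psk(nbytes: int = 32) -> str:
    """A random, URL-safe pre-shared key to use instead of a value like 123456."""
    return secrets.token_urlsafe(nbytes)


def peer_bgp_ip(tunnel_cidr: str, local_bgp_ip: str) -> str:
    """The other usable host of the /30 tunnel CIDR: the data center's tunnel/BGP address."""
    tunnel = ipaddress.ip_network(tunnel_cidr)
    hosts = list(tunnel.hosts())
    local = ipaddress.ip_address(local_bgp_ip)
    if len(hosts) != 2 or local not in hosts:
        raise ValueError(f"{local} is not a usable host address in /30 {tunnel}")
    return str(hosts[1] if hosts[0] == local else hosts[0])


def check_connection(cloud: Dict, onprem: Dict) -> List[str]:
    """Return findings prefixed 'error:' or 'warning:'; an empty list means both sides agree."""
    out: List[str] = []

    vpc = ipaddress.ip_network(cloud["vpc_cidr"])
    idc = ipaddress.ip_network(onprem["cidr"])
    if vpc.overlaps(idc):
        out.append(f"error: VPC CIDR {vpc} overlaps data center CIDR {idc}")

    tunnel = ipaddress.ip_network(cloud["tunnel_cidr"])
    if tunnel.prefixlen != TUNNEL_PREFIXLEN or not tunnel.subnet_of(TUNNEL_PARENT):
        out.append(f"error: tunnel CIDR {tunnel} must be a /{TUNNEL_PREFIXLEN} inside {TUNNEL_PARENT}")
    hosts = list(tunnel.hosts())
    local = ipaddress.ip_address(cloud["local_bgp_ip"])
    remote = ipaddress.ip_address(onprem["tunnel_ip"])
    for label, ip in (("local BGP IP", local), ("data center tunnel IP", remote)):
        if ip not in hosts:
            out.append(f"error: {label} {ip} is not a usable host address in {tunnel}")
    if local == remote:
        out.append("error: local and data center BGP IP addresses conflict")

    if cloud["local_asn"] == onprem["asn"]:
        out.append("error: both sides use the same ASN; eBGP needs two different ASNs")
    for label, asn in (("VPC", cloud["local_asn"]), ("data center", onprem["asn"])):
        if asn not in PRIVATE_ASN_16BIT:
            out.append(f"warning: {label} ASN {asn} is a public ASN; use one you own or a private ASN")

    for field in MATCHING_FIELDS:
        if cloud[field] != onprem[field]:
            # Never put the PSK itself into a finding that may end up in a log.
            shown = "" if field == "psk" else f" (cloud={cloud[field]!r}, data center={onprem[field]!r})"
            out.append(f"error: {field} differs between the two sides{shown}")
    psk = cloud["psk"]
    if len(psk) < MIN_PSK_LEN or psk.isdigit():
        out.append("error: pre-shared key is too short or all digits; use generate_psk()")
    for field, weak in LEGACY.items():
        if cloud[field] in weak:
            out.append(f"warning: {field}={cloud[field]} is a legacy choice; prefer sha256 and group14 where both devices support them")
    return out


if __name__ == "__main__":
    for finding in check_connection(EXAMPLE_CLOUD, EXAMPLE_ONPREM):
        print(finding)
    print("data center tunnel IP:", peer_bgp_ip(EXAMPLE_CLOUD["tunnel_cidr"], EXAMPLE_CLOUD["local_bgp_ip"]))
    print("suggested PSK:", generate_psk())
```

Run against this topic's own values the script reports one error (the 123456 PSK) and four warnings (public ASNs on both sides, sha1 and group2); it returns nothing for a configuration that uses private ASNs, sha256, group14 and a generated key. Findings never include the PSK value, so the output can be pasted into a ticket. The checks are the ones a console or a device will otherwise only reveal as a failed IKE negotiation or a BGP session stuck in Active.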

Step 6: Test the connectivity

  1. Log on to an ECS instance in the VPC that does not have a public IP address, so that the test traffic has to traverse the IPsec-VPN connection. For more information about how to log on to an ECS instance, see Methods used to connect to ECS instances.
  2. Run the ping command against the private IP address of a host in the data center to test the connectivity.
    If the connection works, the ECS instance in the VPC can reach the host in the data center.
  3. Log on to the host in the data center.
  4. Run the ping command against the private IP address of an ECS instance in the VPC to test the connectivity.
    If the connection works, the host in the data center can reach the ECS instance in the VPC.
  If either test fails, first check the tunnel and the BGP session on the gateway device in the data center: show crypto ikev2 sa and show crypto ipsec sa show whether the IKE and IPsec security associations are established, show ip bgp summary shows whether the neighbor 169.254.10.1 is in the Established state, and show ip route bgp shows whether the VPC routes have been learned. Also confirm that the security group rules of the ECS instance allow ICMP from the CIDR block of the data center, 172.17.0.0/16 in this example.