This topic describes how to use the IPsec-VPN feature to establish a connection between a Virtual Private Cloud (VPC) network and an on-premises data center, and how to use Border Gateway Protocol (BGP) dynamic routing to connect the VPC network and on-premises data center. This reduces network maintenance costs and network configuration errors.

Prerequisites

Before you start, make sure the following requirements are met:
  • You have created an Alibaba Cloud account. To create an Alibaba Cloud account, log on to the Alibaba Cloud site. For more information, see Create an Alibaba Cloud account.
  • You have created a VPC network that you want to connect to your on-premises data center. The CIDR block of the VPC is different from that of the on-premises data center. For more information, see Create a VPC.

Background information

This topic takes the following scenario as an example. A company has created a VPC network in Germany (Frankfurt). The CIDR block of the VPC is 10.0.0.0/8 and the Autonomous System Number (ASN) is 10001. The company has an on-premises data center in Frankfurt. The public IP address of the data center is 2.2.2.2, the CIDR block is 172.17.0.0/16, and the ASN is 10002. The company needs to establish a connection between the VPC network and the on-premises data center for business development.
You can use the IPsec-VPN feature to establish a connection between the VPC network and on-premises data center, and configure BGP dynamic routing. After configuration, network interconnection can be achieved by using the dynamic routing protocol to automatically learn routes. This reduces network maintenance costs and network configuration errors.
Note An Autonomous System (AS) is a network, or a group of networks, under one administrative control that independently decides which routing protocol to run internally. It may consist of a single network or of several networks managed by one or more network administrators. Each AS is identified by a number called the Autonomous System Number (ASN).

Procedure

Step 1: Create a VPN gateway instance

VPN Gateway enables network connections and achieves encrypted communications on the Internet. Create a VPN gateway instance for the VPC network that you want to connect to the on-premises data center.

To create a VPN gateway instance, follow these steps:

  1. Log on to the VPN gateway console.
  2. On the VPN Gateways page, click Create VPN Gateway.
  3. On the buy page, set the following parameters, and create a VPN gateway instance.
    • Name: Enter a name for the VPN gateway instance. In this example, enter VPN.
    • Region: Select the region where the VPN gateway instance is deployed.

      The VPN gateway instance and the VPC network must be deployed in the same region. In this example, select Germany (Frankfurt).

    • VPC: Select the VPC network that you want to connect. In this example, select the VPC network that is created in Germany (Frankfurt).
    • Assign VSwitch: Choose whether to assign a VSwitch to the VPN gateway instance. In this example, select No.
    • VSwitch: Select the VSwitch to which the VPN gateway instance is attached.
      Note This option is displayed only when Assign VSwitch is set to Yes.
    • Peak Bandwidth: Select the peak bandwidth.

      The peak bandwidth refers to the maximum Internet bandwidth of the VPN gateway instance. In this example, select 5 Mbps.

    • IPsec-VPN: Specify whether to enable the IPsec-VPN feature.

      You can use IPsec-VPN to connect an on-premises data center to a VPC network or connect multiple VPC networks. In this example, select Enable.

    • SSL-VPN: Specify whether to enable the SSL-VPN feature.

      The SSL-VPN feature allows you to connect to a VPC network from a local host that is located in any region. In this example, select Disabled.

    • SSL Connections: Specify the maximum number of concurrent SSL connections.
      Note You can configure SSL connections only when the SSL-VPN feature is enabled.
    • Billing Cycle: Select a billing cycle for the VPN gateway instance.
  4. Click Buy Now to complete the payment.
It takes about 1 to 5 minutes to create a VPN gateway instance. The status of a newly created VPN gateway instance is Preparing and changes to Normal after about two minutes. After the status changes to Normal, the VPN gateway instance is ready to use. When the VPN gateway instance is created, a public IP address is automatically assigned to it; this address is used to establish the VPN connection.

Step 2: Enable BGP

BGP is used to exchange routing information between different ASs. To use the BGP feature, you must enable BGP for the VPN gateway instance.
Note The BGP feature cannot be disabled after it is enabled.

To enable BGP, follow these steps:

  1. In the left-side navigation pane, select VPN > VPN Gateways.
  2. On the VPN Gateways page, find the VPN gateway instance created in step 1, and click Enable BGP in the Actions column.
  3. In the Enable BGP page that appears, select whether to propagate BGP routes to the VPC network.
    • Yes: The VPN gateway instance automatically propagates BGP routes to the VPC network.
    • No: The VPN gateway instance does not propagate BGP routes to the VPC network. You need to manually advertise BGP routes to the VPC network.
    In this example, select Yes.
  4. Click OK.

After you enable the BGP feature for the VPN gateway instance, the status of the VPN gateway changes to Enable BGP.

Step 3: Create a customer gateway instance

A customer gateway instance registers the information about the gateway device in your on-premises data center (its public IP address and ASN) with Alibaba Cloud, so that the customer gateway instance can then be connected to the VPN gateway instance.

To create a customer gateway instance, follow these steps:

  1. In the left-side navigation pane, select VPN > Customer Gateways.
  2. On the Customer Gateways page, click Create Customer Gateway.
  3. On the Create Customer Gateway page that appears, set the following parameters:
    • Name: Enter a name for the customer gateway instance. In this example, enter CGW.
    • IP Address: Enter the public IP address of the gateway device in the on-premises data center. In this example, enter 2.2.2.2.
    • ASN: Enter the ASN of the on-premises data center network. In this example, enter 10002.
    • Description: Enter a description for the customer gateway instance.
  4. Click OK.

Step 4: Create an IPsec connection

IPsec-VPN is based on routes. It facilitates the configuration and maintenance of VPN policies, and provides flexible traffic routing methods.

To create an IPsec connection, follow these steps:

  1. In the left-side navigation pane, select VPN > IPsec Connections.
  2. On the IPsec Connections page, click Create IPsec Connection.
  3. On the Create IPsec Connection page that appears, set the following parameters:
    • Name: Enter a name for the IPsec-VPN connection. In this example, enter VPC TO IDC.
    • VPN Gateway: Select a VPN gateway instance.

      In this example, select the VPN gateway instance that is created in step 1. For more information, see Step 1: Create a VPN gateway instance.

    • Customer Gateway: Select a customer gateway instance.

      In this example, select the customer gateway instance that is created in step 3. For more information, see Step 3: Create a customer gateway instance.

    • Local Network: Enter the CIDR block of the VPC network. In this example, enter 10.0.0.0/8.
    • Remote Network: Enter the CIDR block of the on-premises data center. In this example, enter 172.17.0.0/16.
    • Effective Immediately: Specify whether to negotiate immediately.
      • Yes: Negotiate immediately after the configuration is completed.
      • No: Negotiate only when traffic is detected.

      In this example, select Yes.

    • Pre-shared key: Enter a pre-shared key (PSK).

      The pre-shared key must be the same as that configured for the local gateway. In this example, enter 123456.

    • Version: Select an Internet Key Exchange (IKE) version. In this example, select ikev2.
    • Encryption Algorithm: Select an encryption algorithm. In this example, select aes.
    • Authentication Algorithm: Select an authentication algorithm. In this example, select sha1.
    • DH Group: Select a DH group. In this example, select group2.
    • Tunnel CIDR Block: Enter the CIDR block of the IPsec tunnel. The CIDR block must be a /30 subnet within 169.254.0.0/16. In this example, enter 169.254.10.0/30.
    • Local BGP IP Address: Enter the local BGP IP address. This IP address is within the IPsec tunnel CIDR block. In this example, enter 169.254.10.1.
      Note Make sure that the BGP IP addresses of the VPC network and the on-premises data center do not conflict with each other.
    • ASN: Enter the ASN of the VPC network. In this example, enter 10001.

    Use the default settings for the other parameters.

  4. Click OK.
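As an added example (not part of the original topic), the following Python script checks that the parameters entered on the two sides of this tunnel obey the rules stated above: non-overlapping CIDR blocks, a /30 tunnel block within 169.254.0.0/16, distinct BGP IP addresses inside that block, two distinct ASNs that reference each other, and matching pre-shared key and IKE settings. The values are the example values from this topic; the dictionary layout and function name are the script's own.

```python
"""Consistency checks for the IPsec-VPN + BGP parameters used in this topic."""
import ipaddress

# Cloud side: values entered in the IPsec connection of this topic (constructed from the text).
VPC_SIDE = {
    "local_network": "10.0.0.0/8",       # Local Network (VPC CIDR block)
    "remote_network": "172.17.0.0/16",   # Remote Network (on-premises CIDR block)
    "tunnel_cidr": "169.254.10.0/30",    # Tunnel CIDR Block
    "local_bgp_ip": "169.254.10.1",      # Local BGP IP Address
    "asn": 10001,                        # ASN of the VPC network
    "peer_asn": 10002,                   # ASN entered on the customer gateway
    "psk": "123456",
    "ike": ("ikev2", "aes", "sha1", "group2"),
}
# On-premises side: values configured on the local gateway device.
IDC_SIDE = {
    "tunnel_ip": "169.254.10.2",         # tunnel interface / BGP router-id
    "asn": 10002,                        # router bgp 10002
    "peer_asn": 10001,                   # neighbor ... remote-as 10001
    "psk": "123456",
    "ike": ("ikev2", "aes", "sha1", "group2"),
}

def check_parameters(vpc, idc):
    """Return a list of problems; an empty list means both sides are consistent."""
    problems = []
    local = ipaddress.ip_network(vpc["local_network"])
    remote = ipaddress.ip_network(vpc["remote_network"])
    tunnel = ipaddress.ip_network(vpc["tunnel_cidr"])
    vpc_bgp = ipaddress.ip_address(vpc["local_bgp_ip"])
    idc_bgp = ipaddress.ip_address(idc["tunnel_ip"])
    if local.overlaps(remote):
        problems.append("VPC CIDR block and data center CIDR block overlap")
    if tunnel.prefixlen != 30 or not tunnel.subnet_of(ipaddress.ip_network("169.254.0.0/16")):
        problems.append("tunnel CIDR block must be a /30 inside 169.254.0.0/16")
    # Both BGP addresses must be usable host addresses of the tunnel block.
    for side, addr in (("VPC", vpc_bgp), ("data center", idc_bgp)):
        if addr not in tunnel.hosts():
            problems.append(f"{side} BGP IP {addr} is not a host address in {tunnel}")
    if vpc_bgp == idc_bgp:
        problems.append("both sides use the same BGP IP address")
    if vpc["asn"] == idc["asn"]:
        problems.append("both sides use the same ASN; eBGP needs two distinct ASNs")
    if vpc["peer_asn"] != idc["asn"] or idc["peer_asn"] != vpc["asn"]:
        problems.append("remote-as on one side does not match the ASN of the other side")
    if vpc["psk"] != idc["psk"]:
        problems.append("pre-shared keys differ")
    if vpc["ike"] != idc["ike"]:
        problems.append("IKE version or algorithms differ")
    return problems
```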

Step 5: Load VPN configurations to the local gateway device

To establish a connection between the VPC network and the on-premises data center, you need to load VPN configurations to the local gateway device after creating the IPsec connection in the cloud.

The following example shows how to load the VPN configurations onto a local gateway device that runs Cisco IOS XE.

  1. Log on to the command line interface of the Cisco firewall device.
  2. Run the following commands to set the IKEv2 proposal and policy.
    crypto ikev2 proposal alicloud
    encryption aes-cbc-128 //Set the encryption algorithm. Set to aes-cbc-128 in this example.
    integrity sha1 //Set the authentication algorithm. Set to sha1 in this example.
    group 2 //Set the DH group. Set to group 2 in this example.
    exit
    !
    crypto ikev2 policy alicloud
    proposal alicloud //Reference the IKEv2 proposal defined above.
    exit
    !
  3. Run the following commands to set the IKEv2 keyring.
    crypto ikev2 keyring alicloud
    peer alicloud
    address 1.1.1.1 //Set the public IP address for the VPN gateway instance of the VPC network. Set to 1.1.1.1 in this example.
    pre-shared-key 123456 //Set the pre-shared key. Set to 123456 in this example.
    exit
    !
  4. Run the following commands to set the IKEv2 profile.
    crypto ikev2 profile alicloud
    match identity remote address 1.1.1.1 255.255.255.255 //Match the public IP address for the VPN gateway instance of the VPC network. The matched address is 1.1.1.1 in this example.
    identity local address 2.2.2.2 //Set the public IP address of the gateway device in the on-premises data center. Set to 2.2.2.2 in this example.
    authentication remote pre-share //Set the authentication mode for remote networks to PSK.
    authentication local pre-share //Set the authentication mode for local networks to PSK.
    keyring local alicloud //Invoke the IKEv2 keyring.
    exit
    !
  5. Run the following commands to set the transform.
    crypto ipsec transform-set TSET esp-aes esp-sha-hmac
    mode tunnel
    exit
    !
  6. Run the following commands to set the IPsec profile and to invoke the transform, PFS, and IKEv2 profile.
    crypto ipsec profile alicloud
    set transform-set TSET
    set pfs group2
    set ikev2-profile alicloud
    exit
    !
  7. Run the following commands to set the IPsec tunnel.
    interface Tunnel100
    ip address 169.254.10.2 255.255.255.252 //Set the tunnel address for the local network (on-premises data center). Set to 169.254.10.2 in this example.
    tunnel source GigabitEthernet1
    tunnel mode ipsec ipv4
    tunnel destination 1.1.1.1 //Set the public IP address for the remote network (VPN gateway instance). Set to 1.1.1.1 in this example.
    tunnel protection ipsec profile alicloud
    no shutdown
    exit
    !
    interface GigabitEthernet1
    ip address 2.2.2.2 255.255.255.0 //Public interface of the on-premises gateway device, used as the tunnel source.
    negotiation auto
    exit
    !
  8. Run the following commands to set the BGP routing protocol.
    router bgp 10002 //Enable the BGP routing protocol and set an ASN for the local network (on-premises data center). Set to 10002 in this example.
    bgp router-id 169.254.10.2 //Set the BGP router ID. Set to 169.254.10.2 in this example.
    bgp log-neighbor-changes
    neighbor 169.254.10.1 remote-as 10001 //Set the BGP neighbor (the Local BGP IP Address of the VPN gateway instance) and its ASN.
    neighbor 169.254.10.1 ebgp-multihop 10 //Allow the eBGP session to span up to 10 hops.
    !
    address-family ipv4
    network 172.17.0.0 mask 255.255.0.0 //Advertise the CIDR block of the local network (on-premises data center). The CIDR block is 172.17.0.0/16 in this example.
    neighbor 169.254.10.1 activate //Activate the BGP neighbor.
    exit-address-family
    !
After the IPsec connection is established, routes are exchanged over BGP between the VPN gateway instance of the VPC network and the gateway device in the on-premises data center:
  • The gateway device in the on-premises data center advertises the CIDR block of the data center to the VPN gateway instance of the VPC network through BGP. Because route propagation was enabled in Step 2, the VPN gateway instance automatically propagates the learned routes to the VPC route table.
  • The VPN gateway instance of the VPC network advertises the CIDR block of the VPC network to the gateway device in the on-premises data center through BGP, and the gateway device installs the learned routes in its local route table.

Step 6: Test the network connection

After the IPsec connection is established, you can test the network connectivity between the VPC network and the on-premises data center.
Note Make sure that the firewall rules for the terminal in the on-premises data center allow remote connections.
  1. Log on to an ECS instance in the connected VPC network.
  2. Run the ping command against the IP address of the terminal in the on-premises data center to check whether the network connection is established.
    The ECS instance in the VPC network can access the terminal in the on-premises data center.
  3. Log on to the terminal in the on-premises data center.
  4. Run the ping command against the IP address of the ECS instance in the VPC network to check whether the network connection is established.
    The terminal in the on-premises data center can access the ECS instance in the VPC network.