VPN Gateway:Connect a VPC to a data center by using an IPsec-VPN connection in single-tunnel mode and enable BGP routing

Last Updated:Feb 28, 2024

This topic describes how to establish an IPsec-VPN connection in single-tunnel mode between a virtual private cloud (VPC) and a data center by using a public VPN gateway, and how to configure Border Gateway Protocol (BGP) dynamic routing for the VPC and the data center to automatically learn routes. This way, the VPC and the data center can share resources with each other. This reduces network maintenance costs and network configuration errors.

Prerequisites

  • A public IP address is assigned to the gateway device in the data center before you associate an IPsec-VPN connection with a public VPN gateway.

  • The on-premises gateway device must support IKEv1 or IKEv2 to establish IPsec-VPN connections with a VPN gateway.

  • The CIDR block of the data center does not overlap with the CIDR block of the VPC.

Regions that support BGP dynamic routing

  • Asia Pacific: China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Shenzhen), China (Hong Kong), Japan (Tokyo), Singapore, Australia (Sydney), Malaysia (Kuala Lumpur), Indonesia (Jakarta), and India (Mumbai)

  • Europe and Americas: Germany (Frankfurt), UK (London), US (Virginia), and US (Silicon Valley)

  • Middle East and India: UAE (Dubai)

Scenario

The following figure shows the scenario that is used in this topic. An enterprise has created a VPC in the Germany (Frankfurt) region. The private CIDR block of the VPC is 10.0.0.0/8 and the autonomous system number (ASN) is 65530. The enterprise has a data center in Frankfurt. The public IP address of the data center is 2.XX.XX.2, the private CIDR block is 172.17.0.0/16, and the ASN is 65531. The enterprise wants to establish a connection between the VPC and the data center for business development.

You can use IPsec-VPN to establish a connection between the VPC and the data center, and configure BGP dynamic routing. After the configuration is complete, the VPC and the data center can automatically learn routes and communicate with each other by using BGP dynamic routing. This reduces network maintenance costs and network configuration errors.

Note

An autonomous system (AS) is a network, or a group of networks, under a single administrative control that independently decides which routing protocol to use internally. It may consist of a single network or of several networks managed by one or more network administrators. Each AS is identified by a globally unique autonomous system number (ASN).

[Figure: architecture diagram]

Preparations

  • A VPC is created in the Germany (Frankfurt) region and cloud services are deployed in the VPC. For more information, see Create a VPC with an IPv4 CIDR block.

  • You have read and understood the security group rules that apply to the ECS instances in the VPC, and the security group rules allow the gateway device in the data center to access the cloud resources. For more information, see View security group rules and Add a security group rule.

Procedure

[Figure: configuration flow for connecting a data center and a VPC with BGP]

Step 1: Create a VPN gateway

  1. Log on to the VPN gateway console.
  2. On the VPN Gateways page, click Create VPN Gateway.

  3. On the buy page, configure the following parameters, click Buy Now, and then complete the payment.

    • Name: Enter a name for the VPN gateway. In this example, VPN is used.

    • Resource Group: Select the resource group to which the VPN gateway belongs. If you leave this parameter empty, the VPN gateway belongs to the default resource group. In this example, this parameter is left empty.

    • Region: Select the region in which you want to create the VPN gateway. Make sure that the VPN gateway and the VPC are deployed in the same region. In this example, Germany (Frankfurt) is selected.

    • Gateway Type: Select a gateway type. Default value: Standard.

    • Network Type: Select a network type. In this example, Public is selected.

    • Tunnels: The system displays the tunnel modes supported in this region: Single-tunnel or Dual-tunnel. For more information, see [Upgrade notice] IPsec-VPN connections support the dual-tunnel mode.

    • VPC: Select the VPC in which you want to create the VPN gateway. In this example, the VPC that is created in the Germany (Frankfurt) region is selected.

    • VSwitch: Select a vSwitch from the selected VPC. If you select Single-tunnel, you need to specify one vSwitch. If you select Dual-tunnel, you need to specify two vSwitches.
      Note: The system selects a vSwitch by default. You can keep the default vSwitch or change it. After you create a VPN gateway, you cannot change the vSwitch associated with the VPN gateway. You can view the associated vSwitch and the zone of the vSwitch on the details page of the VPN gateway.

    • vSwitch 2: Ignore this parameter if you select Single-tunnel.

    • Maximum Bandwidth: Select a maximum bandwidth value for the VPN gateway. Unit: Mbit/s. The maximum bandwidth value limits the data transfer rate over the Internet. In this example, 5 Mbit/s is selected.

    • Traffic: By default, the VPN gateway uses the pay-by-data-transfer metering method. For more information, see Billing rules.

    • IPsec-VPN: Specify whether to enable IPsec-VPN. In this example, Enable is selected.

    • SSL-VPN: Specify whether to enable SSL-VPN. In this example, Disable is selected.

    • Duration: Select a billing cycle. Default value: By Hour.

    • Service-linked Role: Click Create Service-linked Role. The system automatically creates the service-linked role AliyunServiceRoleForVpn, which the VPN gateway assumes to access other cloud resources. For more information, see AliyunServiceRoleForVpn. If Created is displayed, the service-linked role already exists and you do not need to create it again.

The newly created VPN gateway is in the Preparing state and changes to the Normal state after about 1 to 5 minutes. After the status changes to Normal, the VPN gateway is ready for use. After the VPN gateway is created, a public IP address is automatically assigned to the gateway for establishing VPN connections.

Note

If you want to use an existing VPN gateway, make sure that it is updated to the latest version. By default, if the existing VPN gateway does not use the latest version, you cannot use BGP dynamic routing.

You can check whether your VPN gateway uses the latest version based on the status of the Upgrade button. If your VPN gateway does not use the latest version, click Upgrade to update it. For more information, see Upgrade a VPN gateway.

Step 2: Enable BGP dynamic routing

BGP is used to exchange routing information between different ASs. To use BGP dynamic routing, you must enable BGP dynamic routing for the VPN gateway.

  1. In the left-side navigation pane, choose Interconnections > VPN > VPN Gateways.

  2. In the top navigation bar, select the region of the VPN gateway.

  3. On the VPN Gateways page, find the VPN gateway that you created, move the pointer over the More icon in the Actions column, and then click Enable Automatic BGP Propagation.

  4. In the Enable Automatic BGP Propagation message, click OK.

    The VPN gateway automatically advertises BGP routes to the VPC.

Step 3: Create a customer gateway

You create a customer gateway to register the information about the gateway device in the data center with Alibaba Cloud and keep it up to date. The customer gateway is then connected to the VPN gateway.

  1. In the left-side navigation pane, choose Interconnections > VPN > Customer Gateways.

  2. In the top navigation bar, select the region in which you want to create the customer gateway.

    Note

    Make sure that the customer gateway and the VPN gateway to be connected are deployed in the same region.

  3. On the Customer Gateway page, click Create Customer Gateway.

  4. In the Create Customer Gateway panel, configure the following parameters and click OK.

    The following table describes only the parameters that are relevant to this topic. You can use the default values for other parameters or leave them empty. For more information, see Create and manage a customer gateway.

    • Name: Enter a name for the customer gateway. In this example, CGW is used.

    • IP Address: Enter the public IP address of the gateway device in the data center. In this example, 2.XX.XX.2 is used.

    • ASN: Enter the ASN of the data center. In this example, 65531 is used.

    • Description: Enter a description for the customer gateway.

Step 4: Create an IPsec-VPN connection

  1. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

  2. In the top navigation bar, select the region in which you want to create the IPsec-VPN connection.

    Note

    Make sure that the IPsec-VPN connection and the VPN gateway to be connected are deployed in the same region.

  3. On the IPsec Connections page, click Create IPsec-VPN Connection.

  4. On the Create IPsec-VPN Connection page, configure the following parameters and click OK.

    The following table describes only the key parameters. The default values are used for the other parameters. For more information, see Create and manage IPsec-VPN connections in single-tunnel mode.

    • Name: Enter a name for the IPsec-VPN connection. In this example, VPCTOIDC is used.

    • Resource Group: Select the resource group to which the VPN gateway belongs. In this example, the default resource group is selected.

    • Associate Resource: Select the type of network resource to be associated with the IPsec-VPN connection. In this example, VPN Gateway is selected.

    • VPN gateway: Select the VPN gateway that you want to connect. In this example, the VPN gateway that is created in Step 1 is selected.

    • Routing Mode: Select a routing mode. Valid values: Destination Routing Mode or Protected Data Flows. If the IPsec-VPN connection uses BGP dynamic routing, we recommend that you select Destination Routing Mode. In this example, Destination Routing Mode is selected.

    • Effective Immediately: Specify whether to immediately start negotiations for the connection. Valid values: Yes (starts negotiations as soon as the configuration is complete) or No (starts negotiations when traffic is detected). In this example, Yes is selected.

    • Customer Gateway: Select the customer gateway that you want to connect. In this example, the customer gateway that is created in Step 3 is selected.

    • Pre-Shared Key: Enter a pre-shared key. Make sure that the VPC and the data center use the same pre-shared key. In this example, 123456**** is used.

    • Enable BGP: If you want to use Border Gateway Protocol (BGP) routing for the IPsec-VPN connection, turn on Enable BGP. By default, Enable BGP is turned off. In this example, Enable BGP is turned on.

    • Local ASN: Enter the ASN on the VPC side. Default value: 45104. In this example, 65530 is used.

    • Version: Select an IKE version. In this example, ikev2 is selected.

    • Encryption Algorithm: Select an encryption algorithm. In this example, aes is selected.

    • Authentication Algorithm: Select an authentication algorithm. In this example, sha1 is selected.

    • DH Group: Select a DH group. In this example, group2 is selected.

    • Tunnel CIDR Block: Enter the CIDR block of the IPsec tunnel. The CIDR block must fall within 169.254.0.0/16 and its subnet mask must be 30 bits in length. In this example, 169.254.10.0/30 is used.

    • Local BGP IP address: Enter the BGP IP address on the VPC side. The IP address must fall within the CIDR block of the IPsec tunnel. In this example, 169.254.10.1 is used.
      Note: Make sure that the BGP IP addresses on the VPC side and on the data center side do not conflict with each other.

  5. In the Created message, click OK.
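The address and ASN constraints stated in the prerequisites and in the table above can be checked before anything is created in the console. The following Python script is an added example, not part of this topic or of any Alibaba Cloud tool; it uses the values from this topic as constructed sample input and applies the same rules (non-overlapping CIDR blocks, a tunnel block inside 169.254.0.0/16 with a 30-bit mask, BGP IP addresses inside that block that do not conflict), plus one assumption: the two sides peer over eBGP and therefore need different ASNs.

```python
import ipaddress

# Range and prefix length that the topic requires for the IPsec tunnel CIDR block.
TUNNEL_RANGE = ipaddress.ip_network("169.254.0.0/16")
TUNNEL_PREFIXLEN = 30


def validate_ipsec_bgp_config(vpc_cidr, dc_cidr, local_asn, remote_asn,
                              tunnel_cidr, local_bgp_ip, remote_bgp_ip):
    """Return a list of problems; an empty list means every constraint holds."""
    problems = []
    try:
        vpc = ipaddress.ip_network(vpc_cidr)
        dc = ipaddress.ip_network(dc_cidr)
        tunnel = ipaddress.ip_network(tunnel_cidr)
        local_ip = ipaddress.ip_address(local_bgp_ip)
        remote_ip = ipaddress.ip_address(remote_bgp_ip)
    except ValueError as exc:
        # ip_network() is strict by default: host bits set in a CIDR block are an error.
        return [f"malformed address or CIDR block: {exc}"]

    # Prerequisite: the data center CIDR block must not overlap the VPC CIDR block.
    if vpc.version == dc.version and vpc.overlaps(dc):
        problems.append(f"data center CIDR {dc} overlaps VPC CIDR {vpc}")

    # Tunnel CIDR block: an IPv4 block inside 169.254.0.0/16 with a 30-bit mask.
    if tunnel.version != 4 or not tunnel.subnet_of(TUNNEL_RANGE):
        problems.append(f"tunnel CIDR {tunnel} is not within {TUNNEL_RANGE}")
    if tunnel.prefixlen != TUNNEL_PREFIXLEN:
        problems.append(f"tunnel CIDR {tunnel} must use a /{TUNNEL_PREFIXLEN} mask")

    # BGP IP addresses: inside the tunnel block, usable host addresses, and distinct.
    for side, ip in (("local", local_ip), ("remote", remote_ip)):
        if ip not in tunnel or ip in (tunnel.network_address, tunnel.broadcast_address):
            problems.append(f"{side} BGP IP {ip} is not a usable host in {tunnel}")
    if local_ip == remote_ip:
        problems.append(f"local and remote BGP IP addresses conflict ({local_ip})")

    # ASNs: valid 32-bit values, and different on the two sides (assumption: eBGP peering).
    for side, asn in (("local", local_asn), ("remote", remote_asn)):
        if not 1 <= asn <= 4294967295:
            problems.append(f"{side} ASN {asn} is out of range")
    if local_asn == remote_asn:
        problems.append(f"both sides use ASN {local_asn}; eBGP needs distinct ASNs")
    return problems


if __name__ == "__main__":
    # Constructed sample input: the VPC, data center, and tunnel values used in this topic.
    issues = validate_ipsec_bgp_config("10.0.0.0/8", "172.17.0.0/16", 65530, 65531,
                                       "169.254.10.0/30", "169.254.10.1", "169.254.10.2")
    print("configuration is consistent" if not issues else "\n".join(issues))
```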

Step 5: Add VPN configurations to the gateway device in the data center

After you create an IPsec-VPN connection, you need to add the VPN configurations to the gateway device in the data center to establish a VPN connection between the VPC and the data center.

The following example shows how to add VPN configurations to the gateway device in the data center. In this example, a Cisco firewall device that runs the Cisco IOS XE system is used.

Note

The following content contains third-party product information, which is for reference only. Alibaba Cloud does not make guarantees or other forms of commitments for the performance and reliability of the third-party tools, and potential impacts of operations on these tools.

The commands may vary with different vendors. Contact the vendor to obtain the information about specific commands.

  1. Log on to the command-line interface (CLI) of the Cisco firewall device.

  2. Run the following commands to configure the IKEv2 proposal and policy (IOS XE treats a line that starts with "!" as a comment, so the annotations can be pasted as-is):

    crypto ikev2 proposal alicloud
     ! Specify the encryption algorithm. In this example, aes-cbc-128 is used.
     encryption aes-cbc-128
     ! Specify the authentication (integrity) algorithm. In this example, sha1 is used.
     integrity sha1
     ! Specify the DH group. In this example, group 2 is used.
     group 2
    exit
    !
    crypto ikev2 policy Pureport_Pol_ikev2
     proposal alicloud
    exit
    !
  3. Run the following commands to configure an IKEv2 keyring:

    crypto ikev2 keyring alicloud
     peer alicloud
      ! Specify the public IP address of the VPN gateway on the VPC side. In this example, 1.XX.XX.1 is used.
      address 1.XX.XX.1
      ! Specify the pre-shared key. It must match the key entered in Step 4. In this example, 123456**** is used.
      pre-shared-key 123456****
    exit
    !
  4. Run the following commands to configure an IKEv2 profile:

    crypto ikev2 profile alicloud
     ! Match the public IP address of the VPN gateway on the VPC side. In this example, 1.XX.XX.1 is used.
     match identity remote address 1.XX.XX.1 255.255.255.255
     ! Use the public IP address of the data center as the local identity. In this example, 2.XX.XX.2 is used.
     identity local address 2.XX.XX.2
     ! Authenticate the VPC side with the pre-shared key (PSK).
     authentication remote pre-share
     ! Authenticate the data center side with the pre-shared key (PSK).
     authentication local pre-share
     ! Reference the IKEv2 keyring created in the previous step.
     keyring local alicloud
    exit
    !
  5. Run the following commands to configure a transform set:

    crypto ipsec transform-set TSET esp-aes esp-sha-hmac
     mode tunnel
    exit
    !
  6. Run the following commands to configure an IPsec profile that references the transform set, Perfect Forward Secrecy (PFS), and the IKEv2 profile:

    crypto ipsec profile alicloud
     set transform-set TSET
     set pfs group2
     set ikev2-profile alicloud
    exit
    !
  7. Run the following commands to configure the IPsec tunnel interface and the physical interface that serves as its source:

    interface Tunnel100
     ! Specify the tunnel address on the data center side. In this example, 169.254.10.2 is used.
     ip address 169.254.10.2 255.255.255.252
     tunnel source GigabitEthernet1
     tunnel mode ipsec ipv4
     ! Specify the public IP address of the VPN gateway on the Alibaba Cloud side. In this example, 1.XX.XX.1 is used.
     tunnel destination 1.XX.XX.1
     tunnel protection ipsec profile alicloud
     no shutdown
    exit
    !
    interface GigabitEthernet1
     ! The interface that holds the public IP address of the data center. In this example, 2.XX.XX.2 is used.
     ip address 2.XX.XX.2 255.255.255.0
     negotiation auto
    !
  8. Run the following commands to configure BGP:

    ! Enable BGP routing and specify the ASN of the data center. In this example, 65531 is used.
    router bgp 65531
     ! Specify the BGP router ID. In this example, 169.254.10.2 is used.
     bgp router-id 169.254.10.2
     bgp log-neighbor-changes
     ! Specify the BGP peer (the BGP IP address on the VPC side) and its ASN. In this example, 65530 is used.
     neighbor 169.254.10.1 remote-as 65530
     ! Set the eBGP hop count to 10.
     neighbor 169.254.10.1 ebgp-multihop 10
     !
     address-family ipv4
      ! Advertise the CIDR block of the data center. In this example, 172.17.0.0/16 is used.
      network 172.17.0.0 mask 255.255.0.0
      ! Activate the BGP peer.
      neighbor 169.254.10.1 activate
     exit-address-family
    !

After you establish the IPsec-VPN connection, the VPN gateway of the VPC and the gateway device in the data center advertise the following routes:

  • The gateway device in the data center automatically learns routes from the CIDR block of the data center by using BGP, and then advertises the routes to the VPN gateway of the VPC. The VPN gateway of the VPC automatically advertises the learned routes to the system route table of the VPC. You can view route information about the system route table on the Dynamic Route tab.

  • The VPN gateway on Alibaba Cloud automatically learns system routes and custom routes from the system route table of the VPC, and then advertises the routes to the customer VPN gateway.

Step 6: Test the network connectivity

  1. Log on to an ECS instance that is not assigned a public IP address in the VPC. For more information about how to log on to an ECS instance, see Connection method overview.

  2. Run the ping command to access a client in the data center and check the connectivity.

    The result shows that the ECS instance in the VPC can access the client in the data center.

  3. Log on to the client in the data center.

  4. Run the ping command to access the ECS instance in the VPC and check the connectivity.

    The result shows that the client in the data center can access the ECS instance in the VPC.