This document illustrates how to create a site-to-site connection to connect a VPC with a local data center.
Prerequisites
You must meet the following requirements before creating an IPsec connection:
The gateway device in the local data center supports IKEv1 and IKEv2 protocols.
IPsec connections support IKEv1 and IKEv2 protocols. Any device that supports these two protocols can connect to Alibaba Cloud VPN Gateway. Supported devices include: Huawei, H3C, Cisco, ASN, Juniper, SonicWall, Nokia, IBM, and Ixia.
A static IP address is configured for the local gateway.
The IP address ranges of the VPC and local data center to be connected do not conflict with each other.
Step 1: Create a VPN Gateway
Log on to the VPC console.
In the left-side navigation pane, click VPN > VPN Gateways.
On the VPN Gateways page, click Create VPN Gateway.
Configure the VPN Gateway. In this tutorial, the VPN Gateway uses the following configurations:
For more information about the configurations of IPsec connections, see Manage VPN Gateways.
Region: Select China East 1 (Hangzhou).
Note: Make sure that the region of the VPC to be connected and the region of the VPN Gateway are the same.
VPC: Select the VPC to be connected.
Bandwidth specification: Select a bandwidth specification. In this tutorial, 10Mbps is selected.
IPsec-VPN: Select Enable.
SSL-VPN:Select Disable
Go back to the VPN Gateways page, click China East 1 (Hangzhou) region to view the created VPN Gateway.
Note: It usually takes 1-5 minutes to create a VPN Gateway.
The initial status of a VPN Gateway is Preparing. When the status changes to Normal, it indicates that the VPN Gateway is ready to use.
Step 2: Create a customer gateway
In the left-side navigation pane, click VPN > Customer Gateways.
Click the China East 1 (Hangzhou) region, and then click Create Customer Gateway.
Configure the customer gateway, and then click OK
Name: Enter a customer gateway name.
IP Address: Enter the static public IP configured for the local gateway. In this tutorial, 211.167.68.68 is used.
Step 3: Create an IPsec connection
In the left-side navigation pane, click VPN > IPsec Connections.
Click the China East 1 (Hangzhou) region, and then click Create IPsec Connection.
Configure the IPsec connection, and then click OK.
For more information about the configurations of IPsec connections, see Manage an IPsec connection.
Name: Enter a name for the IPsec connection.
VPN Gateway: Select the created VPN Gateway.
Customer Gateway: Select the created customer gateway.
Local Network: Enter the IP address range of the VPC. In this tutorial, 192.168.0.0/16 is used.
Remote Network: Enter the IP address of the local data center. In this tutorial, 172.16.0.0/12 is used.
Pre-Shared Key: Enter a pre-shared key. This value must be the same as the one configured in the local gateway. In this tutorial, 123456 is used.
Step 4: Configure the local gateway
In the left-side navigation pane, click VPN > IPsec Connections.
Click the China East 1 (Hangzhou) region and find the target IPsec connection.
Click Download Config to copy the IPsec connection configurations.
Configure the local gateway accordingly.
For more information, see Local Gateway configuration.
Note: The RemoteSubnet and LocalSubnet in the download configuration are the opposite of the local network and the remote network when creating an IPsec connection. From the perspective of VPN Gateway, the remote network is the local IDC and the local network is the VPC. From the perspective of local IDC, the remote network is the VPC and the local network is the local IDC.
Step 5: Configure routing
In the left-side navigation panel, click Route Tables.
Click the China East 1 (Hangzhou) region and find the route table of the connected VPC.
Click Add Route Entry.
Configure the route entry, and then click OK.
Destination CIDR Block: Enter the IP address range of the local IDC. In this tutorial, 172.16.0.0/12 is used.
Next Hop Type: Select VPN Gateway.
VPN Gateway: Select the created VPN Gateway.
Step 6: Verify the connection
Log on to an ECS instance (without a public IP) in the connected VPC network. Ping the private IP address of a server in the local data center to check whether the connection is established.