This topic describes how to create IPsec-VPN connections on VPN gateways to connect
an on-premises data center to a Virtual Private Cloud (VPC) network.
Prerequisites
Before you start, make sure that the following requirements are met:
- An Alibaba Cloud account is created. If you do not have an Alibaba Cloud account,
click Create an Alibaba Cloud account.
- Check the gateway device in the on-premises data center. Alibaba Cloud VPN gateways
support the standard IKEv1 and IKEv2 protocols. Any gateway device that supports either
of these protocols can connect to an Alibaba Cloud VPN gateway, for example devices from
Huawei, H3C, Hillstone, Sangfor, Cisco (ASA), Juniper, SonicWall, Nokia, IBM, and
Ixia.
- Make sure that the gateway device in the on-premises data center has a static public IP
address. The VPN gateway uses this address as its IKE peer, so it must not change.
- The CIDR block of the on-premises data center must not overlap with the CIDR block of the
VPC network. Overlapping blocks cannot be routed to each other across the tunnel.
Background information
For example, a company creates a VPC network on Alibaba Cloud. The CIDR block of the
VPC network is 192.168.0.0/16. The CIDR block of the on-premises data center is 172.16.0.0/12.
The static public IP address for the gateway device in the on-premises data center
is 211.xx.xx.68. To meet business requirements, the company needs to connect the on-premises
data center to the VPC network.

The preceding figure shows the on-premises data center connected to the VPC network
through IPsec-VPN. Once the connection is established, cloud resources can be shared with
the on-premises data center.
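The prerequisites and the worked example above can be checked before anything is bought or configured. The following script is an added example, not Alibaba Cloud code: it verifies that the on-premises gateway address is a public IPv4 address and that the on-premises and VPC CIDR blocks do not overlap, and it generalizes the page's single-block case to lists of CIDR blocks on each side. Because the page masks the gateway address as 211.xx.xx.68, the example uses 203.0.113.68 (RFC 5737 documentation range) as a constructed stand-in; the second, failing input set is also constructed.

```python
"""Pre-flight checks for the IPsec-VPN prerequisites (added example, not Alibaba Cloud code)."""
import ipaddress
from typing import List, Tuple

# Address ranges that can never be an Internet-reachable IKE peer.
# ipaddress.IPv4Address.is_global would also reject the RFC 5737 documentation
# ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24), which this example uses
# as stand-ins for real addresses, so the list is kept explicit instead.
_NON_PUBLIC_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",        # "this" network
    "10.0.0.0/8",       # RFC 1918
    "100.64.0.0/10",    # RFC 6598 carrier-grade NAT
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local
    "172.16.0.0/12",    # RFC 1918
    "192.168.0.0/16",   # RFC 1918
    "224.0.0.0/4",      # multicast
    "240.0.0.0/4",      # reserved
)]


def check_customer_gateway_ip(ip: str) -> List[str]:
    """Return problems with the on-premises gateway's public IP (empty list means OK)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        # The page shows the address masked as 211.xx.xx.68; the real one must be substituted.
        return [f"{ip!r} is not a valid IP address"]
    if addr.version != 4:
        # Assumption of this example: the customer gateway is addressed over IPv4, as on the page.
        return [f"{ip} is IPv6; this example expects an IPv4 customer gateway address"]
    for net in _NON_PUBLIC_V4:
        if addr in net:
            return [f"{ip} is in {net}, which is not a public address; "
                    "IKE peers must be reachable over the Internet"]
    return []


def parse_cidrs(label: str, cidrs: List[str]) -> Tuple[List[ipaddress.IPv4Network], List[str]]:
    """Parse CIDR strings strictly: 172.16.0.1/12 (host bits set) is a typo, not a network."""
    nets, problems = [], []
    for c in cidrs:
        try:
            nets.append(ipaddress.ip_network(c, strict=True))
        except ValueError as e:
            problems.append(f"{label} CIDR block {c!r} is invalid: {e}")
    return nets, problems


def check_no_overlap(onprem: List[ipaddress.IPv4Network],
                     vpc: List[ipaddress.IPv4Network]) -> List[str]:
    """Report every on-premises/VPC pair that overlaps; such pairs cannot be routed across the tunnel."""
    return [f"on-premises {a} overlaps VPC {b}" for a in onprem for b in vpc if a.overlaps(b)]


def preflight(gateway_ip: str, onprem_cidrs: List[str], vpc_cidrs: List[str]) -> List[str]:
    """Run all checks; an empty list means the prerequisites on the page are satisfied."""
    problems = check_customer_gateway_ip(gateway_ip)
    onprem, onprem_problems = parse_cidrs("on-premises", onprem_cidrs)
    vpc, vpc_problems = parse_cidrs("VPC", vpc_cidrs)
    problems += onprem_problems + vpc_problems
    problems += check_no_overlap(onprem, vpc)
    return problems


if __name__ == "__main__":
    # The page's worked example, with 203.0.113.68 standing in for the masked 211.xx.xx.68.
    print(preflight("203.0.113.68", ["172.16.0.0/12"], ["192.168.0.0/16"]))  # []
    # Constructed failing inputs: a private gateway address and an overlapping VPC block.
    for problem in preflight("10.0.0.5", ["172.16.0.0/12"], ["172.20.0.0/16"]):
        print("FAIL:", problem)
```

Run it with the real values before Step 2; any line it prints is a prerequisite that the console will not check for you, and the overlap check in particular is worth repeating whenever a secondary CIDR block is added to either side.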
Step 1: Create a VPN gateway
Take the following steps to create a VPN gateway:
- Log on to the VPN gateway console.
- In the left-side navigation pane, choose .
- On the VPN Gateways page, click Create VPN Gateway.
- On the buy page, set the following parameters, click Buy Now, and complete the payment.
- Name: Enter a name for the VPN gateway.
- Region: Select the region where you want to deploy the VPN gateway.
Note Make sure that the VPC network and the VPN gateway associated with the VPC network
are deployed in the same region.
- VPC: Select the VPC network to be associated with the VPN gateway.
- Bandwidth: Specify the maximum bandwidth of the VPN gateway. The bandwidth is provided for
data transfer over the Internet.
- IPsec-VPN: Specify whether to enable IPsec-VPN for the VPN gateway.
- SSL-VPN: Specify whether to enable SSL-VPN. SSL-VPN allows a client to connect to the VPC
network from anywhere.
- SSL Connections: Specify the maximum number of concurrent SSL connections that the VPN gateway supports.
Note This parameter is available only after SSL-VPN is enabled.
- Billing Cycle: Specify the subscription duration.
- Go to the VPN Gateways page to view the newly created VPN gateway.
The newly created VPN gateway is in the Preparing state. Creation usually takes one to
five minutes; the status changes to Normal when the VPN gateway is initialized and
ready for use.
Step 2: Create a customer gateway
Take the following steps to create a customer gateway.
- In the left-side navigation pane, choose .
- Select the region where you want to deploy the customer gateway.
- On the Customer Gateways page, click Create Customer Gateway.
- On the Create Customer Gateway page, set the following parameters, and then click Submit.
- Name: Enter a name for the customer gateway.
- IP Address: Enter the public IP address of the gateway device in the on-premises data center
that is to be connected to the VPC network. In this example, enter 211.xx.xx.68.
- Description: Enter a description for the customer gateway.
Step 3: Create an IPsec-VPN connection
Take the following steps to create an IPsec-VPN connection:
- In the left-side navigation pane, choose .
- Select the region where you want to create an IPsec-VPN connection.
- On the IPsec Connections page, click Create IPsec Connection.
- On the Create IPsec Connection page, set the following parameters for the IPsec-VPN connection, and click Submit.
Step 4: Load the configurations of the IPsec-VPN connection to the customer gateway device
Take the following steps to load the configurations of the IPsec-VPN connection to
the customer gateway device:
- In the left-side navigation pane, choose .
- Select the region where the IPsec-VPN connection is established.
- On the IPsec Connections page, find the target IPsec-VPN connection, and then choose in the Actions column.
- Load the configurations of the IPsec-VPN connection to the customer gateway device
by following the instructions described in Configure customer gateways.
LocalSubnet and RemoteSubnet in the downloaded configurations are the reverse of the
LocalSubnet and RemoteSubnet that you specified when you created the IPsec-VPN connection,
because each side describes the tunnel from its own point of view. For the VPN gateway,
LocalSubnet is the CIDR block of the VPC network (192.168.0.0/16 in this example) and
RemoteSubnet is the CIDR block of the on-premises data center (172.16.0.0/12). For the
customer gateway, LocalSubnet is the CIDR block of the on-premises data center and
RemoteSubnet is the CIDR block of the VPC network. If the two sides do not mirror each
other exactly, the IPsec security association cannot be negotiated.
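To make the swap concrete, the following added example (not from this page or from Alibaba Cloud) takes the connection as it was defined on the VPN gateway side, mirrors every local/remote pair to obtain the customer gateway's view, and renders that view as a strongSwan swanctl.conf fragment. strongSwan is only an illustration of a customer gateway; the page does not name it. The VPN gateway's public IP address, the pre-shared key and the IKE/ESP proposals are not given on this page, so 198.51.100.10, the PSK string and the proposal string are placeholders, and 203.0.113.68 stands in for the masked on-premises address 211.xx.xx.68.

```python
"""Derive the customer-gateway side of an IPsec-VPN connection (added example, not Alibaba Cloud code)."""
from dataclasses import dataclass
import textwrap


@dataclass(frozen=True)
class IpsecConnection:
    """One side of the tunnel, described from that side's own point of view."""
    local_addr: str     # this side's public IP address (its IKE peer identity)
    remote_addr: str    # the other side's public IP address
    local_subnet: str   # CIDR block behind this side
    remote_subnet: str  # CIDR block behind the other side
    ike_version: int    # 1 or 2; the VPN gateway supports both


def customer_gateway_view(vpn_gw: IpsecConnection) -> IpsecConnection:
    """Mirror the VPN-gateway-side definition: every local/remote pair swaps sides."""
    return IpsecConnection(
        local_addr=vpn_gw.remote_addr,
        remote_addr=vpn_gw.local_addr,
        local_subnet=vpn_gw.remote_subnet,
        remote_subnet=vpn_gw.local_subnet,
        ike_version=vpn_gw.ike_version,
    )


def render_swanctl(conn: IpsecConnection, psk: str, proposals: str) -> str:
    """Render a customer-gateway view as a swanctl.conf fragment (strongSwan 5.x syntax)."""
    return textwrap.dedent(f"""\
        connections {{
            to-alibaba-vpc {{
                version = {conn.ike_version}
                local_addrs  = {conn.local_addr}
                remote_addrs = {conn.remote_addr}
                proposals = {proposals}
                local {{
                    auth = psk
                    id = {conn.local_addr}
                }}
                remote {{
                    auth = psk
                    id = {conn.remote_addr}
                }}
                children {{
                    vpc {{
                        local_ts  = {conn.local_subnet}
                        remote_ts = {conn.remote_subnet}
                        esp_proposals = {proposals}
                        start_action = start
                    }}
                }}
            }}
        }}
        secrets {{
            ike-alibaba {{
                id = {conn.remote_addr}
                secret = "{psk}"
            }}
        }}
    """)


# The connection as defined on the VPN gateway in Step 3, using the page's worked example.
# 198.51.100.10 is a constructed placeholder for the VPN gateway's public IP (not on the
# page); 203.0.113.68 stands in for the masked on-premises address 211.xx.xx.68.
VPN_GATEWAY_SIDE = IpsecConnection(
    local_addr="198.51.100.10",
    remote_addr="203.0.113.68",
    local_subnet="192.168.0.0/16",   # LocalSubnet on the VPN gateway: the VPC CIDR block
    remote_subnet="172.16.0.0/12",   # RemoteSubnet on the VPN gateway: the on-premises CIDR block
    ike_version=2,
)

if __name__ == "__main__":
    cg = customer_gateway_view(VPN_GATEWAY_SIDE)
    # The pre-shared key and proposals are placeholders; use the values configured in Step 3.
    print(render_swanctl(cg, psk="REPLACE_WITH_PRE_SHARED_KEY", proposals="aes256-sha256-modp2048"))
```

The rendered fragment has local_ts = 172.16.0.0/12 and remote_ts = 192.168.0.0/16, which is exactly the reversal the text describes. Applying customer_gateway_view twice returns the original VPN-gateway-side definition, a handy sanity check when configurations are edited by hand.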
Step 5: Configure routes for the VPN gateway
Take the following steps to configure routes for the VPN gateway:
- In the left-side navigation pane, choose .
- Select the region where the VPN gateway is deployed.
- On the VPN Gateways page, find the target VPN gateway, and then click the instance ID in the Instance ID/Name column.
- On the Destination-based routing tab, click Add Route Entry.
- In the Add Route Entry dialog box, set the following parameters and click OK.
- Destination CIDR Block: Enter the CIDR block of the on-premises data center. In this example, enter 172.16.0.0/12.
- Next Hop Type: Select IPsec Connection.
- Next Hop: Select an IPsec instance.
- Publish to VPC: Specify whether to automatically publish new route entries to the VPC route table.
In this example, select Yes.
- Weight: Select a weight. In this example, select 100.
Step 6: Verify the settings
Log on to an Elastic Compute Service (ECS) instance in the VPC network that has no public
IP address, and run the ping command against the private IP address of a server in the
on-premises data center to test connectivity. Using an instance without a public IP address
keeps the test private-to-private, so the traffic must traverse the IPsec-VPN connection.
If the ping fails, check that the security group of the ECS instance and the firewall in
the on-premises data center allow ICMP, and that the route to the on-premises CIDR block
(172.16.0.0/12 in this example) has been published to the VPC route table.