VPN Gateway:Connect a VPC to a data center in single-tunnel mode

Last Updated:Nov 06, 2023

This topic describes how to create an IPsec-VPN connection in single-tunnel mode between a virtual private cloud (VPC) and a data center by using a public VPN gateway. The IPsec-VPN connection can enable private communication between the VPC and the data center.

Prerequisites

  • Before you associate an IPsec-VPN connection with a public VPN gateway, make sure that a public IP address is assigned to the gateway device in the data center.

  • The on-premises gateway device must support IKEv1 or IKEv2 to establish IPsec-VPN connections with a VPN gateway.

  • The CIDR block of the data center must not overlap with the CIDR block of the VPC.

Examples

The following scenario is used as an example in this topic. An enterprise has created a VPC on Alibaba Cloud. The CIDR block of the VPC is 192.168.0.0/16. The CIDR block of the data center is 172.16.0.0/12. The static public IP address of the gateway device in the data center is 211.XX.XX.68. To meet business requirements, the enterprise needs to connect the data center to the VPC. You can create an IPsec-VPN connection to enable encrypted communication between the VPC and the data center.

IPsec quick start

Preparations

  • A VPC is created and applications are deployed on Elastic Compute Service (ECS) instances in the VPC. For more information, see Create an IPv4 VPC.

  • You have read and understood the security group rules that apply to the ECS instances in VPCs, and the security group rules allow gateway devices in the data center to access cloud resources. For more information, see View security group rules and Add a security group rule.

Step 1: Create a VPN gateway

  1. Log on to the VPN gateway console.
  2. In the top navigation bar, select the region where you want to create the VPN gateway.

    The VPN gateway and the VPC to be associated must belong to the same region.

  3. On the VPN Gateways page, click Create VPN Gateway.

  4. On the buy page, set the following parameters, click Buy Now, and then complete the payment.

    Parameter

    Description

    Name

    Enter a name for the VPN gateway.

    In this example, VPN Gateway 1 is used.

    Region

    Select the region where you want to deploy the VPN gateway.

    Note

    The VPN gateway must belong to the same region as the VPC.

    Gateway Type

    Select a VPN gateway type.

    Default value: Standard.

    Network Type

    Select the network type of the VPN gateway.

    In this example, Public is selected.

    Tunnels

    The system displays the tunnel modes supported in this region.

    • Single-tunnel

    • Dual-tunnel

    For more information, see [Upgrade notice] IPsec-VPN connections support the dual-tunnel mode.

    VPC

    Select the VPC with which you want to associate the VPN gateway.

    vSwitch

    Select a vSwitch from the selected VPC.

    • If you select Single-tunnel, you need to specify one vSwitch.

    • If you select Dual-tunnel, you need to specify two vSwitches.

    Note

    • The system selects a vSwitch by default. You can change or use the default vSwitch.

    • After you create a VPN gateway, you cannot change the vSwitch associated with the VPN gateway. You can view the associated vSwitch and the zone of the vSwitch on the details page of the VPN gateway.

    vSwitch 2

    Ignore this parameter if you select Single-tunnel.

    Maximum Bandwidth

    Specify a maximum bandwidth value for the VPN gateway. Unit: Mbit/s.

    Traffic

    Select a metering method for the VPN gateway. Default value: Pay-by-data-transfer.

    For more information, see Billing.

    IPsec-VPN

    Specify whether to enable IPsec-VPN.

    In this example, Enable is selected.

    SSL-VPN

    Specify whether to enable SSL-VPN.

    In this example, Disable is selected.

    Duration

    Select a billing cycle. Default value: By Hour.

    Service-linked Role

    Click Create Service-linked Role. Then, the system automatically creates the service-linked role AliyunServiceRoleForVpn.

    The VPN gateway assumes this role to access other cloud resources. For more information, see AliyunServiceRoleForVpn.

    If Created is displayed, it indicates that the service-linked role is created and you do not need to create it again.

    For more information about the parameters, see Create a VPN gateway.

  5. Return to the VPN Gateways page to view the VPN gateway that you created.

    A newly created VPN gateway is in the Preparing state and changes to the Normal state in about 1 to 5 minutes. After the status changes to Normal, the VPN gateway is ready for use.

Step 2: Create a customer gateway

  1. In the left-side navigation pane, choose Interconnections > VPN > Customer Gateways.

  2. In the top navigation bar, select the region of the customer gateway.

    Note

    Make sure that the customer gateway and the VPN gateway to be connected are deployed in the same region.

  3. On the Customer Gateway page, click Create Customer Gateway.

  4. In the Create Customer Gateway panel, set the following parameters and click OK.

    • Name: Enter a name for the customer gateway.

      In this example, Customer Gateway 1 is used.

    • IP Address: Enter the public IP address of the gateway device in the data center that you want to connect to the VPC.

      In this example, 211.XX.XX.68 is used.

    For more information about the parameters, see Create a customer gateway.

Step 3: Create an IPsec-VPN connection

  1. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

  2. In the top navigation bar, select the region of the IPsec-VPN connection.

    Note

    Make sure that the IPsec-VPN connection and the VPN gateway to be connected are deployed in the same region.

  3. On the IPsec Connections page, click Create IPsec Connection.

  4. On the Create IPsec-VPN Connection page, set the parameters for the IPsec-VPN connection, and click OK.

    Parameter

    Description

    Name

    Specify a name for the IPsec-VPN connection.

    In this example, IPsec Connection 1 is used.

    Associate Resource

    Select the type of network resource to be associated with the IPsec-VPN connection.

    In this example, VPN Gateway is selected.

    VPN Gateway

    Select the VPN gateway that you created.

    In this example, VPN Gateway 1 is selected.

    Customer Gateway

    Select the customer gateway that you created.

    In this example, Customer Gateway 1 is selected.

    Routing Mode

    Select a routing mode.

    In this example, Destination Routing Mode is selected.

    Effective Immediately

    Specify whether the configuration immediately takes effect.

    • Yes: starts negotiations when the configuration is complete.

    • No: starts connection negotiations when traffic is received.

    In this example, Yes is selected.

    Pre-Shared Key

    Enter a pre-shared key.

    • The pre-shared key must be 1 to 100 characters in length, and can contain digits, letters, and the following characters: ~`!@#$%^&*()_-+={}[]\|;:',.<>/?.

    • If you do not specify a pre-shared key, the system generates a random 16-character string as the pre-shared key. After you create an IPsec-VPN connection, you can click Edit to view the pre-shared key that is generated by the system. For more information, see Modify an IPsec-VPN connection.

    Important

    The IPsec-VPN connection and the peer gateway device must use the same pre-shared key. Otherwise, the system cannot establish an IPsec-VPN connection.

    Encryption Configuration

    In this example, IKEv1 is used and the other parameters use the default values. For more information, see Create and manage an IPsec-VPN connection in single-tunnel mode.
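The following Python script is an added pre-flight check that is not part of this topic or of any Alibaba Cloud tool. It verifies the two inputs that most often cause a failed or unusable IPsec-VPN connection before you click OK: the prerequisite that the data center CIDR block does not overlap with the VPC CIDR block, and the pre-shared key rules listed above (1 to 100 characters, drawn from digits, letters and the listed special characters). It also generates a key from that character set with the operating system CSPRNG, so that the same value can be loaded on the on-premises gateway device; the function and variable names are the script's own, and the CIDR blocks are the ones used in this topic's example.

```python
import ipaddress
import secrets
import string
from typing import List

# CIDR blocks from the example scenario in this topic.
VPC_CIDR = "192.168.0.0/16"
DATA_CENTER_CIDR = "172.16.0.0/12"

# Special characters that the pre-shared key may contain, as listed in the Step 3 table.
PSK_SPECIALS = "~`!@#$%^&*()_-+={}[]\\|;:',.<>/?"
PSK_ALPHABET = string.ascii_letters + string.digits + PSK_SPECIALS
PSK_ALLOWED = set(PSK_ALPHABET)


def cidrs_overlap(cidr_a: str, cidr_b: str) -> bool:
    """Return True if the two CIDR blocks share at least one address.

    strict=False tolerates host bits being set (for example 10.0.0.1/8), which is
    how operators often write a block by hand.
    """
    net_a = ipaddress.ip_network(cidr_a, strict=False)
    net_b = ipaddress.ip_network(cidr_b, strict=False)
    return net_a.overlaps(net_b)


def psk_problems(psk: str) -> List[str]:
    """Return the rule violations for a pre-shared key; an empty list means it is acceptable."""
    problems = []
    if not 1 <= len(psk) <= 100:
        problems.append(f"length {len(psk)} is outside 1-100 characters")
    bad = sorted({c for c in psk if c not in PSK_ALLOWED})
    if bad:
        problems.append("disallowed characters: " + repr("".join(bad)))
    return problems


def generate_psk(length: int = 32) -> str:
    """Generate a random pre-shared key from the permitted character set.

    secrets.choice uses the OS CSPRNG; random.choice would not be suitable for a key.
    Leaving the console field empty makes the system generate a key for you; generating
    your own lets you stage it on the on-premises gateway before the connection exists.
    """
    if not 1 <= length <= 100:
        raise ValueError("pre-shared key length must be between 1 and 100 characters")
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


def preflight(vpc_cidr: str, dc_cidr: str, psk: str) -> List[str]:
    """Run all checks and return a list of human-readable issues (empty when everything passes)."""
    issues = []
    if cidrs_overlap(vpc_cidr, dc_cidr):
        issues.append(
            f"VPC block {vpc_cidr} overlaps data center block {dc_cidr}; "
            "destination-based routes between them would be ambiguous"
        )
    issues.extend("pre-shared key: " + p for p in psk_problems(psk))
    return issues


if __name__ == "__main__":
    candidate = generate_psk()
    for issue in preflight(VPC_CIDR, DATA_CENTER_CIDR, candidate):
        print("ISSUE:", issue)
    print("generated pre-shared key:", candidate)
```

Run the script before Step 3 with your own CIDR blocks substituted for the constants; an empty issue list means the prerequisite and the key rules are satisfied, and the printed key is the value to enter both in the console and on the gateway device in the data center.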

Step 4: Load the configuration of the IPsec-VPN connection to the gateway device in the data center

  1. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

  2. On the IPsec Connections page, find the IPsec-VPN connection and click Generate Peer Configuration in the Actions column.

  3. Load the configuration of the IPsec-VPN connection to the gateway device in the data center. For more information, see Configure an on-premises gateway.

Step 5: Configure routes for the VPN gateway

  1. In the left-side navigation pane, choose Interconnections > VPN > VPN Gateways.

  2. On the VPN Gateway page, find the VPN gateway that you want to manage and click its ID.

  3. On the Destination-based Route Table tab, click Add Route Entry.

  4. In the Add Route Entry panel, set the following parameters and click OK.

    Parameter

    Description

    Destination CIDR Block

    Enter the destination CIDR block.

    In this example, 172.16.0.0/12 is entered.

    Next Hop Type

    Select a next hop type.

    In this example, IPsec Connection is selected.

    Next Hop

    Select the IPsec-VPN connection that you created.

    Publish to VPC

    Specify whether to advertise the route to the VPC that is associated with the VPN gateway.

    In this example, Yes is selected.

    Weight

    Select a weight for the route. Valid values:

    • 100: specifies a high priority for the route.

    • 0: specifies a low priority for the route.

    In this example, the default value 100 is used.

Step 6: Test the network connectivity

  1. Log on to an ECS instance that is not assigned a public IP address in the VPC. For more information about how to log on to an ECS instance, see Connection methods.

  2. Run the ping command to ping a server in the data center to test the network connectivity.

    If you can receive echo reply packets, the connection is established.