This tutorial illustrates how to create an IPsec connection over the IPsec-VPN tunnel to connect two VPCs.
| VPC name | VPC name | VPC ID | VPC ID |
|---|---|---|---|
| VPC1 | 172.16.0.0/12 | vpc-xxxxz0 | ECS 1 |
| VPC2 | 10.0.0.0/8 | vpc-xxxxut | ECS2 |
Prerequisites
The IP address ranges of these two VPCs are not in conflict.
Step 1: Create two VPN Gateways
- Log on to the VPC console.
- In the left-side navigation pane, click .
- On the VPN Gateways page, click Create VPN Gateway.
- On the purchase page, configure the VPN gateway and complete the payment. In this tutorial, the VPN gateway uses the following configurations:
-
Region: Select the region of the VPN gateway. In this operation, select China (Hangzhou).Note Make sure that the region of the VPC to be connected and the region of the VPN Gateway are the same.
-
VPC: Select the VPC to be connected.
-
Bandwidth specification: Select a bandwidth specification. The bandwidth specification is the Internet bandwidth of the VPN gateway.
-
IPsec-VPN: Select whether to enable the IPsec-VPN feature.
-
SSL-VPN: Select whether to enable the SSL-VPN feature. The SSL-VPN feature allows you to connect to a VPC from a single computer anywhere.
-
Concurrent SSL Connections: Select the maximum number of clients you want to connect to simultaneously.Note You can only configure this option after you enables the SSL-VPN feature.
-
- Repeat the preceding steps to create a VPN gateway for the other VPC.
The initial status of a VPN Gateway is Preparing. It changes to Normal in about 2 minutes. When it changes to Normal, it indicates that the VPN Gateway is ready to use. VPN After the gateway is created, the system automatically assigns two Internet IPs.Note It usually takes 1-5 minutes to create a VPN gateway.
In this tutorial, the public IP address assigned is 121. XXX. XX.143 and 118. XXX. XX.149, as shown in the following table.VPC VPN Gateway IP address Name: VPC1
ID: vpc-xxxxz0
IP address range: 172.16.0.0/12
vpn-xxxxxqwj 118.xxx.xx.149 Name: vpc2
ID: vpc-xxxxut
IP address range: 10.0.0.0/8
vpn-xxxxxl5z 121. x
Step 2: Create two customer Gateways
- In the left-side navigation pane, click .
- Select the China (Hangzhou) region.
- On the Customer Gateways page, click Create Customer Gateway.
- Configure the customer gateway according to the following information:
-
Name: Enter the name of the customer gateway.
-
IP Address: Enter the public IP address of the VPN gateway of the peer VPC.
-
Description: Enter the description of the customer gateway.
-
- Repeat these steps to create another customer gateway using the public IP address of the other VPN Gateway.
After creating two customer Gateways in this tutorial, the relationship between VPC, VPN Gateways and customer Gateways are as follows:
VPC VPN Gateway IP address Customer Gateway Name: VPC1
ID: vpc-xxxxz0
IP address range: 172.16.0.0/12
vpn-xxxxxqwj 121.xxx.xx.143 user_VPC1 Name: VPC2
ID: vpc-xxxxut
IP address range: 10.0.0.0/8
vpn-xxxxxl5z 118.xxx.xx.149 user_VPC
Step 3: Create two IPsec connections
- In the left-side navigation pane, click .
- Select the China (Hangzhou) region.
- On the IPsec Connections page, click Create IPSec Connection.
- Configure the IPsec connection according to the following information:
-
Name: Enter a name for the IPsec connection.
-
VPN Gateway: Select the created VPN Gateway. In this tutorial, the VPN gateway vpn-xxxxxqwj of VPC1 is selected.
-
Customer Gateway: Select the customer gateway created by using the public IP address of the peer VPN gateway. In this tutorial, the customer gateway user_VPC2 of VPC2 is selected.
.
-
Local Network: Enter the IP address range of the VPC to which the selected VPN gateway belongs. In this tutorial, the IP address range 172.16.0.0/12 of VPC1 is entered.
-
Remote Network: Enter the IP address range of the peer VPC. In this tutorial, the IP address range 10.0.0.0/8 of VPC2 is entered.
-
Pre-Shared Key: Enter a pre-shared key. In this tutorial, 123456 is entered. This value must be the same as configured in the other IPsec connection.
-
- Repeat these steps to create another IPsec connection.
In this tutorial, the IPsec connection configurations of VPC1 is as follows:
In this tutorial, the IPsec connection configurations of VPC2 is as follows:
Step 4: Configure routes
- In the left-side navigation pane, click Route Tables.
- Select the region to which the connected VPC belongs. In this tutorial, the China (Hangzhou) region is selected.
- Find VPC1 and click Manage.
- On the Route Tables page, click Add Route Entry.
- Configure the route entry according to the following information and then click OK.
-
Destination CIDR Block: Enter the IP address range of the peer VPC. In this tutorial, the IP address range 10.0.0.0/8 of VPC2 is entered.
-
Next Hop Type: Select VPN Gateway.
-
VPN Gateway: Select the VPN gateway deployed in the local VPC. In this tutorial, the VPN gateway created for VPC1 is selected.
-
- Repeat these steps to add a route entry for VPC2. In the route entry, the destination CIDR block is 172.16.0.0/12, and the next hop is the VPN gateway of VPC2.
In this tutorial, the route configurations are as follows:
VPC Destination CIDR block Next hop type Next hop VPC1 10.0.0.0/8 VPN Gateway The VPN Gateway created in this tutorial for VPC1 is vpn-xxxxxqwj. VPC2 172.16.0.0/12 VPN Gateway The VPN Gateway created in this tutorial for VPC2 is vpn-xxxxxl5z.
Step 5: Verify the connection
Log on to the ECS1, and then Ping the private IP address of the ECS2 to check whether the connection is established.
