This topic describes how to establish IPsec-VPN connections between two virtual private clouds (VPCs) to enable resources in the VPCs to access each other.

Architecture
This example shows how to establish IPsec-VPN connections between two VPCs that belong to the same Alibaba Cloud account. You can also establish IPsec-VPN connections between two VPCs that belong to different Alibaba Cloud accounts by following the same procedure. In this case, make sure that you have the public IP address of the peer VPN gateway that belongs to the other Alibaba Cloud account. The public IP address of the peer VPN gateway is used to create a customer gateway.
VPC name   VPC CIDR block   VPC ID       Elastic Compute Service (ECS) instance name
VPC1       172.16.0.0/12    vpc-xxxxz0   ECS1
VPC2       10.0.0.0/8       vpc-xxxxut   ECS2
Note VPN gateways are used to enable encrypted data transmission over the Internet. The communication performance depends on the quality of the Internet connection. If you require higher communication quality, we recommend that you use Cloud Enterprise Network (CEN) to connect your networks. For more information, see Plan CEN.

Prerequisites

Make sure that the private CIDR blocks of the two VPCs do not overlap with each other.

Step 1: Create a VPN gateway

Perform the following operations to create a VPN gateway:

  1. Log on to the VPC console.
  2. In the left-side navigation pane, choose VPN > VPN Gateways.
  3. On the VPN Gateways page, click Create VPN Gateway.
  4. On the buy page, set the following parameters, click Buy Now, and complete the payment.
    • Name: Enter a name for the VPN gateway.
    • Region: Select the region where you want to deploy the VPN gateway.
      Note Make sure that the VPN gateway and the VPC are deployed in the same region.
    • Gateway Type: Select the type of the VPN gateway that you want to create. Standard is selected in this example.
    • VPC: Select the VPC to be associated with the VPN gateway.
    • Specify vSwitch: Select whether to specify a vSwitch for the VPN gateway. No is selected in this example.

      If you select Yes, you must also specify a vSwitch.

    • Peak Bandwidth: Specify a maximum bandwidth value for the VPN gateway. The bandwidth is used for data transfer over the Internet.
    • IPsec-VPN: Enable IPsec-VPN for the VPN gateway.
    • SSL-VPN: Specify whether to enable SSL-VPN for the VPN gateway. SSL-VPN allows you to connect a client to a VPC regardless of the location.
    • SSL Connections: Specify the maximum number of concurrent SSL connections that the VPN gateway supports.
      Note You can set this parameter only after SSL-VPN is enabled.
    • Duration: By default, the VPN gateway is billed on an hourly basis.
  5. Repeat the preceding operations to create a VPN gateway for the other VPC.
    A newly created VPN gateway is in the Preparing state. After about two minutes, its state changes to Normal. If a VPN gateway is in the Normal state, it indicates that the VPN gateway is initialized and ready for use. After the VPN gateways are created, two public IP addresses are automatically assigned.
    Note It takes about 1 to 5 minutes to create a VPN gateway.
    VPN gateways
    In this example, the public IP addresses 121.xxx.xx.143 and 118.xxx.xx.149 are assigned to the VPN gateways, as described in the following table.

    VPC                                                  VPN gateway    IP address
    VPC 1 (ID: vpc-xxxxz0, CIDR block: 172.16.0.0/12)    vpn-xxxxxqwj   118.xxx.xx.149
    VPC 2 (ID: vpc-xxxxut, CIDR block: 10.0.0.0/8)       vpn-xxxxxl5z   121.xxx.xx.143

Step 2: Create a customer gateway

Perform the following operations to create a customer gateway.

  1. In the left-side navigation pane, choose VPN > Customer Gateways.
  2. Select the region where you want to create the customer gateway.
  3. On the Customer Gateways page, click Create Customer Gateway.
  4. On the Create Customer Gateway page, set the following parameters and click OK.
    • Name: Enter a name for the customer gateway.
    • IP Address: Enter the public IP address of the peer gateway device that you want to connect to the VPC. In this example, the peer is the VPN gateway of the other VPC, so enter the public IP address assigned to that VPN gateway in Step 1.
    • Description: Enter a description for the customer gateway.
  5. Repeat the preceding operations to create a customer gateway with another public IP address.
    The following table lists the details of the VPCs, VPN gateways, and customer gateways.

    VPC                                                  VPN gateway    IP address       Customer gateway
    VPC 1 (ID: vpc-xxxxz0, CIDR block: 172.16.0.0/12)    vpn-xxxxxqwj   121.xxx.xx.143   user_VPC1
    VPC 2 (ID: vpc-xxxxut, CIDR block: 10.0.0.0/8)       vpn-xxxxxl5z   118.xxx.xx.149   user_VPC2

Step 3: Create an IPsec-VPN connection

After you create the VPN gateways and customer gateways, you can create IPsec-VPN connections to connect the VPN gateways with customer gateways.

  1. In the left-side navigation pane, choose VPN > IPsec Connections.
  2. Select the region where you want to create an IPsec-VPN connection.
  3. On the IPsec Connections page, click Create IPsec Connection.
  4. On the Create IPsec Connection page, set the following parameters for the IPsec-VPN connection, and click OK.
    • Name: Enter a name for the IPsec-VPN connection.
    • VPN Gateway: Select the VPN gateway that you created. In this example, the vpn-xxxxxqwj VPN gateway of VPC 1 is selected.
    • Customer Gateway: Select the customer gateway that you want to connect. In this example, the user_VPC2 customer gateway is selected.
    • Routing Mode: Select a routing mode. Protected Data Flows is selected in this example.

      After you select Protected Data Flows, you must specify the local network and the remote network (the Source CIDR Block and Destination CIDR Block parameters below). After you complete the configurations, the system automatically adds policy-based routes to the route table of the VPN gateway.

    • Source CIDR Block: Enter the CIDR block of the VPC with which the selected VPN gateway is associated. In this example, 172.16.0.0/12 is used.
    • Destination CIDR Block: Enter the CIDR block of the VPC to be connected. In this example, the CIDR block of VPC 2, which is 10.0.0.0/8, is used.
    • Effective Immediately: Specify whether to immediately start negotiations.
      • Yes: immediately negotiates after the configuration is completed.
      • No: negotiates when data transfer is detected.
    • Pre-shared Key: Enter the pre-shared key. In this example, 1234567 is entered. You must set the same pre-shared key for both IPsec-VPN connections. The value in this example is only a placeholder; for a production connection, use a long, randomly generated key that is not reused elsewhere.
    • Health Check: Enable health checks, and enter the destination IP address, source IP address, retry interval, and number of retries.

      Use the default settings for other parameters.

  5. Repeat the preceding operations to create an IPsec-VPN connection for VPC 2.
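The values entered in the prerequisite and in Steps 2 and 3 must agree with each other: the CIDR blocks must not overlap, each customer gateway must carry the public IP address of the peer VPN gateway, the local and remote networks of the two connections must mirror each other, and both connections must use the same pre-shared key. The following Python script is an added example that checks these relationships before you click OK; it is not part of this document and does not call any Alibaba Cloud API. The public IP addresses, the example pre-shared key, and the MIN_PSK_LENGTH threshold are constructed placeholders, not values from the page.

```python
"""Consistency check for a VPC-to-VPC IPsec-VPN configuration (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Vpc:
    name: str
    cidr: str
    vpn_gateway_ip: str  # public IP assigned to this VPC's VPN gateway (Step 1)


@dataclass(frozen=True)
class IpsecConnection:
    vpc: str                  # name of the VPC whose VPN gateway owns this connection
    customer_gateway_ip: str  # IP Address entered for the customer gateway (Step 2)
    source_cidr: str          # Source CIDR Block, the local network (Step 3)
    destination_cidr: str     # Destination CIDR Block, the remote network (Step 3)
    pre_shared_key: str       # Pre-shared Key (Step 3)


MIN_PSK_LENGTH = 16  # assumed local policy, not a value from the page


def cidrs_overlap(a: str, b: str) -> bool:
    """True if the two CIDR blocks share any address (the prerequisite check).

    strict=True rejects a block with host bits set, e.g. 172.16.0.1/12.
    """
    return ipaddress.ip_network(a, strict=True).overlaps(
        ipaddress.ip_network(b, strict=True))


def same_network(a: str, b: str) -> bool:
    """Compare CIDR blocks as networks rather than as raw strings."""
    return ipaddress.ip_network(a, strict=True) == ipaddress.ip_network(b, strict=True)


def check_site_to_site(vpc_a: Vpc, vpc_b: Vpc,
                       conn_a: IpsecConnection, conn_b: IpsecConnection) -> list:
    """Return a list of problems; an empty list means the two sides are consistent.

    conn_a is the connection created on vpc_a's VPN gateway, conn_b on vpc_b's.
    """
    problems = []
    if cidrs_overlap(vpc_a.cidr, vpc_b.cidr):
        problems.append(f"VPC CIDR blocks overlap: {vpc_a.cidr} and {vpc_b.cidr}")

    for conn, own, peer in ((conn_a, vpc_a, vpc_b), (conn_b, vpc_b, vpc_a)):
        if conn.vpc != own.name:
            problems.append(f"{conn.vpc}: connection is paired with VPC {own.name}")
        # The customer gateway on this side must describe the peer VPN gateway.
        if conn.customer_gateway_ip != peer.vpn_gateway_ip:
            problems.append(f"{own.name}: customer gateway IP {conn.customer_gateway_ip} "
                            f"is not the peer VPN gateway IP {peer.vpn_gateway_ip}")
        # Local network is this VPC's block, remote network is the peer's block.
        if not same_network(conn.source_cidr, own.cidr):
            problems.append(f"{own.name}: source CIDR {conn.source_cidr} "
                            f"is not the local VPC CIDR {own.cidr}")
        if not same_network(conn.destination_cidr, peer.cidr):
            problems.append(f"{own.name}: destination CIDR {conn.destination_cidr} "
                            f"is not the peer VPC CIDR {peer.cidr}")
        if len(conn.pre_shared_key) < MIN_PSK_LENGTH:
            problems.append(f"{own.name}: pre-shared key is shorter than "
                            f"{MIN_PSK_LENGTH} characters")

    if conn_a.pre_shared_key != conn_b.pre_shared_key:
        problems.append("pre-shared keys differ between the two IPsec-VPN connections")
    return problems


# Constructed sample data: CIDR blocks follow the page, IPs are RFC 5737 placeholders.
VPC1 = Vpc("VPC1", "172.16.0.0/12", "203.0.113.10")
VPC2 = Vpc("VPC2", "10.0.0.0/8", "198.51.100.20")
EXAMPLE_PSK = "example-psk-please-replace-0123"  # placeholder, not a real key
CONN_VPC1 = IpsecConnection("VPC1", VPC2.vpn_gateway_ip, VPC1.cidr, VPC2.cidr, EXAMPLE_PSK)
CONN_VPC2 = IpsecConnection("VPC2", VPC1.vpn_gateway_ip, VPC2.cidr, VPC1.cidr, EXAMPLE_PSK)

if __name__ == "__main__":
    found = check_site_to_site(VPC1, VPC2, CONN_VPC1, CONN_VPC2)
    print("\n".join(found) if found else "configuration is consistent")
```

Run the script as-is to see the consistent case; swapping the source and destination blocks of one connection, or giving the two connections different keys, produces one line per mismatch so that the error can be corrected before the tunnel negotiates.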

Step 4: Configure routes for each VPN gateway

Perform the following operations to configure a route for each VPN gateway.

  1. In the left-side navigation pane, choose VPN > VPN Gateways.
  2. Select the region where the VPN gateway is deployed.
  3. On the VPN Gateways page, find the VPN gateway that you want to manage, and click its ID in the Instance ID/Name column.
  4. On the Destination-based routing tab, click Add Route Entry.
  5. In the Add Route Entry dialog box, set the following parameters, and click OK.
    • Destination CIDR Block: Enter the private CIDR block of the peer VPC. For the VPN gateway of VPC 1, this is the CIDR block of VPC 2 (10.0.0.0/8); for the VPN gateway of VPC 2, it is the CIDR block of VPC 1 (172.16.0.0/12).
    • Next Hop Type: Select the next hop type. IPsec Connection is selected in this example.
    • Next Hop: Select one of the IPsec-VPN connections.
    • Publish to VPC: Specify whether to automatically advertise this route to the route table of the VPC. In this example, Yes is selected.
    • Weight: Select a weight. In this example, 100 is selected.
  6. Repeat the preceding operations to configure a route for the other VPN gateway.

Step 5: Test the connectivity

Log on to ECS1 in VPC 1, and then ping the private IP address of ECS2 in VPC 2 to test the connectivity. If the ping succeeds, the IPsec-VPN connections and the routes on both VPN gateways are configured correctly.
