IPsec-VPN allows you to connect a data center to a VPC. This topic describes how to use IPsec-VPN to do so.

Prerequisites

Before you use IPsec-VPN to connect a data center to a VPC, make sure that the following requirements are met:
  • The gateway device in the data center supports IKEv1 or IKEv2.

    IPsec-VPN supports the IKEv1 and IKEv2 protocols, and each IPsec-VPN connection uses one of them. Any gateway device that supports the IKE version chosen for the connection can connect to a VPN gateway on Alibaba Cloud.

  • A static public IP address is assigned to the gateway device in the data center. A gateway that sits behind NAT or uses a dynamically assigned address does not meet this requirement.
  • The CIDR block of the data center does not overlap with the CIDR block of the VPC.
  • You have read and understood the security group rules that apply to the Elastic Compute Service (ECS) instances in the VPC, and confirmed that these rules allow the gateway device in the data center to access cloud resources. For more information, see Query security group rules.

Procedure
  1. Create a VPN gateway

    You must enable the IPsec-VPN feature for the VPN gateway. You can create multiple IPsec-VPN connections for each VPN gateway.

  2. Create a customer gateway

    A customer gateway registers the information about the gateway device in the data center to Alibaba Cloud.

  3. Create an IPsec-VPN connection

    An IPsec-VPN connection is a VPN channel between the VPN gateway and the gateway device in the data center. The data center can exchange encrypted data with Alibaba Cloud only after an IPsec-VPN connection is created.

  4. Configure the gateway device

    You must load the configuration of the VPN gateway on Alibaba Cloud to the gateway device in the data center. For more information, see Configure a gateway device in a data center.

  5. Configure routes for the VPN gateway

    You must configure routes for the VPN gateway and advertise these routes to the VPC route table. This way, the VPC and the data center can communicate with each other. For more information, see Route overview.

  6. Test the connectivity

    Log on to an ECS instance in the VPC that is not assigned a public IP address, and run the ping command against the private IP address of a server in the data center. If the ping fails, check that the security group rules of the ECS instance allow ICMP traffic from the data center CIDR block, and that the routes configured in step 5 have been advertised to the VPC route table.
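The following script is an added example and is not Alibaba Cloud's own tooling. It ties the prerequisites and steps 3 to 4 together for a data center gateway running strongSwan: it checks that the VPC and data center CIDR blocks do not overlap and that the customer gateway address is not in a private or carrier-grade NAT range, then renders a swanctl.conf whose IKE version, proposals, lifetimes, pre-shared key and traffic selectors are meant to mirror the settings of the IPsec-VPN connection. All addresses, the PSK, the proposal strings and the use of the gateways' public IPs as IKE identities are constructed assumptions; copy the values from your actual IPsec-VPN connection instead.

```python
import ipaddress
from textwrap import dedent

# Constructed sample values, not taken from any real deployment. They stand in for the
# parameters the IPsec-VPN connection on Alibaba Cloud gives you (VPN gateway public IP,
# PSK, IKE version, proposals, lifetimes) plus the data center side of the tunnel.
# The addresses come from the RFC 5737 documentation ranges.
SAMPLE = {
    "vpn_gateway_ip": "203.0.113.10",        # public IP of the VPN gateway on Alibaba Cloud
    "customer_gateway_ip": "198.51.100.20",  # static public IP of the data center gateway
    "vpc_cidr": "172.16.0.0/12",             # VPC CIDR block
    "dc_cidr": "192.168.0.0/16",             # data center CIDR block
    "psk": "example-psk-replace-me",         # pre-shared key set on the IPsec-VPN connection
    "ike_version": 2,                        # must match the IKE version chosen on the connection
    "ike_proposal": "aes256-sha256-modp2048",   # assumed IKE proposal; match the connection
    "esp_proposal": "aes256-sha256-modp2048",   # assumed ESP proposal incl. PFS group; match the connection
    "ike_lifetime": 86400,                   # IKE SA lifetime in seconds
    "ipsec_lifetime": 86400,                 # IPsec SA lifetime in seconds
}

# Ranges that can never be the static public IP of the gateway device: RFC 1918 private
# space and the RFC 6598 shared address range used for carrier-grade NAT.
NON_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


def check_prerequisites(p):
    """Return a list of prerequisite violations; an empty list means the checks passed."""
    problems = []
    vpc = ipaddress.ip_network(p["vpc_cidr"], strict=True)
    dc = ipaddress.ip_network(p["dc_cidr"], strict=True)
    if vpc.overlaps(dc):
        problems.append(f"CIDR blocks overlap: VPC {vpc} and data center {dc}")
    cgw = ipaddress.ip_address(p["customer_gateway_ip"])
    for net in NON_PUBLIC:
        if cgw in net:
            problems.append(f"customer gateway IP {cgw} is in {net}, not a static public address")
    if p["ike_version"] not in (1, 2):
        problems.append(f"unsupported IKE version {p['ike_version']}; IPsec-VPN supports IKEv1 and IKEv2")
    return problems


def render_swanctl_conf(p):
    """Render a strongSwan swanctl.conf for the data center gateway (one IKE SA, one CHILD SA)."""
    # Assumption: the IKE identities are the public IPs of both gateways, i.e. the
    # LocalId/RemoteId of the IPsec-VPN connection were left at their defaults.
    return dedent(f"""\
        connections {{
            alibaba-vpc {{
                version = {p['ike_version']}
                local_addrs = {p['customer_gateway_ip']}
                remote_addrs = {p['vpn_gateway_ip']}
                proposals = {p['ike_proposal']}
                rekey_time = {p['ike_lifetime']}s
                dpd_delay = 30s
                local {{
                    auth = psk
                    id = {p['customer_gateway_ip']}
                }}
                remote {{
                    auth = psk
                    id = {p['vpn_gateway_ip']}
                }}
                children {{
                    vpc {{
                        local_ts = {p['dc_cidr']}
                        remote_ts = {p['vpc_cidr']}
                        esp_proposals = {p['esp_proposal']}
                        rekey_time = {p['ipsec_lifetime']}s
                        start_action = start
                        dpd_action = restart
                    }}
                }}
            }}
        }}
        secrets {{
            ike-alibaba-vpc {{
                id = {p['vpn_gateway_ip']}
                secret = "{p['psk']}"
            }}
        }}
        """)


if __name__ == "__main__":
    issues = check_prerequisites(SAMPLE)
    if issues:
        raise SystemExit("\n".join(issues))
    print(render_swanctl_conf(SAMPLE))
```

On the data center gateway, save the rendered output as /etc/swanctl/conf.d/alibaba-vpc.conf, run `swanctl --load-all` and then `swanctl --initiate --child vpc`; the tunnel only comes up if the IKE version, proposals and PSK match what was set on the IPsec-VPN connection in step 3. Once `swanctl --list-sas` shows the CHILD SA installed, run the ping described in step 6 from the ECS instance; the security group of that instance must permit ICMP from the data center CIDR block or the test fails even though the tunnel is up.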

Basic scenarios