VPN Gateway:Overview of IPsec-VPN connections

Last Updated: Aug 28, 2023

You can enable encrypted communication between a virtual private cloud (VPC) and a data center by establishing an IPsec-VPN connection between the data center and VPC.

Background information

You can associate IPsec-VPN connections with VPN gateways and transit routers. This topic describes the procedure of using IPsec-VPN in scenarios where IPsec-VPN connections are associated with VPN gateways. For more information about the scenarios where IPsec-VPN connections are associated with transit routers, see IPsec-VPN configuration overview.

Requirements

Before you establish an IPsec-VPN connection between a VPC and a data center, make sure that the following requirements are met:
  • If the IPsec-VPN connection is associated with a public VPN gateway, a public IP address must be assigned to the on-premises gateway device.

    For regions that support the dual-tunnel mode, we recommend that you configure two public IP addresses for the on-premises gateway device. Alternatively, you can deploy two on-premises gateway devices in the data center and configure a public IP address for each gateway device. This way, you can create high-availability IPsec-VPN connections. For more information about the regions that support the dual-tunnel mode, see [Upgrade notice] IPsec-VPN connections support the dual-tunnel mode.

  • The on-premises gateway device must support IKEv1 or IKEv2 to establish an IPsec-VPN connection.

  • The CIDR block of the data center must not overlap with the CIDR block of the VPC.

  • The security group rules that are applied to the Elastic Compute Service (ECS) instances in the VPC allow gateway devices in the data center to access cloud resources. For more information, see View security group rules and Add a security group rule.

Procedure

Figure: IPsec-VPN procedure
  1. Create a VPN gateway

    You need to enable the IPsec-VPN feature for the VPN gateway. Then, you can establish more than one IPsec-VPN connection to the VPN gateway.

  2. Create a customer gateway

    You need to register the configuration of the gateway device in the data center as a customer gateway on Alibaba Cloud.

  3. Create an IPsec-VPN connection

    An IPsec-VPN connection is a VPN tunnel between a VPN gateway and a gateway device in the data center. The data center can communicate with the VPC through an encrypted tunnel only after an IPsec-VPN connection is established.

  4. Configure the on-premises gateway device

    You need to add VPN configurations to the on-premises gateway device. For more information, see Configure on-premises gateways.

  5. Add routes to the VPN gateway

    You need to add routes to the VPN gateway and advertise these routes to the VPC route table. Then, the VPC can communicate with the data center. For more information, see Overview.

  6. Test the network connectivity

    Log on to an Elastic Compute Service (ECS) instance in the VPC that is not assigned a public IP address. Then, run the ping command against the private IP address of a server in the data center.
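The requirements above (a data center CIDR block that does not overlap the VPC CIDR block, an on-premises gateway that supports IKEv1 or IKEv2) and the routes added in step 5 can be checked before you touch the console. The following Python script is an added example and is not Alibaba Cloud code or an Alibaba Cloud API; every CIDR block, the IKE version string and the connection ID are constructed sample values, and the route dictionaries only model the destination and next hop of a VPN gateway route.

```python
"""Pre-flight checks for an IPsec-VPN connection between a VPC and a data center.

Added example, not Alibaba Cloud code. It models the requirements above and
the destination routes of step 5. All addresses are constructed sample values.
"""
import ipaddress

# The page states that the on-premises gateway must support IKEv1 or IKEv2.
SUPPORTED_IKE_VERSIONS = {"ikev1", "ikev2"}


def find_overlaps(vpc_cidr, datacenter_cidrs):
    """Return (cidr_a, cidr_b) pairs that overlap; an empty list means OK.

    strict=True rejects a CIDR with host bits set (e.g. 10.10.0.5/16), which
    is a common typo that would otherwise pass silently.
    Overlap is also checked among the data center CIDRs themselves, because two
    overlapping destination routes to the same VPN gateway would be ambiguous.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    nets = [ipaddress.ip_network(c, strict=True) for c in datacenter_cidrs]
    overlaps = []
    for net in nets:
        if net.version == vpc.version and net.overlaps(vpc):
            overlaps.append((str(net), str(vpc)))
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.version == b.version and a.overlaps(b):
                overlaps.append((str(a), str(b)))
    return overlaps


def check_requirements(vpc_cidr, datacenter_cidrs, ike_version):
    """Return a list of human-readable problems; an empty list means the
    requirements listed on the page are satisfied."""
    problems = []
    if ike_version.lower() not in SUPPORTED_IKE_VERSIONS:
        problems.append(
            f"unsupported IKE version {ike_version!r}; the gateway must support IKEv1 or IKEv2"
        )
    try:
        overlaps = find_overlaps(vpc_cidr, datacenter_cidrs)
    except ValueError as exc:
        # A malformed CIDR is reported instead of raising, so the caller sees
        # every problem in one pass.
        return problems + [f"invalid CIDR block: {exc}"]
    for a, b in overlaps:
        problems.append(f"CIDR block {a} overlaps {b}")
    return problems


def build_vpn_routes(datacenter_cidrs, vpn_connection_id):
    """Model the routes that step 5 adds to the VPN gateway: one destination
    route per data center CIDR whose next hop is the IPsec-VPN connection.
    These are the routes that get advertised to the VPC route table."""
    return [
        {
            "destination": str(ipaddress.ip_network(c, strict=True)),
            "next_hop": vpn_connection_id,
        }
        for c in datacenter_cidrs
    ]


if __name__ == "__main__":
    vpc = "192.168.0.0/16"                    # constructed VPC CIDR block
    datacenter = ["10.10.0.0/16", "10.20.0.0/24"]  # constructed data center CIDRs
    print("problems:", check_requirements(vpc, datacenter, "ikev2"))
    print("overlap case:", check_requirements(vpc, ["192.168.10.0/24"], "ikev2"))
    # "vco-EXAMPLE" is a placeholder for the IPsec-VPN connection ID.
    for route in build_vpn_routes(datacenter, "vco-EXAMPLE"):
        print("route:", route)
```

Run the script with the VPC CIDR block and the data center CIDR blocks you plan to use; an empty problem list is the signal to proceed to step 1, and the printed routes are the destination and next hop pairs you will enter in step 5.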

Use cases