
VPN Gateway:IPsec-VPN connections (VPN Gateway)

Last Updated:Feb 03, 2026

After you create a VPN Gateway, you must configure an IPsec-VPN connection in both Alibaba Cloud and your on-premises data center to connect the data center to your VPC.

How it works

By default, IPsec-VPN connections use a dual-tunnel mode to ensure high availability and business continuity.

  • Tunnel roles: The system uses two different public IP addresses of the VPN gateway to establish two tunnels. Tunnel roles are fixed.

    • Tunnel 1 (using IP address 1) is the active tunnel by default and carries all service traffic.

    • Tunnel 2 (using IP address 2) is the standby tunnel and remains on standby.

  • Health checks and failover: The system automatically performs health checks on the active tunnel. If the active tunnel fails, the VPN gateway automatically switches traffic to the standby tunnel. After the active tunnel recovers, traffic automatically switches back.

  • Zone-disaster recovery:

    • The two tunnels of an IPsec-VPN connection are deployed in different zones by default. If one zone fails, the tunnel in the other zone remains available. This provides cross-zone disaster recovery.

    • In regions that support only one zone, both tunnels are deployed in the same zone. These deployments do not support zone-level disaster recovery but still provide link redundancy.

Create an IPsec-VPN connection

Prerequisites

Before you begin, make sure that you have created a VPN gateway and a customer gateway.

1. Configure the IPsec-VPN connection

Console

Go to the IPsec Connections page in the VPC console, click Bind VPN Gateway, and configure the following parameters:

  • IPsec Settings: Select the Region where the VPN gateway is deployed.

  • Gateway Settings: Select the VPN gateway that you want to attach.

  • Route Settings:

    • Routing Mode:

      • Destination Routing Mode (Default): Traffic is forwarded based on the destination IP address. Recommended for scenarios where routes are learned via BGP or configured statically.

      • Protected Data Flows: Traffic is forwarded based on source and destination IP addresses. Recommended for scenarios where you need to limit communication to specific CIDR blocks.

        • You must specify the Local Network (VPC CIDR block) and Remote Network (on-premises CIDR block).

        • The system automatically generates a policy-based route. In this route, the Source CIDR Block is the connection's Local Network, the Destination CIDR Block is the connection's Remote Network, and the next hop is the IPsec-VPN connection. The route can be published to a VPC route table but is not published by default.

        • Ensure that the interesting traffic configuration on your on-premises gateway mirrors these settings (local and remote networks swapped).

        • To add multiple network segments, click the Add icon. Multiple segments require IKEv2.

    • Effective Immediately: Select Yes to enable the connection quickly or avoid traffic delays. Select No if you want to save resources and traffic is infrequent.

  • Dual-Tunnel Settings:

    • Enable BGP: Specifies whether to use BGP dynamic routing.

      • Disabled (Default): Uses static routing. Recommended for simple network topologies.

      • Enabled: Use dynamic routing for automatic route distribution and learning. Prerequisite: You must configure an ASN for the associated customer gateway.

    • Local ASN: The Autonomous System Number (ASN) for the Alibaba Cloud side (used by both tunnels).

      • Default: 45104

      • Range: 1 to 4294967295

      • Recommendation: Use a private ASN when configuring the ASN for your on-premises device.

  • Tunnel 1 (Primary) and Tunnel 2 (Backup) configurations:

    • Customer Gateway: Select the customer gateway associated with your on-premises device. You can associate the same customer gateway with both tunnels.

    • Pre-Shared Key: Enter the pre-shared key used for identity authentication.

      • Requirement: The key must match the configuration on your on-premises gateway.

      • Consistency: The keys for both tunnels must be identical.

      • Default: If left blank, the system automatically generates a random key.

    Click to view Encryption Configuration

    • IKE Configurations:

      • Version: Recommend ikev2. It simplifies SA negotiation and provides better support for multi-segment scenarios.

      • Negotiation Mode: Applies to IKEv1 only; IKEv2 uses a single exchange type and ignores this setting. Both modes provide the same security level for data transmission after successful negotiation, but they differ in what the negotiation itself reveals.

        • main (Default): Identity information is encrypted during negotiation, offering higher security.

        • aggressive: Provides faster negotiation and a higher success rate, but sends the identities in clear text and lets a passive observer capture the hash computed from the pre-shared key, which makes a weak key vulnerable to offline guessing. If you must use it (for example, because of the FQDN requirement below), use a long random pre-shared key.

      • Encryption Algorithm: Select the encryption algorithm for Phase 1 negotiation.

        • Requirement: Must match the configuration on the on-premises gateway.

        • Supported algorithms: aes128 (default), aes192, aes256, des, and 3des. des is a 56-bit cipher with no remaining security margin and is retained only for compatibility with legacy devices.

        • Recommendation: Use AES algorithms (aes128, aes192, aes256), especially for connections with bandwidth ≥ 200 Mbps.

          • AES: Provides strong encryption with efficient performance (low impact on latency and throughput).

          • 3des: Not recommended. It is computationally intensive and limits forwarding performance compared to AES.

      • Authentication Algorithm: Select the authentication algorithm for Phase 1 negotiation.

        • Requirement: Must match the configuration on the on-premises gateway.

        • Supported algorithms: sha1 (default), md5, sha256, sha384, and sha512. md5 and sha1 are retained for compatibility with older devices; prefer sha256 or stronger where the on-premises gateway supports it.

        • Note: If your on-premises device requires a Pseudo-Random Function (PRF) algorithm, ensure it matches the selected authentication algorithm.

      • DH Group (Perfect Forward Secrecy): Select the Diffie-Hellman key exchange algorithm for Phase 1 negotiation.

        group1, group2 (default), group5, and group14 correspond to DH groups 1, 2, 5, and 14 (768-bit, 1024-bit, 1536-bit, and 2048-bit MODP groups, respectively). Use group14 where the on-premises device supports it; the smaller groups are below current key-size recommendations and are retained for compatibility.

      • SA Life Cycle (seconds): Specifies the lifetime of the Phase 1 Security Association (SA). The default value is 86400. The value range is 0 to 86400.

      • LocalId: The identifier for the Alibaba Cloud side of the tunnel.

        • Default: The tunnel's IP address.

        • Format: Supports IP address or FQDN (e.g., example.aliyun.com). Spaces are not allowed.

        • Recommendation: Use a private IP address.

        • FQDN requirement: If you use an FQDN, ensure the peer ID on the on-premises gateway matches this value, and set Negotiation Mode to aggressive.

      • RemoteId: The identifier for the on-premises side of the tunnel.

        • Default: The IP address of the associated customer gateway.

        • Format: Supports IP address or FQDN (e.g., example.aliyun.com). Spaces are not allowed.

        • Recommendation: Use a private IP address.

        • FQDN requirement: If you use an FQDN, ensure the local ID on the on-premises gateway matches this value, and set Negotiation Mode to aggressive.

    • IPsec Configurations:

      • Encryption Algorithm: Select the encryption algorithm for Phase 2 negotiation.

        • Supported algorithms: aes128 (default), aes192, aes256, des, and 3des.

        • Recommendation: We recommend using AES algorithms (aes128, aes192, aes256), especially for connections with bandwidth ≥ 200 Mbps.

          • AES: Provides high-strength encryption with efficient performance (low impact on latency and throughput).

          • 3des: Not recommended. It is computationally intensive and limits forwarding performance compared to AES.

      • Authentication Algorithm: Select the authentication algorithm for Phase 2 negotiation. Supported algorithms: sha1 (default), md5, sha256, sha384, and sha512. As in Phase 1, prefer sha256 or stronger; md5 and sha1 are kept for compatibility with older devices.

      • DH Group (Perfect Forward Secrecy): Select the Diffie-Hellman key exchange algorithm for Phase 2 negotiation.

        • disabled: Disables PFS. Select this if the client does not support Perfect Forward Secrecy (PFS).

        • group1, group2 (default), group5, and group14: Enables PFS (DH1, DH2, DH5, DH14).

          • Requirement: If enabled, keys are updated during each renegotiation. You must also enable PFS on the corresponding client.

      • SA Life Cycle (seconds): Specifies the lifetime of the Phase 2 Security Association (SA). The default value is 86400. The value range is 0 to 86400.

      • DPD: Dead Peer Detection.

        • Recommendation: Always enable DPD (Default). It detects peer failures within 30 seconds and triggers automatic failover, ensuring high availability.

        • Mechanism: The system sends DPD probes. If no response is received, the peer is considered disconnected, and the tunnel is torn down. The system then attempts to re-establish the connection.

        • Note: Legacy VPN gateways using IKEv2 may have timeouts of 130 or 3600 seconds. Upgrade to the latest version for the standard 30-second timeout.

    • NAT Traversal:

      • Recommendation: Enable this feature (Default).

      • Function: Allows IKE negotiation to traverse NAT devices. The gateway no longer requires the peer's IKE packets to arrive from UDP port 500 and, when a NAT is detected during negotiation, encapsulates ESP in UDP (port 4500), so the connection can be established even when the on-premises gateway sits behind a NAT device.

    Click to view BGP Configuration

    If you have enabled BGP, you must complete the BGP configuration for each tunnel.

Confirm the configuration
  1. Review the configuration and then click OK at the bottom of the page.

  2. In the dialog box that appears, click Cancel. You can configure the routing later.

  3. In the Actions column of the target IPsec-VPN connection, click Generate Peer Configuration. In the IPsec-VPN Connection Configuration dialog box, copy the configuration and save it locally to configure the on-premises gateway device.

API

Call the CreateVpnConnection operation to create an IPsec-VPN connection.

2. Configure VPN gateway and VPC routes

Configure the routes as described in Configure routes for a VPN gateway.

3. Configure the on-premises gateway device

Use the peer configuration that you downloaded in the "Configure the IPsec-VPN connection" step to complete the IPsec and BGP (if enabled) configurations on your on-premises gateway device, such as a firewall or router. For specific configuration instructions, see the documentation for your device. See Configure an on-premises gateway device for a reference example.
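As an added example that is not part of this page, not Alibaba Cloud code and not a vendor template, the following Python script renders a strongSwan swanctl.conf for the on-premises side from the connection's parameters. It applies the two mirroring rules stated above: the cloud-side Local Network and Remote Network become the on-premises remote and local traffic selectors (the Protected Data Flows note in step 1), and the cloud LocalId/RemoteId pair is swapped; it also maps the console algorithm names to strongSwan proposal tokens and reuses one pre-shared key for both tunnels. strongSwan as the on-premises device is an assumption, and all addresses, networks and the key are constructed. How a device chooses between two security associations with identical selectors is device policy; the cloud side keeps tunnel 1 active while it is healthy.

```python
"""Added example (not Alibaba Cloud code and not a vendor template): render a
strongSwan swanctl.conf for the on-premises gateway from the parameters of a
dual-tunnel IPsec-VPN connection. The protected networks and the LocalId /
RemoteId pair are swapped relative to the cloud side and one pre-shared key
is reused for both tunnels, as this page requires. Addresses, networks and
the key are constructed; strongSwan is an assumption about the device."""

# Console algorithm names mapped to strongSwan proposal tokens.
DH = {"group1": "modp768", "group2": "modp1024", "group5": "modp1536", "group14": "modp2048"}


def proposal(enc, auth, dh=""):
    """Build a proposal string such as aes256-sha256-modp2048 (no group = no PFS)."""
    return "-".join(x for x in (enc, auth, DH.get(dh, "")) if x)


def render_swanctl(conn):
    """Return swanctl.conf text for the tunnels described by the cloud-side `conn`."""
    ike = proposal(conn["ike_enc"], conn["ike_auth"], conn["ike_dh"])
    pfs = "" if conn["ipsec_pfs"] == "disabled" else conn["ipsec_pfs"]
    esp = proposal(conn["ipsec_enc"], conn["ipsec_auth"], pfs)
    version = 2 if conn["ike_version"] == "ikev2" else 1
    aggressive = "yes" if version == 1 and conn["ike_mode"] == "aggressive" else "no"
    conns, secrets = [], []
    # NAT traversal needs no setting here: charon detects NAT during IKE and
    # moves to UDP 4500 by itself. DPD is dpd_delay (IKE) plus dpd_action (child).
    for n, t in enumerate(conn["tunnels"], start=1):
        # The cloud-side RemoteId is our own identity; its LocalId is our peer's.
        conns.append(f"""    tunnel{n} {{
        version = {version}
        local_addrs = {conn['onprem_ip']}
        remote_addrs = {t['cloud_ip']}
        proposals = {ike}
        rekey_time = {conn['ike_lifetime']}s
        dpd_delay = 10s
        aggressive = {aggressive}
        local {{
            auth = psk
            id = {t['remote_id']}
        }}
        remote {{
            auth = psk
            id = {t['local_id']}
        }}
        children {{
            dc{n} {{
                local_ts = {conn['remote_network']}
                remote_ts = {conn['local_network']}
                esp_proposals = {esp}
                rekey_time = {conn['ipsec_lifetime']}s
                dpd_action = restart
                start_action = start
            }}
        }}
    }}""")
        secrets.append(f"""    ike-tunnel{n} {{
        id = {t['local_id']}
        secret = "{conn['psk']}"
    }}""")
    return ("connections {\n" + "\n".join(conns) + "\n}\n"
            "secrets {\n" + "\n".join(secrets) + "\n}\n")


CONN = {  # constructed sample; addresses are documentation ranges
    "psk": "Vpn!2026-Tunnel",
    "ike_version": "ikev2", "ike_mode": "main",
    "ike_enc": "aes256", "ike_auth": "sha256", "ike_dh": "group14", "ike_lifetime": 86400,
    "ipsec_enc": "aes256", "ipsec_auth": "sha256", "ipsec_pfs": "group14", "ipsec_lifetime": 86400,
    "local_network": "10.0.0.0/16",      # VPC CIDR (cloud-side Local Network)
    "remote_network": "192.168.0.0/16",  # data-center CIDR (cloud-side Remote Network)
    "onprem_ip": "198.51.100.1",
    "tunnels": [  # cloud IP 1 / IP 2 with the cloud-side LocalId and RemoteId
        {"cloud_ip": "203.0.113.10", "local_id": "203.0.113.10", "remote_id": "198.51.100.1"},
        {"cloud_ip": "203.0.113.11", "local_id": "203.0.113.11", "remote_id": "198.51.100.1"},
    ],
}

if __name__ == "__main__":
    print(render_swanctl(CONN))
```

Write the output to /etc/swanctl/swanctl.conf on the on-premises gateway and load it with swanctl --load-all; compare the resulting Phase 1 and Phase 2 proposals line by line with the peer configuration file generated by the console before bringing the tunnels up.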

Manage IPsec-VPN connections

Enable or disable BGP

Before you enable BGP for an IPsec-VPN connection, make sure that the associated customer gateway has an ASN configured. If it does not, you must delete and recreate the IPsec-VPN connection and associate it with a customer gateway that has an ASN configured.

The following BGP configuration items are related to the IPsec-VPN connection:

  • Local ASN: The Autonomous System Number (ASN) for the Alibaba Cloud side (used by both tunnels).

    • Default: 45104

    • Range: 1 to 4294967295

    • Recommendation: Use a private ASN when configuring the ASN for your on-premises device.

  • Tunnel CIDR Block: The /30 subnet within 169.254.0.0/16 used for BGP peering.

    • Uniqueness: Each tunnel on a VPN gateway must use a unique CIDR block.

    • Excluded Blocks: The following blocks are reserved and cannot be used:

      • 169.254.0.0/30 through 169.254.5.0/30

      • 169.254.169.252/30

  • Local BGP IP address: The BGP IP address for the Alibaba Cloud side.

    • Constraint: Must belong to the Tunnel CIDR Block.

    • Example: If the CIDR block is 169.254.10.0/30, you can use 169.254.10.1.
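The rules above are easy to get wrong by hand once a gateway carries several tunnels. The following Python function, an added example rather than part of the Alibaba Cloud API or console, checks the tunnels of one gateway against them: a /30 inside 169.254.0.0/16, not in a reserved block, unique on the gateway, a local BGP IP that is a usable host address inside the block, and a local ASN in range. The reading of "169.254.0.0/30 through 169.254.5.0/30" as every /30 whose network address lies in that range is an assumption; the tunnel values are constructed.

```python
"""Added example (not part of the Alibaba Cloud API or console): check the BGP
peering settings of the tunnels on one VPN gateway against the rules in this
section. All tunnel values below are constructed."""
import ipaddress

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
# Reserved: the page lists "169.254.0.0/30 through 169.254.5.0/30" (read here as
# every /30 whose network address lies in that range) plus 169.254.169.252/30.
RESERVED_RANGE = (ipaddress.ip_address("169.254.0.0"), ipaddress.ip_address("169.254.5.0"))
RESERVED_BLOCKS = [ipaddress.ip_network("169.254.169.252/30")]
ASN_MIN, ASN_MAX = 1, 4294967295


def is_reserved(cidr):
    """True if the /30 falls in a block the platform does not allow."""
    lo, hi = RESERVED_RANGE
    if lo <= cidr.network_address <= hi:
        return True
    return any(cidr.overlaps(b) for b in RESERVED_BLOCKS)


def validate_tunnel_bgp(tunnels, local_asn):
    """Return rule violations for the tunnels of one gateway (empty list = OK).

    Each tunnel is a dict with the console fields "name", "tunnel_cidr"
    (Tunnel CIDR Block) and "local_bgp_ip" (Local BGP IP address).
    """
    findings = []
    if not ASN_MIN <= local_asn <= ASN_MAX:
        findings.append(f"Local ASN {local_asn} is outside {ASN_MIN}-{ASN_MAX}")
    seen = {}  # cidr -> tunnel name, to enforce uniqueness per gateway
    for t in tunnels:
        name = t["name"]
        try:
            # strict=True rejects "169.254.10.1/30" (host bits set).
            cidr = ipaddress.ip_network(t["tunnel_cidr"], strict=True)
        except ValueError as exc:
            findings.append(f"{name}: invalid Tunnel CIDR Block ({exc})")
            continue
        if cidr.prefixlen != 30:
            findings.append(f"{name}: {cidr} is not a /30")
        if not cidr.subnet_of(LINK_LOCAL):
            findings.append(f"{name}: {cidr} is not within {LINK_LOCAL}")
        elif is_reserved(cidr):
            findings.append(f"{name}: {cidr} is a reserved block")
        if cidr in seen:
            findings.append(f"{name}: {cidr} is already used by {seen[cidr]}")
        seen.setdefault(cidr, name)
        # The local BGP IP must be a usable host inside the block; a /30
        # leaves exactly two candidates (.1 and .2 of the block).
        ip = ipaddress.ip_address(t["local_bgp_ip"])
        if ip not in cidr:
            findings.append(f"{name}: local BGP IP {ip} is not in {cidr}")
        elif ip not in list(cidr.hosts()):
            findings.append(f"{name}: local BGP IP {ip} is the network or broadcast address of {cidr}")
    return findings


GATEWAY_TUNNELS = [  # constructed: a valid dual-tunnel layout
    {"name": "tunnel1", "tunnel_cidr": "169.254.10.0/30", "local_bgp_ip": "169.254.10.1"},
    {"name": "tunnel2", "tunnel_cidr": "169.254.10.4/30", "local_bgp_ip": "169.254.10.5"},
]
BAD_TUNNELS = [  # constructed: reserved block, duplicate block, broadcast address
    {"name": "tunnel1", "tunnel_cidr": "169.254.3.0/30", "local_bgp_ip": "169.254.3.1"},
    {"name": "tunnel2", "tunnel_cidr": "169.254.3.0/30", "local_bgp_ip": "169.254.3.3"},
]

if __name__ == "__main__":
    for finding in validate_tunnel_bgp(BAD_TUNNELS, 45104):
        print(finding)
```

Run it against the tunnel settings you are about to enter (or against the values returned for an existing connection) before enabling BGP, since the console rejects an invalid block only after the rest of the form is filled in.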

For details on BGP limits and route advertisement, see Configure BGP dynamic routing.

Console

Enable BGP

  • When you create an IPsec-VPN connection, you can enable BGP by selecting Enable BGP and configuring the Local ASN, Tunnel CIDR Block, and Local BGP IP address.

  • For an existing IPsec-VPN connection, you can click Enable BGP in the IPsec Connections section on the instance details page.

Disable BGP

On the IPsec-VPN connection details page, in the IPsec Connections section, turn off the Enable BGP switch.

API

  • When creating a new IPsec-VPN connection, set the EnableTunnelsBgp parameter of the CreateVpnConnection operation to enable BGP, and configure BGP options for each tunnel by setting the TunnelOptionsSpecification -> TunnelBgpConfig parameter.

  • For an existing IPsec-VPN connection, set the EnableTunnelsBgp parameter of the ModifyVpnConnectionAttribute operation to enable or disable BGP, and configure BGP options for each tunnel by setting the TunnelOptionsSpecification -> TunnelBgpConfig parameter.

Modify tunnel configurations

Console

  1. Go to the IPsec-VPN Connections page in the VPC console, switch to the target region, and click the target IPsec-VPN connection ID.

  2. On the IPsec-VPN connection details page, find the target tunnel, and in the Actions column, click Edit.

  3. On the edit page, modify the tunnel configuration and then click OK.

API

Call the ModifyTunnelAttribute operation to modify tunnel configurations.

Modify IPsec-VPN connection configurations

If an IPsec-VPN connection is attached to a VPN gateway, you cannot modify the associated VPN gateway. You can only modify the Routing Mode and Effective Immediately settings.

Console

  1. Go to the IPsec-VPN Connections page in the VPC console, switch to the destination region, and click Edit in the Actions column of the target IPsec-VPN connection.

  2. On the Modify IPsec-VPN Connection page, modify settings such as the IPsec-VPN connection name and remote CIDR block, and then click OK.

    For detailed descriptions of the parameters, see Create an IPsec-VPN connection.

API

Call the ModifyVpnConnectionAttribute operation to modify IPsec-VPN connection configurations.

Delete an IPsec-VPN connection

Console

  1. Go to the IPsec-VPN Connections page in the VPC console, switch to the destination region, and click Delete in the Actions column of the target IPsec-VPN connection.

  2. In the dialog box that appears, confirm the information, and then click OK.

API

Call the DeleteVpnConnection operation to delete an IPsec-VPN connection.

Billing

An IPsec-VPN connection is free of charge. However, you are charged for the associated VPN gateway. For more information, see IPsec-VPN billing.

FAQ

Why does the tunnel status show "Phase 1 Negotiation Failed"?

If you have configured both sides, check for these common issues:

  1. Pre-shared key mismatch: Verify the pre-shared keys on both the Alibaba Cloud and on-premises gateways. They must be identical, including case and special characters.

  2. IKE parameter mismatch: Ensure all IKE parameters (Version, Negotiation Mode, Encryption/Authentication Algorithms, DH Group) match exactly on both sides.

  3. Network connectivity: Confirm the public IP of your on-premises gateway is reachable. Ensure no firewall or ISP policies are blocking UDP ports 500 and 4500; if NAT traversal is disabled, ESP (IP protocol 50) must also be allowed.
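The following Python check, added here as an example rather than an Alibaba Cloud tool, encodes the matching rules from the Encryption Configuration section and the first two causes listed above: it compares a cloud-side and an on-premises parameter set field by field, checks that LocalId and RemoteId are mirrored, applies the FQDN and multi-segment rules, and flags IKEv1 aggressive mode and the weak algorithms as advisories rather than errors. Both parameter sets are constructed.

```python
"""Added example (not an Alibaba Cloud tool): compare the IKE/IPsec settings
entered on the cloud side with those on the on-premises gateway, report the
mismatches that make Phase 1 / Phase 2 negotiation fail, and flag choices
this page discourages. Both parameter sets below are constructed."""
from dataclasses import dataclass, field

# Negotiates fine, but a security review should question it.
WEAK = {"des", "3des", "md5", "sha1", "group1", "group2", "group5"}
SA_MAX_SECONDS = 86400  # upper bound of the SA Life Cycle fields


@dataclass
class TunnelParams:
    """One side's view of a tunnel, using the console field names."""
    psk: str
    ike_version: str = "ikev2"   # ikev1 | ikev2
    ike_mode: str = "main"       # main | aggressive (IKEv1 only)
    ike_enc: str = "aes128"
    ike_auth: str = "sha1"
    ike_dh: str = "group2"
    ike_lifetime: int = 86400
    local_id: str = ""           # LocalId as seen from this side
    remote_id: str = ""          # RemoteId as seen from this side
    ipsec_enc: str = "aes128"
    ipsec_auth: str = "sha1"
    ipsec_pfs: str = "group2"    # "disabled" turns PFS off
    ipsec_lifetime: int = 86400
    remote_networks: list = field(default_factory=list)  # protected data flows


def is_fqdn(ident: str) -> bool:
    """Anything that is not an IPv4 literal is treated as an FQDN identifier."""
    return bool(ident) and not ident.replace(".", "").isdigit()


def diagnose(cloud: TunnelParams, onprem: TunnelParams) -> list:
    """Return findings: 'ERROR' lines block negotiation, 'WARN' lines are advisories."""
    out = []
    # Phase 1 authentication: the key is compared byte for byte on both ends.
    if cloud.psk != onprem.psk:
        out.append("ERROR phase1: pre-shared keys differ (case and special characters count)")
    # Phase 1 proposal: every IKE parameter has to match exactly.
    for f in ("ike_version", "ike_mode", "ike_enc", "ike_auth", "ike_dh"):
        a, b = getattr(cloud, f), getattr(onprem, f)
        if a != b:
            out.append(f"ERROR phase1: {f} cloud={a} on-prem={b}")
    # Identities are crossed: the cloud LocalId is the on-prem peer ID and vice versa.
    if (cloud.local_id, cloud.remote_id) != (onprem.remote_id, onprem.local_id):
        out.append("ERROR phase1: LocalId/RemoteId are not mirrored between the two sides")
    # Page rule: an FQDN identifier requires Negotiation Mode = aggressive.
    if any(is_fqdn(i) for i in (cloud.local_id, cloud.remote_id)) and cloud.ike_mode != "aggressive":
        out.append("ERROR phase1: FQDN identifier used but Negotiation Mode is not aggressive")
    # Phase 2 proposal, including whether PFS is on and which group it uses.
    for f in ("ipsec_enc", "ipsec_auth", "ipsec_pfs"):
        a, b = getattr(cloud, f), getattr(onprem, f)
        if a != b:
            out.append(f"ERROR phase2: {f} cloud={a} on-prem={b}")
    # Page rule: more than one protected segment needs IKEv2.
    if len(cloud.remote_networks) > 1 and cloud.ike_version != "ikev2":
        out.append("ERROR: multiple network segments require IKEv2")
    # SA lifetimes accepted by the console.
    for f in ("ike_lifetime", "ipsec_lifetime"):
        v = getattr(cloud, f)
        if not 0 <= v <= SA_MAX_SECONDS:
            out.append(f"ERROR: {f}={v} is outside 0-{SA_MAX_SECONDS}")
    # Advisories: weak primitives and IKEv1 aggressive mode.
    for f in ("ike_enc", "ike_auth", "ike_dh", "ipsec_enc", "ipsec_auth", "ipsec_pfs"):
        v = getattr(cloud, f)
        if v in WEAK:
            out.append(f"WARN {f}={v} is weak; prefer aes256 / sha256 / group14")
    if cloud.ike_version == "ikev1" and cloud.ike_mode == "aggressive":
        out.append("WARN aggressive mode sends identities in clear and exposes the PSK hash to offline guessing")
    return out


# Constructed sample: the on-prem engineer typed the key in lower case and left
# the device at its sha1/group2 defaults while the cloud side uses sha256/group14.
CLOUD = TunnelParams(psk="Vpn!2026-Tunnel", ike_enc="aes256", ike_auth="sha256",
                     ike_dh="group14", local_id="203.0.113.10", remote_id="198.51.100.1",
                     ipsec_enc="aes256", ipsec_auth="sha256", ipsec_pfs="group14",
                     remote_networks=["192.168.0.0/16"])
ONPREM = TunnelParams(psk="vpn!2026-tunnel", ike_enc="aes256", ike_auth="sha1",
                      ike_dh="group2", local_id="198.51.100.1", remote_id="203.0.113.10",
                      ipsec_enc="aes256", ipsec_auth="sha256", ipsec_pfs="group14")

if __name__ == "__main__":
    for line in diagnose(CLOUD, ONPREM):
        print(line)
```

Fill the cloud-side object from the connection's tunnel settings and the on-premises object from the device's running configuration; every ERROR line corresponds to one of the mismatches the console reports as "Phase 1 Negotiation Failed" or a Phase 2 failure, and an empty result means the two proposals will match.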

The tunnel status is normal, but I cannot ping the server on the other end. Why?

Successful Phase 2 negotiation confirms the encrypted tunnel is established but does not guarantee data transmission. Check the following configurations:

  1. Route configuration: Verify that route tables in both the Alibaba Cloud VPC and your on-premises data center correctly direct traffic to the IPsec-VPN connection.

  2. Security groups and network ACLs: Ensure that the security group rules for your ECS instances allow ICMP or service traffic from the on-premises CIDR block.

  3. On-premises firewall policy: Confirm that your on-premises firewall allows traffic from the VPC CIDR block.

Why is the "Enable BGP" option unavailable?

The option is disabled if the associated customer gateway does not have an Autonomous System Number (ASN) configured.

Solution:

  1. Delete the current IPsec-VPN connection.

  2. Create a new customer gateway and ensure you configure an ASN.

  3. Recreate the IPsec-VPN connection using the new customer gateway.

Can I set Tunnel 2 as the active tunnel?

No. Tunnel roles are fixed and cannot be changed:

  • Tunnel 1 (IP Address 1) is always the active tunnel.

  • Tunnel 2 (IP Address 2) is always the standby tunnel.

Can I create a single-tunnel IPsec-VPN connection?

It depends on your VPN Gateway type:

  • New VPN gateways: No. Newly purchased instances support only dual-tunnel IPsec-VPN connections.

  • Existing single-tunnel gateways: Yes. You can continue to create single-tunnel connections for these instances.

    • Recommendation: Upgrade to dual-tunnel mode to ensure high availability.

    • Note: After the upgrade, the instance will no longer support creating single-tunnel connections.

Create an IPsec-VPN connection for a single-tunnel VPN Gateway

1. Configure the IPsec-VPN connection

Before you begin, make sure that you have created a customer gateway.

Console

Go to the IPsec Connections page in the VPN console, click Bind VPN Gateway, and complete the following configurations:

  • IPsec Settings: Select the Region where the VPN gateway is deployed.

  • Gateway Settings: Select the VPN gateway that you want to attach.

  • Route Settings:

    • Routing Mode:

      • Destination Routing Mode (Default): Traffic is forwarded based on the destination IP address. Recommended for scenarios where routes are learned via BGP or configured statically.

      • Protected Data Flows: Traffic is forwarded based on source and destination IP addresses. Recommended for scenarios where you need to limit communication to specific CIDR blocks.

        • You must specify the Local Network (VPC CIDR block) and Remote Network (on-premises CIDR block).

        • The system automatically generates a policy-based route. In this route, the Source CIDR Block is the connection's Local Network, the Destination CIDR Block is the connection's Remote Network, and the next hop is the IPsec-VPN connection. The route can be published to a VPC route table but is not published by default.

        • Ensure that the interesting traffic configuration on your on-premises gateway mirrors these settings (local and remote networks swapped).

        • To add multiple network segments, click the Add icon. Multiple segments require IKEv2.

    • Effective Immediately: Select Yes to enable the connection quickly or avoid traffic delays. Select No if you want to save resources and traffic is infrequent.

  • Tunnel Settings:

    • Enable BGP: Specifies whether to use BGP dynamic routing.

      • Disabled (Default): Uses static routing. Recommended for simple network topologies.

      • Enabled: Use dynamic routing for automatic route distribution and learning. Prerequisite: You must configure an ASN for the associated customer gateway.

    • Local ASN: The Autonomous System Number (ASN) for the Alibaba Cloud side of the tunnel.

      • Default: 45104

      • Range: 1 to 4294967295

      • Recommendation: We recommend using a private ASN when configuring the ASN for your on-premises device.

    • Customer Gateway: Select the customer gateway associated with your on-premises device.

    • Pre-Shared Key: Enter the pre-shared key used for identity authentication.

      • Requirement: The key must match the configuration on your on-premises gateway.

      • Default: If left blank, the system automatically generates a random key.

    Click to view Encryption Configuration

    • IKE Configurations:

      • Version: Recommend ikev2. It simplifies SA negotiation and provides better support for multi-segment scenarios.

      • Negotiation Mode: Applies to IKEv1 only; IKEv2 uses a single exchange type and ignores this setting. Both modes provide the same security level for data transmission after successful negotiation, but they differ in what the negotiation itself reveals.

        • main (Default): Identity information is encrypted during negotiation, offering higher security.

        • aggressive: Provides faster negotiation and a higher success rate, but sends the identities in clear text and lets a passive observer capture the hash computed from the pre-shared key, which makes a weak key vulnerable to offline guessing. If you must use it (for example, because of the FQDN requirement below), use a long random pre-shared key.

      • Encryption Algorithm: Select the encryption algorithm for Phase 1 negotiation.

        • Requirement: Must match the configuration on the on-premises gateway.

        • Supported algorithms: aes128 (default), aes192, aes256, des, and 3des. des is a 56-bit cipher with no remaining security margin and is retained only for compatibility with legacy devices.

        • Recommendation: Use AES algorithms (aes128, aes192, aes256), especially for connections with bandwidth ≥ 200 Mbps.

          • AES: Provides strong encryption with efficient performance (low impact on latency and throughput).

          • 3des: Not recommended. It is computationally intensive and limits forwarding performance compared to AES.

      • Authentication Algorithm: Select the authentication algorithm for Phase 1 negotiation.

        • Requirement: Must match the configuration on the on-premises gateway.

        • Supported algorithms: sha1 (default), md5, sha256, sha384, and sha512. md5 and sha1 are retained for compatibility with older devices; prefer sha256 or stronger where the on-premises gateway supports it.

        • Note: If your on-premises device requires a Pseudo-Random Function (PRF) algorithm, ensure it matches the selected authentication algorithm.

      • DH Group (Perfect Forward Secrecy): Select the Diffie-Hellman key exchange algorithm for Phase 1 negotiation.

        group1, group2 (default), group5, and group14 correspond to DH groups 1, 2, 5, and 14 (768-bit, 1024-bit, 1536-bit, and 2048-bit MODP groups, respectively). Use group14 where the on-premises device supports it; the smaller groups are below current key-size recommendations and are retained for compatibility.

      • SA Life Cycle (seconds): Specifies the lifetime of the Phase 1 Security Association (SA). The default value is 86400. The value range is 0 to 86400.

      • LocalId: The identifier for the Alibaba Cloud side of the tunnel.

        • Default: The tunnel's IP address.

        • Format: Supports IP address or FQDN (e.g., example.aliyun.com). Spaces are not allowed.

        • Recommendation: Use a private IP address.

        • FQDN requirement: If you use an FQDN, ensure the peer ID on the on-premises gateway matches this value, and set Negotiation Mode to aggressive.

      • RemoteId: The identifier for the on-premises side of the tunnel.

        • Default: The IP address of the associated customer gateway.

        • Format: Supports IP address or FQDN (e.g., example.aliyun.com). Spaces are not allowed.

        • Recommendation: Use a private IP address.

        • FQDN requirement: If you use an FQDN, ensure the local ID on the on-premises gateway matches this value, and set Negotiation Mode to aggressive.

    • IPsec Configurations:

      • Encryption Algorithm: Select the encryption algorithm for Phase 2 negotiation.

        • Supported algorithms: aes128 (default), aes192, aes256, des, and 3des.

        • Recommendation: Use AES algorithms (aes128, aes192, aes256), especially for connections with bandwidth ≥ 200 Mbps.

          • AES: Provides strong encryption with efficient performance (low impact on latency and throughput).

          • 3des: Not recommended. It is computationally intensive and limits forwarding performance compared to AES.

      • Authentication Algorithm: Select the authentication algorithm for Phase 2 negotiation. Supported algorithms: sha1 (default), md5, sha256, sha384, and sha512. As in Phase 1, prefer sha256 or stronger; md5 and sha1 are kept for compatibility with older devices.

      • DH Group (Perfect Forward Secrecy): Select the Diffie-Hellman key exchange algorithm for Phase 2 negotiation.

        • disabled: Disables PFS. Select this if the client does not support Perfect Forward Secrecy (PFS).

        • group1, group2 (default), group5, and group14: Enables PFS (DH1, DH2, DH5, DH14).

          • Requirement: If enabled, keys are updated during each renegotiation. You must also enable PFS on the corresponding client.

      • SA Life Cycle (seconds): Specifies the lifetime of the Phase 2 Security Association (SA). The default value is 86400. The value range is 0 to 86400.

      • DPD: Dead Peer Detection.

        • Recommendation: Always enable DPD (Default). It detects peer failures within 30 seconds and triggers automatic failover, ensuring high availability.

        • Mechanism: The system sends DPD probes. If no response is received, the peer is considered disconnected, and the tunnel is torn down. The system then attempts to re-establish the connection.

        • Note: Legacy VPN gateways using IKEv2 may have timeouts of 130 or 3600 seconds. Upgrade to the latest version for the standard 30-second timeout.

      • NAT Traversal:

        • Recommendation: Enable this feature (Default).

        • Function: Allows IKE negotiation to traverse NAT devices. The gateway no longer requires the peer's IKE packets to arrive from UDP port 500 and, when a NAT is detected during negotiation, encapsulates ESP in UDP (port 4500), so the connection can be established even when the on-premises gateway sits behind a NAT device.

    Click to view BGP Configuration

    If you have enabled BGP, you must complete the BGP configuration for the tunnel.

    Click to view Health Check

    This feature is disabled by default.

    • Recommendation: Do not configure health checks for IPsec-VPN connections in non-active/standby scenarios.

    • Configuration requirements: If you choose to enable this feature, you must meet the following criteria:

      • ICMP support: The destination IP address must support ICMP replies.

      • On-Premises route: You must add a specific route in your on-premises data center to ensure the probe works correctly.

        • Destination CIDR: The source IP address of the health check.

        • Subnet mask: 32-bit (/32).

        • Next hop: The IPsec-VPN connection.

Confirm the configuration
  1. Review the configuration and then click OK at the bottom of the page.

  2. In the dialog box that appears, click Cancel to configure the routing later.

  3. In the Actions column of the target IPsec-VPN connection, click Generate Peer Configuration, copy the configuration, and save it locally to configure the on-premises gateway device.

API

Call the CreateVpnConnection operation to create an IPsec-VPN connection.

2. Configure VPN gateway and VPC routes

Configure the routes as described in Configure routes for a VPN gateway.

3. Configure the on-premises gateway device

Use the peer configuration that you downloaded in the "Configure the IPsec-VPN connection" step to complete the IPsec and BGP (if enabled) configurations on your on-premises gateway device, such as a firewall or router. For specific configuration instructions, see the documentation for your device. See Configure an on-premises gateway device for a reference example.