When using IPsec-VPN to create a site-to-site connection, you must configure the local gateway according to the IPsec connection configured for the Alibaba Cloud VPN Gateway.
Alibaba Cloud IPsec connections support the IKEv1 and IKEv2 protocols. Any device that supports these two protocols can connect to Alibaba Cloud VPN Gateway. This includes devices from Huawei, H3C, Cisco, ASN, Juniper, SonicWall, Nokia, IBM, and Ixia.
The H3C firewall is used as an example to show how to configure the VPN settings. The configurations used in this tutorial are as follows:
The IP address range of the Alibaba Cloud VPC is 192.168.10.0/24.
The IP address range of the local data center is 192.168.66.0/24.
The public IP address of the H3C firewall is 188.8.131.52.
The public Ethernet port is Reth 1.
The private Ethernet port is G 2/0/10.
Make sure you have configured IPsec connections. For more information, see Configure a site-to-site connection.
Download the configurations of the created IPsec connection.
In this tutorial, the configurations of the IPsec connection are as follows:
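| Protocol | Configuration | Value |
| --- | --- | --- |
| IKE | Authentication Algorithm | sha1 |
| IKE | Encryption Algorithm | aes |
| IKE | DH Group | group2 |
| IKE | IKE Version | ikev1 |
| IKE | SA Life Cycle (seconds) | 86400 |
| IKE | Negotiation Mode | main |
| IKE | PSK | h3c |
| IPsec | Authentication Algorithm | sha1 |
| IPsec | Encryption Algorithm | aes |
| IPsec | DH Group | group2 |
| IPsec | IKE Version | ikev1 |
| IPsec | SA Life Cycle (seconds) | 86400 |
| IPsec | Negotiation Mode | esp |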
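| Network | Configuration | Value |
| --- | --- | --- |
| VPC | Private IP address range | 192.168.10.0/24 |
| VPC | Public IP of VPN Gateway | 101.xxx.xxx.127 |
| Local data center | Private IP address range | 192.168.66.0/24 |
| Local data center | Public IP of VPN Gateway | 122.xxx.xxx.248 |
| Local data center | Uplink Ethernet Ports | Reth 1 |
| Local data center | Downlink Ethernet Ports | G 2/0/10 |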
Follow these steps to configure the H3C firewall:
Log on to the console of the H3C firewall, and configure the IP addresses of the Internet interface and the intranet interface. Then add the Internet and intranet configurations to the untrust zone and the trust zone, respectively.
Click Network > VPN > IPsec > Policy > Create. In the Create IPSec Policy dialog, click Add in the Protected Data stream section, and set the network segments of the IDC and the VPC as the source network segment and the destination network segment, respectively.
Click IKE Proposal > Create, and configure the IKE proposal according to the configuration downloaded in Step 1.
Click Network > VPN > IPsec > Policy, select the new IPsec policy, click Advanced Configuration, and configure the IPsec protocol according to the configuration downloaded in Step 1.
Click Policy > Security Policy > Create, and set the network segments of the downlink security policy and the uplink security policy.
Click Network > Route > Static Route.
Add the default route, and set the uplink interface as the next hop for outbound traffic.
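Before bringing the tunnel up, it helps to compare what was entered on the H3C firewall with the downloaded IPsec connection settings. The following Python check is an added example, not part of the original tutorial or of any Alibaba Cloud or H3C tooling. The dictionary layout, the function names, the list of legacy values and the PSK length floor are assumptions made for illustration.

```python
import copy
import ipaddress

# Constructed from this tutorial's tables: the downloaded cloud-side settings.
CLOUD = {
    "ike": {"auth": "sha1", "enc": "aes", "dh": "group2", "version": "ikev1",
            "lifetime": 86400, "mode": "main", "psk": "h3c"},
    "ipsec": {"auth": "sha1", "enc": "aes", "dh": "group2", "lifetime": 86400},
    "local_net": "192.168.10.0/24",    # VPC
    "remote_net": "192.168.66.0/24",   # local data center
}

# What the H3C side should hold: same proposals, protected data flow mirrored.
H3C = copy.deepcopy(CLOUD)
H3C["local_net"], H3C["remote_net"] = CLOUD["remote_net"], CLOUD["local_net"]

# Assumption (not from the page): values treated as legacy, and a PSK floor.
LEGACY = {"auth": {"md5", "sha1"}, "dh": {"group1", "group2"}, "version": {"ikev1"}}
MIN_PSK_LEN = 20


def compare(cloud, onprem):
    """Return mismatches between the two ends; an empty list means they agree."""
    out = []
    for phase in ("ike", "ipsec"):
        for key, want in cloud[phase].items():
            got = onprem[phase].get(key)
            if got != want:
                # Never echo the pre-shared key into a report.
                detail = "values differ" if key == "psk" else f"{got} != {want}"
                out.append(f"{phase}.{key}: {detail}")
    # The source segment on one end must be the destination on the other.
    for mine, theirs in (("local_net", "remote_net"), ("remote_net", "local_net")):
        if ipaddress.ip_network(onprem[mine]) != ipaddress.ip_network(cloud[theirs]):
            out.append(f"{mine}: {onprem[mine]} is not the peer's {theirs} {cloud[theirs]}")
    return out


def legacy_settings(cfg):
    """Return settings that negotiate fine but are worth raising on both ends."""
    out = [f"{phase}.{key}={cfg[phase][key]}"
           for phase in ("ike", "ipsec")
           for key, bad in LEGACY.items()
           if cfg[phase].get(key) in bad]
    if len(cfg["ike"]["psk"]) < MIN_PSK_LEN:
        out.append(f"ike.psk shorter than {MIN_PSK_LEN} characters")
    return out


if __name__ == "__main__":
    print(compare(CLOUD, H3C) or "both ends agree")
    print(legacy_settings(CLOUD))
```

Any change prompted by legacy_settings has to be made on the Alibaba Cloud IPsec connection and on the H3C firewall together, since compare reports any one-sided change as a mismatch.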