When you use IPsec-VPN to connect a data center to Alibaba Cloud, you must configure the VPN gateway on Alibaba Cloud, and then add VPN configurations to the gateway device in the data center. This topic uses an H3C firewall device as an example to describe how to add VPN configurations to an on-premises gateway device.

Scenarios

Figure: Scenario

The scenario shown in the figure is used as an example in this topic. A company has deployed a virtual private cloud (VPC) on Alibaba Cloud. The CIDR block of the VPC is 192.168.10.0/24. Applications are deployed on Elastic Compute Service (ECS) instances in the VPC. The company has a data center whose CIDR block is 192.168.66.0/24. As its business grows, the company wants to connect the data center to the VPC. The company decides to use a VPN gateway to establish an IPsec-VPN connection between the data center and the VPC. This way, the data center can communicate with the VPC.
The following table describes the network configurations in this example.
Parameter: Example value
VPC
  Private CIDR block that needs to communicate with the data center: 192.168.10.0/24
VPN gateway
  Public IP address of the VPN gateway: 101.XX.XX.127
Data center
  Private CIDR block that needs to communicate with the VPC: 192.168.66.0/24
  Public IP address of the on-premises gateway device: 122.XX.XX.248
  Interface used by the on-premises gateway to connect to the Internet: Reth1
  Interface used by the on-premises gateway to connect to the data center: G2/0/10

Prerequisites

  • A VPN gateway, a customer gateway, and an IPsec-VPN connection are created on Alibaba Cloud. Routes are configured for the VPN gateway. For more information, see Connect a data center to a VPC.
  • The configuration of the IPsec-VPN connection is downloaded. For more information, see Download the configuration file of an IPsec-VPN connection.
    The following table describes the configuration of the IPsec-VPN connection in this example.
    Parameter: Example value
    Pre-shared key: ff123TT****
    IKE configurations
      IKE version: ikev1
      Negotiation mode: main
      Encryption algorithm: aes
        Note: If the encryption algorithm of the IPsec-VPN connection is Advanced Encryption Standard (AES), the encryption algorithm of the H3C firewall device must be AES-CBC-128.
      Authentication algorithm: sha1
      DH group: group2
      SA life cycle (seconds): 86400
    IPsec configurations
      Encryption algorithm: aes
        Note: If the encryption algorithm of the IPsec-VPN connection is AES, the encryption algorithm of the H3C firewall device must be AES-CBC-128.
      Authentication algorithm: sha1
      DH group: group2
      SA life cycle (seconds): 86400

Configure the H3C firewall device

Note: The following content is for reference only. For the actual procedure, refer to the manual of your device.
  1. Log on to the web console of the H3C firewall device.
  2. In the left-side navigation pane, choose Network > VPN > IPsec > Policies. On the Create IPsec Policy page, configure the IPsec policy based on the configuration of the IPsec-VPN connection that you downloaded.

    Set Source IP Address to the private CIDR block of the data center, which is 192.168.66.0/24 in this example. Set Destination IP Address to the private CIDR block of the VPC, which is 192.168.10.0/24 in this example.

  3. In the left-side navigation pane, choose Network > VPN > IPsec > IKE Proposal, and click Create to add IKE configurations.
  4. In the left-side navigation pane, choose Network > VPN > IPsec > Policies. Find the IPsec policy that you created and click Advanced Settings to add IPsec configurations.
  5. In the left-side navigation pane, choose Network > VPN > IPsec > Policies > Security Policies > Create to create an upstream security policy and a downstream security policy.
    • The upstream security policy controls traffic from the data center to the VPC.
    • The downstream security policy controls traffic from the VPC to the data center.
  6. In the left-side navigation pane, choose Network > Routes > Static Routes. On the Create IPv4 Static Route page, add the static routes that your traffic requires.
    • Add a static route to route traffic from the data center to the VPC.
    • Add a static route to route traffic from the VPC to the data center.
      Note: In this example, this route is not required because a direct route is used. You can add a static route based on your business requirements.
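A negotiation fails silently at step 3 or step 4 whenever the proposal entered on the H3C device does not match the downloaded connection configuration, and the most common slip is the algorithm naming difference noted in the tables above (the cloud side says "aes", the device must say AES-CBC-128). The following Python check is an added example, not part of this topic or of any Alibaba Cloud or H3C tool; it compares a device-side proposal, transform set and policy selector against the constructed cloud-side values from the tables, and assumes that the sha1 and group2 names carry over unchanged.

```python
from ipaddress import ip_network

# Algorithm names as printed in the downloaded cloud configuration, mapped to the
# names the H3C device must use. "aes" -> "aes-cbc-128" is the note in this topic;
# the other two entries are assumed to carry over unchanged.
CLOUD_TO_H3C = {"aes": "aes-cbc-128", "sha1": "sha1", "group2": "group2"}

# Constructed cloud-side values, taken from the tables in this topic.
CLOUD = {
    "ike": {"mode": "main", "enc": "aes", "auth": "sha1", "dh": "group2", "lifetime": 86400},
    "ipsec": {"enc": "aes", "auth": "sha1", "dh": "group2", "lifetime": 86400},
    "vpc_cidr": "192.168.10.0/24",   # cloud side of the tunnel
    "dc_cidr": "192.168.66.0/24",    # data center side of the tunnel
}


def check_phase(name, cloud_phase, device_phase):
    """Compare one negotiation phase (IKE or IPsec); return the mismatches."""
    problems = []
    for field in ("enc", "auth", "dh"):
        want = CLOUD_TO_H3C[cloud_phase[field]]
        got = device_phase.get(field)
        if got != want:
            problems.append(f"{name} {field}: device has {got!r}, needs {want!r}")
    for field in ("mode", "lifetime"):   # the IPsec phase has no negotiation mode
        if field in cloud_phase and device_phase.get(field) != cloud_phase[field]:
            problems.append(f"{name} {field}: device has {device_phase.get(field)!r}, needs {cloud_phase[field]!r}")
    return problems


def check_h3c(ike, ipsec, policy, cloud=CLOUD):
    """Return every mismatch between the device settings and the cloud side.

    ike/ipsec: dicts shaped like CLOUD["ike"] / CLOUD["ipsec"], with H3C names.
    policy: {"src": cidr, "dst": cidr} as entered on the IPsec policy page; seen
    from the device, the source is the data center and the destination the VPC.
    """
    problems = check_phase("IKE", cloud["ike"], ike)
    problems += check_phase("IPsec", cloud["ipsec"], ipsec)
    if ip_network(policy["src"]) != ip_network(cloud["dc_cidr"]):
        problems.append(f"policy source {policy['src']} is not the data center CIDR")
    if ip_network(policy["dst"]) != ip_network(cloud["vpc_cidr"]):
        problems.append(f"policy destination {policy['dst']} is not the VPC CIDR")
    return problems


# Device settings that match the tables in this topic: no findings expected.
GOOD_IKE = {"mode": "main", "enc": "aes-cbc-128", "auth": "sha1", "dh": "group2", "lifetime": 86400}
GOOD_IPSEC = {"enc": "aes-cbc-128", "auth": "sha1", "dh": "group2", "lifetime": 86400}
GOOD_POLICY = {"src": "192.168.66.0/24", "dst": "192.168.10.0/24"}

if __name__ == "__main__":
    print(check_h3c(GOOD_IKE, GOOD_IPSEC, GOOD_POLICY))
    print(check_h3c({**GOOD_IKE, "enc": "aes-cbc-256"}, GOOD_IPSEC, GOOD_POLICY))
```

Run the check before applying the policy to the Internet-facing interface; an empty list means both phases and the traffic selectors agree with the downloaded configuration.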