After you configure an IPsec-VPN connection on Alibaba Cloud, you must load the configuration of the IPsec-VPN connection to the gateway device deployed in the on-premises data center.
Alibaba Cloud VPN gateways support the standard IKEv1 and IKEv2 protocols. Gateway devices that support these two protocols can connect to VPN gateways on Alibaba Cloud, such as gateway devices from Huawei, H3C, Hillstone, Sangfor, Cisco ASA, Juniper, SonicWall, Nokia, IBM, and Ixia.
| Resource | Parameter | Example |
|---|---|---|
| VPC | CIDR blocks of the VSwitches | 192.168.10.0/24 and 192.168.11.0/24 |
| VPC | Public IP address of the VPN gateway | 47.xx.xx.10 |
| On-premises data center | Private CIDR block | 10.10.10.0/24 |
| On-premises data center | Public IP address of the firewall | 124.xx.xx.215/26 |
| On-premises data center | Outbound port (external) | 10GE1/0/0 |
| On-premises data center | Inbound port (internal) | 10GE1/0/1 |
Configure IKEv1 VPN
Prerequisites
- An IPsec-VPN connection is created in a VPC on Alibaba Cloud. For more information, see Create an IPsec-VPN connection.
- The configuration of the IPsec-VPN connection is downloaded. The configuration in the following table is used in this example.

| Protocol | Parameter | Example |
|---|---|---|
| IKE | Authentication algorithm | SHA-1 |
| IKE | Encryption algorithm | AES-128 |
| IKE | DH group | group 2 |
| IKE | IKE version | IKE v1 |
| IKE | Lifecycle | 86400 |
| IKE | Negotiation mode | main |
| IKE | PSK | 123456 |
| IPsec | Authentication algorithm | SHA-1 |
| IPsec | Encryption algorithm | AES-128 |
| IPsec | DH group | group 2 |
| IPsec | IKE version | IKE v1 |
| IPsec | Lifecycle | 86400 |
| IPsec | Negotiation mode | esp |
Procedure
Perform the following operations to load the configuration of the customer gateway to the Huawei firewall device:
- Go to the Huawei firewall management page. Add the outbound port 10GE1/0/0 to the untrust security zone and set the public IP address. Add the inbound port 10GE1/0/1 to the trust security zone and set the private IP address.
- Create a security policy.
- Configure the gateway device based on the following information:
  - Local Interface: Select the outbound port. In this example, 10GE1/0/0 is selected.
  - Peer Address: Enter the public IP address of the VPN gateway on Alibaba Cloud. In this example, 47.xx.xx.10 is entered.
  - Pre-Shared Key: The pre-shared key must be the same as the one used on the Alibaba Cloud side. In this example, 123456 is entered.
- On the Data Flow to Be Encrypted page, click Add. Add the data flow to be encrypted for all VSwitch CIDR blocks in the VPC based on the following information:
  - Source Address/Address-Set: Enter the private CIDR block of the on-premises data center. In this example, 10.10.10.0/24 is entered.
  - Destination Address/Address-Set: Enter the CIDR blocks of the VSwitches that are deployed in the VPC on Alibaba Cloud. In this example, 192.168.10.0/24 and 192.168.11.0/24 are entered.
- On the IKE/IPSec Protocol page, click Advanced. Configure the IKE protocol parameters based on the IPsec-VPN configuration that you downloaded.
- On the IPsec Parameters page, configure the IPsec protocol parameters based on the IPsec configuration that you downloaded.
- Configure static routes for the firewall. When you add a default route, the next hop is the public IP address of the firewall. When you add a route that points to the VPC on Alibaba Cloud, the next hop is the public IP address of the VPN gateway in the VPC.
Configure IKEv2 VPN
Prerequisites
- An IPsec-VPN connection is created in a VPC on Alibaba Cloud.
- The configuration of the IPsec-VPN connection is downloaded. The configuration in the following table is used in this example.

| Protocol | Parameter | Example |
|---|---|---|
| IKE | Authentication algorithm | SHA-1 |
| IKE | Encryption algorithm | AES-128 |
| IKE | DH group | group 2 |
| IKE | IKE version | IKE v2 |
| IKE | Lifecycle | 86400 |
| IKE | PRF algorithm | SHA-1 |
| IKE | PSK | 123456 |
| IPsec | Authentication algorithm | SHA-1 |
| IPsec | Encryption algorithm | AES-128 |
| IPsec | DH group | group 2 |
| IPsec | IKE version | IKE v2 |
| IPsec | Lifecycle | 86400 |
| IPsec | Negotiation mode | esp |
Procedure
Perform the following operations to load the configuration of the customer gateway to the Huawei firewall device:
- Go to the Huawei firewall management page. Add the outbound port 10GE1/0/0 to the untrust security zone and set the public IP address. Add the inbound port 10GE1/0/1 to the trust security zone and set the private IP address.
- Create a security policy.
- Configure the gateway device based on the following information:
  - Local Interface: Select the firewall outbound port. In this example, 10GE1/0/0 is selected.
  - Peer Address: Enter the public IP address of the VPN gateway on Alibaba Cloud. In this example, 47.xx.xx.10 is entered.
  - Pre-Shared Key: The pre-shared key must be the same as the one used on the Alibaba Cloud side. In this example, 123456 is entered.
- On the Data Flow to Be Encrypted page, click Add. Add the data flow to be encrypted for all VSwitch CIDR blocks in the VPC based on the following information:
  - Source Address/Address-Set: Enter the private CIDR block of the on-premises data center. In this example, 10.10.10.0/24 is entered.
  - Destination Address/Address-Set: Enter the CIDR blocks of the VSwitches in the VPC. In this example, 192.168.10.0/24 and 192.168.11.0/24 are entered.
- On the IKE/IPSec Protocol page, click Advanced. Configure the IKE parameters based on the IPsec-VPN configuration that you downloaded.
- On the IPsec Parameters page, configure the IPsec protocol parameters based on the IPsec-VPN configuration that you downloaded.
- Configure static routes for the firewall. When you add a default route, the next hop is the public IP address of the firewall. When you add a route that points to a VPC, the next hop is the public IP address of the VPN gateway.
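Both the IKEv1 and the IKEv2 procedure above depend on the firewall side matching the downloaded IPsec-VPN configuration exactly (proposal, lifetime, PSK, peer address) and on the data flows covering every VSwitch CIDR. The following Python script is an added example, not part of the Alibaba Cloud guide or Huawei's tooling: it compares the two sides and flags a data flow that misses a VSwitch CIDR; the dictionary layout, key names and sample values are assumptions constructed from this page's tables.

```python
import ipaddress

# Constructed sample: the IKEv1 values from the configuration table in this
# guide. The dictionary layout is an assumption, not Alibaba Cloud's file format.
CLOUD_SIDE = {
    "ike": {"auth": "sha1", "enc": "aes-128", "dh": 2, "version": 1,
            "lifetime": 86400, "mode": "main", "psk": "123456"},
    "ipsec": {"auth": "sha1", "enc": "aes-128", "lifetime": 86400},
    "peer_ip": "47.xx.xx.10",  # placeholder exactly as printed in the guide
    "vswitch_nets": ["192.168.10.0/24", "192.168.11.0/24"],
}

# Constructed sample of what was entered on the Huawei firewall; the second
# VSwitch CIDR is left out of the data flow on purpose to show the check.
FIREWALL_SIDE = {
    "ike": {"auth": "sha1", "enc": "aes-128", "dh": 2, "version": 1,
            "lifetime": 86400, "mode": "main", "psk": "123456"},
    "ipsec": {"auth": "sha1", "enc": "aes-128", "lifetime": 86400},
    "peer_address": "47.xx.xx.10",
    "dest_nets": ["192.168.10.0/24"],
}

def check_peer(cloud, firewall):
    """Return mismatches between cloud and firewall settings; [] means consistent."""
    problems = []
    for proto in ("ike", "ipsec"):
        for key, want in cloud[proto].items():
            got = firewall[proto].get(key)
            if got != want:
                problems.append(f"{proto}.{key}: cloud={want!r} firewall={got!r}")
    if firewall["peer_address"] != cloud["peer_ip"]:
        problems.append("peer address is not the VPN gateway public IP")
    # Every VSwitch CIDR must sit inside the destination of some data flow.
    dests = [ipaddress.ip_network(d) for d in firewall["dest_nets"]]
    for net in cloud["vswitch_nets"]:
        if not any(ipaddress.ip_network(net).subnet_of(d) for d in dests):
            problems.append(f"VSwitch CIDR {net} not covered by any data flow")
    return problems

def weak_settings(cfg):
    """Flag values that match on both sides but are weak by today's standards."""
    warnings = []
    if cfg["ike"]["dh"] <= 2:
        warnings.append("DH group 2 (1024-bit MODP) is below current recommendations")
    if cfg["ike"]["auth"] == "sha1":
        warnings.append("SHA-1 integrity; prefer SHA-256 when both sides support it")
    if len(cfg["ike"]["psk"]) < 16 or cfg["ike"]["psk"].isdigit():
        warnings.append("pre-shared key is short or digits-only; use a long random key")
    return warnings
```

Run `check_peer` before attempting negotiation: an empty list plus an empty `weak_settings` result is the state you want before the tunnel goes into production.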