When you use IPsec-VPN to establish a site-to-site connection, you must configure the gateway device in the data center after you configure the VPN gateway on Alibaba Cloud. The following example shows you how to load the configuration of a VPN gateway to a data center. strongSwan is used in the example.
Prerequisites
- An IPsec-VPN connection is created. For more information, see Connect on-premises data centers to VPC networks.
- The configuration of the IPsec-VPN connection is downloaded. For more information, see Download the configuration file of an IPsec-VPN connection.
The following table shows the configuration of the IPsec-VPN connection in this example.
Protocol  Parameter                 Example
IKE       Authentication algorithm  sha1
          Encryption algorithm      aes
          DH group                  group2
          IKE version               ikev1
          Lifecycle (seconds)       86400
          Negotiation mode          main
          Pre-shared key (PSK)      123456
IPsec     Authentication algorithm  sha1
          Encryption algorithm      aes
          DH group                  group2
          Lifecycle (seconds)       86400
Description
The following scenario is used as an example in this topic. The data center and the Alibaba Cloud VPC are connected by using IPsec-VPN:
- The CIDR block of the Alibaba Cloud VPC is 192.168.10.0/24.
- The CIDR block of the data center is 172.16.2.0/24.
- The public IP address of the strongSwan gateway in the data center is 59.XX.XX.70.
- The public IP address of the VPN gateway on Alibaba Cloud is 119.XX.XX.125.

Step 1: Install strongSwan
- Run the following command to install strongSwan:
# yum install strongswan
- Run the following command to query the version of strongSwan that you installed:
# strongswan version
Step 2: Configure strongSwan
- Run the following command to open the ipsec.conf file:
# vi /etc/strongswan/ipsec.conf
- Refer to the following configuration to modify the ipsec.conf file:
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration
config setup
    uniqueids=never

conn %default
    # enables pre-shared key authentication
    authby=psk
    type=tunnel

conn tomyidc
    # the version of the IKE protocol that is used by the IPsec-VPN connection
    keyexchange=ikev1
    left=59.XX.XX.70
    # the CIDR block of the data center
    leftsubnet=172.16.2.0/24
    # the public IP address of the gateway in the data center
    leftid=59.XX.XX.70
    right=119.XX.XX.125
    # the CIDR block of the VPC
    rightsubnet=192.168.10.0/24
    # the public IP address of the VPN gateway on Alibaba Cloud
    rightid=119.XX.XX.125
    auto=route
    # the encryption algorithm, authentication algorithm, and DH group of the IKE protocol
    ike=aes-sha1-modp1024
    # the lifecycle (SA lifetime) of the IKE protocol, in seconds
    ikelifetime=86400s
    # the encryption algorithm, authentication algorithm, and DH group of the IPsec protocol
    esp=aes-sha1-modp1024
    # the lifecycle (SA lifetime) of the IPsec protocol, in seconds
    lifetime=86400s
- Configure the ipsec.secrets file.
- Run the following command to open the configuration file:
# vi /etc/strongswan/ipsec.secrets
- Add the following line to the file:
# 123456 is the pre-shared key of the IPsec-VPN connection. The data center gateway
# and the VPN gateway must use the same pre-shared key. Replace it with a strong,
# randomly generated key in production.
59.XX.XX.70 119.XX.XX.125 : PSK 123456
- Enable IP forwarding on the strongSwan host:
# echo 1 > /proc/sys/net/ipv4/ip_forward
This setting is lost at reboot. To make it persistent, add net.ipv4.ip_forward = 1 to /etc/sysctl.conf (or to a file under /etc/sysctl.d/) and run sysctl -p.
For more information, see Configurations for different scenarios.
- Run the following command to start the strongSwan service:
# systemctl enable strongswan
# systemctl start strongswan
- Configure two routes in the data center. One route sends traffic from data center clients that is destined for the VPC CIDR block (192.168.10.0/24) to the strongSwan gateway. The other route sends traffic from the strongSwan gateway back to the data center clients (172.16.2.0/24).
If you create multiple IPsec-VPN connections on the same strongSwan gateway, also adjust the max_ikev1_exchanges setting in the charon section of the strongSwan configuration file (strongswan.conf): uncomment the line
max_ikev1_exchanges = 3
if it is commented out, and set the value to a number that is greater than the number of connections you have created. For example, if you have created four connections with strongSwan, change the line to max_ikev1_exchanges = 5.
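The following script is an added example and is not part of the original page or of the strongSwan project. It turns the procedure above into a repeatable setup: it maps the parameter names from the console table (sha1, aes, group2) to strongSwan proposal strings, renders the ipsec.conf and ipsec.secrets shown in Step 2, persists IP forwarding, and checks the output of strongswan status for an established tunnel. The file paths, connection name tomyidc, addresses and CIDR blocks follow the page; the helper function names, the --apply switch, the PSK environment variable and the sample status text are this example's own assumptions.

```shell
#!/bin/bash
# Added example, not part of the original page or of strongSwan: generate the
# ipsec.conf / ipsec.secrets shown above from the console's parameter table and
# check `strongswan status` for the resulting tunnel. File paths and the
# connection name "tomyidc" follow the page; the helper function names and the
# sample status text below are this example's own (constructed) assumptions.
set -eu

# Console DH-group names map to strongSwan MODP keywords (group2 = 1024-bit MODP).
dh_to_modp() {
    case "$1" in
        group2)  echo modp1024 ;;
        group5)  echo modp1536 ;;
        group14) echo modp2048 ;;
        *) echo "unsupported DH group: $1" >&2; return 1 ;;
    esac
}

# to_proposal AUTH ENC DH -> strongSwan proposal string, e.g. "aes-sha1-modp1024"
to_proposal() {
    modp=$(dh_to_modp "$3") || return 1
    printf '%s-%s-%s\n' "$2" "$1" "$modp"
}

# render_ipsec_conf NAME LOCAL_IP LOCAL_SUBNET REMOTE_IP REMOTE_SUBNET IKE ESP LIFETIME_SECONDS
render_ipsec_conf() {
    cat <<EOF
config setup
    uniqueids=never

conn %default
    authby=psk
    type=tunnel

conn $1
    keyexchange=ikev1
    left=$2
    leftsubnet=$3
    leftid=$2
    right=$4
    rightsubnet=$5
    rightid=$4
    auto=route
    ike=$6
    ikelifetime=${8}s
    esp=$7
    lifetime=${8}s
EOF
}

# render_secrets LOCAL_IP REMOTE_IP PSK -> one ipsec.secrets line
render_secrets() {
    printf '%s %s : PSK "%s"\n' "$1" "$2" "$3"
}

# tunnel_established NAME STATUS_TEXT
# Succeeds only when the `strongswan status` text shows an ESTABLISHED IKE_SA
# ("NAME[n]: ESTABLISHED ...") and an INSTALLED CHILD_SA ("NAME{n}: INSTALLED ...").
tunnel_established() {
    printf '%s\n' "$2" | grep -q "^ *$1\[[0-9]*\]: ESTABLISHED" &&
        printf '%s\n' "$2" | grep -q "^ *$1{[0-9]*}: *INSTALLED"
}

# Constructed sample output in the `strongswan status` format, for offline checks.
SAMPLE_UP='Security Associations (1 up, 0 connecting):
     tomyidc[1]: ESTABLISHED 12 seconds ago, 59.XX.XX.70[59.XX.XX.70]...119.XX.XX.125[119.XX.XX.125]
     tomyidc{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c9a1b2c3_i d4e5f6a7_o
     tomyidc{1}:   172.16.2.0/24 === 192.168.10.0/24'
SAMPLE_DOWN='Security Associations (0 up, 1 connecting):
     tomyidc[2]: CONNECTING, 59.XX.XX.70[%any]...119.XX.XX.125[%any]'

# apply: write the files and bring the tunnel up. Run as root on the strongSwan
# host with PSK set in the environment; nothing above this touches the system.
apply() {
    psk="${PSK:?set PSK to the pre-shared key from the downloaded configuration}"
    ike=$(to_proposal sha1 aes group2)
    esp=$(to_proposal sha1 aes group2)
    render_ipsec_conf tomyidc 59.XX.XX.70 172.16.2.0/24 119.XX.XX.125 192.168.10.0/24 \
        "$ike" "$esp" 86400 > /etc/strongswan/ipsec.conf
    render_secrets 59.XX.XX.70 119.XX.XX.125 "$psk" > /etc/strongswan/ipsec.secrets
    chmod 600 /etc/strongswan/ipsec.secrets   # the PSK must not be world-readable
    # `echo 1 > /proc/sys/net/ipv4/ip_forward` does not survive a reboot; persist it.
    echo 'net.ipv4.ip_forward = 1' > /etc/sysctl.d/99-ipsec-forward.conf
    sysctl -p /etc/sysctl.d/99-ipsec-forward.conf
    systemctl enable strongswan
    systemctl restart strongswan
    strongswan up tomyidc
    tunnel_established tomyidc "$(strongswan status)" && echo "tunnel tomyidc is up"
}

if [ "${1:-}" = "--apply" ]; then apply; fi
```

Run it without arguments to load the helpers only; run PSK='...' ./setup-tomyidc.sh --apply as root on the strongSwan host to write the files and start the tunnel. The proposal strings mirror the page's example (IKEv1, AES, SHA-1, DH group 2); the same helper renders stronger settings if your connection was created with them, for example to_proposal sha256 aes256 group14. The PSK is written in double quotes, which strongSwan's ipsec.secrets accepts alongside the unquoted form used on this page.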