When you use IPsec-VPN to establish a site-to-site connection, you must configure the gateway device in the data center after you configure the VPN gateway on Alibaba Cloud. The following example shows you how to load the configuration of a VPN gateway to a data center. strongSwan is used in the example.

Prerequisites

  • An IPsec-VPN connection is created. For more information, see Connect on-premises data centers to VPC networks.
  • The configuration of the IPsec-VPN connection is downloaded. For more information, see Download the configuration file of an IPsec-VPN connection.
    The following table shows the configuration of the IPsec-VPN connection in this example.
    Protocol   Parameter                  Example
    IKE        Authentication algorithm   sha1
               Encryption algorithm       aes
               DH group                   group2
               IKE version                ikev1
               Lifecycle                  86400
               Negotiation mode           main
               Pre-shared key (PSK)       123456
    IPsec      Authentication algorithm   sha1
               Encryption algorithm       aes
               DH group                   group2
               Lifecycle                  86400

Description

The following scenario is used as an example in this topic. The data center and the Alibaba Cloud VPC are connected by using IPsec-VPN:

  • The CIDR block of the Alibaba Cloud VPC is 192.168.10.0/24.

  • The CIDR block of the data center is 172.16.2.0/24.

  • The public IP address of strongSwan is 59.XX.XX.70.

Step 1: Install strongSwan

  1. Run the following command to install strongSwan:
    # yum install strongswan
  2. Run the following command to query the version of strongSwan that you installed:
    # strongswan version

Step 2: Configure strongSwan

  1. Run the following command to open the ipsec.conf file:
    # vi /etc/strongswan/ipsec.conf
  2. Refer to the following configuration to modify the ipsec.conf file:
    # ipsec.conf - strongSwan IPsec configuration file
    # basic configuration
    config setup
        uniqueids=never
    conn %default
        authby=psk                  # enables pre-shared key authentication
        type=tunnel
    conn tomyidc
        keyexchange=ikev1           # the version of the IKE protocol that is used by the IPsec-VPN connection
        left=59.XX.XX.70
        leftsubnet=172.16.2.0/24    # the CIDR block of the data center
        leftid=59.XX.XX.70          # the public IP address of the gateway in the data center
        right=119.XX.XX.125
        rightsubnet=192.168.10.0/24 # the CIDR block of the VPC
        rightid=119.XX.XX.125       # the IP address of the VPN gateway
        auto=route
        ike=aes-sha1-modp1024       # the encryption algorithm, authentication algorithm, and DH group of the IKE protocol
        ikelifetime=86400s          # the lifecycle of the IKE protocol
        esp=aes-sha1-modp1024       # the encryption algorithm, authentication algorithm, and DH group of the IPsec protocol
        lifetime=86400s             # the lifecycle of the IPsec protocol
        type=tunnel
  3. Configure the ipsec.secrets file.
    1. Run the following command to open the configuration file:
      # vi /etc/strongswan/ipsec.secrets
    2. Add the following configuration to the file:
      # 123456 is the pre-shared key for the IPsec-VPN connection. The data center and the VPN gateway must use the same pre-shared key.
      59.XX.XX.70 119.XX.XX.125 : PSK 123456
  4. Enable system forwarding:
    # echo 1 > /proc/sys/net/ipv4/ip_forward

    For more information, see Configurations for different scenarios.

  5. Run the following command to start the strongSwan service:
    # systemctl enable strongswan
    # systemctl start strongswan
  6. Configure two routes in the data center. One route is used to transmit data from the data center client to the strongSwan gateway. The other route is used to transmit data from the strongSwan gateway to the data center client.
Note: If you have created more than three IPsec-VPN connections by using strongSwan, you must modify the configuration in /etc/strongswan/strongswan.d/charon.conf. Remove the comment character (#) before the max_ikev1_exchanges = 3 line to enable the setting, and change its value to a number that is greater than the number of connections you have created.

For example, if you have created four connections using strongSwan, you can change the setting to max_ikev1_exchanges = 5.
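The conn block and ipsec.secrets entry above are derived by hand from the downloaded connection parameters; the following added example (not code from Alibaba Cloud or strongSwan) renders them from those parameters and checks an existing conn block against them. The DH group mapping (group2 = modp1024, etc.) is the standard IKE group numbering; the class and function names are assumptions for illustration.

```python
"""Render and check strongSwan settings from the parameters of an
Alibaba Cloud IPsec-VPN connection (added example, hypothetical helpers)."""
from dataclasses import dataclass

# Alibaba Cloud DH group names -> strongSwan MODP keywords (standard IKE groups)
DH_GROUPS = {"group1": "modp768", "group2": "modp1024",
             "group5": "modp1536", "group14": "modp2048"}

@dataclass
class VpnParams:
    local_ip: str       # public IP of the strongSwan gateway (left)
    local_subnet: str   # CIDR block of the data center
    peer_ip: str        # IP of the Alibaba Cloud VPN gateway (right)
    peer_subnet: str    # CIDR block of the VPC
    psk: str
    ike_version: str = "ikev1"
    ike: tuple = ("aes", "sha1", "group2", 86400)    # enc, auth, DH, lifetime
    ipsec: tuple = ("aes", "sha1", "group2", 86400)  # enc, auth, DH, lifetime

def proposal(enc, auth, dh):
    """Build a strongSwan proposal string such as aes-sha1-modp1024."""
    return f"{enc}-{auth}-{DH_GROUPS[dh]}"

def conn_block(p, name="tomyidc"):
    """Render the conn section of ipsec.conf for the connection."""
    ike_enc, ike_auth, ike_dh, ike_life = p.ike
    esp_enc, esp_auth, esp_dh, esp_life = p.ipsec
    rows = [f"keyexchange={p.ike_version}", f"left={p.local_ip}",
            f"leftsubnet={p.local_subnet}", f"leftid={p.local_ip}",
            f"right={p.peer_ip}", f"rightsubnet={p.peer_subnet}",
            f"rightid={p.peer_ip}", "auto=route",
            f"ike={proposal(ike_enc, ike_auth, ike_dh)}",
            f"ikelifetime={ike_life}s",
            f"esp={proposal(esp_enc, esp_auth, esp_dh)}",
            f"lifetime={esp_life}s", "type=tunnel"]
    return f"conn {name}\n" + "".join(f"    {r}\n" for r in rows)

def secrets_line(p):
    """Render the ipsec.secrets entry; quoting keeps special characters intact."""
    return f'{p.local_ip} {p.peer_ip} : PSK "{p.psk}"\n'

def parse_conn(text):
    """Parse key=value settings from a conn block, ignoring # comments."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            k, v = line.split("=", 1)
            out[k.strip()] = v.strip()
    return out

def mismatches(conn_text, p):
    """Return settings in an existing conn block that disagree with the parameters."""
    want, have = parse_conn(conn_block(p)), parse_conn(conn_text)
    return {k: (have.get(k), v) for k, v in want.items() if have.get(k) != v}
```

Running mismatches() over the conn block you actually deployed catches a proposal or subnet that drifted from the downloaded configuration before the tunnel negotiation fails.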