When using IPsec-VPN to create a site-to-site connection, you must configure the local gateway according to the IPsec connection configured for the Alibaba Cloud VPN gateway.
Alibaba Cloud IPsec connections support the IKEv1 and IKEv2 protocols. Any device that supports these two protocols can connect to Alibaba Cloud VPN Gateway. This includes devices from Huawei, H3C, Cisco, ASN, Juniper, SonicWall, Nokia, IBM, and Ixia.
The H3C firewall is used as an example to show how to configure the VPN settings. The configurations used in this tutorial are as follows:
The IP address range of the Alibaba Cloud VPC is 192.168.10.0/24.
The IP address range of the local data center is 172.16.2.0/24.
The public IP address of the strongSwan is 184.108.40.206.
Make sure you have configured IPsec connections. For more information, see Configure a site-to-site connection.
Download the configurations of the created IPsec connection.
In this tutorial, the configurations of the IPsec connection are as shown in the following figure:
The following steps use CentOS 7.3:
Check the system version.
Linux version 3.10.0-514.26.2.el7.x86_64 (email@example.com) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-11) (GCC)) #1 SMP Tue Jul 4 15:04:05 UTC 2017
CentOS Linux release 7.3.1611 (Core)
#yum install strongswan
Check the software version.
Linux strongSwan U5.5.3/K3.10.0-514.26.2.el7.x86_64 Institute for Internet Technologies and Applications University of Applied Sciences Rapperswil, Switzerland See 'strongswan --copyright' for copyright information.
For more information on how to install strongSwan on other systems or compile it on your own, see strongSwan Installation Documentation.
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
220.127.116.11 18.104.22.168 : PSK yourpassword
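An ipsec.conf for the topology listed above, as an added example that is not the original file from this tutorial. The connection name, both public IP addresses (documentation-range placeholders), the IKE version, the proposals, and the lifetimes are assumptions; replace them with the values from the downloaded IPsec connection configuration, because both ends must agree on every one of them.

```conf
# ipsec.conf - added example, not the tutorial's original file.
# Subnets come from this tutorial; every other value is an assumption.

conn %default
    # Pre-shared key authentication; the key itself lives in ipsec.secrets
    authby = psk
    type = tunnel

# Hypothetical connection name
conn to-alibaba-vpc
    # Assumption: IKEv2. Use ikev1 if the Alibaba Cloud IPsec connection
    # was created with IKEv1.
    keyexchange = ikev2

    # Local side: the strongSwan host and the data center subnet.
    # 203.0.113.10 is a constructed placeholder for the strongSwan public IP.
    left = 203.0.113.10
    leftid = 203.0.113.10
    leftsubnet = 172.16.2.0/24

    # Remote side: the Alibaba Cloud VPN gateway and the VPC subnet.
    # 198.51.100.20 is a constructed placeholder for the gateway public IP.
    right = 198.51.100.20
    rightid = 198.51.100.20
    rightsubnet = 192.168.10.0/24

    # Assumed proposals. The trailing "!" makes strongSwan offer and accept
    # only this proposal, so a mismatch with the cloud side fails during
    # negotiation instead of silently falling back to a weaker suite.
    ike = aes256-sha256-modp2048!
    esp = aes256-sha256-modp2048!

    # Assumed lifetimes; mirror the values configured on the cloud side.
    ikelifetime = 86400s
    lifetime = 86400s

    # Detect a dead peer and re-establish the tunnel.
    dpdaction = restart
    dpddelay = 30s

    # Bring the tunnel up when the service starts.
    auto = start
```

The two addresses on the ipsec.secrets line must be the same values used for leftid and rightid, and the PSK must be the one set on the Alibaba Cloud IPsec connection.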
Enable system forwarding.
#echo 1 > /proc/sys/net/ipv4/ip_forward
For more configuration examples for different scenarios, see Configuration Examples for Different Scenarios.
Start the strongSwan service by running the following commands:
#systemctl enable strongswan
#systemctl start strongswan
Configure two routes in strongSwan.
One routes the requests destined for the IDC client to strongSwan. The other routes the requests destined for strongSwan to your IDC client.