When you use IPsec-VPN to establish a site-to-site connection, you must add VPN configurations to the gateway device in the data center after you configure the VPN gateway on Alibaba Cloud. This way, an IPsec-VPN connection between the data center and Alibaba Cloud is established. This topic describes how to add VPN configurations to the gateway device in the data center. In this example, strongSwan is used.
Scenario
The preceding scenario is used in this example. A company has deployed a virtual private cloud (VPC) on Alibaba Cloud. The CIDR block of the VPC is 192.168.10.0/24. Applications are deployed on Elastic Compute Service (ECS) instances in the VPC. The company has a data center whose CIDR block is 172.16.2.0/24. Due to business development, the company wants to connect the data center to the VPC. The company decides to use a VPN gateway to establish an IPsec-VPN connection between the data center and the VPC. This way, the data center can communicate with the VPC.
The following table describes the network configurations.
Item | Description | Example
VPC | Private CIDR block of the VPC to be connected to the data center | 192.168.10.0/24
VPN gateway | Public IP address of the VPN gateway | 119.XX.XX.125
Data center | Private CIDR block of the data center to be connected to the VPC | 172.16.2.0/24
Data center | Public IP address of the gateway device in the data center | 59.XX.XX.70
If strongSwan is configured on a gateway device in the data center, you can also use the private IP address of the gateway device to establish the IPsec-VPN connection. This is the case, for example, when the gateway devices in your data center share the same Internet egress and are therefore not assigned public IP addresses: use the private IP addresses of the gateway devices to establish the IPsec-VPN connections.
Prerequisites
A VPN gateway, a customer gateway, and an IPsec-VPN connection are created on Alibaba Cloud. Routes are configured for the VPN gateway. For more information, see Connect a VPC to a data center in single-tunnel mode.
Note: If you use the private IP address of a gateway device to establish an IPsec-VPN connection, you must specify the private IP address of the gateway device when you create the customer gateway.
The configuration file of the IPsec-VPN connection is downloaded. For more information, see Download the configuration file of an IPsec-VPN connection.
The following table describes the configurations of the IPsec-VPN connection.
Item | Example
Pre-shared key | ff123TT****

Internet Key Exchange (IKE) configurations
IKE version | ikev1
Negotiation mode | main
Encryption algorithm | aes
Authentication algorithm | sha1
Diffie-Hellman (DH) group | group2
Security association (SA) lifecycle (seconds) | 86400

IPsec configurations
Encryption algorithm | aes
Authentication algorithm | sha1
DH group | group2
SA lifecycle (seconds) | 86400
Step 1: Install strongSwan
The commands in this step and Step 2 are for reference only. For more information about the actual commands, see the manual of your gateway device.
Open the CLI of your gateway device.
Run the following command to install strongSwan:
yum install strongswan
Optional. Run the following command to view the version of strongSwan that is automatically installed by the system:
strongswan version
Step 2: Configure strongSwan
Run the following command to open the ipsec.conf file:
vi /etc/strongswan/ipsec.conf
Modify the ipsec.conf file based on the following information:
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration
config setup
    uniqueids=never

conn %default
    # Enables authentication based on pre-shared keys.
    authby=psk
    type=tunnel

conn tomyidc
    # The version of the IKE protocol that is used by the IPsec-VPN connection.
    keyexchange=ikev1
    # The public IP address of the gateway device. If you use the private IP address of a gateway device to establish an IPsec-VPN connection, set this parameter to the private IP address of the gateway device.
    left=59.XX.XX.70
    # The private CIDR block of the data center to be connected to the VPC.
    leftsubnet=172.16.2.0/24
    # The identifier of the gateway device. If you use the private IP address of a gateway device to establish an IPsec-VPN connection, we recommend that you use the private IP address of the gateway device as the identifier.
    leftid=59.XX.XX.70
    # The public IP address of the VPN gateway.
    right=119.XX.XX.125
    # The private CIDR block of the VPC to be connected to the data center.
    rightsubnet=192.168.10.0/24
    # The identifier of the VPN gateway.
    rightid=119.XX.XX.125
    auto=route
    # The encryption algorithm, authentication algorithm, and DH group of the IKE protocol.
    ike=aes-sha1-modp1024
    # The SA lifecycle of the IKE protocol.
    ikelifetime=86400s
    # The encryption algorithm, authentication algorithm, and DH group of the IPsec protocol.
    esp=aes-sha1-modp1024
    # The SA lifecycle of the IPsec protocol.
    lifetime=86400s
    type=tunnel
Configure the ipsec.secrets file.
Run the following command to open the ipsec.secrets file:
vi /etc/strongswan/ipsec.secrets
Add the following configuration to the file.
Note: You can use one of the following configuration methods.
Method 1:
# ff123TT**** is the pre-shared key of the IPsec-VPN connection. The data center and the VPN gateway must use the same pre-shared key.
59.XX.XX.70 119.XX.XX.125 : PSK ff123TT****
Method 2:
# ff123TT**** is the pre-shared key of the IPsec-VPN connection. The data center and the VPN gateway must use the same pre-shared key.
119.XX.XX.125 : PSK ff123TT****
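The ipsec.conf and ipsec.secrets contents above can be generated from the values in the connection configuration table. The following is an added example (not code from the page or from strongSwan); the function names and the DH group mapping table are this example's own, and the IP addresses and pre-shared key are the page's placeholders.

```python
# Added example (not from the page): render ipsec.conf/ipsec.secrets from the
# IPsec-VPN connection parameters; Alibaba Cloud DH group names are mapped to
# strongSwan names. Function names and the mapping table are this example's own.
DH_GROUPS = {"group1": "modp768", "group2": "modp1024",
             "group5": "modp1536", "group14": "modp2048"}

def proposal(enc, auth, dh):
    """Build a strongSwan proposal such as aes-sha1-modp1024."""
    if dh not in DH_GROUPS:
        raise ValueError(f"unsupported DH group {dh!r}")
    return f"{enc}-{auth}-{DH_GROUPS[dh]}"

def render_ipsec_conf(name, left, leftsubnet, right, rightsubnet,
                      ike, esp, keyexchange="ikev1", lifetime=86400):
    """left* is the data center side, right* the Alibaba Cloud VPN gateway;
    ike and esp are (encryption, authentication, DH group) triples."""
    lines = [
        "config setup",
        "    uniqueids=never",
        "",
        "conn %default",
        "    authby=psk",          # pre-shared key authentication
        "    type=tunnel",
        "",
        f"conn {name}",
        f"    keyexchange={keyexchange}",
        f"    left={left}",
        f"    leftsubnet={leftsubnet}",
        f"    leftid={left}",     # identifier = the address used for the tunnel
        f"    right={right}",
        f"    rightsubnet={rightsubnet}",
        f"    rightid={right}",
        "    auto=route",          # install the policy; bring the SA up on traffic
        f"    ike={proposal(*ike)}",
        f"    ikelifetime={lifetime}s",
        f"    esp={proposal(*esp)}",
        f"    lifetime={lifetime}s",
    ]
    return "\n".join(lines) + "\n"

def render_ipsec_secrets(left, right, psk):
    """Method 1 from the page: PSK bound to both peer identifiers. Quoting the
    secret keeps characters such as '#' from being read as a comment."""
    return f'{left} {right} : PSK "{psk}"\n'

# The page's placeholder values; replace them with your own before use.
EXAMPLE_CONF = render_ipsec_conf("tomyidc", "59.XX.XX.70", "172.16.2.0/24",
                                 "119.XX.XX.125", "192.168.10.0/24",
                                 ("aes", "sha1", "group2"), ("aes", "sha1", "group2"))
EXAMPLE_SECRETS = render_ipsec_secrets("59.XX.XX.70", "119.XX.XX.125", "ff123TT****")
```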
Run the following command to enable IP forwarding on the gateway device:
echo 1 > /proc/sys/net/ipv4/ip_forward
This setting does not persist across reboots; to make it permanent, set net.ipv4.ip_forward = 1 in the sysctl configuration of your system. For more information, see the strongSwan documentation.
Run the following command to start strongSwan:
systemctl enable strongswan
systemctl start strongswan
Configure a route to transmit data from clients in the data center to strongSwan. Configure another route to transmit data from strongSwan to clients in the data center.
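After strongSwan is started and the routes are in place, the output of `strongswan statusall` shows whether the tunnel is actually up. The following added example (not from the page or from strongSwan) reads that output and checks the three things that matter: the IKE SA is ESTABLISHED, a CHILD_SA is INSTALLED, and its traffic selectors are the configured CIDR blocks. The sample output is constructed in strongSwan's statusall format using the page's values; the function names are this example's own.

```python
# Added example (not from the page): read `strongswan statusall` output and
# report whether the IKE SA is established, the CHILD_SA is installed, and the
# traffic selectors match the configured CIDR blocks. SAMPLE_STATUS is a
# constructed excerpt in strongSwan's statusall format, using the page's values.
import re

SAMPLE_STATUS = """\
Security Associations (1 up, 0 connecting):
     tomyidc[1]: ESTABLISHED 12 seconds ago, 59.XX.XX.70[59.XX.XX.70]...119.XX.XX.125[119.XX.XX.125]
     tomyidc[1]: IKEv1 SPIs: 1a2b3c4d5e6f7a8b_i* 8b7a6f5e4d3c2b1a_r, pre-shared key reauthentication in 23 hours
     tomyidc[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
     tomyidc{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0a80a01_i c0a80a02_o
     tomyidc{2}:  AES_CBC_128/HMAC_SHA1_96/MODP_1024, 0 bytes_i, 0 bytes_o, rekeying in 23 hours
     tomyidc{2}:   172.16.2.0/24 === 192.168.10.0/24
Routed Connections:
     tomyidc{1}:  ROUTED, TUNNEL, reqid 1
     tomyidc{1}:   172.16.2.0/24 === 192.168.10.0/24
"""

def tunnel_state(status, conn, local_net, remote_net):
    """Summarise one connection. A ROUTED entry alone means the policy is
    installed (auto=route) but no traffic has triggered negotiation yet."""
    state = {"ike_established": False, "ike_proposal": None,
             "child_installed": False, "selectors_match": False}
    installed = set()                       # CHILD_SA ids seen as INSTALLED
    for raw in status.splitlines():
        line = raw.strip()
        ike = re.match(rf"{re.escape(conn)}\[\d+\]: (.*)", line)
        if ike:
            body = ike.group(1)
            if body.startswith("ESTABLISHED"):
                state["ike_established"] = True
            elif body.startswith("IKE proposal: "):
                state["ike_proposal"] = body[len("IKE proposal: "):]
            continue
        child = re.match(rf"{re.escape(conn)}\{{(\d+)\}}:\s+(.*)", line)
        if not child:
            continue
        cid, body = child.groups()
        if body.startswith("INSTALLED, TUNNEL"):
            installed.add(cid)
            state["child_installed"] = True
        elif cid in installed and body == f"{local_net} === {remote_net}":
            state["selectors_match"] = True  # only counted for an INSTALLED SA
    return state

def tunnel_ok(state):
    """True when the IKE SA is up, the CHILD_SA is installed and selectors match."""
    return all((state["ike_established"], state["child_installed"],
                state["selectors_match"]))
```

Because the page's configuration uses auto=route, a connection that shows only under "Routed Connections" is not yet a failure: send traffic from the data center CIDR block to the VPC CIDR block and run the check again.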
If you establish more than three IPsec-VPN connections by using strongSwan, you must modify the /etc/strongswan/strongswan.d/charon.conf file. Remove the comment delimiter before the following line so that the setting takes effect:
max_ikev1_exchanges = 3
Then set max_ikev1_exchanges to a value greater than the number of IPsec-VPN connections that you establish. For example, if you establish four IPsec-VPN connections by using strongSwan, change the line to:
max_ikev1_exchanges = 5