Attach an IPsec-VPN connection to a transit router - Cloud Enterprise Network

Limits

Only Enterprise Edition transit routers support VPN connections.
IPsec-VPN connections only in some regions can be attached to transit routers. For more information about the regions that support IPsec-VPN connections, see Regions that support different features of VPN Gateway.
If you need to attach an IPsec-VPN connection in the China (Nanjing - Local Region), China (Ulanqab), China (Heyuan), China (Guangzhou), China (Chengdu), Japan (Tokyo), Australia (Sydney), Malaysia (Kuala Lumpur), South Korea (Seoul), Indonesia (Jakarta), Philippines (Manila), Thailand (Bangkok), India (Mumbai), Germany (Frankfurt), or UK (London) region to a transit router, contact your sales manager or submit a ticket.
After you attach an IPsec-VPN connection to an Enterprise Edition transit router, the transit router automatically adds a routing policy whose direction is Import to Regional Gateway, priority is 5000, and action is Deny to all the route tables of the transit router. This routing policy disables network communication among the IPsec-VPN connection, virtual border routers (VBRs), and Cloud Connect Network (CCN) instances.
If you directly connect your data center to a transit router by using an IPsec-VPN connection when the data center is already connected to the transit router over an IPsec-VPN connection and a VPC connection, the VPC connection and the IPsec-VPN connections do not support load balancing.

The following table lists the resource quotas.


Item	Default quota	Adjustable
The maximum number of IPsec-VPN connections for equal-cost multipath (ECMP) supported by a transit router	16	Not supported
The maximum number of transit routers supported by an IPsec-VPN connection	1	Not supported

Billing methods

After you attach an IPsec-VPN connection to a transit router, the billable items include transit router connections, transit router data forwarding, IPsec-VPN connections, data transfer, and outbound data transfer. The billable items vary based on the network type of the IPsec-VPN connection. The following table describes the billing rules for connections between transit routers and IPsec-VPN connections.

Billing rules for Internet connections between transit routers and IPsec-VPN connections


No.	Billable item	Description	References
①	Transit router connection	The connection between the transit router and the IPsec-VPN connection	Transit router billing rules VPN gateway billing rules
②	Transit router data forwarding	Data forwarding from the IPsec-VPN connection to the transit router
③	IPsec-VPN connection	The IPsec-VPN connection
④	Data transfer	Data transfer from the IPsec-VPN connection to the data center

Billing rules for private connections between transit routers and IPsec-VPN connections


No.	Billable item	Description	References
①	Transit router connection	The connections between the VBR and IPsec-VPN connection	Transit router billing rules VPN gateway billing rules Express Connect billing rules
②	Transit router data forwarding	Data forwarding from the VBR to the transit router
③	IPsec-VPN connection	The IPsec-VPN connection
④	Outbound data transfer fees	Data transfer from the VBR to the data center

Procedure

Before you can attach an IPsec-VPN connection to a transit router, you must create an IPsec-VPN connection. You can attach the IPsec-VPN connection to the transit router to allow your data center to access Alibaba Cloud. The data center is also connected to the transit router over the IPsec-VPN connection and can communicate with other networks that are attached to the transit router.

You can create IPsec-VPN connections in the Cloud Enterprise Network (CEN) console or in the VPN Gateway console. You can create IPsec-VPN connections that belong to a different Alibaba Cloud account. The following figure shows how to attach an IPsec-VPN connection that belongs to your Alibaba Cloud account or a different Alibaba Cloud account to a transit router in the CEN or VPN Gateway console.

Note

When you create an IPsec-VPN connection, you must specify a customer gateway. Make sure that a customer gateway is deployed before you create an IPsec-VPN connection.
If you create an IPsec-connection in the VPN Gateway console, set Associate Resource to Do Not Associate.

Connect a transit router to an IPsec-VPN connection - Procedure

Prerequisites

Select an ideal method to create an IPsec-VPN connection, and make sure that all prerequisites are met. For more information, see the following topics:

Create a customer gateway
Create and manage IPsec-VPN connections
Create a transit router

Important If you need to create a VPN connection in one of the Australia (Sydney), Germany (Frankfurt) and Indonesia (Jakarta) regions, you must also create a CIDR block for the transit router. An IP address is automatically allocated from the CIDR block to the IPsec-VPN connection. For more information about transit router CIDR blocks, see ᴺᵉʷTransit router CIDR blocks.
Grant the permissions on the IPsec-VPN connection to a transit router of another Alibaba Cloud account

Connect a transit router to an IPsec-VPN connection

Log on to the CEN console.
On the Instances page, find the CEN instance that you want to manage and click the instance ID.
On the Basic Settings > Transit Router tab, find the transit router that you want to manage and click Create Connection in the Actions column.

On the Connection with Peer Network Instance page, set the following parameters and click OK.

The parameters vary based on the method that you use. The following table describes all the parameters.

Basic settings


Parameter	Description
Instance Type	Select VPN.
Region	Select the region where the transit router is deployed.
Transit Router	The transit router in the selected region is displayed.
Resource Owner ID	Select whether the transit router and the IPsec-VPN connection belong to the same Alibaba Cloud account. You can attach IPsec-VPN connections that belong to the current or a different Alibaba Cloud account to transit routers. If the IPsec-VPN connection and the transit router belong to the same Alibaba Cloud account, select Your Account. If the IPsec-VPN connection and the transit router belong to different Alibaba Cloud accounts, select Different Account, and enter the ID of the Alibaba Cloud account to which the IPsec-VPN connection belongs.
Individual Resource	Select whether you want to create an IPsec-VPN connection or select an existing IPsec-VPN connection. Valid values: Create Resource: Create an IPsec-VPN connection. The system will create an IPsec-VPN connection and attach it to the transit router. You can find the IPsec-VPN connection in the VPN Gateway console and click Edit to view the information about the IPsec-VPN connection. For more information, see Modify an IPsec-VPN connection. Select Resource: Select an existing IPsec-VPN connection.
Attachment Name	Enter a name for the VPN connection.
Gateway Type	Select a network type for the IPsec-VPN connection. Valid values: Public: an encrypted connection over the Internet. This is the default value. Private: an encrypted private connection.
Zones	Select a zone. Resources are deployed in the selected zone.
Customer Gateway	Select the customer gateway to which the IPsec-VPN connection attaches.
Routing Mode	Select a routing mode for the IPsec-VPN connection. Valid values: Destination Routing: Traffic is forwarded based on the destination IP address. This is the default value. Flow Protection: Traffic is forwarded based on the source and destination IP addresses. After you select Flow Protection, you must set Local CIDR Block and Peer CIDR Block. After the settings of the attachment between the transit router and the IPsec-VPN connection are completed, the system automatically adds a destination-based route to the route table associated with the IPsec-VPN connection. By default, the destination-based route is advertised to the route table of the transit router.
Apply Immediately	Select whether to immediately apply the settings of the IPsec-VPN connection. Valid values: Yes: Immediately start IPsec negotiation after the settings are completed. No: Start IPsec negotiation only when traffic is received. This is the default value.
Pre-Shared Key	Enter the pre-shared key that is used for identity authentication between Alibaba Cloud and the data center. The key must be 1 to 100 characters in length. If you do not specify a pre-shared key, the system randomly generates a 16-character string as the pre-shared key. You can find the IPsec-VPN connection in the VPN Gateway console and click Edit to view the pre-shared key of the IPsec-VPN connection. For more information, see Modify an IPsec-VPN connection. Important The pre-shared key set for the IPsec-VPN connection and in the data center must be the same. Otherwise, the IPsec-VPN connection fails.

Encryption settings


Parameter	Description
IKE Settings
Version	Select an IKE version. Valid values: IKEv1 ikev2 IKEv1 and IKEv2 are supported. Compared with IKEv1, IKEv2 simplifies the security association (SA) negotiation process and provides better support for scenarios in which multiple CIDR blocks are used. We recommend that you select IKEv2. The default value is IKEv1.
Negotiation Mode	Select a negotiation mode. Valid values: main (default): This mode offers higher security during negotiations. aggressive: This mode is faster and has a higher success rate. Connections negotiated in both modes ensure the same security level of data transmission.
Encryption Algorithm	Select the encryption algorithm that is used in phase 1 negotiations. Supported algorithms are aes (default), aes192, aes256, des, and 3des.
Authentication Algorithm	Select the authentication algorithm that is used in phase 1 negotiation. Valid values: sha1 (default) and md5.
DH Group	Select the DH key exchange algorithm that is used in phase 1 negotiation. Valid values: group1: DH group 1 group2: DH group 2 (default) group5: DH group 5 group14: DH group 14
SA Lifetime (Seconds)	Enter a lifetime for the SA after phase 1 negotiation succeeds. Unit: seconds. Default value: 86400. Valid values: 0 to 86400.
LocalId	Enter the IPsec identifier on Alibaba Cloud. The IPsec identifier is used for phase 1 negotiation. The default identifier is the gateway IP address of the IPsec-VPN connection. LocalId supports fully qualified domain names (FQDNs). If you use an FQDN, we recommend that you set the negotiation mode to aggressive.
RemoteId	Enter the IPsec identifier in the data center. The IPsec identifier is used for phase 1 negotiation. The default identifier is the public IP address of the customer gateway. RemoteId supports FQDNs. If you use an FQDN, we recommend that you set the negotiation mode to aggressive.
IPsec Settings
Encryption Algorithm	Select the encryption algorithm that is used in phase 2 negotiation. Supported algorithms are aes (default), aes192, aes256, des, and 3des.
Authentication Algorithm	Select the authentication algorithm that is used in phase 2 negotiation. Valid values: sha1 (default) and md5.
DH Group	Select the DH key exchange algorithm that is used in phase 2 negotiations. Valid values: disabled: does not use a DH key exchange algorithm. For clients that do not support perfect forward secrecy (PFS), select disabled. If you select a value other than disabled, the PFS feature is enabled by default, which requires a key update for every renegotiation. Therefore, you must also enable PFS on the client. group1: DH group 1 group2: DH group 2 (default) group5: DH group 5 group14: DH group 14
SA Lifetime (seconds)	Enter a lifetime for the SA after phase 2 negotiation succeeds. Unit: seconds. Default value: 86400. Valid values: 0 to 86400.
DPD	Select whether to enable the dead peer detection (DPD) feature. After you enable DPD, the initiator of the IPsec-VPN connection sends DPD packets to check the existence and availability of the peer. If no response is received from the peer within a specified period of time, the connection fails. The ISAKMP SA, IPsec SA, and IPsec tunnel are deleted. This feature is enabled by default.
NAT Traversal	Select whether to enable the network address translation (NAT) traversal feature. After you enable NAT traversal, the initiator does not check the UDP ports during IKE negotiations and can automatically discover NAT gateway devices along the IPsec tunnel. This feature is enabled by default.

Border Gateway Protocol (BGP) settings

After you enable BGP, IPsec-VPN connections can use BGP dynamic routing to automatically learn and advertise routes. This reduces IT maintenance costs and minimizes network configuration errors.

BGP is disabled by default. You must enable BGP before you can configure it.


Parameter	Description
Tunnel CIDR Block	Enter the CIDR block of the IPsec tunnel. The CIDR block must fall within 169.254.0.0/16. The mask of the CIDR block must be 30 bits in length.
Local BGP IP	Enter the IP address on Alibaba Cloud that the IPsec-VPN connection can access over BGP. This IP address must fall within the CIDR block of the IPsec tunnel.
Local ASN	Enter the autonomous system number (ASN) that the IPsec-VPN connection uses on Alibaba Cloud. Default value: 45104. Valid values: 1 to 4294967295. You can enter the ASN in two segments and separate the first 16 bits from the last 16 bits with a period (.). Enter the number in each segment in decimal format. For example, if you enter 123.456, the ASN is: 123 × 65536 + 456 = 8061384. Note We recommend that you use a private ASN to establish a connection with Alibaba Cloud over BGP. Refer to the relevant documentation for the private ASN range.

Health check

After you enable the health check feature, the system automatically checks the connectivity of the IPsec-VPN connection between the data center and Alibaba Cloud. Routes are selected based on the health check result to ensure high network availability.

The health check feature is disabled by default. You must enable the health check feature before you can configure it.

Important After you complete the health check settings, add a route whose destination CIDR block is Source IP, subnet mask is 32 bits in length, and next hop is the IPsec-VPN connection. This ensures that health checks can run as expected.


Parameter	Description
Destination IP	Enter the IP address of the data center that Alibaba Cloud can access over the IPsec-VPN connection.
Source IP	Enter the IP address on Alibaba Cloud that the data center can access over the IPsec-VPN connection.
Retry Interval	Enter the interval between two consecutive health checks. Unit: seconds. Default value: 3.
Retries	Enter the number of health check retries.
Switch Route	Select whether to allow the system to withdraw routes if they fail health checks. Default value: Yes. If a route fails health checks, the route is withdrawn. If you clear Yes, routes are not withdrawn if they fail health checks.

Advanced configurations

When you attach the IPsec-VPN connection to the transit router, the following advanced features are selected by default.


Parameter	Description
Automatically Advertise Routes to VPN	If you enable this feature, the system automatically advertises the routes in the route table of the transit router to the BGP route table that is used by the IPsec-VPN connection. Note This feature takes effect only if BGP dynamic routing is enabled for the IPsec-VPN connection and data center. You can disable this feature by turning off Automatic Route Advertisement. For more information, see Manage automatic route advertising from the transit router to the IPsec-VPN connection.
Associate with Default Route Table of Transit Router	If you enable this feature, the attachment between the transit router and IPsec-VPN connection is associated with the default route table of the transit router. The transit router queries the default route table to forward traffic from the IPsec-VPN connection.
Propagate System Routes to Default Route Table of Transit Router	If you enable this feature, the attachment between the transit router and IPsec-VPN connection advertises the routes in the destination route table used by the IPsec-VPN connection and the routes in the BGP route table to the default route table of the transit router.

You can disable the preceding advanced features, and use the transit router to establish network communication based on business requirements. For more information, see Manage routes.

Manage automatic route advertising from the transit router to the IPsec-VPN connection

If BGP dynamic routing is enabled for the IPsec-VPN connection and data center, you can perform the following steps to specify whether the transit router automatically advertises routes that are learned from other network instances to the IPsec-VPN connection.

Log on to the CEN console.
On the Instances page, find the CEN instance that you want to manage and click the instance ID.
On the Basic Settings > Transit Router tab, click the ID of the transit router that you want to manage.
On the Intra-region Connections tab, find the connection that you want to manage and click the ID.
In the Attachment Details panel, find the Basic Information section and click Disable or Enable next to Automatic Route Advertisement.
- If you selected Automatically Advertise Routes to VBR when you created the connection, Automatic Route Advertisement is set to Yes. You can click Disable next to Automatic Route Advertisement to disable Automatic Route Advertisement. This way, the transit router cannot automatically advertise routes learned from other network instances to the IPsec-VPN connection.
  After you disable Automatic Route Advertisement, routes that are already advertised to the IPsec-VPN connection are automatically withdrawn.
- If you did not select Automatically Advertise Routes to VBR when you created the connection, Automatic Route Advertisement is set to No. You can click Enable next to Automatic Route Advertisement to enable Automatic Route Advertisement. This way, the transit router can automatically advertise routes learned from other network instances to the IPsec-VPN connection.

Associate the attachment with another transit router route table

Log on to the CEN console.
On the Instances page, find the CEN instance that you want to manage and click the instance ID.
On the Basic Settings > Transit Router tab, click the ID of the transit router that you want to manage.
On the Intra-region Connections tab, find the attachment that you want to manage and click the ID.
In the Attachment Details panel, find the Basic Information section and click Modify next to Associated Route Table.
In the Modify Route Table dialog box, select a route table and click OK.

References

CreateTransitRouterVpnAttachment: attaches an IPsec-VPN connection to a transit router.
UpdateTransitRouterVpnAttachmentAttribute: modifies the configuration of the attachment between a transit router and an IPsec-VPN connection.
UpdateTransitRouterRouteTable: associates the attachment between a transit router and an IPsec-VPN connection with another transit router route table.