VPN Gateway allows you to connect on-premises data centers, corporate networks, and individual clients to Alibaba Cloud Virtual Private Cloud (VPC) networks through encrypted tunnels. This topic describes how to connect an on-premises data center to a VPC by using an IPsec-VPN tunnel, so that DTS can reach a database that runs in the data center.

Prerequisites

  • The gateway device that you use to connect to Alibaba Cloud supports the standard IKEv1 and IKEv2 protocols. In this example, IKEv2 must be supported because multiple subnets are configured. Compatible devices include certain models manufactured by Hillstone, Sangfor, Cisco ASA, Juniper, SonicWall, Nokia, IBM, and Ixia.
  • The gateway device has a static public IP address assigned.
  • The IP address ranges of the on-premises network do not overlap the IP address ranges of the VPC.

Background information

You can select User-created database connected over Express Connect, VPN Gateway, or Smart Access Gateway when you create a replication task in data migration, data synchronization, or change tracking mode, and then enter the private IP address of your on-premises database.

Precautions

If you have already connected your on-premises networks to Alibaba Cloud, you can skip the steps of VPN tunnel setup. However, you need to whitelist DTS servers in your VPN settings and create several static routes. To do this, follow these steps:

  1. Add the CIDR blocks of DTS servers to the IPsec-VPN connection. For more information, see Modify an IPsec-VPN connection.
    Note Click + Add CIDR Block and enter the CIDR blocks of DTS servers for the corresponding region. For more information, see Add the CIDR blocks of DTS servers to the security settings of on-premises databases.
  2. Configure static routes on your customer gateway. For more information, see Step 4: Configure an IPsec-VPN connection and a static route on the on-premises gateway.

Billing

VPN Gateway is a paid service. For more information, see Pay-as-you-go.

Step 1: Create a VPN gateway

  1. Log on to the VPC console.
  2. In the upper-left corner of the page, select a region.
  3. In the left-side navigation pane, click Interconnections > VPN > VPN Gateways.
  4. On the VPN Gateways page, click Create VPN Gateway.
  5. Complete the VPN gateway settings as follows:
    • Name: Enter a name for the VPN gateway.
    • Region: Select the region where you want to deploy the VPN gateway.
      Note Make sure that the VPC and the VPN gateway are deployed in the same region.
    • VPC: Select the VPC to be associated with the VPN gateway.
    • Specify vSwitch: Specify whether to create the VPN gateway in a vSwitch of the VPC. In this example, No is selected.

      If you select Yes, you must also specify a vSwitch.

    • Peak Bandwidth: Select a maximum bandwidth value for the VPN gateway. Unit: Mbit/s.
    • Traffic: By default, the VPN gateway uses the pay-by-data-transfer billing method.
    • IPsec-VPN: Specify whether to enable IPsec-VPN for the VPN gateway. In this example, Enable is selected.
    • SSL-VPN: Specify whether to enable SSL-VPN. In this example, Disable is selected.
    • Duration: By default, the VPN gateway is billed on an hourly basis.
  6. Click Buy Now and follow the instructions to complete the payment.

Step 2: Create a customer gateway

  1. Log on to the VPC console.
  2. In the upper-left corner of the page, select the region where the VPN gateway resides.
  3. In the left-side navigation pane, click Interconnections > VPN > Customer Gateways.
  4. Click Create Customer Gateway.
  5. Complete the customer gateway settings as follows:
    Parameter Description
    Name Enter a name for the customer gateway.
    IP Address Enter the static public IP address of the gateway device of the on-premises data center.
    ASN Enter the autonomous system number (ASN) of the gateway device in the data center. This value is used only if you run BGP dynamic routing over the tunnel.
    Description The description must be 2 to 256 characters in length and cannot start with http:// or https://.
  6. Click OK.

Step 3: Create an IPsec-VPN connection and configure a route

  1. Log on to the VPC console.
  2. In the upper-left corner of the page, select the region to which the VPN gateway belongs.
  3. In the left-side navigation pane, click Interconnections > VPN > IPsec Connections.
  4. Click Create IPsec Connection.
  5. In the Create IPsec Connection pane, complete the settings as follows:
    Parameter Description
    Name Enter a name for the IPsec-VPN connection. The name must be 2 to 128 characters in length and can contain digits, hyphens (-), and underscores (_). It must start with a letter.

    VPN Gateway Select the standard VPN gateway to be connected through the IPsec-VPN connection.
    Customer Gateway Select the customer gateway to be connected through the IPsec-VPN connection.
    Routing Mode Select a routing mode. Default value: Destination Routing Mode.
    • Destination Routing Mode: forwards traffic to specified destination IP addresses.

      After you create an IPsec-VPN connection, you must add destination-based routes to the route table of the VPN gateway.

    • Protected Data Flows: forwards traffic based on source and destination IP addresses.

      If you select Protected Data Flows when you create an IPsec-VPN connection, you must configure Local Network and Remote Network. After you complete the configurations, the system automatically adds policy-based routes to the route table of the VPN gateway.

      After the system adds policy-based routes to the route table of the VPN gateway, the routes are not advertised by default. You must manually advertise the routes to the VPC.

    Note
    • If you use an earlier version of VPN Gateway, you do not need to select a routing mode. After you create an IPsec-VPN connection, you must manually add destination-based routes or policy-based routes to the VPN gateway.
    • Do not create a route whose destination CIDR block is 100.64.0.0/10 or one of its subnets and whose next hop is an IPsec-VPN connection. Such a route causes one of the following errors: the status of the IPsec-VPN connection cannot be displayed in the console, or the negotiations of the IPsec-VPN connection fail.
    Local Network Enter the CIDR block on the VPC side. The CIDR block is used in Phase 2 negotiations.
    Click Add next to the field to add multiple CIDR blocks on the VPC side.
    Note You can add multiple CIDR blocks only if IKEv2 is used.
    Remote Network Enter the CIDR block on the data center side. This CIDR block is used in Phase 2 negotiations.
    Click Add next to the field to add multiple CIDR blocks on the data center side.
    Note You can add multiple CIDR blocks only if IKEv2 is used.
    Effective Immediately Specify whether to immediately start negotiations.
    • Yes: starts connection negotiations after the configuration is completed.
    • No: starts negotiations when inbound traffic is detected.
    Pre-Shared Key Enter the pre-shared key that is used for identity authentication between the VPN gateway and the data center. The key must be 1 to 100 characters in length. Use a long, randomly generated value: the key is the only credential that authenticates the two peers, so a short or guessable key is the weakest point of the tunnel.

    If you do not specify a pre-shared key, the system randomly generates a 16-character string as the pre-shared key. After you create an IPsec-VPN connection, you can click Edit to view the pre-shared key that is generated by the system.

    Notice The pre-shared key of the IPsec-VPN connection must be the same as the authentication key of the data center. Otherwise, you cannot establish a connection between the data center and the VPN gateway.
    Advanced Configuration: IKE Configurations
    Version Select an IKE version.
    • ikev1
    • ikev2

    IKEv1 and IKEv2 are supported. Compared with IKEv1, IKEv2 simplifies the SA negotiation process and provides better support for scenarios in which multiple CIDR blocks are used. We recommend that you select IKEv2.

    Negotiation Mode Select a negotiation mode. This setting is meaningful only for IKEv1; IKEv2 has a single exchange type.
    • main: Identities are exchanged only after the Diffie-Hellman exchange, so they travel encrypted and the pre-shared key is not exposed to a passive observer. Use this mode whenever the gateway device supports it.
    • aggressive: Completes in fewer messages and is more likely to succeed with devices that identify themselves by FQDN, but the identities and the PSK-based authentication hash are sent in the clear. Anyone who captures the exchange can run an offline dictionary attack against the pre-shared key, so if you must use this mode, use a long random key.

    After the tunnel is established, both modes protect the transmitted data with the same IPsec SAs; the difference lies only in what the negotiation itself reveals.

    Encryption Algorithm Select the encryption algorithm that is used in Phase 1 negotiations. Supported algorithms are aes, aes192, aes256, des, and 3des, where aes denotes AES-128. des and 3des are obsolete; select aes256, or at least aes, unless the gateway device cannot.
    Authentication Algorithm Select the integrity algorithm that is used in Phase 1 negotiations. Supported algorithms are sha1, md5, sha256, sha384, and sha512. md5 is broken and sha1 is weak; select sha256 or stronger unless the gateway device cannot.
    DH Group Select the Diffie-Hellman (DH) group that is used for the key exchange in Phase 1 negotiations. The following DH groups are supported:
    • group1: DH group 1 (768-bit MODP)
    • group2: DH group 2 (1024-bit MODP)
    • group5: DH group 5 (1536-bit MODP)
    • group14: DH group 14 (2048-bit MODP)
    Groups 1 and 2 are too small to resist a well-resourced attacker. Select group14 unless the gateway device does not support it, and configure the same group on the device.
    SA Life Cycle (seconds) Specify the lifetime of the SA after Phase 1 negotiations succeed. Unit: seconds. Default value: 86400. Valid values: 0 to 86400.
    LocalId Specify the identifier of the VPN gateway that is used in Phase 1 negotiations. The default value is the public IP address of the VPN gateway. If you set LocalId to a fully qualified domain name (FQDN), we recommend that you set Negotiation Mode to aggressive.
    RemoteId Specify the identifier of the customer gateway that is used in Phase 1 negotiations. The default value is the public IP address of the customer gateway. If you set RemoteId to an FQDN, we recommend that you set Negotiation Mode to aggressive.
    Advanced Configuration: IPSec Configurations
    Encryption Algorithm Select the encryption algorithm that is used in Phase 2 negotiations. Supported algorithms are aes, aes192, aes256, des, and 3des. The same caveats as for Phase 1 apply: avoid des and 3des.
    Authentication Algorithm Select the integrity algorithm that is used in Phase 2 negotiations. Supported algorithms are sha1, md5, sha256, sha384, and sha512. The same caveats as for Phase 1 apply: avoid md5 and sha1.
    DH Group Select the DH group that is used for perfect forward secrecy (PFS) in Phase 2 negotiations. With PFS, every Phase 2 rekey performs a fresh Diffie-Hellman exchange, so compromise of the Phase 1 keys or of the pre-shared key does not reveal the keys of earlier or later Phase 2 SAs. Standard VPN gateways support the following values:
    • disabled: does not perform a DH exchange in Phase 2, so there is no PFS.
      • Select disabled only for gateway devices that do not support PFS.
      • If you select any other value, PFS is enabled and a new DH exchange is required at every renegotiation. The gateway device must then be configured with PFS and the same group; a mismatch makes Phase 2 fail even though Phase 1 succeeds.
    • group1: DH group 1 (768-bit MODP)
    • group2: DH group 2 (1024-bit MODP)
    • group5: DH group 5 (1536-bit MODP)
    • group14: DH group 14 (2048-bit MODP)
    As in Phase 1, group14 is the recommended choice.
    SA Life Cycle (seconds) Specify the lifetime of the SA after Phase 2 negotiations succeed. Unit: seconds. Default value: 86400. Valid values: 0 to 86400. A Phase 2 lifetime shorter than the Phase 1 lifetime limits the amount of traffic protected by a single key.
    DPD Specify whether to enable dead peer detection (DPD). This feature is enabled by default. With DPD, the VPN gateway sends periodic liveness requests and tears down the SAs of a peer that stops answering, so a failed gateway is detected instead of silently black-holing traffic.
    NAT Traversal Specify whether to enable NAT traversal (NAT-T). This feature is enabled by default. Keep it enabled if the gateway device sits behind a NAT device: ESP packets are then encapsulated in UDP on port 4500 so that the NAT device can forward them.
    BGP Configuration
    Tunnel CIDR Block Enter the CIDR block of the IPsec tunnel.

    The CIDR block must fall within 169.254.0.0/16. The subnet mask of the CIDR block must be 30 bits in length.

    Local BGP IP address Enter the BGP IP address on the VPC side.

    This IP address must fall within the CIDR block of the IPsec tunnel.

    Note Make sure that the BGP IP addresses on the VPC side and on the data center side do not conflict with each other.
    Local ASN Enter the autonomous system number (ASN) on the VPC side. Valid values: 1 to 4294967295. Default value: 45104.
    Note We recommend that you use a private ASN to establish a connection with Alibaba Cloud over BGP. Private ASNs are 64512 to 65534 (16-bit) and 4200000000 to 4294967294 (32-bit), as defined in RFC 6996.
    Health Check
    Destination IP Enter the IP address on the data center side that the VPC can communicate with through the IPsec-VPN connection.
    Source IP Enter the IP address on the VPC side that the data center can communicate with through the IPsec-VPN connection.
    Retry Interval Specify the interval between two consecutive health checks. Unit: seconds.
    Number of Retries Specify the maximum number of health check retries.
  6. Click OK.
  7. In the success message, click OK to configure routing for the VPN gateway.
  8. The VPN Gateway page appears. On the Destination-based Routing tab, click Add Route Entry.
  9. In the Add Route Entry pane, complete the settings as follows.
    Setting Description
    Destination CIDR block Enter the private CIDR block of the on-premises network. In this example, enter 192.168.10.0/24.
    Next Hop Type Select IPsec Connection.
    Next Hop Select the IPsec-VPN connection that you create.
    Publish to VPC Specify whether to publish the new route entry to the VPC routing table.
    • Yes (recommended): publish the new route entry to the VPC routing table.
    • No: do not publish the new route entry to the VPC routing table.
      Note If you select No, you must publish the route entry to the VPC routing table yourself after you add the destination-based route entry.
    Weight Select a weight:
    • 100: The highest weight
    • 0: The lowest weight
    Note If two static routes are based on the same destination CIDR block, you cannot set the weight of both route entries to 100.
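The parameter table above spells out several rules in prose: the VPC and on-premises ranges must not overlap, multiple CIDR blocks need IKEv2, no 100.64.0.0/10 route may point at the IPsec connection, the BGP tunnel CIDR must be a /30 inside 169.254.0.0/16, and the ASN should be private, in addition to the algorithm and negotiation-mode caveats. The script below applies all of them before you click OK. It is an added example written for this page, not Alibaba Cloud code; the dict layout is an assumption that mirrors the console fields, and the two sample connections (WEAK and HARDENED) are constructed from RFC 1918 and RFC 5737 addresses.

```python
"""Pre-flight audit of an IPsec-VPN connection as configured in Step 3.

Added example, not Alibaba Cloud code. The dict layout is an assumption
that mirrors the console fields; WEAK and HARDENED are constructed samples.
"""
import ipaddress

WEAK_ENC = {"des", "3des"}
WEAK_AUTH = {"md5", "sha1"}
WEAK_DH = {"group1", "group2"}                            # 768- and 1024-bit MODP
SHARED_SPACE = ipaddress.ip_network("100.64.0.0/10")      # never route via IPsec
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")       # BGP tunnel CIDR lives here
PRIVATE_ASN = ((64512, 65534), (4200000000, 4294967294))  # RFC 6996


def audit(conn):
    """Return (severity, code, message) findings; an empty list means clean."""
    f = []
    local = [ipaddress.ip_network(c) for c in conn["local_network"]]
    remote = [ipaddress.ip_network(c) for c in conn["remote_network"]]
    ike, esp = conn["ike"], conn["ipsec"]

    # Prerequisite: on-premises and VPC ranges must not overlap.
    for a in local:
        for b in remote:
            if a.overlaps(b):
                f.append(("error", "OVERLAP", f"VPC {a} overlaps on-premises {b}"))
    # Multiple CIDR blocks on either side need IKEv2.
    if ike["version"] == "ikev1" and (len(local) > 1 or len(remote) > 1):
        f.append(("error", "IKEV1_MULTI_SUBNET", "multiple CIDR blocks require ikev2"))

    # Algorithm and lifetime checks, same rules for both phases.
    for phase, cfg in (("IKE", ike), ("IPsec", esp)):
        if cfg["enc"] in WEAK_ENC:
            f.append(("warn", "WEAK_ENC", f"{phase}: {cfg['enc']} is obsolete, use aes256"))
        if cfg["auth"] in WEAK_AUTH:
            f.append(("warn", "WEAK_AUTH", f"{phase}: {cfg['auth']} is weak, use sha256 or better"))
        if not 0 <= cfg["lifetime"] <= 86400:
            f.append(("error", "LIFETIME", f"{phase}: lifetime must be 0 to 86400 seconds"))
    if ike["dh"] in WEAK_DH:
        f.append(("warn", "WEAK_DH", f"IKE: {ike['dh']} is too small, use group14"))
    if esp["pfs"] == "disabled":
        f.append(("warn", "PFS_OFF", "IPsec: no PFS, Phase 2 keys derive from Phase 1 material only"))
    elif esp["pfs"] in WEAK_DH:
        f.append(("warn", "WEAK_DH", f"IPsec: {esp['pfs']} is too small, use group14"))

    # IKEv1 aggressive mode sends the PSK-based authentication hash in the clear.
    if ike["version"] == "ikev1" and ike.get("mode") == "aggressive":
        f.append(("warn", "AGGRESSIVE_PSK", "IKEv1 aggressive mode exposes the PSK hash to offline guessing"))
    psk = ike.get("psk", "")
    if psk and not 1 <= len(psk) <= 100:
        f.append(("error", "PSK_LEN", "pre-shared key must be 1 to 100 characters"))
    elif psk and len(psk) < 16:
        f.append(("warn", "PSK_LEN", "pre-shared key is short, use at least 16 random characters"))

    # Destination routes on the VPN gateway whose next hop is the IPsec connection.
    for dst in conn.get("gateway_routes", []):
        if ipaddress.ip_network(dst).subnet_of(SHARED_SPACE):
            f.append(("error", "ROUTE_100_64", f"route {dst} via IPsec breaks status display or negotiation"))

    bgp = conn.get("bgp")
    if bgp:
        tun = ipaddress.ip_network(bgp["tunnel_cidr"])
        if tun.prefixlen != 30 or not tun.subnet_of(LINK_LOCAL):
            f.append(("error", "TUNNEL_CIDR", "tunnel CIDR must be a /30 inside 169.254.0.0/16"))
        elif ipaddress.ip_address(bgp["local_bgp_ip"]) not in tun:
            f.append(("error", "BGP_IP", "local BGP IP must be inside the tunnel CIDR"))
        if not any(lo <= bgp["local_asn"] <= hi for lo, hi in PRIVATE_ASN):
            f.append(("warn", "ASN_PUBLIC", f"ASN {bgp['local_asn']} is not a private ASN"))
    return f


# Constructed sample: the choices a hurried setup might make.
WEAK = {
    "local_network": ["172.16.0.0/16"],
    "remote_network": ["192.168.10.0/24"],
    "ike": {"version": "ikev1", "mode": "aggressive", "enc": "3des", "auth": "md5",
            "dh": "group2", "lifetime": 86400, "psk": "alicloud"},
    "ipsec": {"enc": "aes", "auth": "sha1", "pfs": "disabled", "lifetime": 86400},
    "gateway_routes": ["192.168.10.0/24", "100.64.10.0/24"],
}

# Constructed sample: the same connection with the settings this page recommends.
HARDENED = {
    "local_network": ["172.16.0.0/16", "172.17.0.0/16"],
    "remote_network": ["192.168.10.0/24"],
    "ike": {"version": "ikev2", "enc": "aes256", "auth": "sha256", "dh": "group14",
            "lifetime": 86400, "psk": "Kz8!vQ2mR7pLw4sX9bN3tY6c"},
    "ipsec": {"enc": "aes256", "auth": "sha256", "pfs": "group14", "lifetime": 3600},
    "gateway_routes": ["192.168.10.0/24"],
    "bgp": {"tunnel_cidr": "169.254.10.0/30", "local_bgp_ip": "169.254.10.1", "local_asn": 65010},
}

if __name__ == "__main__":
    for name, conn in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(conn) or "clean")
```

Run it against the dict you intend to enter in the console; errors correspond to settings the page says will not work, warnings to settings that work but weaken the tunnel. The algorithm warnings are deliberately one-sided: they flag what the gateway device should be moved away from, not whether the device supports the stronger choice, so check the device's proposal list as well.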

Step 4: Configure an IPsec-VPN connection and a static route on the on-premises gateway

  1. Log on to the VPC console.
  2. In the upper-left corner of the page, select the region where the VPN gateway resides.
  3. In the left-side navigation pane, click Interconnections > VPN > IPsec Connections.
  4. Find the target IPsec-VPN connection, click the More icon in the Actions column, and choose Download Configuration.
  5. In the IPsec Connection Configuration pane, the JSON notation of the peer configuration is displayed. Add the peer configuration to the on-premises gateway device. The configurations vary depending on the device manufacturer and model.
    Peer configuration
  6. Add a static route entry to the on-premises gateway device. The destination addresses are the CIDR blocks of DTS servers for the corresponding region. For more information, see Add the CIDR blocks of DTS servers to the security settings of on-premises databases. The next hop is the new IPsec-VPN tunnel interface. The same DTS CIDR blocks must also appear in the Phase 2 traffic selectors (the remote network) on the device: a route alone only steers the packets toward the tunnel, and without a matching selector they are dropped or forwarded outside the tunnel, depending on the device.
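As a concrete instance of steps 5 and 6 for one device type, the script below turns the downloaded JSON into a strongSwan swanctl.conf and the route commands for a Linux gateway. It is an added example, not Alibaba Cloud's or the strongSwan project's code, and it makes these assumptions: the JSON keys (Local, Remote, LocalSubnet, RemoteSubnet, IkeConfig, IpsecConfig) match what the console download contains, which you should verify against your own file; the gateway runs strongSwan 5.8 or later with XFRM interfaces, giving a route-based tunnel; and the interface names ipsec0 and eth0 and the interface ID 42 are placeholders. The sample JSON is constructed from documentation addresses, with 203.0.113.128/25 standing in for the region's DTS CIDR block that the Precautions section says to add to the connection.

```python
"""Render the downloaded peer configuration as strongSwan swanctl.conf plus routes.

Added example, not Alibaba Cloud or strongSwan project code. JSON keys are
assumed to match the console download; verify against your own file.
"Local" in the download is the VPN gateway side, so it becomes our remote.
"""
import json

# Constructed sample of the downloaded file (RFC 5737/1918 addresses).
# 203.0.113.128/25 stands in for the region's DTS CIDR block.
PEER_JSON = """{
  "Local": "203.0.113.10",
  "Remote": "198.51.100.20",
  "LocalSubnet": "172.16.0.0/16,203.0.113.128/25",
  "RemoteSubnet": "192.168.10.0/24",
  "IkeConfig": {"IkeVersion": "ikev2", "IkeMode": "main", "IkeEncAlg": "aes256",
                "IkeAuthAlg": "sha256", "IkePfs": "group14", "IkeLifetime": 86400,
                "LocalId": "203.0.113.10", "RemoteId": "198.51.100.20",
                "Psk": "Kz8!vQ2mR7pLw4sX9bN3tY6c"},
  "IpsecConfig": {"IpsecEncAlg": "aes256", "IpsecAuthAlg": "sha256",
                  "IpsecPfs": "group14", "IpsecLifetime": 3600}
}"""

XFRM_IF, XFRM_ID, UNDERLAY = "ipsec0", 42, "eth0"   # hypothetical names, adjust to the host

# Console algorithm names -> strongSwan names ("aes" in the console is AES-128).
ENC = {"aes": "aes128", "aes192": "aes192", "aes256": "aes256", "3des": "3des", "des": "des"}
DH = {"group1": "modp768", "group2": "modp1024", "group5": "modp1536", "group14": "modp2048"}


def load_peer(text=PEER_JSON):
    return json.loads(text)


def proposal(enc, auth, dh):
    """Build a strongSwan proposal string; PFS 'disabled' simply omits the DH group."""
    parts = [ENC[enc], auth] + ([DH[dh]] if dh != "disabled" else [])
    return "-".join(parts)


def render_swanctl(peer):
    ike, esp = peer["IkeConfig"], peer["IpsecConfig"]
    version = 2 if ike["IkeVersion"] == "ikev2" else 1
    # Negotiation mode only matters for IKEv1.
    aggressive = "    aggressive = yes\n" if version == 1 and ike["IkeMode"] == "aggressive" else ""
    # Rekey at 90% of the peer's SA lifetime so our rekey lands before its hard expiry.
    ike_rekey = int(ike["IkeLifetime"] * 0.9)
    esp_rekey = int(esp["IpsecLifetime"] * 0.9)
    return f"""connections {{
  alicloud {{
    version = {version}
{aggressive}    local_addrs = {peer['Remote']}
    remote_addrs = {peer['Local']}
    local {{
      auth = psk
      id = {ike['RemoteId']}
    }}
    remote {{
      auth = psk
      id = {ike['LocalId']}
    }}
    proposals = {proposal(ike['IkeEncAlg'], ike['IkeAuthAlg'], ike['IkePfs'])}
    rekey_time = {ike_rekey}s
    dpd_delay = 30s
    if_id_in = {XFRM_ID}
    if_id_out = {XFRM_ID}
    children {{
      vpc {{
        local_ts = {peer['RemoteSubnet']}
        remote_ts = {peer['LocalSubnet']}
        esp_proposals = {proposal(esp['IpsecEncAlg'], esp['IpsecAuthAlg'], esp['IpsecPfs'])}
        rekey_time = {esp_rekey}s
        life_time = {esp['IpsecLifetime']}s
        start_action = start
        dpd_action = restart
      }}
    }}
  }}
}}
secrets {{
  ike-alicloud {{
    id-gw = {ike['LocalId']}
    secret = "{ike['Psk']}"
  }}
}}
"""


def render_routes(peer):
    """Step 6: bring up the XFRM interface and route every remote subnet (VPC and DTS) through it."""
    cmds = [f"ip link add {XFRM_IF} type xfrm dev {UNDERLAY} if_id {XFRM_ID}",
            f"ip link set {XFRM_IF} up"]
    cmds += [f"ip route add {cidr} dev {XFRM_IF}" for cidr in peer["LocalSubnet"].split(",")]
    return cmds


if __name__ == "__main__":
    peer = load_peer()
    print(render_swanctl(peer))
    print("\n".join(render_routes(peer)))
```

Write the output of render_swanctl to /etc/swanctl/conf.d/alicloud.conf, set charon.install_routes = no in strongswan.conf so that strongSwan does not also install policy routes in routing table 220, run the commands from render_routes as root, then run swanctl --load-all and swanctl --initiate --child vpc. Confirm with swanctl --list-sas that the child SA's remote_ts lists both the VPC CIDR and the DTS block; if only one shows up, the selectors on the two sides do not match and DTS traffic will not be protected.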