IPsec-VPN connections attached to a transit router have been upgraded to dual-tunnel mode. You can no longer create single-tunnel IPsec-VPN connections. This topic describes how to manage and modify existing single-tunnel IPsec-VPN connections.
Modify an IPsec-VPN connection
If an IPsec-VPN connection is attached to a transit router, you cannot modify the associated transit router, the zone, or the gateway type. You can modify the associated customer gateway, routing mode, pre-shared key, and encryption configurations.
If the IPsec-VPN connection is not attached to any resource, you cannot modify the gateway type. You can modify the customer gateway, routing mode, pre-shared key, and encryption configurations.
Log on to the VPN Gateway console.
In the left-side navigation pane, choose .
In the top navigation bar, select the region of the IPsec-VPN connection.
On the IPsec Connections page, find the IPsec-VPN connection that you want to manage and click Edit in the Actions column.
On the Modify IPsec-VPN Connection page, modify the name, encryption configurations, and CIDR blocks of the IPsec-VPN connection, and then click OK.
Basic configurations
Configuration item
Description
Routing Mode
Select a routing mode for the IPsec-VPN connection.
Destination Routing Mode(default): Routes and forwards traffic based on the destination IP address.
Protected Data Flows: Precisely routes and forwards traffic based on the source and destination IP addresses.
If you select Protected Data Flows, you must configure Local Network and Remote Network. After the IPsec-VPN connection is configured, the system automatically adds a destination-based route to the route table of the IPsec-VPN connection. The route is advertised to the route table of the transit router that is associated with the IPsec-VPN connection by default.
Local Network
If you set Routing Mode to Protected Data Flows, enter the CIDR block on the Alibaba Cloud side that needs to communicate with the data center. During Phase 2 negotiation, we recommend that the Local Network on the Alibaba Cloud side be the same as the remote CIDR block on the data center side.
Click the icon to the right of the text box to add multiple CIDR blocks on the Alibaba Cloud side that need to communicate with the data center.
Note: If you configure multiple CIDR blocks, you must set the IKE version to ikev2.
Remote Network
If you set Routing Mode to Protected Data Flows, enter the CIDR block of the data center that needs to communicate with Alibaba Cloud. During Phase 2 negotiation, we recommend that the Remote Network on the Alibaba Cloud side be the same as the local CIDR block on the data center side.
Click the icon to the right of the text box to add multiple CIDR blocks of the data center that need to communicate with Alibaba Cloud.
Note: If you configure multiple CIDR blocks, you must set the IKE version to ikev2.
Effective Immediately
Specifies whether the configurations of the IPsec-VPN connection take effect immediately.
Yes (default): The system immediately starts IPsec negotiation after the configurations are complete.
No: The system starts IPsec negotiation only when traffic is detected.
Customer Gateway
Select the customer gateway to associate with the IPsec-VPN connection.
Pre-Shared Key
Enter the authentication key for the IPsec-VPN connection. The key is used for identity authentication between the transit router instance and the data center.
The key can be 1 to 100 characters in length and can contain digits, letters, and the following special characters:
~`!@#$%^&*()_-+={}[]\|;:',.<>/?. It cannot contain spaces.
Important: The pre-shared keys on both sides of the IPsec-VPN connection must be the same. Otherwise, the IPsec-VPN connection cannot be established.
Enable BGP
If you want to use BGP dynamic routing for the IPsec-VPN connection, turn on this switch. BGP is disabled by default.
Before you use BGP dynamic routing, we recommend that you understand how it works and its limits. For more information, see Configure BGP dynamic routing.
Local ASN
The autonomous system number (ASN) of the IPsec-VPN connection on the Alibaba Cloud side. This parameter is required if you enable Border Gateway Protocol (BGP). Default value: 45104. Value range: 1 to 4294967295.
You can enter the ASN in two segments and separate the first 16 bits from the following 16 bits with a period (.). Enter the number in each segment in the decimal format.
For example, if you enter 123.456, the ASN is: 123 × 65536 + 456 = 8061384.
Note: We recommend that you use a private AS number to establish a BGP connection with Alibaba Cloud. For information about the private AS number ranges, see the relevant documentation.
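As an added example (not Alibaba Cloud's own code), the following Python checks a pre-shared key against the length and character rules above and converts a Local ASN entered either as a plain decimal or in the two-segment form described; the private AS number ranges come from RFC 6996 (the page does not list them), and all helper names are my own.

```python
import re

# Pre-shared key rules from the table above: 1 to 100 characters, digits,
# letters and the listed special characters; spaces are not allowed.
# Backslash, '[', ']' and '-' are escaped for use inside a regex class.
PSK_ALLOWED = r"0-9A-Za-z~`!@#$%^&*()_\-+={}\[\]\\|;:',.<>/?"
_PSK_RE = re.compile(rf"^[{PSK_ALLOWED}]{{1,100}}$")

ASN_MIN, ASN_MAX = 1, 4294967295
# Private AS number ranges defined in RFC 6996 (not stated on this page).
PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))


def psk_is_valid(key: str) -> bool:
    """True if the key satisfies the length and character-set rules."""
    return _PSK_RE.fullmatch(key) is not None


def parse_local_asn(text: str) -> int:
    """Accept a plain decimal ASN or the two-segment 'high.low' form, where
    each segment is a 16-bit decimal number and the ASN is high*65536 + low."""
    text = text.strip()
    if "." in text:
        high_s, low_s = text.split(".", 1)
        if not (high_s.isdecimal() and low_s.isdecimal()):
            raise ValueError(f"malformed two-segment ASN: {text!r}")
        high, low = int(high_s), int(low_s)
        if high > 65535 or low > 65535:
            raise ValueError("each 16-bit segment must be 0 to 65535")
        asn = high * 65536 + low
    elif text.isdecimal():
        asn = int(text)
    else:
        raise ValueError(f"malformed ASN: {text!r}")
    if not ASN_MIN <= asn <= ASN_MAX:
        raise ValueError(f"ASN {asn} is outside {ASN_MIN} to {ASN_MAX}")
    return asn


def asn_is_private(asn: int) -> bool:
    """True if the ASN falls in one of the RFC 6996 private ranges."""
    return any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)


if __name__ == "__main__":
    # The page's own worked example: 123.456 -> 123 * 65536 + 456
    print(parse_local_asn("123.456"))  # 8061384
```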
Encryption configurations
Configuration
Description
Encryption Configurations: IKE Configurations
Version
Select the IKE version.
ikev1
ikev2 (default)
Compared with IKEv1, IKEv2 simplifies the security association (SA) negotiation process and provides better support for multiple CIDR blocks. We recommend that you use IKEv2.
Negotiation Mode
Select a negotiation mode.
main (default): Main mode provides high security during negotiation.
aggressive: Aggressive mode is faster and has a higher success rate.
Both modes provide the same security for data transmission after a successful negotiation.
Encryption Algorithm
Select the encryption algorithm for Phase 1 negotiation.
The following encryption algorithms are supported: aes (aes128, default), aes192, aes256, des, and 3des.
Note: Use the aes128, aes192, or aes256 algorithms. Do not use the des or 3des algorithms.
Advanced Encryption Standard (AES) is a symmetric-key cryptography algorithm that provides strong encryption and decryption. AES ensures secure data transmission and has little impact on network latency, throughput, and forwarding performance.
3des is the Triple Data Encryption Algorithm. It requires a long encryption time, has high algorithmic complexity, and uses significant computing resources. Compared with AES, 3des reduces forwarding performance.
Authentication Algorithm
Select the authentication algorithm for Phase 1 negotiation.
The following authentication algorithms are supported: sha1 (default), md5, sha256, sha384, and sha512.
DH Group (Perfect Forward Secrecy)
Select the Diffie-Hellman key exchange algorithm for Phase 1 negotiation.
group1: DH1 in the DH group.
group2 (default): DH2 in the DH group.
group5: DH5 in the DH group.
group14: DH14 in the DH group.
SA Life Cycle (seconds)
Specify the lifetime of the SA after Phase 1 negotiation succeeds. Unit: seconds. Default value: 86400. Valid range: 0 to 86400.
LocalId
The identifier of the Alibaba Cloud side of the IPsec-VPN connection. It is used for Phase 1 negotiation. The default value is the gateway IP address of the IPsec-VPN connection.
This parameter serves only as an identifier for Alibaba Cloud in IPsec-VPN connection negotiation and has no other purpose. It can be an IP address or a Fully Qualified Domain Name (FQDN) and cannot contain spaces. We recommend that you use a private IP address as the identifier for the Alibaba Cloud side.
If you use an FQDN for LocalId, such as example.aliyun.com, the remote ID of the IPsec-VPN connection on the data center side must be the same as the value of LocalId. We recommend that you set the negotiation mode to aggressive.
RemoteId
The identifier of the data center side of the IPsec-VPN connection. It is used for Phase 1 negotiation. The default value is the IP address of the customer gateway.
This parameter serves only as an identifier for the data center in IPsec-VPN connection negotiation and has no other purpose. It can be an IP address or an FQDN and cannot contain spaces. We recommend that you use a private IP address as the identifier for the data center side.
If you use an FQDN for RemoteId, such as example.aliyun.com, the local ID of the IPsec-VPN connection on the data center side must be the same as the value of RemoteId. We recommend that you set the negotiation mode to aggressive.
Encryption Configurations: IPsec Configurations
Encryption Algorithm
Select the encryption algorithm for Phase 2 negotiation.
The following encryption algorithms are supported: aes (aes128, default), aes192, aes256, des, and 3des.
Note: Use the aes128, aes192, or aes256 algorithms. Do not use the des or 3des algorithms.
Advanced Encryption Standard (AES) is a symmetric-key cryptography algorithm that provides strong encryption and decryption. AES ensures secure data transmission and has little impact on network latency, throughput, and forwarding performance.
3des is the Triple Data Encryption Algorithm. It requires a long encryption time, has high algorithmic complexity, and uses significant computing resources. Compared with AES, 3des reduces forwarding performance.
Authentication Algorithm
Select the authentication algorithm for Phase 2 negotiation.
The following authentication algorithms are supported: sha1 (default), md5, sha256, sha384, and sha512.
DH Group
Select the Diffie-Hellman key exchange algorithm for Phase 2 negotiation.
disabled: The DH key exchange algorithm is not used.
For clients that do not support Perfect Forward Secrecy (PFS), select disabled.
If you select any group other than disabled, PFS is enabled by default. This requires the key to be updated during each re-negotiation. Therefore, the client must also have PFS enabled.
group1: DH1 in the DH group.
group2 (default): DH2 in the DH group.
group5: DH5 in the DH group.
group14: DH14 in the DH group.
SA Life Cycle (seconds)
Specify the lifetime of the SA after Phase 2 negotiation succeeds. Unit: seconds. Default value: 86400. Valid range: 0 to 86400.
DPD
Specifies whether to enable Dead Peer Detection (DPD). DPD is enabled by default.
After you enable DPD, the IPsec-VPN connection sends DPD messages to check whether the peer device is active. If no response is received within the specified period, the peer is considered disconnected. The IPsec-VPN connection then deletes the ISAKMP SA and the corresponding IPsec SA, and the security tunnel is also deleted. After a DPD timeout, the IPsec-VPN connection automatically re-initiates IPsec-VPN tunnel negotiation. The DPD timeout period is 30 seconds.
NAT Traversal
Specifies whether to enable Network Address Translation (NAT) traversal. NAT traversal is enabled by default.
After you enable NAT traversal, the verification of the UDP port number is removed from the IKE negotiation process. This also helps you discover NAT gateway devices in the encrypted communication channel.
BGP Configuration
If you enable BGP for the IPsec-VPN connection, you must specify the BGP tunnel CIDR block and the BGP tunnel IP address on the Alibaba Cloud side.
Configuration item
Description
Tunnel CIDR Block
Enter the CIDR block for the IPsec tunnel.
The tunnel CIDR block must be a /30 subnet within 169.254.0.0/16. It cannot be 169.254.0.0/30, 169.254.1.0/30, 169.254.2.0/30, 169.254.3.0/30, 169.254.4.0/30, 169.254.5.0/30, 169.254.6.0/30, or 169.254.169.252/30.
Local BGP IP address
Enter the BGP IP address for the Alibaba Cloud side of the IPsec-VPN connection.
This address must be an IP address within the tunnel CIDR block.
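To validate the two BGP inputs above before submitting them, here is an added Python example (not Alibaba Cloud's code) that applies the page's rules for the tunnel CIDR block (/30 within 169.254.0.0/16, none of the listed excluded blocks) and checks that the local BGP IP address lies inside that block; function names are my own.

```python
import ipaddress

TUNNEL_SUPERNET = ipaddress.ip_network("169.254.0.0/16")
# Blocks the page lists as not allowed for the tunnel CIDR block.
RESERVED_TUNNEL_BLOCKS = {ipaddress.ip_network(c) for c in (
    "169.254.0.0/30", "169.254.1.0/30", "169.254.2.0/30", "169.254.3.0/30",
    "169.254.4.0/30", "169.254.5.0/30", "169.254.6.0/30", "169.254.169.252/30",
)}


def check_tunnel_cidr(cidr: str) -> list:
    """Return rule violations for a proposed tunnel CIDR block; [] means OK."""
    try:
        # strict=True rejects host bits, e.g. 169.254.10.1/30.
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return [f"not a valid CIDR block: {exc}"]
    if net.version != 4:
        return ["tunnel CIDR block must be IPv4"]
    problems = []
    if net.prefixlen != 30:
        problems.append(f"prefix length is /{net.prefixlen}, must be /30")
    if not net.subnet_of(TUNNEL_SUPERNET):
        problems.append(f"{net} is not within {TUNNEL_SUPERNET}")
    if net in RESERVED_TUNNEL_BLOCKS:
        problems.append(f"{net} is one of the blocks that cannot be used")
    return problems


def check_local_bgp_ip(cidr: str, local_ip: str) -> list:
    """Check the tunnel block and that the local BGP IP lies inside it."""
    problems = check_tunnel_cidr(cidr)
    try:
        net = ipaddress.ip_network(cidr, strict=False)
        ip = ipaddress.ip_address(local_ip)
    except ValueError as exc:
        return problems + [f"not a valid address: {exc}"]
    # The page only requires the address to be inside the block; whether the
    # network or broadcast address of the /30 is accepted is not stated.
    if ip not in net:
        problems.append(f"{ip} is not inside tunnel CIDR block {net}")
    return problems


if __name__ == "__main__":
    print(check_local_bgp_ip("169.254.10.0/30", "169.254.10.1"))  # []
```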
Health check
Health check is disabled by default. Before you add a health check configuration, enable the health check feature.
Important: After you configure a health check for the IPsec-VPN connection, add a route entry on the data center side. Set the destination CIDR block to the Source IP Address with a 32-bit subnet mask, and set the next hop to the IPsec-VPN connection. This ensures that the health check feature works as expected.
Configuration item
Description
Destination IP Address
Enter the IP address of the data center that can be accessed from the Alibaba Cloud side through the IPsec-VPN connection.
Note: Make sure that the destination IP address supports ICMP acknowledgements.
Source IP Address
Enter the IP address on the Alibaba Cloud side that can be accessed from the data center through the IPsec-VPN connection.
Retry Interval
Select the interval for health check retries. Unit: seconds. Default value: 3.
Number of Retries
Select the number of health check retries. Default value: 3.
Switch Route
Specifies whether the system is allowed to revoke advertised routes after a health check fails. Default value: Yes. This means that after a health check fails, the system is allowed to revoke the advertised routes.
If you clear the Yes check box, the system does not revoke the advertised routes after a health check fails.
Grant cross-account authorization from an IPsec-VPN connection to a transit router instance
If you select Cross-account Attachment for the Cloud Enterprise Network Option when you create an IPsec-VPN connection, you must grant authorization to the cross-account transit router after the connection is created. To do this, perform the following steps.
Before you grant authorization, make sure that the IPsec-VPN connection is not attached to a transit router. If the IPsec-VPN connection is already attached to a transit router, detach it first. For more information, see Delete a network instance connection.
Log on to the VPN Gateway console.
In the left-side navigation pane, choose .
In the top navigation bar, select the region of the IPsec-VPN connection.
On the IPsec Connections page, find the target IPsec-VPN connection and click its ID.
On the IPsec-VPN connection product page, click the Cross-account Authorization tab, and then click Cross-account Authorization.
In the Attach to CEN dialog box, configure the following parameters and click OK.
Configuration item
Description
Peer Account UID
The ID of the Alibaba Cloud account to which the transit router instance belongs.
Peer CEN Instance ID
The ID of the CEN instance to which the transit router instance belongs.
Payer
Select the party who pays the fees.
CEN Instance Owner (default): The account that owns the transit router instance pays the connection fee and data transfer fee for the transit router after the IPsec-VPN connection is attached.
VPN Owner: The account that owns the IPsec-VPN connection pays the connection fee and data transfer fee for the transit router after the IPsec-VPN connection is attached.
Important: Select the payer with caution. Changing the payer may affect your services. For more information, see Change the payment account.
The account that owns the IPsec-VPN connection still pays the instance fee and data transfer fee for the IPsec-VPN connection after it is attached to the transit router instance.
Record the IPsec-VPN connection ID and the ID of the Alibaba Cloud account to which the IPsec-VPN connection belongs. You need this information to create a VPN connection later. For more information, see Create a VPN connection.
You can view the account ID on the Account Management page.

Revoke cross-account authorization from an IPsec-VPN connection to a transit router instance
If the IPsec-VPN connection no longer needs to be attached to the cross-account transit router, you can revoke the authorization.
If the cross-account transit router is already attached to the IPsec-VPN connection, detach it first. For more information, see Delete a network instance connection.
Delete an IPsec-VPN connection
If the IPsec-VPN connection is attached to a transit router, make sure that the connection is detached from the transit router before you proceed. For more information, see Delete a network instance connection.
Log on to the VPN Gateway console.
In the left-side navigation pane, choose .
In the top navigation bar, select the region of the IPsec-VPN connection.
On the IPsec Connections page, find the target IPsec-VPN connection and click Delete in the Actions column.
In the dialog box that appears, confirm the information and click OK.
Manage IPsec-VPN connections by calling API operations
You can manage IPsec-VPN connections by calling API operations with tools such as Alibaba Cloud SDK (recommended), Alibaba Cloud CLI, Terraform, and Resource Orchestration Service. For more information about the API operations, see the following topics: