This topic describes how to create an IPsec-VPN connection in single-tunnel mode between a virtual private cloud (VPC) and a data center by using a public VPN gateway. The IPsec-VPN connection can enable private communication between the VPC and the data center.
Prerequisites
Before you associate an IPsec-VPN connection with a public VPN gateway, make sure that a public IP address is assigned to the gateway device in the data center.
The on-premises gateway device must support IKEv1 or IKEv2 to establish IPsec-VPN connections with a VPN gateway.
The CIDR block of the data center must not overlap with the CIDR block of the VPC.
Example
In this example, the following scenario is used. An enterprise has created a VPC on Alibaba Cloud. The CIDR block of the VPC is 192.168.0.0/16. The CIDR block of the data center is 172.16.0.0/12. The static public IP address of the gateway device in the data center is 211.XX.XX.68. To meet business requirements, the enterprise needs to connect the data center to the VPC. You can create an IPsec-VPN connection to enable encrypted communication between the VPC and the data center.
![IPsec quick start](https://help-static-aliyun-doc.aliyuncs.com/assets/img/en-US/6388848261/p286128.png)
Preparations
A VPC is created and applications are deployed on Elastic Compute Service (ECS) instances in the VPC. For more information, see Create a VPC with an IPv4 CIDR block.
You have read and understood the security group rules that apply to the ECS instances in the VPC, and the security group rules allow the gateway device in the data center to access the cloud resources. For more information, see View security group rules and Add a security group rule.
Step 1: Create a VPN gateway
Log on to the VPN gateway console.
In the top navigation bar, select the region in which you want to create the VPN gateway.
The VPN gateway and the VPC to be associated must belong to the same region.
On the VPN Gateways page, click Create VPN Gateway.
On the buy page, configure the following parameters, click Buy Now, and then complete the payment.
| Parameter | Description |
|---|---|
| Name | Enter a name for the VPN gateway. In this example, VPN Gateway 1 is used. |
| Resource Group | Select the resource group to which the VPN gateway belongs. If you leave this parameter empty, the VPN gateway belongs to the default resource group. In this example, this parameter is left empty. |
| Region | Select the region in which you want to create the VPN gateway. Note: The VPN gateway must belong to the same region as the VPC. |
| Gateway Type | Select a gateway type. Standard is selected by default. |
| Network Type | Select a network type for the VPN gateway. In this example, Public is selected. |
| Tunnels | The system displays the tunnel modes that are supported in this region. Valid values: For more information, see [Upgrade notice] IPsec-VPN connections support the dual-tunnel mode. |
| VPC | Select the VPC with which you want to associate the VPN gateway. |
| VSwitch | Select a vSwitch from the selected VPC. If you select Single-tunnel, you need to specify one vSwitch. If you select Dual-tunnel, you need to specify two vSwitches. Note: The system selects a vSwitch by default. You can change it or use the default vSwitch. After you create a VPN gateway, you cannot change the vSwitch associated with the VPN gateway. You can view the associated vSwitch and the zone of the vSwitch on the details page of the VPN gateway. |
| vSwitch 2 | Ignore this parameter if you select Single-tunnel for the Tunnels parameter. |
| Maximum Bandwidth | Specify a maximum bandwidth value for the VPN gateway. Unit: Mbit/s. |
| Traffic | Select a metering method for the VPN gateway. Default value: Pay-by-data-transfer. For more information, see Billing rules. |
| IPsec-VPN | Specify whether to enable IPsec-VPN. In this example, Enable is selected. |
| SSL-VPN | Specify whether to enable SSL-VPN. In this example, Disable is selected. |
| Duration | Select a billing cycle for the VPN gateway. By Hour is selected by default. |
| Service-linked Role | Click Create Service-linked Role. The system automatically creates the service-linked role AliyunServiceRoleForVpn. The VPN gateway assumes this role to access other cloud resources. For more information, see AliyunServiceRoleForVpn. If Created is displayed, the service-linked role already exists and you do not need to create it again. |
For more information about the parameters, see the Create a VPN gateway section of the "Create and manage a VPN gateway" topic.
Return to the VPN Gateways page to view the VPN gateway that you created.
A newly created VPN gateway is in the Preparing state and changes to the Normal state in about 1 to 5 minutes. After the status changes to Normal, the VPN gateway is ready for use.
Step 2: Create a customer gateway
In the left-side navigation pane, choose .
In the top navigation bar, select the region in which you want to create the customer gateway.
Note: Make sure that the customer gateway and the VPN gateway to be connected are deployed in the same region.
On the Customer Gateway page, click Create Customer Gateway.
In the Create Customer Gateway panel, configure the following parameters and click OK.
This topic describes only the following required parameters. You can use the default values for other parameters or leave them empty. For more information, see Create and manage a customer gateway.
Name: Enter a name for the customer gateway.
In this example, Customer Gateway 1 is used.
IP Address: Enter the public IP address of the gateway device in the data center that you want to connect to the VPC.
In this example, 211.XX.XX.68 is used.
Step 3: Create an IPsec-VPN connection
In the left-side navigation pane, choose .
In the top navigation bar, select the region in which you want to create the IPsec-VPN connection.
Note: Make sure that the IPsec-VPN connection and the VPN gateway to be connected are deployed in the same region.
On the IPsec Connections page, click Create IPsec-VPN Connection.
On the Create IPsec-VPN Connection page, configure the parameters that are described in the following table and click OK.
| Parameter | Description |
|---|---|
| Name | Enter a name for the IPsec-VPN connection. In this example, IPsec-VPN Connection 1 is used. |
| Resource Group | Select the resource group to which the VPN gateway belongs. In this example, the default resource group is selected. |
| Associate Resource | Select the type of network resource to be associated with the IPsec-VPN connection. In this example, VPN Gateway is selected. |
| VPN Gateway | Select the VPN gateway that you created. In this example, VPN Gateway 1 is selected. |
| Routing Mode | Select a routing mode. In this example, Destination Routing Mode is selected. |
| Effective Immediately | Specify whether the configuration immediately takes effect. In this example, Yes is selected. |
| Customer Gateway | Select the customer gateway that you created. In this example, Customer Gateway 1 is selected. |
| Enable BGP | If you want to use Border Gateway Protocol (BGP) routing for the IPsec-VPN connection, turn on Enable BGP. By default, Enable BGP is turned off. In this example, BGP is disabled. |
| Pre-Shared Key | Enter a pre-shared key. The pre-shared key must be 1 to 100 characters in length, and can contain digits, letters, and the following characters: ~`!@#$%^&*()_-+={}[]\|;:',.<>/? . If you do not specify a pre-shared key, the system generates a random 16-bit string as the pre-shared key. After you create an IPsec-VPN connection, you can click Edit to view the pre-shared key that is generated by the system. For more information, see Modify an IPsec-VPN connection. Important: The IPsec-VPN connection and the peer gateway device must use the same pre-shared key. Otherwise, the system cannot establish the IPsec-VPN connection. |
| Encryption Configuration | In this example, the Version parameter is set to ikev1 and the other parameters use the default values. For more information, see Create and manage IPsec-VPN connections in single-tunnel mode. |
| Health Check | In this example, the default value is used and no health check is configured for the IPsec-VPN connection. |
| Tags | Add tags as key-value pairs to the IPsec-VPN connection. In this example, this parameter is left empty. |
In the Created message, click OK.
Step 4: Load the configuration of the IPsec-VPN connection to the gateway device in the data center
In the left-side navigation pane, choose .
On the IPsec Connections page, find the IPsec-VPN connection that you want to manage and click Generate Peer Configuration in the Actions column.
Load the configuration of the IPsec-VPN connection to the gateway device in the data center. For more information, see Configure local gateways.
Step 5: Configure routes for the VPN gateway
In the left-side navigation pane, choose .
On the VPN Gateway page, find the VPN gateway that you want to manage and click the ID of the VPN gateway.
On the Destination-based Route Table tab, click Add Route Entry.
In the Add Route Entry panel, configure the following parameters and click OK.
| Parameter | Description |
|---|---|
| Destination CIDR block | Enter a destination CIDR block for the route. In this example, 172.16.0.0/12 is used. |
| Next Hop Type | Select the type of next hop. In this example, IPsec-VPN connection is selected. |
| Next Hop | Select the IPsec-VPN connection that you created. |
| Advertise to VPC | Specify whether to advertise the route to the VPC that is associated with the VPN gateway. In this example, Yes is selected. |
| Weight | Select a weight for the route. Valid values: In this example, the default value 100 is used. |
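The following Python script is an added example, not part of the Alibaba Cloud documentation or of the console's Generate Peer Configuration output. It checks the planning rules from this walkthrough (the prerequisite that the VPC and data center CIDR blocks do not overlap, the route entry in Step 5 covering the data center block, and the pre-shared key rules from Step 3) and then renders a strongSwan-style ipsec.conf and ipsec.secrets for the data center gateway in Step 4. It assumes strongSwan as the on-premises gateway, a placeholder for the VPN gateway's public IP address (which this topic does not give), and AES-128/SHA-1/DH group 2 proposals; copy the real proposal values from the console.

```python
import ipaddress
import re

# Allowed pre-shared key characters, as documented for the IPsec-VPN connection:
# digits, letters and ~`!@#$%^&*()_-+={}[]\|;:',.<>/? (1 to 100 characters)
PSK_ALLOWED = re.compile(r"^[0-9A-Za-z~`!@#$%^&*()_\-+={}\[\]\\|;:',.<>/?]{1,100}$")


def check_plan(vpc_cidr, dc_cidr, route_dest, psk):
    """Return the list of problems found in the planned connection (empty if OK)."""
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    dc = ipaddress.ip_network(dc_cidr, strict=True)
    dest = ipaddress.ip_network(route_dest, strict=True)
    if vpc.overlaps(dc):  # prerequisite: the two CIDR blocks must not overlap
        problems.append(f"VPC {vpc} overlaps data center {dc}")
    if not dc.subnet_of(dest):  # Step 5: the route entry must cover the data center
        problems.append(f"route {dest} does not cover data center {dc}")
    if not PSK_ALLOWED.match(psk):  # Step 3: pre-shared key length and character set
        problems.append("pre-shared key must be 1-100 characters from the allowed set")
    return problems


def render_strongswan(conn_name, peer_ip, vpc_cidr, dc_cidr, psk):
    """Render ipsec.conf and ipsec.secrets text for a strongSwan gateway in the
    data center ('left'); the Alibaba Cloud VPN gateway is 'right'. The IKE/ESP
    proposals are an assumption: copy the values from Generate Peer Configuration."""
    conf = "\n".join([
        f"conn {conn_name}",
        "    keyexchange=ikev1",          # Version is set to ikev1 in Step 3
        "    authby=secret",              # pre-shared key authentication
        "    left=%defaultroute",
        f"    leftsubnet={dc_cidr}",      # 172.16.0.0/12 in the example
        f"    right={peer_ip}",           # public IP address of the VPN gateway
        f"    rightsubnet={vpc_cidr}",    # 192.168.0.0/16 in the example
        "    ike=aes128-sha1-modp1024!",  # assumed proposal
        "    esp=aes128-sha1-modp1024!",  # assumed proposal (PFS group 2)
        "    auto=start",
    ])
    secrets = f'%any {peer_ip} : PSK "{psk}"'
    return conf, secrets


if __name__ == "__main__":  # constructed sample; the VPN gateway IP is a placeholder
    print(check_plan("192.168.0.0/16", "172.16.0.0/12", "172.16.0.0/12", "Example-PSK-1"))
    print(*render_strongswan("to-vpc", "VPN_GATEWAY_PUBLIC_IP", "192.168.0.0/16",
                             "172.16.0.0/12", "Example-PSK-1"), sep="\n")
```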
Step 6: Test the network connectivity
Log on to an ECS instance that is not assigned a public IP address in the VPC. For more information, see Connection method overview.
Run the ping command to ping a server in the data center to test the network connectivity.
If you can receive echo reply packets, the connection is established.