IPsec-VPN lets you create an encrypted tunnel between your on-premises data center and an Alibaba Cloud VPC. This guide walks you through the end-to-end setup when the IPsec-VPN connection is associated with a VPN gateway.
Alibaba Cloud IPsec-VPN supports two deployment modes:
Dual-tunnel mode — Two tunnels for high availability. If one tunnel goes down, traffic automatically fails over to the other. Recommended for production workloads.
Single-tunnel mode — One tunnel. Simpler to set up, suitable for development or non-critical environments.
Before you begin
Make sure your environment meets the following requirements:
Your on-premises gateway device has a public IP address. Dual-tunnel mode works with a single public IP, but for higher availability you can optionally use two public IPs or two gateway devices. For supported regions, see Associate an IPsec-VPN connection with a VPN gateway.
Your on-premises gateway device supports IKEv1 or IKEv2.
The CIDR blocks of your data center and VPC do not overlap.
The security group rules on your ECS instances allow traffic from your on-premises gateway device. For more information, see Use security groups.
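A preflight check for the requirements above, as an added example that is not part of this guide or of Alibaba Cloud's tooling: it uses Python's ipaddress module to confirm that the on-premises gateway address is public and that no data-center CIDR block overlaps a VPC block. The addresses and CIDR blocks in the sample run are constructed placeholders.

```python
import ipaddress


def parse_net(cidr: str):
    """Parse a CIDR block strictly: '10.0.0.5/24' is rejected because host bits are set."""
    return ipaddress.ip_network(cidr, strict=True)


def check_cidrs(onprem: list[str], vpc: list[str]) -> list[str]:
    """Return the problems found; an empty list means no data-center block overlaps a VPC block."""
    problems = []
    nets = {}
    for label, cidrs in (("on-premises", onprem), ("VPC", vpc)):
        nets[label] = []
        for cidr in cidrs:
            try:
                nets[label].append(parse_net(cidr))
            except ValueError as exc:
                problems.append(f"{label} block {cidr!r} is not a valid CIDR: {exc}")
    # Every on-premises block is compared against every VPC block.
    for a in nets["on-premises"]:
        for b in nets["VPC"]:
            if a.overlaps(b):
                problems.append(f"on-premises {a} overlaps VPC {b}")
    return problems


def check_gateway_ip(ip: str) -> list[str]:
    """The on-premises gateway must be reachable on a public (globally routable) address."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return [f"gateway address {ip!r} is not a valid IP address"]
    if not addr.is_global:
        return [f"gateway address {addr} is not a public IP"]
    return []


def preflight(gateway_ips: list[str], onprem: list[str], vpc: list[str]) -> list[str]:
    """Run all checks; dual-tunnel setups may pass one or two gateway addresses."""
    problems = []
    for ip in gateway_ips:
        problems += check_gateway_ip(ip)
    return problems + check_cidrs(onprem, vpc)


if __name__ == "__main__":
    # Constructed sample values (placeholders); replace them with your own.
    report = preflight(["1.2.3.4"], ["192.168.10.0/24", "192.168.20.0/24"], ["172.16.0.0/12"])
    print("OK" if not report else "\n".join(report))
```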
Workflow
Step | Action | Description
--- | --- | ---
1 | Create a VPN gateway | Enable IPsec-VPN on the VPN gateway.
2 | Register your on-premises gateway device | Register the device on Alibaba Cloud by providing its public IP address and BGP ASN (if applicable).
3 | Create an IPsec-VPN connection | Create an encrypted tunnel between your data center and VPC. Set Associate Resource to VPN Gateway.
4 | Configure your on-premises gateway device | Add VPN configurations to the device so it can negotiate and establish the IPsec tunnel.
5 | Configure routes | Add a route pointing to your data center and advertise it to the VPC route table.
6 | Test connectivity | Log on to an ECS instance in the VPC and ping a private IP address in your data center.
Step-by-step tutorials
Follow one of these end-to-end tutorials based on your chosen deployment mode:
Dual-tunnel mode
Single-tunnel mode