
VPN Gateway:Configure routes

Last Updated:Mar 06, 2026

After you attach an IPsec-VPN connection to a transit router, configure routes to your data center for the IPsec-VPN connection. The IPsec-VPN connection uses these routes to forward traffic from the transit router to your data center, enabling communication between your data center and the transit router.

Background information

To connect a data center to a transit router using an IPsec-VPN connection, you must add routes on the transit router, the IPsec-VPN connection, and in the data center. These routes enable traffic between the data center and the transit router.

This topic focuses on route configuration for the IPsec-VPN connection and does not describe route configurations for the transit router or the data center in detail. IPsec-VPN connections support static routing and automatic route learning through the Border Gateway Protocol (BGP).

Routing configuration checklist for the different methods:

  • Static routing, traffic to the data center

    • Transit router: Create a route learning relationship for the IPsec-VPN connection. After the route learning relationship is established between the transit router's route table and the IPsec-VPN connection, the system automatically propagates routes from the IPsec-VPN connection's destination-based route table to the transit router's route table. The tunnels of the IPsec-VPN connection must have successfully completed Phase 2 negotiations. For more information, see Route learning.

    • IPsec-VPN connection: Add routes to the data center. For more information, see Configure destination-based routes.

    • Data center: No configuration is required.

  • Static routing, traffic to the transit router

    • Transit router: Create an association for the IPsec-VPN connection. After an association is created between the transit router's route table and the IPsec-VPN connection, the system forwards traffic from the IPsec-VPN connection by looking up routes in the transit router's route table. For more information, see Associations.

    • IPsec-VPN connection: No configuration is required. By default, the IPsec-VPN connection forwards traffic from the data center to the transit router.

    • Data center: Add routes to the transit router. Set the next hop to the IPsec-VPN connection.

  • BGP dynamic routing, traffic to the data center

    • Transit router: Create a route learning relationship for the IPsec-VPN connection. After the route learning relationship is established between the transit router's route table and the IPsec-VPN connection, the system automatically propagates routes from the IPsec-VPN connection's BGP route table to the transit router's route table. For more information, see Route learning.

    • IPsec-VPN connection: Configure the BGP dynamic routing protocol. After BGP is configured, the IPsec-VPN connection automatically learns routes from the data center and propagates routes from the transit router to the data center. For more information, see Configure BGP dynamic routing.

    • Data center: Configure the BGP dynamic routing protocol. After BGP is configured, the data center can propagate its routes to the IPsec-VPN connection and automatically learn routes from the transit router.

  • BGP dynamic routing, traffic to the transit router

    • Transit router:

      1. Create an association for the IPsec-VPN connection. After an association is created between the transit router's route table and the IPsec-VPN connection, the system forwards traffic from the IPsec-VPN connection by looking up routes in the transit router's route table. For more information, see Associations.

      2. Enable route synchronization for the IPsec-VPN connection. After you enable route synchronization, the system automatically syncs routes from the transit router's route table to the IPsec-VPN connection's BGP route table. For more information, see Route synchronization.

    • IPsec-VPN connection and data center: Configure the BGP dynamic routing protocol as described above. After BGP is configured, the data center propagates its routes to the IPsec-VPN connection automatically, so no separate configuration is required for this direction.

How to choose a routing configuration method

  1. Check whether the region of the IPsec-VPN connection supports the BGP dynamic routing protocol. If the region does not support BGP, you must use static routing.

    Regions that support the BGP dynamic routing protocol:

    • Asia-Pacific: China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Shenzhen), China (Hong Kong), Japan (Tokyo), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta)

    • Europe and Americas: Germany (Frankfurt), UK (London), US (Virginia), US (Silicon Valley)

    • Middle East: UAE (Dubai)

    Important

    In a region that does not support the BGP dynamic routing protocol, if you previously created a single-tunnel IPsec-VPN connection, that connection still does not support BGP. If you create a new IPsec-VPN connection in that region, the new connection is in dual-tunnel mode by default and supports BGP.

  2. Check if your on-premises gateway device supports the BGP dynamic routing protocol. If your device supports BGP, you can use BGP dynamic routing. If not, you must use static routing.

  3. If your scenario supports both static routing and BGP dynamic routing, see the following information to choose a method.

    | Routing configuration method | Scenarios | Configuration complexity | Route maintenance cost |
    | --- | --- | --- | --- |
    | Static routing | Suitable for scenarios where the data center has few routes and routes do not change often. | Easy | Medium. If routes in the data center change, you must manually change the route configuration on the VPN Gateway. |
    | BGP dynamic routing | Suitable for scenarios where the data center has many routes and routes change often. | Easy | Low. If routes in the data center change, no action is needed on the VPN Gateway. The BGP dynamic routing protocol automatically distributes and learns routes based on BGP advertisement rules. |

Routing configuration recommendations

  • Use only one routing configuration method for an IPsec-VPN connection. Do not use destination-based routes and BGP dynamic routing at the same time.

  • For dual-tunnel IPsec-VPN connections, use BGP dynamic routing. If you must use static routing, make sure your on-premises gateway device supports static ECMP routes. Otherwise, traffic from your data center to Alibaba Cloud cannot be transmitted over ECMP paths, while traffic from Alibaba Cloud to your data center is still transmitted over ECMP paths. This asymmetry may cause traffic to take an unexpected path.

  • When you use a dual-tunnel IPsec-VPN connection, follow these principles to configure routes and improve the stability of the connection:

    • For the two tunnels of an IPsec-VPN connection, configure the same routing protocol. This means you either configure only static routing for the IPsec-VPN connection or configure BGP dynamic routing for both tunnels.

    • If you configure BGP for an IPsec-VPN connection, the Local ASN for both tunnels must be the same. The BGP AS numbers for the peers of the two tunnels can be different, but we recommend that you keep them the same.

Route matching principles

When an IPsec-VPN connection forwards traffic to a data center, it matches the traffic with a destination-based route or a BGP route based on the longest prefix match rule by default.

Note

If multiple IPsec-VPN connections propagate both destination-based routes and BGP routes to a transit router, and the destination CIDR blocks are the same, the transit router prioritizes the BGP routes by default. For more information, see Transit router route priorities.
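As an added example that is not part of the original page, the following Python function applies the two selection rules stated above: the longest prefix match wins, and when a destination-based route and a BGP route have the same destination CIDR block, the BGP route is preferred. The route lists are constructed sample data, not routes from a real connection.

```python
import ipaddress

# Constructed sample routes for one IPsec-VPN connection attached to a transit
# router: destination-based (static) routes and BGP-learned routes.
STATIC_ROUTES = [
    {"cidr": "10.0.0.0/8", "source": "static"},
    {"cidr": "10.1.0.0/16", "source": "static"},
]
BGP_ROUTES = [
    {"cidr": "10.1.0.0/16", "source": "bgp"},
    {"cidr": "10.1.2.0/24", "source": "bgp"},
]


def select_route(dst_ip, static_routes, bgp_routes):
    """Return the route used to forward traffic to dst_ip, or None if no route matches.

    Rule 1: the matching route with the longest prefix wins.
    Rule 2: if a static and a BGP route have the same destination CIDR block,
            the BGP route takes priority (the default described on this page).
    """
    ip = ipaddress.ip_address(dst_ip)
    best_net, best_route = None, None
    for route in static_routes + bgp_routes:
        net = ipaddress.ip_network(route["cidr"], strict=False)
        if ip.version != net.version or ip not in net:
            continue  # not a candidate for this destination
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best_net, best_route = net, route  # longer prefix replaces the current best
        elif net.prefixlen == best_net.prefixlen and route["source"] == "bgp":
            best_net, best_route = net, route  # equal prefix: BGP beats static
    return best_route


if __name__ == "__main__":
    for dst in ("10.1.2.5", "10.1.9.9", "10.200.0.1", "192.168.1.1"):
        print(dst, "->", select_route(dst, STATIC_ROUTES, BGP_ROUTES))
```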

Configure routes

Configure destination-based routes

When you configure a destination-based route, you must specify the destination CIDR block and next hop information. The IPsec-VPN connection matches traffic based on the destination IP address and then forwards the traffic based on the matched route.

Prerequisites

The IPsec-VPN connection is attached to a transit router instance. You can create the attachment in one of the following ways:

  • Attach the IPsec-VPN connection to a transit router instance when you create the connection. For more information, see IPsec-VPN connection (TR-dual-tunnel).

  • If you have an IPsec-VPN connection that is not attached to any resource, you can attach it to a transit router in the Cloud Enterprise Network (CEN) console. For more information, see Create a VPN connection.

    Note

    If an IPsec-VPN connection is already attached to a VPN Gateway instance, you cannot attach it to a transit router instance.

Limits

  • You cannot add a destination-based route with the destination CIDR block set to 0.0.0.0/0.

  • Do not add destination-based routes whose destination CIDR block is 100.64.0.0/10, a subnet of 100.64.0.0/10, or a CIDR block that contains 100.64.0.0/10. Such routes may prevent the console from displaying the status of the IPsec-VPN connection or cause connection negotiation to fail.

  • When you create a dual-tunnel IPsec-VPN connection and add a destination-based route, the system propagates the route to the transit router's route table only when the tunnel status is Phase 2 negotiation succeeded.

Configuration steps

Add a destination-based route

  1. Log on to the VPN Gateway console.

  2. In the top navigation bar, select the region of the IPsec-VPN connection.

  3. On the IPsec Connections page, find the IPsec-VPN connection that you want to manage and click its ID.

  4. On the Destination-based Route Table tab, click Add Route Entry.

  5. In the Add Route Entry panel, configure the destination-based route based on the following information and click OK.

    | Configuration | Description |
    | --- | --- |
    | Destination CIDR Block | Enter the CIDR block of your data center. |
    | Next Hop Type | Select IPsec-VPN Connection. |
    | Next Hop | Select the IPsec-VPN connection instance. |

Delete a destination-based route

  1. Log on to the VPN Gateway console.

  2. In the top navigation bar, select the region of the IPsec-VPN connection.

  3. On the IPsec Connections page, find the IPsec-VPN connection that you want to manage and click its ID.

  4. On the Destination-based Route Table tab, find the route that you want to delete and click Delete in the Actions column.

  5. In the Delete Route Entry dialog box, click OK.


Configure BGP dynamic routing

BGP is a dynamic routing protocol based on TCP that exchanges routing and network reachability information between autonomous systems. Configure BGP on the IPsec-VPN connection and in your data center to establish a BGP peer relationship. After the BGP peer relationship is established, the IPsec-VPN connection and your data center automatically learn routes from each other. This reduces network maintenance costs and configuration risks.

BGP advertisement rules

After you configure BGP dynamic routing for the IPsec-VPN connection and the data center, BGP routes are advertised based on the following rules:

  • From on-premises to the cloud

    After the data center advertises its local routes through BGP, the routes are automatically propagated to the IPsec-VPN connection in the cloud. After a route learning relationship is established between the IPsec-VPN connection and the transit router's route table, the system automatically propagates routes from the IPsec-VPN connection's BGP route table to the transit router's route table.

  • From the cloud to on-premises

    After you enable route synchronization for the IPsec-VPN connection on the transit router, the system propagates routes from the transit router's route table to the IPsec-VPN connection's BGP route table. The IPsec-VPN connection then automatically propagates the routes in its BGP route table to the data center.

BGP limits

  • For a dual-tunnel IPsec-VPN connection, the BGP route table of one IPsec-VPN connection can receive up to 2,000 routes from the peer. Each tunnel can receive up to 1,000 routes. This quota cannot be increased.

    For a single-tunnel IPsec-VPN connection, the BGP route table of one IPsec-VPN connection can receive up to 50 routes from the peer. To increase the quota, submit a ticket. The quota can be increased to a maximum of 200.

  • After an IPsec-VPN connection is attached to a transit router instance, you can use BGP to propagate routes with the destination CIDR block of 0.0.0.0/0 between the on-premises gateway device and the transit router instance.

  • If you use an Express Connect circuit and an IPsec-VPN connection in active/standby mode to connect your data center to a transit router, make sure that the autonomous system number of the data center configured for the virtual border router is the same as the one configured for the IPsec-VPN connection. This prevents route flapping in your data center network.

Steps to configure BGP dynamic routing

  1. Specify the autonomous system number of your data center in the customer gateway instance. For more information, see Customer gateways.

    • If you did not specify the autonomous system number when you created the customer gateway, you must delete the customer gateway and create a new one.

    • You cannot modify a customer gateway after it is created. To change the autonomous system number of your data center, delete the customer gateway and create a new one.

  2. Enable BGP for the IPsec-VPN connection and add a BGP configuration. For more information, see IPsec-VPN connection (TR-dual-tunnel).

    The following table lists only the parameters that are highly relevant to BGP dynamic routing.

    Important

    For the Routing Mode of the IPsec-VPN connection, use Destination-based Route Mode.

    | Configuration Item | Description |
    | --- | --- |
    | Customer Gateway | Select the customer gateway instance that contains the autonomous system number of your data center. |
    | Enable BGP | Select to enable the BGP feature. |
    | Local ASN | Enter the local autonomous system number (ASN) for the tunnel. The default value is 45104. The valid range is 1 to 4294967295. |
    | Tunnel CIDR Block | Enter the CIDR block for the tunnel. The tunnel CIDR block must be a /30 CIDR block within 169.254.0.0/16. It cannot be 169.254.0.0/30, 169.254.1.0/30, 169.254.2.0/30, 169.254.3.0/30, 169.254.4.0/30, 169.254.5.0/30, 169.254.6.0/30, or 169.254.169.252/30. Note: the tunnel CIDR blocks of the two tunnels in an IPsec-VPN connection cannot be the same. |
    | Local BGP IP address | Enter the BGP IP address for the Alibaba Cloud side of the tunnel. This address must be an IP address within the tunnel CIDR block. |
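The following checks are an added example, not part of this page or of Alibaba Cloud's tooling. They encode the destination-based route limits from the Limits section (no 0.0.0.0/0, nothing overlapping 100.64.0.0/10) and the BGP parameter constraints in the table above (Local ASN range, tunnel CIDR block rules, local BGP IP address inside the tunnel CIDR block) plus the dual-tunnel rules from the recommendations (different tunnel CIDR blocks, same Local ASN), so that a planned configuration can be validated before it is entered in the console. All sample values are constructed.

```python
import ipaddress

TUNNEL_RANGE = ipaddress.ip_network("169.254.0.0/16")
# Tunnel CIDR blocks the page lists as not allowed.
RESERVED_TUNNEL_CIDRS = {
    ipaddress.ip_network(c) for c in (
        "169.254.0.0/30", "169.254.1.0/30", "169.254.2.0/30", "169.254.3.0/30",
        "169.254.4.0/30", "169.254.5.0/30", "169.254.6.0/30", "169.254.169.252/30",
    )
}
CGNAT_BLOCK = ipaddress.ip_network("100.64.0.0/10")


def check_destination_route(cidr):
    """Return the problems with a destination-based route CIDR block (empty list if OK)."""
    net = ipaddress.ip_network(cidr, strict=False)
    problems = []
    if net.prefixlen == 0:
        problems.append("destination CIDR block 0.0.0.0/0 is not allowed")
    # 100.64.0.0/10, any subnet of it, and any block that contains it are all rejected.
    if net.version == 4 and net.overlaps(CGNAT_BLOCK):
        problems.append("destination CIDR block overlaps 100.64.0.0/10")
    return problems

def check_bgp_tunnel(local_asn, tunnel_cidr, local_bgp_ip):
    """Return the problems with one tunnel's BGP parameters (empty list if OK)."""
    problems = []
    if not 1 <= local_asn <= 4294967295:
        problems.append("Local ASN must be in the range 1 to 4294967295")
    net = ipaddress.ip_network(tunnel_cidr, strict=False)
    if net.version != 4 or net.prefixlen != 30 or not net.subnet_of(TUNNEL_RANGE):
        problems.append("tunnel CIDR block must be a /30 within 169.254.0.0/16")
    elif net in RESERVED_TUNNEL_CIDRS:
        problems.append(f"tunnel CIDR block {net} is reserved and cannot be used")
    if ipaddress.ip_address(local_bgp_ip) not in net:
        problems.append("local BGP IP address must be inside the tunnel CIDR block")
    return problems

def check_dual_tunnel(tunnel_a, tunnel_b):
    """Check both tunnels of a dual-tunnel connection plus the cross-tunnel rules."""
    problems = []
    for name, t in (("tunnel 1", tunnel_a), ("tunnel 2", tunnel_b)):
        problems += [f"{name}: {p}" for p in check_bgp_tunnel(**t)]
    if tunnel_a["local_asn"] != tunnel_b["local_asn"]:
        problems.append("both tunnels must use the same Local ASN")
    nets = {ipaddress.ip_network(t["tunnel_cidr"], strict=False) for t in (tunnel_a, tunnel_b)}
    if len(nets) == 1:
        problems.append("the two tunnels must use different tunnel CIDR blocks")
    return problems
```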

BGP dynamic routing tutorials

Establish an IPsec-VPN connection to enable communication between an on-premises data center and multi-region VPCs (dual-tunnel)