This topic describes how to use IPsec-VPN to establish a private network connection between a data center and a virtual private cloud (VPC).

Select the resource with which you want to associate the IPsec-VPN connection

You can associate a VPN gateway or a transit router with an IPsec-VPN connection. Both a VPN gateway and a transit router can be used to connect an on-premises data center to a VPC. However, the features supported are different, as described in the following table. You can select a VPN gateway or a transit router based on your business requirements.

Associated resource
  • Associated with a VPN gateway: You must purchase a VPN gateway and associate it with a VPC to create an IPsec-VPN connection. Your data center or office network can communicate with the associated VPC, or with other networks through the associated VPC.
  • Associated with a transit router: You do not need to purchase a VPN gateway or associate a VPN gateway with a VPC to create an IPsec-VPN connection. You must create a Cloud Enterprise Network (CEN) instance and create a transit router on the CEN instance. Your data center or office network can communicate with all VPCs connected to the transit router, or with other networks through the transit router.

Supported encryption algorithms
  • Associated with a VPN gateway: Commercial cryptographic algorithms that comply with international standards.
  • Associated with a transit router: Commercial cryptographic algorithms that comply with international standards.

Maximum bandwidth supported by each IPsec-VPN connection
  • Associated with a VPN gateway: 1,000 Mbit/s.

    Note The maximum bandwidth supported by VPN gateways in some regions is 200 Mbit/s. For more information about the regions, see Limits on VPN gateways.

  • Associated with a transit router: 1 Gbit/s by default. The maximum bandwidth can be modified based on business requirements.

Supported network type
  • Associated with a VPN gateway:
      • Public: an encrypted connection over the Internet.
      • Private: an encrypted connection over an Express Connect circuit.

    Note Private VPN gateways are in invitational preview. To use a private VPN gateway, contact your sales manager or submit a ticket.

  • Associated with a transit router:
      • Public: an encrypted connection over the Internet.
      • Private: an encrypted connection over an Express Connect circuit.

Method used to implement high availability
  • Associated with a VPN gateway: Active/standby connections, as shown in Figure 1.
  • Associated with a transit router: Equal-cost multi-path (ECMP) routing, as shown in Figure 2.

Figure 1. Active/standby connection
Figure 2. Equal-cost multi-path (ECMP) connection

Limits

  • You can associate an IPsec-VPN connection with a transit router in specific regions. For more information about the supported regions, see Regions that support different features of VPN Gateway.

    If you want to associate an IPsec-VPN connection with a transit router in China (Nanjing - Local Region), China (Ulanqab), China (Heyuan), China (Guangzhou), China (Chengdu), Japan (Tokyo), Australia (Sydney), Malaysia (Kuala Lumpur), South Korea (Seoul), Indonesia (Jakarta), Philippines (Manila), Thailand (Bangkok), India (Mumbai), Germany (Frankfurt), or UK (London), contact your sales manager or submit a ticket to apply for the required permissions. You do not need to apply for permissions in other regions.

  • Only an Enterprise Edition transit router can be associated with an IPsec-VPN connection.

Prerequisites

Before you use IPsec-VPN to connect a data center to a VPC, make sure that the following requirements are met:
  • The IKEv1 and IKEv2 protocols are supported by the gateway device in the data center.

    The IKEv1 and IKEv2 protocols are supported by IPsec-VPN. All gateway devices that support these protocols can be used to establish an IPsec-VPN connection to a VPC.

  • The CIDR block of the data center does not overlap with the CIDR block of the VPC.
  • Make sure that the security group rules applied to the Elastic Compute Service (ECS) instances in the VPC allow gateway devices in the data center to access cloud resources. For more information, see Query security group rules and Add a security group rule.

Procedure

The procedure for configuring IPsec-VPN varies based on the instance that is associated with the IPsec-VPN connection. The following section describes the procedures for different scenarios.

Procedure for the scenario in which a VPN gateway is used

Procedure 1
  1. Create a VPN gateway: Create a VPN gateway and enable IPsec-VPN.
  2. Create a customer gateway: Create a customer gateway and load the configuration of the gateway device in the data center to the customer gateway on Alibaba Cloud.
  3. Create an IPsec-VPN connection: An IPsec-VPN connection is an encrypted VPN tunnel between a VPN gateway and a gateway device in the data center.

     Note When you create an IPsec-VPN connection, select VPN Gateway for Associate Resource.

  4. Configure local gateways: To connect the data center to the VPN gateway, add the IPsec-VPN configuration to the gateway device in the data center.
  5. Configure a route for the VPN gateway: Configure a route on the VPN gateway that points to the data center, and advertise the route to the VPC route table. This way, the data center can be connected to the VPC.
  6. Test the network connectivity: Log on to an ECS instance in the VPC that is not assigned a public IP address. Then, run the ping command to ping the private IP address of a server in the data center.

Procedure for the scenario in which a transit router is used

Procedure 2
  1. Create a CEN instance: Before you create a transit router, you must first create a CEN instance.
  2. Create a transit router: A transit router is used to forward data. Create the transit router in the region where the data center is deployed or in a region near the data center.
  3. Create a customer gateway: Create a customer gateway and load the configuration of the gateway device in the data center to the customer gateway on Alibaba Cloud.
  4. Create an IPsec-VPN connection: An IPsec-VPN connection is an encrypted VPN tunnel between Alibaba Cloud and a gateway device in the data center. After you associate a transit router with the IPsec-VPN connection, traffic from the data center can be forwarded to the transit router over the IPsec-VPN connection.

     Note When you create an IPsec-VPN connection, select CEN or Do Not Associate for Associate Resource.

  5. Configure local gateways: To connect the data center to Alibaba Cloud, add the IPsec-VPN configuration to the gateway device in the data center.
  6. Configure a route for the IPsec-VPN connection: Configure a route for the IPsec-VPN connection that points to the data center, and advertise the route to the route table of the transit router. This way, the data center can be connected to the VPC.
  7. Test the network connectivity: Log on to an ECS instance in the VPC that is not assigned a public IP address. Then, run the ping command to ping the private IP address of a server in the data center.
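The "Configure local gateways" step of both procedures (step 4 with a VPN gateway, step 5 with a transit router) is performed on the data center device. The following strongSwan swanctl.conf is an added example, not taken from this page or from Alibaba Cloud; it assumes strongSwan as the gateway device, IKEv2 with a pre-shared key, and placeholder addresses, CIDRs, proposals and key that must be replaced with the values set on the IPsec-VPN connection.

```conf
# strongSwan swanctl.conf for the on-premises gateway device (constructed example).
# Assumed: IKEv2 with a pre-shared key; all addresses, CIDRs, proposals and the
# PSK are placeholders that must match the IPsec-VPN connection on Alibaba Cloud.
connections {
    alicloud-ipsec {
        # IKEv2; the page states that both IKEv1 and IKEv2 are supported.
        version = 2
        # Public IP of the data center gateway (the customer gateway IP on Alibaba Cloud).
        local_addrs = 203.0.113.10
        # Public IP of the VPN gateway or of the IPsec-VPN connection.
        remote_addrs = 198.51.100.20
        local {
            auth = psk
            id = 203.0.113.10
        }
        remote {
            auth = psk
            id = 198.51.100.20
        }
        # IKE proposal; assumed, must equal the IKE configuration of the connection.
        proposals = aes256-sha256-modp2048
        rekey_time = 24h
        # Dead peer detection so that a failed tunnel is noticed and rebuilt.
        dpd_delay = 30s
        children {
            vpc {
                # Data center CIDR; must not overlap any VPC CIDR (page prerequisite).
                local_ts = 10.1.0.0/16
                # VPC CIDR when associated with a VPN gateway. When associated with a
                # transit router, list every VPC CIDR reachable through it, for example:
                # remote_ts = 172.16.0.0/16, 172.17.0.0/16
                remote_ts = 172.16.0.0/16
                # IPsec proposal; assumed, must equal the IPsec configuration of the connection.
                esp_proposals = aes256-sha256-modp2048
                start_action = start
                dpd_action = restart
                rekey_time = 1h
            }
        }
    }
}
secrets {
    ike-alicloud {
        id = 198.51.100.20
        # Placeholder: the pre-shared key configured on the IPsec-VPN connection.
        secret = "REPLACE-WITH-PRE-SHARED-KEY"
    }
}
```

Load the file with `swanctl --load-all` and confirm that the IKE and CHILD SAs are established with `swanctl --list-sas` before running the ping test from the ECS instance; if the SAs never come up, compare the proposals, identifiers and pre-shared key with the IPsec-VPN connection first.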