This topic describes how to use IPsec-VPN to establish a private network connection between a data center and a virtual private cloud (VPC).
Select the resource with which you want to associate the IPsec-VPN connection
You can associate a VPN gateway or a transit router with an IPsec-VPN connection. Both a VPN gateway and a transit router can be used to connect an on-premises data center to a VPC. However, the features supported are different, as described in the following table. You can select a VPN gateway or a transit router based on your business requirements.
Item | Associated with a VPN gateway | Associated with a transit router |
---|---|---|
Associated resource | You must purchase a VPN gateway and associate it with a VPC to create an IPsec-VPN connection. Your data center or office network can communicate with the associated VPC, or with other networks through the associated VPC. | You do not need to purchase a VPN gateway or associate one with a VPC to create an IPsec-VPN connection. You must create a Cloud Enterprise Network (CEN) instance and create a transit router on the CEN instance. Your data center or office network can communicate with all VPCs connected to the transit router, or with other networks through the transit router. |
Supported encryption algorithms | Commercial cryptographic algorithms that comply with international standards | Commercial cryptographic algorithms that comply with international standards |
Maximum bandwidth supported by each IPsec-VPN connection | 1,000 Mbit/s. Note: the maximum bandwidth supported by VPN gateways in some regions is 200 Mbit/s. For more information about the regions, see Limits on VPN gateways. | 1 Gbit/s by default. The maximum bandwidth can be modified based on business requirements. |
Supported network type | | |
Method used to implement high availability | Active/standby connections, as shown in Figure 1: Active/standby connection | Equal-cost multi-path (ECMP) routing, as shown in Figure 2: Equal-cost multi-path (ECMP) connection |


Limits
- You can associate an IPsec-VPN connection with a transit router in specific regions.
For more information about the supported regions, see Regions that support different features of VPN Gateway.
If you want to associate an IPsec-VPN connection with a transit router in China (Nanjing - Local Region), China (Ulanqab), China (Heyuan), China (Guangzhou), China (Chengdu), Japan (Tokyo), Australia (Sydney), Malaysia (Kuala Lumpur), South Korea (Seoul), Indonesia (Jakarta), Philippines (Manila), Thailand (Bangkok), India (Mumbai), Germany (Frankfurt), or UK (London), contact your sales manager or submit a ticket to apply for the required permissions. You do not need to apply for permissions in other regions.
- Only an Enterprise Edition transit router can be associated with an IPsec-VPN connection.
Prerequisites
- The gateway device in the data center supports the IKEv1 and IKEv2 protocols.
IPsec-VPN supports both IKEv1 and IKEv2, so any gateway device that supports these protocols can be used to establish an IPsec-VPN connection to a VPC.
- The CIDR block of the data center does not overlap with the CIDR block of the VPC.
- Make sure that the security group rules applied to the Elastic Compute Service (ECS) instances in the VPC allow gateway devices in the data center to access cloud resources. For more information, see Query security group rules and Add a security group rule.
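As an added example that is not part of the original page, the following script is a pre-flight check for the CIDR prerequisite above. It is generalized to a list of VPC CIDR blocks so that it also covers the transit-router scenario, where the data center reaches every VPC attached to the transit router; the prefixes used are constructed samples, not addresses taken from the page.

```python
# Added example (not from the original page): pre-flight check for the
# "CIDR blocks must not overlap" prerequisite. All prefixes below are
# constructed sample values.
import ipaddress


def find_cidr_overlaps(dc_cidrs, vpc_cidrs):
    """Return (data-center CIDR, VPC CIDR) pairs whose address ranges overlap.

    Both arguments are iterables of CIDR strings. Host bits are cleared, so
    "10.10.0.1/16" is treated as 10.10.0.0/16. IPv4 and IPv6 prefixes are
    only compared with prefixes of the same address family.
    """
    overlaps = []
    for dc in dc_cidrs:
        dc_net = ipaddress.ip_network(dc, strict=False)
        for vpc in vpc_cidrs:
            vpc_net = ipaddress.ip_network(vpc, strict=False)
            if dc_net.version == vpc_net.version and dc_net.overlaps(vpc_net):
                overlaps.append((str(dc_net), str(vpc_net)))
    return overlaps


def cidrs_are_disjoint(dc_cidrs, vpc_cidrs):
    """True when the prerequisite holds for every VPC in the list."""
    return not find_cidr_overlaps(dc_cidrs, vpc_cidrs)


# Constructed sample: a data center announcing two prefixes, and the VPCs
# attached to a transit router (for the VPN-gateway case the list holds
# only the single VPC associated with the gateway).
DC_CIDRS = ["10.10.0.0/16", "192.168.1.0/24"]
VPC_CIDRS = ["10.10.5.0/24", "172.16.0.0/12"]

if __name__ == "__main__":
    for dc, vpc in find_cidr_overlaps(DC_CIDRS, VPC_CIDRS):
        print(f"conflict: data center {dc} overlaps VPC {vpc}")
    print("addressing ok" if cidrs_are_disjoint(DC_CIDRS, VPC_CIDRS)
          else "fix the addressing plan before creating the connection")
```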
Procedure
The procedure for configuring IPsec-VPN varies based on the instance that is associated with the IPsec-VPN connection. The following section describes the procedures for different scenarios.
Procedure for the scenario in which a VPN gateway is used

Sequence number | Reference | Description |
---|---|---|
1 | Create a VPN gateway | Create a VPN gateway and enable IPsec-VPN. |
2 | Create a customer gateway | Create a customer gateway and load the configuration of the gateway device in the data center to the customer gateway on Alibaba Cloud. |
3 | Create an IPsec-VPN connection | An IPsec-VPN connection is an encrypted VPN tunnel between a VPN gateway and a gateway device in the data center. Note: when you create an IPsec-VPN connection, select VPN Gateway for Associate Resource. |
4 | Configure local gateways | To connect the data center to the VPN gateway, you must add the configuration of IPsec-VPN to the gateway device in the data center. |
5 | Configure a route for the VPN gateway | You must configure a route that points to the data center for the VPN gateway and advertise the route to the VPC route table. This way, the data center can be connected to the VPC. |
6 | Test the network connectivity | Log on to an ECS instance that is not assigned a public IP address in the VPC. Then, run the ping command to ping the private IP address of a server in the data center. |
Procedure for the scenario in which a transit router is used

Sequence number | Reference | Description |
---|---|---|
1 | Create a CEN instance | Before you create a transit router, you must first create a CEN instance. |
2 | Create a transit router | A transit router is used to forward data. You must create a transit router in the region where the data center is deployed or in a region near the data center. |
3 | Create a customer gateway | Create a customer gateway and load the configuration of the gateway device in the data center to the customer gateway on Alibaba Cloud. |
4 | Create an IPsec-VPN connection | An IPsec-VPN connection is an encrypted VPN tunnel between Alibaba Cloud and a gateway device in the data center. After you associate a transit router with the IPsec-VPN connection, traffic from the data center can be forwarded to the transit router over the IPsec-VPN connection. Note: when you create an IPsec-VPN connection, select CEN or Do Not Associate for Associate Resource. |
5 | Configure local gateways | To connect the data center to Alibaba Cloud, you must add the configuration of IPsec-VPN to the gateway device in the data center. |
6 | Configure a route for an IPsec-VPN connection | You must configure a route that points to the data center for the IPsec-VPN connection and advertise the route to the route table of the transit router. This way, the data center can be connected to the VPC. |
7 | Test the network connectivity | Log on to an ECS instance that is not assigned a public IP address in the VPC. Then, run the ping command to ping the private IP address of a server in the data center. |