This topic describes how to use IPsec-VPN to establish an IPsec-VPN connection between a data center and a virtual private cloud (VPC).

Select the resource with which you want to associate the IPsec-VPN connection

You can associate a VPN gateway or a transit router with an IPsec-VPN connection. Both a VPN gateway and a transit router can be used to connect a data center to a VPC. However, the features supported are different, as described in the following table. Select a VPN gateway or a transit router based on your requirements.

VPN gateway
  • Supported network types: public and private
  • Supported encryption algorithms: general algorithm and ShangMi (SM) algorithm
  • Method to implement high availability: active/standby connection (as shown in Figure 1)
Transit router
  • Supported network types: public and private
  • Supported encryption algorithms: general algorithm
  • Method to implement high availability: equal-cost multi-path (ECMP) routing (as shown in Figure 2)

Figure 1 (active/standby connections to a VPN gateway; image not reproduced)
Figure 2 (ECMP routing to a transit router; image not reproduced)
Figure 3 (image not reproduced)

Limits

  • You can associate a transit router with an IPsec-VPN connection only in the following regions: China (Beijing), China (Shanghai), Singapore (Singapore), Malaysia (Kuala Lumpur), Australia (Sydney), US (Silicon Valley), and US (Virginia). To associate a transit router with an IPsec-VPN connection, submit a ticket to apply for the required permissions.
  • Only an Enterprise Edition transit router can be associated with an IPsec-VPN connection.

Prerequisites

Before you use IPsec-VPN to connect a data center to a VPC, make sure that the following requirements are met:
  • The gateway device in the data center supports IKEv1 or IKEv2.

    IPsec-VPN supports both the IKEv1 and IKEv2 protocols. Any gateway device that supports at least one of them can be used to establish an IPsec-VPN connection to a VPC. Prefer IKEv2 where the device supports it.

  • The CIDR block of the data center does not overlap with the CIDR block of the VPC.
  • The security group rules applied to the Elastic Compute Service (ECS) instances in the VPC allow the gateway device in the data center to access cloud resources. Restrict these rules to the CIDR block of the data center and to the ports that are actually required instead of allowing all traffic. For more information, see Query security group rules and Add a security group rule.

Procedure

The procedure for configuring IPsec-VPN varies based on the instance associated with the IPsec-VPN connection. The following section describes the procedures in different scenarios.

Procedure for the scenario in which a VPN gateway is used

Procedure 1
1. Create a VPN gateway: when you create the VPN gateway, enable IPsec-VPN.
2. Create a customer gateway: create a customer gateway and load the configuration of the gateway device in the data center to the customer gateway on Alibaba Cloud.
3. Create an IPsec-VPN connection: an IPsec-VPN connection is a VPN tunnel between the VPN gateway and the gateway device in the data center.
   Note: When you create the IPsec-VPN connection, select VPN Gateway for Associate Resource.
4. Configure the gateway device in the data center: to connect the data center to the VPN gateway, add the IPsec-VPN configuration to the gateway device in the data center.
5. Configure a route for the VPN gateway: configure a route that points to the data center on the VPN gateway and advertise the route to the VPC route table. This way, the data center can be connected to the VPC.
6. Test the connectivity: log on to an ECS instance in the VPC that is not assigned a public IP address, then run the ping command to ping the private IP address of a server in the data center.

Procedure for the scenario in which a transit router is used

Procedure 2
1. Create a Cloud Enterprise Network (CEN) instance: before you create a transit router, you must first create a CEN instance.
2. Create a transit router: a transit router is used to forward data. Create the transit router in the region where the data center is deployed or in a region near the data center.
3. Create a customer gateway: create a customer gateway and load the configuration of the gateway device in the data center to the customer gateway on Alibaba Cloud.
4. Create an IPsec-VPN connection: an IPsec-VPN connection is a VPN tunnel between Alibaba Cloud and the gateway device in the data center.

   After you associate a transit router with the IPsec-VPN connection, traffic from the data center can be forwarded to the transit router over the IPsec-VPN connection.

   Note: When you create the IPsec-VPN connection, select CEN or Do Not Associate for Associate Resource.
5. Configure the gateway device in the data center: to connect the data center to Alibaba Cloud, add the IPsec-VPN configuration to the gateway device in the data center.
6. Configure a route for the IPsec-VPN connection: configure a route that points to the data center for the IPsec-VPN connection and advertise the route to the VPC route table. This way, the data center can be connected to the VPC.
7. Test the connectivity: log on to an ECS instance in the VPC that is not assigned a public IP address, then run the ping command to ping the private IP address of a server in the data center.
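The following added example is not part of this topic and is not Alibaba Cloud tooling. It ties together the prerequisites above and the "configure the gateway device in the data center" step of both procedures: it checks that the data center and VPC CIDR blocks do not overlap, rejects IKE/ESP proposals that contain weak algorithms, and renders a strongSwan swanctl.conf for an on-premises gateway device that runs strongSwan. The IP addresses, CIDR blocks, proposals and pre-shared key are constructed placeholders, the connection and child names are arbitrary, and the use of public IP addresses as Local ID and Remote ID is an assumption that must match the values configured on the IPsec-VPN connection.

```python
"""Render a strongSwan swanctl.conf for the data-center gateway device after
checking the IPsec-VPN parameters (added example, not Alibaba Cloud code).
Assumes the on-premises gateway runs strongSwan 5.x with swanctl."""
import ipaddress
from dataclasses import dataclass
from typing import List

# Algorithms that must not appear in a proposal: DES/3DES, MD5 and SHA-1 are
# broken or deprecated, and DH groups below 2048 bits are too small.
WEAK_ALGORITHMS = {"des", "3des", "md5", "sha1", "modp768", "modp1024", "modp1536"}


@dataclass
class VpnParams:
    local_public_ip: str       # public IP of the data-center gateway (customer gateway)
    remote_public_ip: str      # VPN gateway / transit router IPsec address from the console
    local_cidrs: List[str]     # data-center CIDR blocks
    remote_cidrs: List[str]    # VPC CIDR blocks
    psk: str                   # pre-shared key set on the IPsec-VPN connection
    ike_version: int = 2       # IPsec-VPN supports IKEv1 and IKEv2; prefer IKEv2
    ike_proposal: str = "aes256-sha256-modp2048"
    esp_proposal: str = "aes256-sha256-modp2048"   # trailing DH group enables PFS


def check_no_overlap(local_cidrs, remote_cidrs):
    """Prerequisite check: return every (local, remote) pair that overlaps."""
    conflicts = []
    for a in local_cidrs:
        for b in remote_cidrs:
            if ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b)):
                conflicts.append((a, b))
    return conflicts


def weak_algorithms(proposal):
    """Return the weak algorithm names found in a strongSwan proposal string."""
    return sorted(alg for alg in proposal.lower().split("-") if alg in WEAK_ALGORITHMS)


def render_swanctl(p: VpnParams) -> str:
    """Validate the parameters and return the swanctl.conf text."""
    conflicts = check_no_overlap(p.local_cidrs, p.remote_cidrs)
    if conflicts:
        raise ValueError(f"data-center and VPC CIDR blocks overlap: {conflicts}")
    weak = weak_algorithms(p.ike_proposal) + weak_algorithms(p.esp_proposal)
    if weak:
        raise ValueError(f"weak algorithms in proposal: {weak}")
    if p.ike_version not in (1, 2):
        raise ValueError("IKE version must be 1 or 2")
    if len(p.psk) < 16:  # assumed minimum; use a long random key in practice
        raise ValueError("pre-shared key is too short")
    # The local/remote ids must equal the Local ID / Remote ID values configured
    # on the IPsec-VPN connection (assumed here to be the public IP addresses).
    lines = [
        "connections {",
        "    alicloud-vpc {",
        f"        version = {p.ike_version}",
        f"        local_addrs = {p.local_public_ip}",
        f"        remote_addrs = {p.remote_public_ip}",
        f"        proposals = {p.ike_proposal}",
        "        dpd_delay = 10s",
        "        rekey_time = 24h",
        "        local {",
        "            auth = psk",
        f"            id = {p.local_public_ip}",
        "        }",
        "        remote {",
        "            auth = psk",
        f"            id = {p.remote_public_ip}",
        "        }",
        "        children {",
        "            dc-to-vpc {",
        f"                local_ts = {','.join(p.local_cidrs)}",
        f"                remote_ts = {','.join(p.remote_cidrs)}",
        f"                esp_proposals = {p.esp_proposal}",
        "                start_action = start",
        "                dpd_action = restart",
        "                rekey_time = 1h",
        "            }",
        "        }",
        "    }",
        "}",
        "secrets {",
        "    ike-alicloud {",
        f"        id = {p.remote_public_ip}",
        f'        secret = "{p.psk}"',
        "    }",
        "}",
    ]
    return "\n".join(lines) + "\n"


def example_params() -> VpnParams:
    """Constructed sample values (documentation address ranges, not real hosts)."""
    return VpnParams(
        local_public_ip="203.0.113.10",
        remote_public_ip="198.51.100.20",
        local_cidrs=["10.10.0.0/16"],
        remote_cidrs=["192.168.0.0/16"],
        psk="constructed-example-psk-change-me",
    )


if __name__ == "__main__":
    print(render_swanctl(example_params()))
```

Write the output to /etc/swanctl/conf.d/alicloud-vpc.conf on the gateway device, run `swanctl --load-all`, and bring the tunnel up with `swanctl --initiate --child dc-to-vpc`. The IKE and ESP proposals, IKE version, pre-shared key and Local ID/Remote ID must match the values configured on the IPsec-VPN connection in the console exactly; a mismatch is the most common reason the connection never reaches the ESTABLISHED state.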