This topic describes how to use IPsec-VPN to connect a data center to a virtual private cloud (VPC). After you establish an IPsec-VPN connection, the data center and the VPC can communicate with each other.
Prerequisites
- An Alibaba Cloud account is created. If you do not have an Alibaba Cloud account, create one.
- The gateway device in the data center supports the IKEv1 and IKEv2 protocols. All gateway devices that support these protocols can connect to a VPN gateway.
- A static public IP address is assigned to the gateway device in the data center.
- The CIDR block of the data center does not overlap with the CIDR block of the VPC.
- You have read and understand the security group rules that apply to the ECS instances in VPCs, and the security group rules allow gateway devices in the data center to access cloud resources. For more information, see Query security group rules and Add a security group rule.
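The address-related prerequisites above (non-overlapping CIDR blocks and a public gateway address) can be checked before any resource is created. The following script is an added example, not part of the original topic or an Alibaba Cloud tool; the function names are hypothetical, the CIDR blocks are those of this topic's example scenario, and 8.8.8.8 is a constructed stand-in for the masked gateway address.

```python
import ipaddress


def parse_cidr(label, cidr, problems):
    """Parse strictly so a block with host bits set (172.16.1.0/12) is rejected."""
    try:
        return ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        problems.append(f"{label} CIDR {cidr!r} is invalid: {exc}")
        return None


def preflight(vpc_cidrs, dc_cidrs, gateway_ip):
    """Return the list of violated prerequisites; an empty list means pass."""
    problems = []
    vpc = [parse_cidr("VPC", c, problems) for c in vpc_cidrs]
    dc = [parse_cidr("data center", c, problems) for c in dc_cidrs]

    # Overlapping ranges make routes ambiguous: traffic meant for the tunnel
    # may be delivered locally instead, or the reverse.
    for v in (n for n in vpc if n is not None):
        for d in (n for n in dc if n is not None):
            if v.version == d.version and v.overlaps(d):
                problems.append(f"VPC {v} and data center {d} overlap")

    # The customer gateway must be reachable from the Internet. is_global also
    # rejects 100.64.0.0/10 (carrier-grade NAT), which is_private does not flag.
    # Whether the address is static cannot be derived from its value.
    try:
        if not ipaddress.ip_address(gateway_ip).is_global:
            problems.append(f"gateway IP {gateway_ip} is not publicly routable")
    except ValueError:
        problems.append(f"gateway IP {gateway_ip!r} is not an IP address")
    return problems


if __name__ == "__main__":
    # CIDR blocks from this topic's scenario. The page masks the gateway
    # address (211.XX.XX.68), so 8.8.8.8 is a constructed stand-in.
    result = preflight(["192.168.0.0/16"], ["172.16.0.0/12"], "8.8.8.8")
    for issue in result or ["all checks passed"]:
        print(issue)
```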
Background information
The following scenario is used as an example in this topic. An enterprise has created a VPC on Alibaba Cloud. The CIDR block of the VPC is 192.168.0.0/16. The CIDR block of the data center is 172.16.0.0/12. The static public IP address of the gateway device in the data center is 211.XX.XX.68. To meet business requirements, the enterprise needs to connect the data center to the VPC. You can establish an IPsec-VPN connection between the data center and the VPC, as shown in the following figure. This way, the data center can communicate with the VPC.

Step 1: Create a VPN gateway
Step 2: Create a customer gateway
Step 3: Create an IPsec-VPN connection
Step 4: Load the configuration of the IPsec-VPN connection to the gateway device in the data center
- In the left-side navigation pane, choose .
- On the IPsec Connections page, find the IPsec-VPN connection that you want to manage, and choose in the Actions column.
- Load the configuration of the IPsec-VPN connection to the gateway device in the data center. For more information, see Configure on-premises gateway devices.