This topic describes how to use IPsec-VPN to connect a data center to a virtual private cloud (VPC). After you establish an IPsec-VPN connection, the data center and the VPC can communicate with each other.

Prerequisites

  • An Alibaba Cloud account is created. If you do not have an Alibaba Cloud account, create one.
  • The gateway device in the data center supports the IKEv1 and IKEv2 protocols. All gateway devices that support these protocols can connect to the VPN gateway.
  • A static public IP address is assigned to the gateway device in the data center.
  • The CIDR block of the data center does not overlap with the CIDR block of the VPC.
  • You have read and understood the security group rules that apply to the ECS instances in the VPC, and the security rules allow gateway devices in the data center to access cloud resources. For more information, see Query security group rules.

Background information

The following scenario is used as an example in this topic. An enterprise has created a VPC on Alibaba Cloud. The CIDR block of the VPC is 192.168.0.0/16. The CIDR block of the data center is 172.16.0.0/12. The static public IP address for the gateway device in the data center is 211.XX.XX.68. To meet business requirements, the enterprise needs to connect the data center to the VPC. You can establish an IPsec-VPN connection between the data center and the VPC, as shown in the following figure. This way, the data center and VPC can share resources with each other.
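Before creating anything in the console, the three prerequisites that most often break a connection later (overlapping CIDR blocks, a private address entered as the customer gateway IP, a weak or mistyped pre-shared key) can be checked offline. The following script is an added example, not Alibaba Cloud code; it uses the CIDR blocks from the scenario above, and because the gateway address on this page is masked (211.XX.XX.68) it substitutes a constructed documentation address. The PSK length and character rules are assumptions chosen for illustration.

```python
import ipaddress
import secrets
import string

# Values taken from the scenario in this topic. The data-center gateway
# address is masked on the page (211.XX.XX.68), so a constructed documentation
# address stands in for it here.
VPC_CIDR = "192.168.0.0/16"
DATA_CENTER_CIDR = "172.16.0.0/12"
GATEWAY_PUBLIC_IP = "203.0.113.68"  # constructed placeholder

# RFC 1918 blocks: a customer gateway address inside one of these is almost
# always the device's LAN address typed in place of its public address.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_cidrs(vpc_cidr, dc_cidr):
    """Return a list of problems with the two CIDR blocks (empty when OK).

    The VPN gateway routes by destination, so the two prefixes must not
    overlap; both must also be proper network prefixes (no host bits set).
    """
    try:
        vpc = ipaddress.ip_network(vpc_cidr)  # strict=True rejects host bits
        dc = ipaddress.ip_network(dc_cidr)
    except ValueError as exc:
        return [f"invalid CIDR: {exc}"]
    if vpc.overlaps(dc):
        return [f"{vpc_cidr} overlaps {dc_cidr}"]
    return []


def check_gateway_ip(ip_text):
    """The customer gateway needs a static, publicly routable IPv4 address.

    Loopback, link-local, multicast and RFC 1918 addresses are rejected;
    documentation ranges such as 203.0.113.0/24 deliberately pass so the
    constructed placeholder above can be used in this example.
    """
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError as exc:
        return [f"invalid IP address: {exc}"]
    if ip.version != 4:
        return [f"{ip_text} is not an IPv4 address"]
    if (ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_unspecified or any(ip in net for net in RFC1918)):
        return [f"{ip_text} is not a public address"]
    return []


def generate_psk(length=16):
    """Generate a random pre-shared key from letters and digits (CSPRNG)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def check_psk(psk):
    """Reject keys that are short or contain characters that some gateway
    CLIs mangle (whitespace, non-printable bytes). Assumed policy."""
    problems = []
    if len(psk) < 16:
        problems.append("pre-shared key is shorter than 16 characters")
    if any(c.isspace() or not c.isprintable() for c in psk):
        problems.append("pre-shared key contains whitespace or non-printable characters")
    return problems


def validate_plan(vpc_cidr, dc_cidr, gateway_ip, psk):
    """Run every check and return the combined list of problems."""
    return (check_cidrs(vpc_cidr, dc_cidr)
            + check_gateway_ip(gateway_ip)
            + check_psk(psk))


if __name__ == "__main__":
    psk = generate_psk()
    issues = validate_plan(VPC_CIDR, DATA_CENTER_CIDR, GATEWAY_PUBLIC_IP, psk)
    print("plan OK" if not issues else "\n".join(issues))
```

Run it once with the real values before Step 2 and Step 3; the same pre-shared key string must then be entered on both the IPsec-VPN connection and the gateway device in the data center.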

Procedure

Step 1: Create a VPN gateway

  1. Log on to the VPN gateway console.
  2. On the VPN Gateways page, click Create VPN Gateway.
  3. On the buy page, set the following parameters, click Buy Now, and then complete the payment.
    • Name: Enter a name for the VPN gateway.
    • Region: Select the region where you want to deploy the VPN gateway.
      Note Make sure that the VPC and the VPN gateway are deployed in the same region.
    • VPC: Select the VPC to be associated with the VPN gateway.
    • Specify vSwitch: Specify whether to create the VPN gateway in a vSwitch of the VPC. In this example, No is selected.

      If you select Yes, you must also specify a vSwitch.

    • Peak Bandwidth: Select a maximum bandwidth value for the VPN gateway. Unit: Mbit/s.
    • Traffic: By default, the VPN gateway uses the pay-by-data-transfer billing method. For more information, see Pay-as-you-go.
    • IPsec-VPN: Specify whether to enable IPsec-VPN for the VPN gateway. In this example, Enable is selected.
    • SSL-VPN: Specify whether to enable SSL-VPN. In this example, Disable is selected.
    • Duration: By default, the VPN gateway is billed on an hourly basis. For more billing information, see Pay-as-you-go.
  4. Return to the VPN Gateways page to view the VPN gateway.
    The newly created VPN gateway is in the Preparing state. The VPN gateway changes to the Normal state after about 1 to 5 minutes. After the status changes to Normal, the VPN gateway is ready for use.

Step 2: Create a customer gateway

  1. In the left-side navigation pane, choose VPN > Customer Gateways.
  2. In the top navigation bar, select the region where you want to create the customer gateway.
    Note Make sure that the customer gateway and the VPN gateway to be connected belong to the same region.
  3. On the User Gateway page, click Create Customer Gateway.
  4. On the Create Customer Gateway page, set the following parameters and click OK.
    • Name: Enter a name for the customer gateway.
    • IP Address: Enter the public IP address of the gateway device in the data center that you want to connect to the VPC. In this example, 211.XX.XX.68 is entered.
    • Description: Enter a description for the customer gateway.
    For more information about the related parameters, see Create a customer gateway.

Step 3: Create an IPsec-VPN connection

  1. In the left-side navigation pane, choose VPN > IPsec Connections.
  2. In the top navigation bar, select the region where you want to create the IPsec-VPN connection.
    Note Make sure that the IPsec-VPN connection and the VPN gateway to be connected belong to the same region.
  3. On the IPsec Connections page, click Create IPsec Connection.
  4. On the Create IPsec Connection page, set the following parameters for the IPsec-VPN connection, and click OK.
    • Name: Enter a name for the IPsec-VPN connection.
    • VPN Gateway: Select the VPN gateway that you created.
    • Customer Gateway: Select the customer gateway that you created.
    • Routing Mode: Select a routing mode. In this example, Destination Routing Mode is selected.
    • Effective Immediately: Select whether to immediately start connection negotiations. In this example, No is selected.
      • Yes: immediately starts negotiations after you complete the configuration.
      • No: starts negotiations when traffic is detected.
    • Pre-shared Key: Enter a pre-shared key (PSK). The pre-shared key must be the same as the pre-shared key of the gateway device in the data center.

      If you do not enter a value, the system generates a 16-bit random string by default.

    Use the default settings for other parameters. For more information, see Create an IPsec-VPN connection.

Step 4: Load the configuration of the IPsec-VPN connection to the gateway device in the data center

  1. In the left-side navigation pane, choose VPN > IPsec Connections.
  2. On the IPsec Connections page, find the IPsec-VPN connection that you want to manage, and choose More icon > Download Configuration in the Actions column.
  3. Load the configuration of the IPsec-VPN connection to the gateway device in the data center. For more information, see Configure on-premises gateway devices.

Step 5: Configure routes for the VPN gateway

  1. In the left-side navigation pane, choose VPN > VPN Gateways.
  2. On the VPN Gateway page, find the VPN gateway that you want to manage and click its ID.
  3. On the Destination-based Routing tab, click Add Route Entry.
  4. In the Add Route Entry panel, set the following parameters and click OK.
    • Destination CIDR Block: Enter the CIDR block of the data center. In this example, 172.16.0.0/12 is entered.
    • Next Hop Type: Select IPsec Connection.
    • Next Hop: Select the IPsec-VPN connection that you created.
    • Publish to VPC: Specify whether to automatically advertise new routes to the VPC route table. In this example, Yes is selected.
    • Weight: Select a weight for the route. In this example, 100 is selected.
      • 100: specifies a high priority for the route.
      • 0: specifies a low priority for the route.
      Note If two destination-based routes are configured with the same destination CIDR block, you cannot set the weights of the routes to 100.
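The route rules in this step (the destination must not overlap the VPC, the next hop must be the IPsec-VPN connection, and two routes for the same destination cannot both have weight 100) can be checked before entries are added. The following is an added example, not Alibaba Cloud code; the route entries are constructed to mirror the Add Route Entry fields, and the connection names ipsec-conn-main and ipsec-conn-backup are hypothetical.

```python
import ipaddress

VPC_CIDR = "192.168.0.0/16"

# Constructed route entries mirroring the fields in the Add Route Entry panel.
# "ipsec-conn-main" is a hypothetical connection name, not one from the page.
ROUTES = [
    {"destination": "172.16.0.0/12", "next_hop_type": "IPsec Connection",
     "next_hop": "ipsec-conn-main", "publish_to_vpc": True, "weight": 100},
]


def validate_routes(routes, vpc_cidr):
    """Return a list of problems with a set of destination-based routes.

    Checks: each destination is a valid prefix that does not overlap the VPC,
    the next hop type is IPsec Connection, weights are 0 or 100, and no
    destination has more than one route with weight 100.
    """
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr)
    by_destination = {}
    for route in routes:
        dest_text = route["destination"]
        try:
            dest = ipaddress.ip_network(dest_text)
        except ValueError as exc:
            problems.append(f"invalid destination CIDR: {exc}")
            continue
        if dest.overlaps(vpc):
            problems.append(f"{dest_text} overlaps the VPC CIDR {vpc_cidr}")
        if route["next_hop_type"] != "IPsec Connection":
            problems.append(f"{dest_text}: next hop type must be IPsec Connection")
        if route["weight"] not in (0, 100):
            problems.append(f"{dest_text}: weight must be 0 or 100")
        by_destination.setdefault(str(dest), []).append(route)
    # Two routes to the same destination form an active/standby pair only
    # when exactly one of them carries the high priority (100).
    for dest_text, entries in by_destination.items():
        high = [e for e in entries if e["weight"] == 100]
        if len(entries) > 1 and len(high) > 1:
            problems.append(f"{dest_text}: more than one route has weight 100")
    return problems


if __name__ == "__main__":
    issues = validate_routes(ROUTES, VPC_CIDR)
    print("routes OK" if not issues else "\n".join(issues))
```

An active/standby pair for the data center (one route with weight 100 and a second, to a backup connection, with weight 0) passes; two routes for 172.16.0.0/12 that both carry weight 100 are reported.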

Step 6: Test the connectivity

  1. Log on to an ECS instance that is not assigned a public address in the VPC. For more information about how to log on to an ECS instance, see Methods used to connect to ECS instances.
  2. Run the ping command to access a server in the data center and test the connectivity.
    Test the connectivity of an IPsec-VPN connection