This topic describes how to use IPsec-VPN to connect a data center to a virtual private cloud (VPC). After you establish an IPsec-VPN connection, the data center and the VPC can communicate with each other.

Prerequisites

  • An Alibaba Cloud account is created. If you do not have an Alibaba Cloud account, create one.
  • The gateway device in the data center supports the IKEv1 and IKEv2 protocols. All gateway devices that support these protocols can connect to the VPN gateway.
  • A static public IP address is assigned to the gateway device in the data center.
  • The CIDR block of the data center does not overlap with the CIDR block of the VPC.
  • You have read and understood the security group rules that apply to the ECS instances in the VPC, and the security group rules allow traffic from the data center CIDR block to reach the cloud resources (for the connectivity test in Step 6, this includes ICMP). For more information, see Query security group rules and Add a security group rule.

Background information

The following scenario is used as an example. An enterprise has created a VPC on Alibaba Cloud. The CIDR block of the VPC is 192.168.0.0/16. The CIDR block of the data center is 172.16.0.0/12. The static public IP address of the gateway device in the data center is 211.XX.XX.68. To meet business requirements, the enterprise needs to connect the data center to the VPC. You can establish an IPsec-VPN connection between the data center and the VPC, as shown in the following figure. This way, the data center can communicate with the VPC.

Procedure

Step 1: Create a VPN gateway

  1. Log on to the VPN gateway console.
  2. On the VPN Gateways page, click Create VPN Gateway.
  3. On the buy page, set the following parameters, click Buy Now, and then complete the payment.
    • Name: Enter a name for the VPN gateway. In this example, VPN Gateway 1 is used.
    • Region: Select the region where you want to deploy the VPN gateway.
      Note The VPN gateway must belong to the same region as the VPC.
    • Network Type: Select the network type of the VPN gateway. In this example, Public is selected.
    • VPC: Select the VPC with which you want to associate the VPN gateway.
    • Specify VSwitch: Specify whether to deploy the VPN gateway in a specified vSwitch of the VPC.
    • Maximum Bandwidth: Specify the maximum bandwidth of the VPN gateway. Unit: Mbit/s.
    • Traffic: Select a metering method for the VPN gateway. Default value: Pay-by-data-transfer. For more information, see Pay-as-you-go.
    • IPsec-VPN: Specify whether to enable IPsec-VPN. In this example, Enable is selected.
    • SSL-VPN: Specify whether to enable SSL-VPN. In this example, Disable is selected.
    • Duration: Specify the billing cycle. Default value: By Hour.
    • Service-linked Role: Click Create Service-linked Role; the system then automatically creates the service-linked role AliyunServiceRoleForVpn. For more information about how the VPN gateway assumes this role to access other cloud resources, see AliyunServiceRoleForVpn. If Created is displayed, the service-linked role already exists and you do not need to create it again.

    For more information, see Create a VPN gateway.
  4. Return to the VPN Gateways page to view the VPN gateway.
    A newly created VPN gateway is in the Preparing state. The VPN gateway enters the Normal state after about 1 to 5 minutes. After the VPN gateway enters the Normal state, the VPN gateway is ready for use.

Step 2: Create a customer gateway

  1. In the left-side navigation pane, choose Interconnections > VPN > Customer Gateways.
  2. In the top navigation bar, select the region where you want to create the customer gateway.
    Note Make sure that the customer gateway and the VPN gateway to be connected are deployed in the same region.
  3. On the Customer Gateways page, click Create Customer Gateway.
  4. In the Create Customer Gateway panel, configure the customer gateway based on the following information and click OK:
    • Name: Enter a name for the customer gateway.

      In this example, Customer Gateway 1 is used.

    • IP Address: Enter the public IP address of the gateway device in the data center that you want to connect to the VPC.

      In this example, 211.XX.XX.68 is used.

    For more information, see Create a customer gateway.

Step 3: Create an IPsec-VPN connection

  1. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.
  2. In the top navigation bar, select the region where you want to create the IPsec-VPN connection.
    Note Make sure that the IPsec-VPN connection and the VPN gateway to be connected are deployed in the same region.
  3. On the IPsec Connections page, click Create IPsec Connection.
  4. On the Create IPsec Connection page, set the following parameters for the IPsec-VPN connection, and click OK.
    • Name: Enter a name for the IPsec-VPN connection. In this example, IPsec Connection 1 is used.
    • VPN Gateway: Select the VPN gateway that you created. In this example, VPN Gateway 1 is selected.
    • Customer Gateway: Select the customer gateway that you created. In this example, Customer Gateway 1 is selected.
    • Routing Mode: Select a routing mode. In this example, Destination Routing Mode is selected.
    • Effective Immediately: Specify whether to start IKE negotiation as soon as the configuration is complete.
      • Yes: starts negotiation after the configuration is completed.
      • No: starts negotiation only when inbound traffic is detected.
      In this example, Yes is selected.
    • Pre-Shared Key: Enter a pre-shared key. If you do not enter a value, the system generates a random 16-character string as the pre-shared key. The pre-shared key is the only credential that authenticates the two gateways to each other, so use a long value from a secure random source and share it with the data center administrator out of band rather than by email or chat.
      Notice Make sure that the on-premises device and the IPsec-VPN connection use the same pre-shared key.

    Use the default settings for the other parameters. For more information, see Create an IPsec-VPN connection.

Step 4: Load the configuration of the IPsec-VPN connection to the gateway device in the data center

  1. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.
  2. On the IPsec Connections page, find the IPsec-VPN connection that you want to manage, and choose More > Download Configuration in the Actions column.
  3. Load the configuration of the IPsec-VPN connection to the gateway device in the data center. The downloaded file contains the peer address, identifiers, pre-shared key and IKE/IPsec proposals that the on-premises side must match exactly. For more information, see Configure on-premises gateway devices.

Step 5: Configure routes for the VPN gateway

  1. In the left-side navigation pane, choose Interconnections > VPN > VPN Gateways.
  2. On the VPN Gateways page, find the VPN gateway that you want to manage and click its ID.
  3. On the Destination-based Routing tab, click Add Route Entry.
  4. In the Add Route Entry panel, set the following parameters and click OK.
    • Destination CIDR Block: Enter the CIDR block of the data center that is to be reached through the tunnel. In this example, 172.16.0.0/12 is used.
    • Next Hop Type: Select the next hop type. In this example, IPsec Connection is selected.
    • Next Hop: Select the IPsec-VPN connection that you created.
    • Publish to VPC: Specify whether to advertise the route to the route table of the VPC that is associated with the VPN gateway. In this example, Yes is selected. If the route is not advertised, ECS instances in the VPC have no route to 172.16.0.0/12 and the connectivity test in Step 6 fails.
    • Weight: Select a weight for the route. Valid values:
      • 100: specifies a high priority for the route.
      • 0: specifies a low priority for the route.
      The default value 100 is used in this example.

Step 6: Test the network connectivity

  1. Log on to an ECS instance in the VPC that does not have a public IP address. For more information about how to log on to an ECS instance, see Connection methods.
  2. Run the ping command to ping a server in the data center to test the network connectivity.
    If you receive echo reply packets, the connection is established. If you do not, check that the IPsec-VPN connection has completed negotiation, that the security group of the ECS instance allows ICMP from 172.16.0.0/12, that the route added in Step 5 was advertised to the VPC route table, and that the gateway device in the data center routes 192.168.0.0/16 into the tunnel.
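The following Python script works through the data center side of this procedure: it checks the prerequisites (non-overlapping CIDR blocks, a real public address for the customer gateway), generates and vets a pre-shared key for Step 3, and renders the on-premises configuration that Step 4 asks you to load. It is an added example, not Alibaba Cloud code and not the file you download from the console. It assumes the data center gateway runs strongSwan and is configured in the swanctl format; the VPN gateway's public IP is not given in this topic, so an RFC 5737 documentation address (203.0.113.1) stands in for it, and the IKE/ESP proposal strings, the use of public IPs as peer identifiers, and the DPD settings are assumptions that must be replaced with the values in the downloaded configuration file.

```python
"""Pre-flight checks, pre-shared key handling and the data center side of the
IPsec-VPN connection described in this topic (added example, not Alibaba Cloud code).
Assumes the data center gateway runs strongSwan and is configured via swanctl."""
import ipaddress
import secrets
import textwrap

# Values from the topic's example topology.
VPC_CIDR = "192.168.0.0/16"            # Alibaba Cloud VPC
DC_CIDR = "172.16.0.0/12"              # data center
DC_GATEWAY_IP = "211.XX.XX.68"         # placeholder exactly as printed in the topic
# Assumption: the VPN gateway's public IP is not given in the topic; an RFC 5737
# documentation address stands in for it here. Take the real one from the console.
VPN_GATEWAY_IP = "203.0.113.1"


def check_prerequisites(vpc_cidr: str, dc_cidr: str, dc_gateway_ip: str) -> list:
    """Return the prerequisite violations found (an empty list means all good)."""
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    dc = ipaddress.ip_network(dc_cidr, strict=True)
    if vpc.overlaps(dc):
        # Overlapping blocks cannot be routed through the tunnel unambiguously.
        problems.append(f"CIDR blocks overlap: {vpc} and {dc}")
    try:
        ip = ipaddress.ip_address(dc_gateway_ip)
    except ValueError:
        problems.append(f"{dc_gateway_ip!r} is a placeholder, not a real static public address")
    else:
        if not ip.is_global:
            # IKE/ESP from the VPN gateway must reach the device directly, so an
            # RFC 1918 or other non-routable address cannot be the customer gateway IP.
            problems.append(f"{ip} is not a public address")
    return problems


def psk_is_strong(psk: str, min_len: int = 16) -> bool:
    """Rough heuristic: at least min_len characters and more than one character class.
    The console-generated key is 16 characters; anything shorter or word-like is an
    offline dictionary-attack target if the IKE exchange is ever captured."""
    classes = (
        any(c.islower() for c in psk),
        any(c.isupper() for c in psk),
        any(c.isdigit() for c in psk),
        any(not c.isalnum() for c in psk),
    )
    return len(psk) >= min_len and sum(classes) >= 2


def generate_psk(nbytes: int = 32) -> str:
    """Generate a pre-shared key from the OS CSPRNG (43 URL-safe characters for 32 bytes)."""
    while True:
        psk = secrets.token_urlsafe(nbytes)
        if psk_is_strong(psk):
            return psk


def render_swanctl_conf(local_ip, peer_ip, local_cidr, remote_cidr, psk,
                        ike_version=2,
                        ike_proposal="aes256-sha256-modp2048",   # assumption: replace with
                        esp_proposal="aes256-sha256-modp2048"):  # the downloaded values
    """Return a swanctl.conf for the data center gateway (policy-based tunnel).
    Peer IDs are assumed to be the public IPs; check the downloaded configuration."""
    return textwrap.dedent(f"""\
        # /etc/swanctl/conf.d/alicloud-vpc.conf
        connections {{
            alicloud-vpc {{
                version = {ike_version}
                local_addrs = {local_ip}
                remote_addrs = {peer_ip}
                proposals = {ike_proposal}
                dpd_delay = 30s
                local {{
                    auth = psk
                    id = {local_ip}
                }}
                remote {{
                    auth = psk
                    id = {peer_ip}
                }}
                children {{
                    vpc {{
                        local_ts = {local_cidr}
                        remote_ts = {remote_cidr}
                        esp_proposals = {esp_proposal}
                        start_action = start
                        dpd_action = restart
                    }}
                }}
            }}
        }}
        secrets {{
            ike-alicloud-vpc {{
                id-1 = {local_ip}
                id-2 = {peer_ip}
                secret = "{psk}"
            }}
        }}
        """)


if __name__ == "__main__":
    for problem in check_prerequisites(VPC_CIDR, DC_CIDR, DC_GATEWAY_IP):
        print("prerequisite:", problem)
    psk = generate_psk()  # enter this same value as Pre-Shared Key in Step 3
    print(render_swanctl_conf(DC_GATEWAY_IP, VPN_GATEWAY_IP, DC_CIDR, VPC_CIDR, psk))
```

Run as a script it reports that 211.XX.XX.68 is still a placeholder and prints the configuration. On the strongSwan gateway, load the file with swanctl --load-all; once negotiation completes, swanctl --list-sas shows the IKE_SA and the vpc CHILD_SA, which is the data center counterpart of the ping test in Step 6. strongSwan installs the kernel policy for 192.168.0.0/16 itself; a different gateway product needs an explicit route for the VPC CIDR block into the tunnel, mirroring the route you add on the cloud side in Step 5.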