This topic describes how to use IPsec-VPN to connect a data center to a virtual private
cloud (VPC). After you establish an IPsec-VPN connection, the data center and the
VPC can communicate with each other.
Prerequisites
- An Alibaba Cloud account is created. If you do not have an Alibaba Cloud account,
create one.
- The gateway device in the data center supports the IKEv1 or IKEv2 protocol. Any gateway
device that supports one of these protocols can connect to the VPN gateway.
- A static public IP address is assigned to the gateway device in the data center.
- The CIDR block of the data center does not overlap with the CIDR block of the VPC.
- You have read and understood the security group rules that apply to the ECS instances
in the VPC, and the rules allow the gateway device in the data center to access the
cloud resources. For more information, see Query security group rules.
Background information
The following scenario is used as an example in this topic. An enterprise has created
a VPC on Alibaba Cloud. The CIDR block of the VPC is 192.168.0.0/16. The CIDR block
of the data center is 172.16.0.0/12. The static public IP address for the gateway
device in the data center is 211.XX.XX.68. To meet business requirements, the enterprise
needs to connect the data center to the VPC. You can establish an IPsec-VPN connection
between the data center and the VPC, as shown in the following figure. This way, the
data center and VPC can share resources with each other.
Step 1: Create a VPN gateway
- Log on to the VPN gateway console.
- On the VPN Gateways page, click Create VPN Gateway.
- On the buy page, set the following parameters, click Buy Now, and then complete the payment.
- Return to the VPN Gateways page to view the VPN gateway.
The newly created VPN gateway is in the Preparing state. The VPN gateway changes to the Normal state after about 1 to 5 minutes. After the status changes to Normal, the VPN gateway is ready for use.
Step 2: Create a customer gateway
- In the left-side navigation pane, choose .
- In the top navigation bar, select the region where you want to create the customer
gateway.
Note Make sure that the customer gateway and the VPN gateway to be connected belong to
the same region.
- On the User Gateway page, click Create Customer Gateway.
- On the Create Customer Gateway page, set the following parameters and click OK.
- Name: Enter a name for the customer gateway.
- IP Address: Enter the public IP address of the gateway device in the data center that you want
to connect to the VPC. In this example, 211.XX.XX.68 is entered.
- Description: Enter a description for the customer gateway.
For more information about the related parameters, see
Create a customer gateway.
Step 3: Create an IPsec-VPN connection
- In the left-side navigation pane, choose .
- In the top navigation bar, select the region where you want to create the IPsec-VPN
connection.
Note Make sure that the IPsec-VPN connection and the VPN gateway to be connected belong
to the same region.
- On the IPsec Connections page, click Create IPsec Connection.
- On the Create IPsec Connection page, set the following parameters for the IPsec-VPN connection, and click OK.
Step 4: Load the configuration of the IPsec-VPN connection to the gateway device in
the data center
- In the left-side navigation pane, choose .
- On the IPsec Connections page, find the IPsec-VPN connection that you want to manage, and choose in the Actions column.
- Load the configuration of the IPsec-VPN connection to the gateway device in the data
center. For more information, see Configure on-premises gateway devices.
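The following is an added example, not code from Alibaba Cloud or from this topic. It checks the two network prerequisites listed above (the data center CIDR block must not overlap with the VPC CIDR block, and the gateway device must have a public, non-RFC 1918 address) and then renders the configuration that Step 4 loads onto the data center gateway, in strongSwan swanctl.conf format. The VPN gateway public IP (198.51.100.10), the pre-shared key, the IKE and ESP proposals, and the use of IKEv2 are assumptions; they must match the values you chose in Step 3. Because 211.XX.XX.68 is a placeholder that cannot be parsed as an address, the example uses 203.0.113.68 as a constructed stand-in for the data center gateway.

```python
# Added example, not part of the Alibaba Cloud topic.
# Validates the prerequisites for the IPsec-VPN connection and renders a
# strongSwan swanctl.conf for the on-premises gateway device.
import ipaddress
import textwrap

# RFC 1918 ranges: a gateway addressed from one of these is behind NAT and
# does not satisfy the "static public IP address" prerequisite.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_prerequisites(dc_cidr, vpc_cidr, dc_gateway_ip):
    """Return a list of prerequisite violations; an empty list means OK."""
    problems = []
    try:
        # strict=True (the default) rejects CIDRs with host bits set,
        # e.g. 172.16.0.1/12, which the console would also refuse.
        dc = ipaddress.ip_network(dc_cidr)
        vpc = ipaddress.ip_network(vpc_cidr)
    except ValueError as exc:
        return [f"malformed CIDR block: {exc}"]
    if dc.overlaps(vpc):
        problems.append(f"data center {dc} overlaps VPC {vpc}")
    gw = ipaddress.ip_address(dc_gateway_ip)
    if any(gw in net for net in RFC1918):
        problems.append(f"gateway {gw} is an RFC 1918 address, not a public IP")
    return problems


def render_swanctl_conf(dc_gateway_ip, vpn_gateway_ip, dc_cidr, vpc_cidr, psk,
                        ike_proposal="aes128-sha1-modp1024",   # assumption
                        esp_proposal="aes128-sha1-modp1024",   # assumption
                        ike_version=2):                        # assumption
    """Render a strongSwan swanctl.conf for the data center side of the tunnel.

    The traffic selectors come from the CIDR blocks in this topic; the
    proposals and IKE version must match the IPsec-VPN connection from Step 3.
    """
    return textwrap.dedent(f"""\
        connections {{
            alibaba-vpc {{
                version = {ike_version}
                local_addrs = {dc_gateway_ip}
                remote_addrs = {vpn_gateway_ip}
                proposals = {ike_proposal}
                dpd_delay = 30s
                local {{
                    auth = psk
                    id = {dc_gateway_ip}
                }}
                remote {{
                    auth = psk
                    id = {vpn_gateway_ip}
                }}
                children {{
                    dc-to-vpc {{
                        local_ts = {dc_cidr}
                        remote_ts = {vpc_cidr}
                        esp_proposals = {esp_proposal}
                        start_action = start
                        dpd_action = restart
                    }}
                }}
            }}
        }}
        secrets {{
            ike-alibaba-vpc {{
                id = {vpn_gateway_ip}
                secret = "{psk}"
            }}
        }}
        """)


if __name__ == "__main__":
    # Values from this topic, with constructed stand-ins for the placeholders.
    DC_CIDR, VPC_CIDR = "172.16.0.0/12", "192.168.0.0/16"
    DC_GW, VPN_GW = "203.0.113.68", "198.51.100.10"   # constructed
    problems = check_prerequisites(DC_CIDR, VPC_CIDR, DC_GW)
    if problems:
        raise SystemExit("\n".join(problems))
    # Read the PSK from a secret store in practice; never commit it.
    print(render_swanctl_conf(DC_GW, VPN_GW, DC_CIDR, VPC_CIDR, psk="change-me"))
```

Write the rendered text to /etc/swanctl/swanctl.conf on the gateway device, then run `swanctl --load-all`, bring the tunnel up with `swanctl --initiate --child dc-to-vpc`, and confirm that both the IKE SA and the child SA are established with `swanctl --list-sas` before moving on to Step 5.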
Step 5: Configure routes for the VPN gateway
- In the left-side navigation pane, choose .
- On the VPN Gateway page, find the VPN gateway that you want to manage and click its ID.
- On the Destination-based Routing tab, click Add Route Entry.
- In the Add Route Entry panel, set the following parameters and click OK.
- Destination CIDR Block: Enter the CIDR block of the data center. In this example, 172.16.0.0/12 is entered.
- Next Hop Type: Select IPsec Connection.
- Next Hop: Select the IPsec-VPN connection that you created.
- Publish to VPC: Specify whether to automatically advertise new routes to the VPC route table. In
this example, Yes is selected.
- Weight: Select a weight for the route. In this example, 100 is selected.
- 100: specifies a high priority for the route.
- 0: specifies a low priority for the route.
Note If two destination-based routes are configured with the same destination CIDR block,
the weights of both routes cannot be set to 100.
Step 6: Test the connectivity
- Log on to an ECS instance that is not assigned a public address in the VPC. For more
information about how to log on to an ECS instance, see Methods used to connect to ECS instances.
- Run the ping command to access a server in the data center and test the connectivity. If the ping fails, check the security group rules listed in the prerequisites, the route entry added in Step 5, and whether the gateway device in the data center shows the IPsec tunnel as established.