This topic describes how to establish an IPsec-VPN connection between a virtual private cloud (VPC) and a data center, and how to configure Border Gateway Protocol (BGP) dynamic routing for the VPC and the data center to automatically learn routes. This way, the VPC and the data center can share resources with each other. This reduces network maintenance costs and network configuration errors.

Scenarios

The following scenario is used in this topic. An enterprise created a VPC in the Germany (Frankfurt) region. The private CIDR block of the VPC is 10.0.0.0/8 and the autonomous system number (ASN) is 65530. The enterprise has a data center in Frankfurt. The public IP address of the data center is 2.XX.XX.2, the private CIDR block is 172.17.0.0/16, and the ASN is 65531. The enterprise wants to establish a connection between the VPC and the data center for business development.
You can use IPsec-VPN to establish a connection between the VPC and the data center, and configure BGP dynamic routing. After the configuration is completed, the VPC and the data center can automatically learn routes and communicate with each other by using BGP. This reduces network maintenance costs and network configuration errors.
Note An autonomous system (AS) is an independently administered network unit that decides on its own which routing protocol to use within the system. It may consist of a single network or a group of networks controlled by one or more network administrators. Each AS has a globally unique identifier called an ASN.
Architecture

Regions that support BGP dynamic routing

Asia Pacific: China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Shenzhen), China (Hong Kong), Japan (Tokyo), Singapore (Singapore), Australia (Sydney), Malaysia (Kuala Lumpur), Indonesia (Jakarta), and India (Mumbai)
Europe & Americas: Germany (Frankfurt), UK (London), US (Virginia), and US (Silicon Valley)
Middle East & India: UAE (Dubai)

Prerequisites

  • An Alibaba Cloud account is created. If you do not have an Alibaba Cloud account, create one.
  • A VPC is created in the Germany (Frankfurt) region and cloud services are deployed in the VPC. For more information, see Create a VPC with an IPv4 CIDR block.
  • The gateway device in the data center supports the IKEv1 and IKEv2 protocols. All gateway devices that support these protocols can connect to a VPN gateway.
  • A static public IP address is assigned to the gateway device in the data center.
  • The CIDR block of the data center does not overlap with the CIDR block of the VPC.
  • You have read and understood the security group rules that apply to the ECS instances in VPCs, and the security group rules allow gateway devices in the data center to access cloud resources. For more information, see Query security group rules and Add a security group rule.

Procedure

Step 1: Create a VPN gateway

  1. Log on to the VPN gateway console.
  2. On the VPN Gateways page, click Create VPN Gateway.
  3. On the buy page, set the following parameters, click Buy Now, and then complete the payment.
    Name: Enter a name for the VPN gateway. In this example, VPN is used.
    Region: Select the region where you want to create the VPN gateway. Make sure that the VPN gateway and the VPC are deployed in the same region. In this example, Germany (Frankfurt) is selected.
    Network Type: Select a network type. In this example, the default value Public is used.
    VPC: Select the VPC where you want to create the VPN gateway. In this example, the VPC that is created in the Germany (Frankfurt) region is selected.
    Specify VSwitch: Specify whether to select a vSwitch for the VPN gateway. In this example, No is selected. If you select Yes, you must also specify a vSwitch.
    Maximum Bandwidth: Select a maximum bandwidth value for the VPN gateway. Unit: Mbit/s. The maximum bandwidth value is used to limit the data transfer rate over the Internet. In this example, 5 M is selected.
    Traffic: By default, the VPN gateway uses the pay-by-data-transfer metering method. For more information, see Pay-as-you-go.
    IPsec-VPN: Specify whether to enable the IPsec-VPN feature. In this example, Enable is selected.
    SSL-VPN: Specify whether to enable the SSL-VPN feature. In this example, Disable is selected.
    Service-linked Role: Click Create Service-linked Role and the system automatically creates the service-linked role AliyunServiceRoleForVpn. For more information about how a VPN gateway assumes the role to access other cloud resources, see AliyunServiceRoleForVpn. If Created is displayed, the service-linked role is already created and you do not need to create it again.
    Duration: By default, the VPN gateway is billed on an hourly basis. For more information, see Pay-as-you-go.
The newly created VPN gateway is in the Preparing state and changes to the Normal state after about 1 to 5 minutes. Once it is in the Normal state, the VPN gateway is ready for use. A public IP address is automatically assigned to the VPN gateway for establishing VPN connections.
Note If you want to use an existing VPN gateway, make sure that it is updated to the latest version. If the existing VPN gateway does not use the latest version, you cannot use BGP dynamic routing by default.

You can check whether your VPN gateway uses the latest version based on the status of the Upgrade button. If your VPN gateway does not use the latest version, click Upgrade to update it. For more information, see Upgrade a VPN gateway.

Step 2: Enable BGP dynamic routing

BGP is used to exchange routing information between different ASs. To use BGP dynamic routing, you must enable BGP dynamic routing for the VPN gateway.
Note After you enable BGP dynamic routing, you cannot disable this feature.
  1. In the left-side navigation pane, choose Interconnections > VPN > VPN Gateways.
  2. In the top navigation bar, select the region of the VPN gateway.
  3. On the VPN Gateways page, find the VPN gateway that you created and choose More > Enable Automatic BGP Propagation in the Actions column.
  4. In the Enable Automatic BGP Propagation message, click OK.
    After you enable automatic BGP propagation, the VPN gateway automatically advertises BGP routes to the VPC.

Step 3: Create a customer gateway

You can create a customer gateway to register and update information about the data center to Alibaba Cloud, and then connect the customer gateway to the VPN gateway.

  1. In the left-side navigation pane, choose Interconnections > VPN > Customer Gateways.
  2. In the top navigation bar, select the region where you want to create the customer gateway.
    Note Make sure that the customer gateway and the VPN gateway to be connected are deployed in the same region.
  3. On the Customer Gateways page, click Create Customer Gateway.
  4. In the Create Customer Gateway panel, set the following parameters and click OK.
    Name: Enter a name for the customer gateway. In this example, CGW is used.
    IP Address: Enter the static public IP address of the gateway device in the data center. In this example, 2.XX.XX.2 is used.
    ASN: Enter the ASN of the data center. In this example, 65531 is used.
    Description: Enter a description for the customer gateway.
    For more information about the parameters, see Create a customer gateway.

    After the customer gateway is created, the customer gateway is displayed on the Customer Gateways page. The system automatically assigns a public IP address to the customer gateway. You can use the IP address to establish a connection between the customer gateway and the VPN gateway.

Step 4: Create an IPsec-VPN connection

  1. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.
  2. In the top navigation bar, select the region where you want to create the IPsec-VPN connection.
    Note Make sure that the IPsec-VPN connection and the VPN gateway to be connected are deployed in the same region.
  3. On the IPsec Connections page, click Create IPsec Connection.
  4. On the Create IPsec Connection page, configure the IPsec-VPN connection based on the following information and click OK.

    The following table describes only the key parameters. The default values are used for the other parameters. For more information, see Create an IPsec-VPN connection.

    Name: Enter a name for the IPsec-VPN connection. In this example, VPCTOIDC is used.
    VPN Gateway: Select the VPN gateway that you want to connect. In this example, the VPN gateway that is created in Step 1 is selected.
    Customer Gateway: Select the customer gateway that you want to connect. In this example, the customer gateway that is created in Step 3 is selected.
    Routing Mode: Select a routing mode. In this example, Destination Routing Mode is selected.
    Effective Immediately: Specify whether to immediately start negotiations for the connection. Yes is selected in this example.
      • Yes: starts negotiations after the configuration is completed.
      • No: starts negotiations when inbound traffic is detected.
    Pre-Shared Key: Enter a pre-shared key. Make sure that the VPC and the data center use the same pre-shared key. 123456 is used in this example.
    Version: Select an IKE version. In this example, ikev2 is selected.
    Encryption Algorithm: Select an encryption algorithm. In this example, aes is selected.
    Authentication Algorithm: Select an authentication algorithm. In this example, sha1 is selected.
    DH Group: Select a DH group. In this example, group2 is selected.
    Tunnel CIDR Block: Enter the CIDR block of the IPsec tunnel. The CIDR block must fall within 169.254.0.0/16, and its subnet mask must be 30 bits in length. In this example, 169.254.10.0/30 is used.
    Local BGP IP address: Enter the BGP IP address on the VPC side. The IP address must fall within the CIDR block of the IPsec tunnel. In this example, 169.254.10.1 is used.
    Note Make sure that the BGP IP addresses on the VPC side and on the data center side do not conflict with each other.
    Local ASN: Enter the ASN on the VPC side. In this example, 65530 is used.
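As an added pre-flight check (example code written for this topic, not part of the original page or of Alibaba Cloud's own tooling), the following Python function validates the Step 4 parameters against the constraints this topic states: non-overlapping CIDR blocks, distinct ASNs, a /30 tunnel CIDR inside 169.254.0.0/16, BGP IP addresses that sit inside the tunnel and do not conflict, and IKE settings and pre-shared key that match on both sides. The names SideConfig and validate_ipsec_bgp are assumptions, and the IKE settings are expressed in the console's vocabulary (ikev2, aes, sha1, group2), so the data center side's values must be translated into that vocabulary before calling it.

```python
import ipaddress
from dataclasses import dataclass

# Link-local range that the console requires for the IPsec tunnel CIDR block.
TUNNEL_RANGE = ipaddress.ip_network("169.254.0.0/16")


@dataclass
class SideConfig:
    """IKE settings of one side, in the console's vocabulary (ikev2, aes, sha1, group2)."""
    ike_version: str
    encryption: str
    auth: str
    dh_group: str
    psk: str


def validate_ipsec_bgp(vpc_cidr, dc_cidr, vpc_asn, dc_asn, tunnel_cidr,
                       local_bgp_ip, remote_bgp_ip, vpc_side, dc_side):
    """Return a list of problems; an empty list means the parameters are consistent."""
    problems = []
    vpc_net = ipaddress.ip_network(vpc_cidr, strict=False)
    dc_net = ipaddress.ip_network(dc_cidr, strict=False)
    tunnel = ipaddress.ip_network(tunnel_cidr, strict=False)
    local = ipaddress.ip_address(local_bgp_ip)
    remote = ipaddress.ip_address(remote_bgp_ip)

    # Prerequisite: the two private CIDR blocks must not overlap.
    if vpc_net.overlaps(dc_net):
        problems.append(f"VPC CIDR {vpc_net} overlaps data center CIDR {dc_net}")
    # EBGP between the VPC and the data center needs two distinct ASNs.
    if vpc_asn == dc_asn:
        problems.append(f"VPC ASN and data center ASN are both {vpc_asn}")
    # Tunnel CIDR: inside 169.254.0.0/16 with a 30-bit mask.
    if not tunnel.subnet_of(TUNNEL_RANGE):
        problems.append(f"tunnel CIDR {tunnel} is not within {TUNNEL_RANGE}")
    if tunnel.prefixlen != 30:
        problems.append(f"tunnel CIDR {tunnel} must use a 30-bit mask")
    # Both BGP IPs must be usable host addresses inside the tunnel CIDR.
    for name, ip in (("local", local), ("remote", remote)):
        if ip not in tunnel:
            problems.append(f"{name} BGP IP {ip} is outside tunnel CIDR {tunnel}")
        elif ip in (tunnel.network_address, tunnel.broadcast_address):
            problems.append(f"{name} BGP IP {ip} is the network or broadcast address")
    if local == remote:
        problems.append(f"local and remote BGP IPs conflict ({local})")
    # IKE parameters and the pre-shared key must match on both sides.
    for field in ("ike_version", "encryption", "auth", "dh_group", "psk"):
        if getattr(vpc_side, field) != getattr(dc_side, field):
            problems.append(f"{field} differs between the VPC side and the data center side")
    return problems
```

With the values from this topic (10.0.0.0/8 and 172.17.0.0/16, ASNs 65530 and 65531, tunnel 169.254.10.0/30, BGP IPs 169.254.10.1 and 169.254.10.2, identical IKE settings) the function returns an empty list.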

Step 5: Add VPN configurations to the gateway device in the data center

To establish a connection between the VPC and the data center, you must add VPN configurations to the gateway device in the data center after you create the IPsec-VPN connection in the cloud.

The following example shows how to add VPN configurations to the gateway device in the data center. A Cisco firewall device that runs the Cisco IOS XE system is used in the example.

  1. Log on to the CLI of the Cisco firewall device.
  2. Run the following commands to set the IKEv2 proposal and policy:
    crypto ikev2 proposal alicloud
    ! Set the encryption algorithm. In this example, aes-cbc-128 is used.
    encryption aes-cbc-128
    ! Set the authentication algorithm. In this example, sha1 is used.
    integrity sha1
    ! Set the DH group. In this example, group 2 is used.
    group 2
    exit
    !
    crypto ikev2 policy Pureport_Pol_ikev2
    proposal alicloud
    exit
    !
  3. Run the following commands to set the IKEv2 keyring:
    crypto ikev2 keyring alicloud
    peer alicloud
    ! Set the public IP address of the VPN gateway on the VPC side. In this example, 1.XX.XX.1 is used.
    address 1.XX.XX.1
    ! Set the pre-shared key. In this example, 123456 is used.
    pre-shared-key 123456
    exit
    !
  4. Run the following commands to set the IKEv2 profile:
    crypto ikev2 profile alicloud
    ! Match the public IP address of the VPN gateway on the VPC side. In this example, 1.XX.XX.1 is matched.
    match identity remote address 1.XX.XX.1 255.255.255.255
    ! Set the public IP address of the data center. In this example, 2.XX.XX.2 is used.
    identity local address 2.XX.XX.2
    ! Set the authentication mode for the VPC side to PSK.
    authentication remote pre-share
    ! Set the authentication mode for the data center side to PSK.
    authentication local pre-share
    ! Invoke the IKEv2 keyring.
    keyring local alicloud
    exit
    !
  5. Run the following commands to set transform:
    crypto ipsec transform-set TSET esp-aes esp-sha-hmac
    mode tunnel
    exit
    !
  6. Run the following commands to set the IPsec profile and to invoke the transform, PFS, and IKEv2 profiles:
    crypto ipsec profile alicloud
    set transform-set TSET
    set pfs group2
    set ikev2-profile alicloud
    exit
    !
  7. Run the following commands to set the IPsec tunnel:
    interface Tunnel100
    ! Set the tunnel address on the data center side. In this example, 169.254.10.2 is used.
    ip address 169.254.10.2 255.255.255.252
    tunnel source GigabitEthernet1
    tunnel mode ipsec ipv4
    ! Set the public IP address of the VPN gateway on the Alibaba Cloud side. In this example, 1.XX.XX.1 is used.
    tunnel destination 1.XX.XX.1
    tunnel protection ipsec profile alicloud
    no shutdown
    exit
    !
    interface GigabitEthernet1
    ip address 2.XX.XX.2 255.255.255.0
    negotiation auto
    !
  8. Run the following commands to configure BGP:
    ! Enable BGP and set the ASN of the data center. In this example, 65531 is used.
    router bgp 65531
    ! Set the BGP router ID. In this example, 169.254.10.2 is used.
    bgp router-id 169.254.10.2
    bgp log-neighbor-changes
    ! Set the BGP peer (the VPN gateway's BGP IP address) and its ASN.
    neighbor 169.254.10.1 remote-as 65530
    ! Set the EBGP hop count to 10.
    neighbor 169.254.10.1 ebgp-multihop 10
    !
    address-family ipv4
    ! Advertise the CIDR block of the data center. In this example, the CIDR block is 172.17.0.0/16.
    network 172.17.0.0 mask 255.255.0.0
    ! Activate the BGP peer.
    neighbor 169.254.10.1 activate
    exit-address-family
    !
After you establish the IPsec-VPN connection, the VPN gateway of the VPC and the gateway device in the data center advertise the following routes:
  • The gateway device in the data center advertises the CIDR block of the data center to the VPN gateway of the VPC through BGP. The VPN gateway of the VPC automatically adds the learned routes to the VPC route table.
  • The VPN gateway of the VPC automatically learns routes from the route table of the VPC through BGP, and then advertises the routes to the gateway device in the data center.

Step 6: Test the connectivity

  1. Log on to an Elastic Compute Service (ECS) instance that is not assigned a public address in the VPC. For more information about how to log on to an ECS instance, see Methods used to connect to ECS instances.
  2. Run the ping command to access a client in the data center and test the connectivity.
    The result shows that the ECS instance in the VPC can access the client in the data center.
  3. Log on to the client in the data center.
  4. Run the ping command to access an ECS instance in the VPC and test the connectivity.
    The result shows that the client in the data center can access the ECS instance in the VPC.