This topic describes how to create and manage IPsec-VPN connections.

Background information

When you create an IPsec-VPN connection, you can enable or disable the following features:
  • DPD: the dead peer detection (DPD) feature.

    After you enable DPD, the initiator of the IPsec-VPN connection sends DPD packets to check the existence and availability of the peer. If no response is received from the peer within a specified period of time, the connection fails. The ISAKMP Security Association (SA), IPsec SA, and IPsec tunnel are deleted.

    This feature is enabled by default.

  • NAT Traversal: the NAT traversal feature.

    After you enable NAT traversal, the initiator does not check the UDP ports during IKE negotiations and can automatically discover NAT gateway devices along the IPsec tunnel.

    This feature is enabled by default.

  • BGP: the Border Gateway Protocol (BGP) dynamic routing feature.

    After you enable BGP dynamic routing, the IPsec-VPN connection can automatically learn and advertise routes. This facilitates network maintenance and configuration.

    This feature is disabled by default.

  • Health Check: the health check feature.

    After you enable the health check feature, the system automatically checks the connectivity between the data center and Alibaba Cloud. If the connection is unavailable, the system automatically performs failover. This improves network availability.

    This feature is disabled by default.

The supported features vary based on the resource associated with the IPsec-VPN connection, as follows:

  • If you associate the IPsec-VPN connection with a transit router when you create the IPsec-VPN connection, DPD, NAT traversal, BGP dynamic routing, and health checks are supported.
  • If you associate the IPsec-VPN connection with a VPN gateway when you create the IPsec-VPN connection:

    If the VPN gateway uses the latest version, DPD, NAT traversal, BGP dynamic routing, and health checks are supported. Otherwise, you can use only the features supported by the VPN gateway version.

    You can check whether your VPN gateway uses the latest version based on the status of the Upgrade button. If your VPN gateway does not use the latest version, you can click Upgrade to update your VPN gateway. For more information, see Upgrade a VPN gateway.

Create an IPsec-VPN connection

Before you create an IPsec-VPN connection, learn about the procedure and make sure that the prerequisites are met. For more information, see Procedure.

  1. Log on to the VPN gateway console.
  2. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.
  3. In the top navigation bar, select the region where you want to create the IPsec-VPN connection.
    Note The IPsec-VPN connection and the VPN gateway or the transit router to be associated must belong to the same region.
  4. On the IPsec Connections page, click Create IPsec Connection.
  5. On the Create IPsec Connection page, configure the IPsec-VPN connection based on the following information and click OK.
    The required parameters vary based on the resource that you want to associate with the IPsec-VPN connection. The following table lists all parameters.

    Basic configurations

    Parameter Description
    Name Enter a name for the IPsec-VPN connection.

    Associate Resource Select the type of resource to be associated with the IPsec-VPN connection.
    • If you want to associate the IPsec-VPN connection with a transit router, select CEN or Do Not Associate.
      • If you select CEN, the system automatically associates the IPsec-VPN connection with the specified transit router of the same Alibaba Cloud account.
      • If you select Do Not Associate, the IPsec-VPN connection is not associated with a resource. You can manually associate the IPsec-VPN connection with a transit router of the same Alibaba Cloud account or a different Alibaba Cloud account in the Cloud Enterprise Network (CEN) console. For more information, see Connect a transit router to an IPsec-VPN connection.
    • If you want to associate the IPsec-VPN connection with a VPN gateway, select VPN Gateway.
    Gateway Type Select the network type of the IPsec-VPN connection.
    • Public (default): The IPsec-VPN connection is established over the Internet.
    • Private: The IPsec-VPN connection is established over private networks.
    Zone Select a zone.

    The system creates resources in the specified zone.

    CEN Instance ID Select the ID of the CEN instance to which the transit router belongs.
    Transit Router Select the transit router to be associated with the IPsec-VPN connection.
    VPN Gateway Select the VPN gateway to be associated with the IPsec-VPN connection.
    Customer Gateway Select the customer gateway to be associated with the IPsec-VPN connection.
    Routing Mode Select the routing mode of the IPsec-VPN connection.
    • Destination Routing Mode (default): routes and forwards traffic based on the destination IP address.
    • Protected Data Flows: routes and forwards traffic based on source and destination IP addresses.
      After you select Protected Data Flows, you must set Local Network and Remote Network. After you configure the IPsec-VPN connection:
      • If the IPsec-VPN connection is associated with a VPN gateway, the system automatically adds policy-based routes to the route table of the VPN gateway.

        The policy-based routes are not advertised by default. You can determine whether to advertise the routes to the VPC route table based on your requirements. For more information, see Advertise a policy-based route.

      • If the IPsec-VPN connection is associated with a transit router, the system automatically adds destination-based routes to the route table of the IPsec-VPN connection. The destination-based routes are automatically advertised to the route table of the associated transit router.
    Note If the IPsec-VPN connection is associated with a VPN gateway and the VPN gateway does not use the latest version, you do not need to specify the routing mode.
    Local Network Enter the CIDR block on the VPC side. The CIDR block is used in phase 2 negotiations.
    Click Add next to the field to add multiple CIDR blocks on the VPC side.
    Note If you specify multiple CIDR blocks, you must set the IKE version to ikev2.
    Remote Network Enter the CIDR block on the data center side. This CIDR block is used in phase 2 negotiations.
    Click Add next to the field to add multiple CIDR blocks on the data center side.
    Note If you specify multiple CIDR blocks, you must set the IKE version to ikev2.
    Effective Immediately Specify whether to start IPsec negotiations immediately.
    • Yes: starts IPsec negotiations immediately after the configuration is complete.
    • No: starts IPsec negotiations when inbound traffic is detected.
    Pre-Shared Key Enter the pre-shared key that is used for authentication between the data center and the VPN gateway or transit router.

    The key must be 1 to 100 characters in length. If you do not specify a pre-shared key, the system randomly generates a 16-character string as the pre-shared key. After you create an IPsec-VPN connection, you can click Edit to view the pre-shared key that is generated by the system. For more information, see Modify an IPsec-VPN connection.

    Notice The pre-shared keys must be the same on both sides. Otherwise, the system cannot establish an IPsec-VPN connection.

    Advanced Configuration

    Parameter Description
    Advanced Configuration: IKE Configurations
    Version Select an IKE version.
    • ikev1
    • ikev2

    IKEv1 and IKEv2 are supported. Compared with IKEv1, IKEv2 simplifies the SA negotiation process and provides better support for scenarios in which multiple CIDR blocks are used. We recommend that you select IKEv2.

    Negotiation Mode Select a negotiation mode.
    • main: This mode offers higher security during negotiations.
    • aggressive: This mode is faster and has a higher success rate.

    Connections negotiated in both modes ensure the same security level of data transmission.

    Encryption Algorithm Select the encryption algorithm that is used in phase 1 negotiations.

    Supported algorithms are aes, aes192, aes256, des, and 3des.

    Authentication Algorithm Select the authentication algorithm that is used in phase 1 negotiations.
    • If the IPsec-VPN connection is associated with a transit router, supported algorithms are sha1 and md5.
    • If the IPsec-VPN connection is associated with a VPN gateway, supported algorithms are sha1, md5, sha256, sha384, and sha512.
    DH Group Select the Diffie-Hellman (DH) key exchange algorithm that is used in phase 1 negotiations.
    • group1: DH group 1
    • group2: DH group 2
    • group5: DH group 5
    • group14: DH group 14
    SA Life Cycle (seconds) Specify the lifecycle of the SA after phase 1 negotiations succeed. Unit: seconds. Default value: 86400. Valid values: 0 to 86400.
    LocalId The identifier of the IPsec-VPN connection on the Alibaba Cloud side. The identifier is used in phase 1 negotiations.
    • If the IPsec-VPN connection is associated with a transit router, the default value is the gateway IP address of the IPsec-VPN connection.
    • If the IPsec-VPN connection is associated with a VPN gateway, the default value is the IP address of the VPN gateway.

    You can set LocalId to a fully qualified domain name (FQDN). In this case, we recommend that you set Negotiation Mode to aggressive.

    RemoteId Specify the identifier of the IPsec-VPN connection on the data center side. The identifier is used in phase 1 negotiations. The default value is the IP address of the customer gateway.

    You can set RemoteId to an FQDN. In this case, we recommend that you set Negotiation Mode to aggressive.

    Advanced Configuration: IPSec Configurations
    Encryption Algorithm Select the encryption algorithm that is used in phase 2 negotiations.

    Supported algorithms are aes, aes192, aes256, des, and 3des.

    Authentication Algorithm Select the authentication algorithm that is used in phase 2 negotiations.
    • If the IPsec-VPN connection is associated with a transit router, supported algorithms are sha1 and md5.
    • If the IPsec-VPN connection is associated with a VPN gateway, supported algorithms are sha1, md5, sha256, sha384, and sha512.
    DH Group Select the DH key exchange algorithm that is used in phase 2 negotiations.
    • disabled: does not use the DH key exchange algorithm.
      • For clients that do not support perfect forward secrecy (PFS), select disabled.
      • If you select a value other than disabled, PFS is enabled by default. In this case, the key is updated for each negotiation. Therefore, you must enable PFS for the client.
    • group1: DH group 1
    • group2: DH group 2
    • group5: DH group 5
    • group14: DH group 14
    SA Life Cycle (seconds) Specify the lifecycle of the SA after phase 2 negotiations succeed. Unit: seconds. Default value: 86400. Valid values: 0 to 86400.
    DPD Specify whether to enable the DPD feature. This feature is enabled by default.
    NAT Traversal Specify whether to enable the NAT traversal feature. This feature is enabled by default.
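The IKE and IPsec parameter tables above list everything the console accepts, including legacy algorithms. The following Python check, added here as an example and not part of Alibaba Cloud's console or API, takes a proposed configuration (field names are assumptions modelled on the table rows), rejects values the page says are unsupported for the chosen association, and warns about accepted but weak choices before the connection is created.

```python
from dataclasses import dataclass

# Value sets as listed on this page for the IKE and IPsec configurations.
ENC_ALGS = {"aes", "aes192", "aes256", "des", "3des"}
AUTH_ALGS = {"transit_router": {"sha1", "md5"},
             "vpn_gateway": {"sha1", "md5", "sha256", "sha384", "sha512"}}
DH_GROUPS = {"group1", "group2", "group5", "group14"}
# Accepted by the console, but choices a reviewer should push back on.
WEAK_ENC, WEAK_AUTH, WEAK_DH = {"des", "3des"}, {"md5"}, {"group1", "group2"}


@dataclass
class ConnectionConfig:          # assumed structure mirroring the console fields
    associate: str               # "transit_router" or "vpn_gateway"
    ike_version: str             # "ikev1" or "ikev2"
    negotiation_mode: str        # "main" or "aggressive"
    ike_enc: str
    ike_auth: str
    ike_dh: str
    ike_lifetime: int            # phase 1 SA life cycle in seconds, 0 to 86400
    ipsec_enc: str
    ipsec_auth: str
    ipsec_dh: str                # a DH group, or "disabled" to turn PFS off
    ipsec_lifetime: int          # phase 2 SA life cycle in seconds, 0 to 86400
    local_networks: tuple = ()   # Local Network CIDR blocks
    remote_networks: tuple = ()  # Remote Network CIDR blocks
    psk: str = ""                # empty: let the system generate one


def review(cfg):
    """Return (errors, warnings): errors are values the page does not accept
    for the chosen association; warnings are accepted but weak choices."""
    errors, warnings = [], []
    auth_ok = AUTH_ALGS[cfg.associate]
    phases = (("IKE", cfg.ike_enc, cfg.ike_auth, cfg.ike_dh, cfg.ike_lifetime),
              ("IPsec", cfg.ipsec_enc, cfg.ipsec_auth, cfg.ipsec_dh, cfg.ipsec_lifetime))
    for phase, enc, auth, dh, life in phases:
        if enc not in ENC_ALGS:
            errors.append(f"{phase}: unsupported encryption algorithm {enc}")
        elif enc in WEAK_ENC:
            warnings.append(f"{phase}: {enc} is a legacy cipher; prefer aes256")
        if auth not in auth_ok:
            errors.append(f"{phase}: {auth} is not supported for {cfg.associate}")
        elif auth in WEAK_AUTH:
            warnings.append(f"{phase}: {auth} is weak; use the strongest supported hash")
        if dh not in DH_GROUPS and not (phase == "IPsec" and dh == "disabled"):
            errors.append(f"{phase}: unsupported DH group {dh}")
        elif dh in WEAK_DH:
            warnings.append(f"{phase}: {dh} has a small modulus; prefer group14")
        if not 0 <= life <= 86400:
            errors.append(f"{phase}: SA life cycle {life} is outside 0 to 86400")
    if cfg.ipsec_dh == "disabled":
        warnings.append("IPsec: DH disabled, so PFS is off and keys are not refreshed per negotiation")
    if cfg.negotiation_mode == "aggressive":
        warnings.append("IKE: aggressive mode selected; main mode offers higher security")
    if (len(cfg.local_networks) > 1 or len(cfg.remote_networks) > 1) \
            and cfg.ike_version != "ikev2":
        errors.append("multiple Local/Remote Network CIDR blocks require IKE version ikev2")
    if cfg.psk and not 1 <= len(cfg.psk) <= 100:
        errors.append("Pre-Shared Key must be 1 to 100 characters in length")
    return errors, warnings
```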

    BGP Configuration

    By default, the BGP feature is disabled. Before you add a BGP configuration, enable the BGP feature.

    Parameter Description
    Tunnel CIDR Block Enter the CIDR block of the IPsec tunnel.

    The CIDR block must fall within 169.254.0.0/16. The mask of the CIDR block must be 30 bits in length.

    Local BGP IP address Enter the BGP IP address of the IPsec-VPN connection on the Alibaba Cloud side.

    This IP address falls within the CIDR block of the IPsec tunnel.

    Local ASN Enter the autonomous system number (ASN) of the IPsec-VPN connection on the Alibaba Cloud side. Default value: 45104. Valid values: 1 to 4294967295.
    For example, if you enter 123.456, the ASN is 8061384. The ASN is calculated by using the following formula: 123 × 65536 + 456 = 8061384.
    Note We recommend that you use a private ASN to establish a connection with Alibaba Cloud over BGP. Refer to the relevant documentation for the valid range of a private ASN.
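The BGP parameters above have three constraints that are easy to get wrong: the tunnel block must be a /30 inside 169.254.0.0/16, the local BGP address must sit inside that block, and the ASN may be typed in dotted form (123.456 means 123 × 65536 + 456). The following Python helpers, added here as an example and not Alibaba Cloud code, validate a BGP configuration block offline before it is entered in the console. The private-ASN ranges are taken from RFC 6996, not from this page, and excluding the network and broadcast addresses of the /30 is an assumption this example adds.

```python
import ipaddress

ASN_MIN, ASN_MAX = 1, 4294967295
TUNNEL_SUPERNET = ipaddress.IPv4Network("169.254.0.0/16")
# RFC 6996 private-use ASN ranges (assumed here; the page defers to other docs).
PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))


def parse_asn(text):
    """Accept an ASN in plain form ("65001") or in the dotted form the page
    describes ("123.456" -> 123 * 65536 + 456). Raise ValueError otherwise."""
    text = text.strip()
    if "." in text:
        high, low = (int(part) for part in text.split(".", 1))
        if not (0 <= high <= 65535 and 0 <= low <= 65535):
            raise ValueError(f"dotted ASN halves must be 0..65535: {text}")
        asn = high * 65536 + low
    else:
        asn = int(text)
    if not ASN_MIN <= asn <= ASN_MAX:
        raise ValueError(f"ASN {asn} is outside {ASN_MIN}..{ASN_MAX}")
    return asn


def is_private_asn(asn):
    """True if the ASN is in a private-use range (recommended on this page)."""
    return any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)


def validate_bgp_tunnel(tunnel_cidr, local_bgp_ip, local_asn):
    """Return a list of problems with a BGP configuration block; empty = OK."""
    problems = []
    try:
        net = ipaddress.IPv4Network(tunnel_cidr, strict=True)  # host bits must be 0
    except ValueError as exc:
        return [f"Tunnel CIDR Block: {exc}"]
    if not net.subnet_of(TUNNEL_SUPERNET):
        problems.append(f"Tunnel CIDR Block {net} must fall within {TUNNEL_SUPERNET}")
    if net.prefixlen != 30:
        problems.append(f"Tunnel CIDR Block mask must be 30 bits, got /{net.prefixlen}")
    try:
        ip = ipaddress.IPv4Address(local_bgp_ip)
        if ip not in net:
            problems.append(f"Local BGP IP address {ip} is not inside {net}")
        elif ip in (net.network_address, net.broadcast_address):
            # Assumption: the two host addresses of the /30 are the two tunnel ends.
            problems.append(f"Local BGP IP address {ip} is the network or broadcast address")
    except ValueError as exc:
        problems.append(f"Local BGP IP address: {exc}")
    try:
        parse_asn(local_asn)
    except ValueError as exc:
        problems.append(f"Local ASN: {exc}")
    return problems
```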

    Health checks

    By default, the health check feature is disabled. Before you add a health check configuration, enable the health check feature.

    Notice If the IPsec-VPN connection is associated with a transit router, you must add a route on the data center side after you configure the health check feature for the IPsec-VPN connection. The route must meet the following requirements: the destination is the address that you specified as Source IP, the subnet mask is 32 bits in length, and the next hop is the IPsec-VPN connection. Otherwise, the health check feature cannot work as expected.
    Parameter Description
    Destination IP Enter the IP address on the data center side that the VPC can communicate with through the IPsec-VPN connection.
    Source IP Enter the IP address on the VPC side that the data center can communicate with through the IPsec-VPN connection.
    Retry Interval Specify the interval between two consecutive health checks. Unit: seconds. Default value: 3.
    Number of Retries Specify the number of health check retries.
    Switch Route Specify whether the system is allowed to withdraw advertised routes after health checks fail. Default value: Yes, which allows the system to withdraw advertised routes after health checks fail.

    If you clear Yes, the system does not withdraw advertised routes after health checks fail.

Download the configuration of an IPsec-VPN connection

After you create an IPsec-VPN connection, you can download its configuration file and load the configuration onto an on-premises gateway device.

  1. Log on to the VPN Gateway console.
  2. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.
  3. In the top navigation bar, select the region of the IPsec-VPN connection.
  4. On the IPsec Connections page, find the IPsec-VPN connection that you created. In the Actions column, choose More > Download Configuration.
    For more information about how to configure an on-premises gateway device, see Configure an on-premises gateway device.

Grant the permissions on the IPsec-VPN connection to a transit router of another Alibaba Cloud account

You can associate an IPsec-VPN connection with a transit router of another Alibaba Cloud account. However, you cannot associate an IPsec-VPN connection with a VPN gateway of another Alibaba Cloud account. Before you associate an IPsec-VPN connection with a transit router of another Alibaba Cloud account, you must grant the permissions on the IPsec-VPN connection to the transit router.

Before you grant the permissions, make sure that the IPsec-VPN connection is not associated with a resource.
  • If the IPsec-VPN connection is already associated with a VPN gateway, you cannot associate the IPsec-VPN connection with a transit router of the same or another Alibaba Cloud account.
  • If the IPsec-VPN connection is already associated with a transit router, you must first disassociate the IPsec-VPN connection from the transit router. For more information, see Delete a network instance connection.
  1. Log on to the VPN Gateway console.
  2. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.
  3. In the top navigation bar, select the region of the IPsec-VPN connection.
  4. On the IPsec Connections page, find the IPsec-VPN connection and click its ID.
  5. On the details page, click the CEN Cross Account Authorization tab, and then click Authorize Cross Account Attach CEN.
  6. In the Attach to CEN dialog box, set the following parameters and click OK.
    Parameter Description
    Peer Account UID Enter the ID of the Alibaba Cloud account to which the transit router belongs.
    Peer Account CEN ID Enter the ID of the CEN instance to which the transit router belongs.
    Payer Select the payer.
    • CEN Instance Owner (default): After the IPsec-VPN connection is associated with a transit router, the owner of the transit router pays the connection fee and data processing fee of the transit router.
    • VPN Owner: After the IPsec-VPN connection is associated with a transit router, the owner of the IPsec-VPN connection pays the connection fee and data processing fee of the transit router.
    Notice
    • Proceed with caution. Your services may be interrupted if you change the payer. For more information, see Change the account that pays the bills.
    • After the IPsec-VPN connection is associated with a transit router, the owner of the IPsec-VPN connection pays the instance fee and data transfer fee of the IPsec-VPN connection.
  7. We recommend that you record the ID of the IPsec-VPN connection and the ID of the Alibaba Cloud account to which the IPsec-VPN connection belongs. This facilitates creating VPN connections. For more information, see Connect a transit router to an IPsec-VPN connection.
    You can view the account ID on the Account Center page.

Modify an IPsec-VPN connection

After you create an IPsec-VPN connection, you can modify its configurations.

  1. Log on to the VPN Gateway console.
  2. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.
  3. In the top navigation bar, select the region of the IPsec-VPN connection.
  4. On the IPsec Connections page, find the IPsec-VPN connection that you want to manage, and click Edit in the Actions column.
  5. On the Modify IPsec Connections page, modify the name, advanced configurations, or CIDR blocks, and then click OK.
    For more information about the parameters, see Create an IPsec-VPN connection.

Revoke the permissions on the IPsec-VPN connection granted to a transit router of another Alibaba Cloud account

If the IPsec-VPN connection is already associated with a transit router, you must first disassociate the IPsec-VPN connection from the transit router before you revoke the permissions. For more information, see Delete a network instance connection.

  1. Log on to the VPN Gateway console.
  2. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.
  3. In the top navigation bar, select the region of the IPsec-VPN connection.
  4. On the IPsec Connections page, find the IPsec-VPN connection and click its ID.
  5. On the CEN Cross Account Authorization tab, find the authorization record and click Unauthorize in the Actions column.
  6. In the Unauthorize message, confirm the information and click OK.

Delete an IPsec-VPN connection

  • If the IPsec-VPN connection is associated with a transit router, disassociate the IPsec-VPN connection from the transit router before you delete the IPsec-VPN connection. For more information, see Delete a network instance connection.
  • If the IPsec-VPN connection is associated with a VPN gateway, you can directly delete the IPsec-VPN connection.
  1. Log on to the VPN Gateway console.
  2. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.
  3. In the top navigation bar, select the region of the IPsec-VPN connection.
  4. On the IPsec Connections page, find the IPsec-VPN connection that you want to delete, and click Delete in the Actions column.
  5. In the message that appears, confirm the information and click OK.