This topic describes how to create and manage IPsec-VPN connections.
Background information
- DPD: dead peer detection.
After you enable DPD, the initiator of the IPsec-VPN connection periodically sends DPD packets to check whether the peer still exists and is responsive. If the peer does not respond within the configured period, the peer is considered dead and the connection is torn down: the ISAKMP Security Association (SA), the IPsec SA, and the IPsec tunnel are deleted.
This feature is enabled by default.
- NAT Traversal: NAT traversal.
After you enable NAT traversal, the initiator no longer checks the UDP ports of IKE negotiation packets and can automatically detect NAT gateway devices on the path of the IPsec tunnel, so that the tunnel can be established through them. Make sure that the firewall in front of the on-premises gateway allows UDP port 500 (IKE) and UDP port 4500 (NAT-T).
This feature is enabled by default.
- BGP: Border Gateway Protocol (BGP) dynamic routing.
After you enable BGP dynamic routing, the IPsec-VPN connection automatically learns and advertises routes, which simplifies network configuration and maintenance.
This feature is disabled by default.
- Health Check: health checks.
After you enable health checks, the system automatically checks the connectivity between the data center and Alibaba Cloud over the IPsec-VPN connection. If the connection is unavailable, the system automatically performs a failover. This improves network availability.
This feature is disabled by default.
The supported features vary based on the resource that is associated with the IPsec-VPN connection:
- If you associate the IPsec-VPN connection with a transit router when you create the IPsec-VPN connection, DPD, NAT traversal, BGP dynamic routing, and health checks are supported.
- If you associate the IPsec-VPN connection with a VPN gateway when you create the IPsec-VPN connection: if the VPN gateway uses the latest version, DPD, NAT traversal, BGP dynamic routing, and health checks are supported. Otherwise, only the features supported by that VPN gateway version are available.
You can check whether your VPN gateway uses the latest version by the status of the Upgrade button. If your VPN gateway does not use the latest version, click Upgrade to update it. For more information, see Upgrade a VPN gateway.
Create an IPsec-VPN connection
Before you create an IPsec-VPN connection, learn about the procedure and make sure that the prerequisites are met. For more information, see Procedure.
Download the configuration of an IPsec-VPN connection
After you create an IPsec-VPN connection, you can download the configuration file of the IPsec-VPN connection and load the configuration into the on-premises gateway device.
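The on-premises gateway must be configured with the same IKE and IPsec parameters, subnets, and DPD settings as the IPsec-VPN connection. The following script is an added example, not Alibaba Cloud's code and not a parser for the downloaded configuration file: it renders a strongSwan swanctl.conf from a parameter dictionary that is constructed by hand from the values shown on the connection's configuration page. The dictionary's key names, the documentation-range addresses, the placeholder PSK, and the connection name are this example's own assumptions. It also shows how the DPD and NAT traversal settings from the background section map onto strongSwan options, and rejects a configuration that still carries the placeholder PSK or weak algorithm proposals.

```python
"""Render a strongSwan swanctl.conf for the on-premises end of an
Alibaba Cloud IPsec-VPN connection.

Added example, not Alibaba Cloud code and not the downloaded configuration
file itself: CONN is constructed by hand, its key names are this example's
own, and the addresses are RFC 5737 documentation ranges.
"""

PSK_PLACEHOLDER = "replace-with-the-connection-psk"

# Constructed sample: transcribe these values from the connection's
# configuration page or downloaded file (assumed layout, not Alibaba's format).
CONN = {
    "name": "alicloud-vpn",
    "local_gateway_ip": "203.0.113.10",    # on-premises address strongSwan binds to
    "remote_gateway_ip": "198.51.100.20",  # Alibaba Cloud VPN gateway public IP
    "local_id": "203.0.113.10",            # must equal the RemoteId set on the cloud side
    "remote_id": "198.51.100.20",          # must equal the LocalId set on the cloud side
    "psk": PSK_PLACEHOLDER,
    "ike_version": 2,
    "ike_proposal": "aes256-sha256-modp2048",
    "esp_proposal": "aes256-sha256-modp2048",
    "ike_lifetime": 86400,                 # seconds
    "ipsec_lifetime": 86400,               # seconds
    "local_subnets": ["10.0.0.0/16"],      # data center networks
    "remote_subnets": ["192.168.0.0/16"],  # VPC networks
    "dpd": True,
    "dpd_interval": 10,                    # seconds between DPD probes
    "dpd_timeout": 30,                     # seconds without a reply before the peer is dead (IKEv1)
    "nat_traversal": True,
}

WEAK_TOKENS = {"des", "3des", "md5", "sha1", "modp768", "modp1024", "null"}


def validate(conn: dict) -> list:
    """Return the problems that would make the rendered config unsafe or unusable."""
    problems = []
    if conn["psk"] == PSK_PLACEHOLDER:
        problems.append("psk is still the placeholder; use the PSK configured on the connection")
    for key in ("ike_proposal", "esp_proposal"):
        weak = sorted(WEAK_TOKENS.intersection(conn[key].split("-")))
        if weak:
            problems.append(f"{key} uses weak algorithms: {', '.join(weak)}")
    if not conn["local_subnets"] or not conn["remote_subnets"]:
        problems.append("local_subnets and remote_subnets must each list at least one CIDR")
    if conn["dpd"] and conn["ike_version"] == 1 and conn["dpd_timeout"] <= conn["dpd_interval"]:
        problems.append("dpd_timeout must be longer than dpd_interval")
    return problems


def render_swanctl(conn: dict) -> str:
    """Build swanctl.conf text.

    DPD maps to dpd_delay and, for IKEv1 only, dpd_timeout: with IKEv2 strongSwan
    declares the peer dead through its normal IKE retransmission timeouts. IKEv2
    always negotiates NAT traversal; encap = yes additionally forces UDP
    encapsulation, which is what you want when this gateway sits behind NAT.
    """
    v = conn["ike_version"]
    c = [
        "connections {",
        f"    {conn['name']} {{",
        f"        version = {v}",
        f"        local_addrs = {conn['local_gateway_ip']}",
        f"        remote_addrs = {conn['remote_gateway_ip']}",
        f"        proposals = {conn['ike_proposal']}",
        f"        rekey_time = {conn['ike_lifetime']}s",
        f"        encap = {'yes' if conn['nat_traversal'] else 'no'}",
    ]
    if conn["dpd"]:
        c.append(f"        dpd_delay = {conn['dpd_interval']}s")
        if v == 1:
            c.append(f"        dpd_timeout = {conn['dpd_timeout']}s")
    c += [
        "        local {", "            auth = psk", f"            id = {conn['local_id']}", "        }",
        "        remote {", "            auth = psk", f"            id = {conn['remote_id']}", "        }",
        "        children {",
        "            vpc {",
        f"                local_ts = {','.join(conn['local_subnets'])}",
        f"                remote_ts = {','.join(conn['remote_subnets'])}",
        f"                esp_proposals = {conn['esp_proposal']}",
        f"                rekey_time = {conn['ipsec_lifetime']}s",
        "                start_action = start",   # bring the tunnel up on load
        "                dpd_action = restart",   # re-negotiate after a DPD timeout
        "            }",
        "        }",
        "    }",
        "}",
        "secrets {",
        f"    ike-{conn['name']} {{",
        f"        id = {conn['remote_id']}",
        f"        secret = \"{conn['psk']}\"",
        "    }",
        "}",
    ]
    return "\n".join(c) + "\n"


if __name__ == "__main__":
    for problem in validate(CONN):
        print("problem:", problem)
    print(render_swanctl(CONN))
```

Copy the output to /etc/swanctl/conf.d/ (the default strongSwan layout is assumed) and run `swanctl --load-all`. Two details matter when the on-premises gateway is behind NAT: `local_addrs` is the address strongSwan actually binds to (the private one), while `local_id` is whatever the cloud side expects as the remote ID, and UDP 4500 must be reachable in both directions so that the NAT-T encapsulated ESP traffic passes.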
Grant the permissions on the IPsec-VPN connection to a transit router of another Alibaba Cloud account
You can associate an IPsec-VPN connection with a transit router that belongs to another Alibaba Cloud account, but not with a VPN gateway that belongs to another Alibaba Cloud account. Before you associate an IPsec-VPN connection with a transit router of another Alibaba Cloud account, you must grant that transit router the permissions on the IPsec-VPN connection.
- If the IPsec-VPN connection is already associated with a VPN gateway, you cannot associate the IPsec-VPN connection with a transit router of the same or another Alibaba Cloud account.
- If the IPsec-VPN connection is already associated with a transit router, you must first disassociate the IPsec-VPN connection from the transit router. For more information, see Delete a network instance connection.
Modify an IPsec-VPN connection
After you create an IPsec-VPN connection, you can modify its configurations.
Revoke the permissions on the IPsec-VPN connection granted to a transit router of another Alibaba Cloud account
If the IPsec-VPN connection is already associated with a transit router, you must first disassociate the IPsec-VPN connection from the transit router before you revoke the permissions. For more information, see Delete a network instance connection.
- Log on to the VPN Gateway console.
- In the left-side navigation pane, choose .
- In the top navigation bar, select the region of the IPsec-VPN connection.
- On the IPsec Connections page, find the IPsec-VPN connection and click its ID.
- On the CEN Cross Account Authorization tab, find the authorization record and click Unauthorize in the Actions column.
- In the Unauthorize message, confirm the information and click OK.
Delete an IPsec-VPN connection
- If the IPsec-VPN connection is associated with a transit router, disassociate the IPsec-VPN connection from the transit router before you delete the IPsec-VPN connection. For more information, see Delete a network instance connection.
- If the IPsec-VPN connection is associated with a VPN gateway, you can directly delete the IPsec-VPN connection.
- Log on to the VPN Gateway console.
- In the left-side navigation pane, choose .
- In the top navigation bar, select the region of the IPsec-VPN connection.
- On the IPsec Connections page, find the IPsec-VPN connection that you want to delete, and click Delete in the Actions column.
- In the message that appears, confirm the information and click OK.