Name |
Enter a name for the IPsec-VPN connection.
The name must be 2 to 128 characters in length and can contain letters, digits, hyphens (-),
and underscores (_). It must start with a letter.
|
VPN Gateway |
Select the standard VPN gateway to be connected through the IPsec-VPN connection.
|
Customer Gateway |
Select the customer gateway to be connected through the IPsec-VPN connection. |
Routing Mode |
Select a routing mode. Default value: Destination Routing Mode.
- Destination Routing Mode: forwards traffic based on destination IP addresses only.
After you create an IPsec-VPN connection, you must add destination-based routes to
the route table of the VPN gateway. For more information, see Manage destination-based routes.
- Protected Data Flows: forwards traffic based on both source and destination IP addresses.
If you select Protected Data Flows when you create an IPsec-VPN connection, you must
configure Local Network and Remote Network. After you complete the configuration, the
system automatically adds policy-based routes to the route table of the VPN gateway.
These policy-based routes are not advertised by default. You must manually advertise
the routes to the VPC.
Note
- If you use an earlier version of VPN Gateway, you do not need to select a routing
mode. After you create an IPsec-VPN connection, you must manually add destination-based
routes or policy-based routes to the VPN gateway. For more information, see Route overview.
- Do not create a route whose destination CIDR block is 100.64.0.0/10 or one of its
subnets and whose next hop is an IPsec-VPN connection. This block is the shared address
space defined in RFC 6598 and is reserved for internal use by Alibaba Cloud. If you create
such a route, the status of the IPsec-VPN connection cannot be displayed in the console,
or the negotiations of the IPsec-VPN connection fail.
|
Local Network |
Enter the CIDR block on the VPC side. The CIDR block is used as the local traffic selector
in Phase 2 negotiations and must match the remote network configured on the customer gateway.
Click the add icon next to the field to add multiple CIDR blocks on the VPC side.
Note You can add multiple CIDR blocks only if IKEv2 is used.
|
Remote Network |
Enter the CIDR block on the data center side. This CIDR block is used as the remote traffic
selector in Phase 2 negotiations and must match the local network configured on the customer gateway.
Click the add icon next to the field to add multiple CIDR blocks on the data center side.
Note You can add multiple CIDR blocks only if IKEv2 is used.
|
Effective Immediately |
Specify whether to immediately start negotiations.
- Yes: starts connection negotiations after the configuration is completed.
- No: starts negotiations when inbound traffic is detected.
|
Pre-Shared Key |
Enter the pre-shared key that is used for identity authentication between the VPN
gateway and the data center. The key must be 1 to 100 characters in length.
If you do not specify a pre-shared key, the system randomly generates a 16-character string
as the pre-shared key. After you create an IPsec-VPN connection, you can click Edit to view
the pre-shared key that is generated by the system. For more information,
see Modify an IPsec-VPN connection.
Use a long, randomly generated key and exchange it with the data center out of band. A short
or guessable key is the weakest point of pre-shared key authentication, because an attacker
who captures the negotiation can test candidate keys offline.
Notice The pre-shared key of the IPsec-VPN connection must be the same as the authentication
key of the data center. Otherwise, you cannot establish a connection between the data
center and the VPN gateway.
|
Advanced Configuration: IKE Configurations |
Version |
Select an IKE version.
IKEv1 and IKEv2 are supported. Compared with IKEv1, IKEv2 simplifies the SA negotiation
process and provides better support for scenarios in which multiple CIDR blocks are
used. We recommend that you select IKEv2.
|
Negotiation Mode |
Select a negotiation mode. This setting applies to IKEv1 only; IKEv2 uses a single exchange
and has no main or aggressive mode.
- main: This mode offers higher security during negotiations. The identities are exchanged
only after the Diffie-Hellman exchange, so they are encrypted.
- aggressive: This mode is faster and has a higher success rate, for example with peers that
identify themselves by FQDN. However, it sends the identities and the hash derived from the
pre-shared key in the clear, which exposes the pre-shared key to offline dictionary attacks.
Connections negotiated in both modes ensure the same level of security for data transmission
once the tunnel is established.
|
Encryption Algorithm |
Select the encryption algorithm that is used in Phase 1 negotiations. Supported algorithms
are aes, aes192, aes256, des, and 3des. des and 3des are retained only for compatibility with
legacy devices; select aes256 unless the customer gateway cannot support it.
|
Authentication Algorithm |
Select the authentication algorithm that is used in Phase 1 negotiations. Supported
algorithms are sha1, md5, sha256, sha384, and sha512. md5 and sha1 are retained only for
compatibility with legacy devices; select sha256 or stronger.
|
DH Group |
Select the DH key exchange algorithm that is used in Phase 1 negotiations. The following
DH groups are supported:
- group1: DH group 1 (768-bit MODP)
- group2: DH group 2 (1024-bit MODP)
- group5: DH group 5 (1536-bit MODP)
- group14: DH group 14 (2048-bit MODP)
group1 and group2 are too small for current key-recovery capabilities; select group14
unless the customer gateway cannot support it.
|
SA Life Cycle (seconds) |
Specify the lifetime of the IKE SA that is established when Phase 1 negotiations succeed,
after which the SA is renegotiated. Unit: seconds.
Default value: 86400. Valid values: 0 to 86400.
|
LocalId |
Specify the identifier of the VPN gateway that is used in Phase 1 negotiations. The
default value is the public IP address of the VPN gateway. If you set LocalId to a
fully qualified domain name (FQDN), we recommend that you set Negotiation Mode to
aggressive.
|
RemoteId |
Specify the identifier of the customer gateway that is used in Phase 1 negotiations.
The default value is the public IP address of the customer gateway. If you set RemoteId
to an FQDN, we recommend that you set Negotiation Mode to aggressive.
|
Advanced Configuration: IPSec Configurations |
Encryption Algorithm |
Select the encryption algorithm that is used in Phase 2 negotiations. Supported algorithms
are aes, aes192, aes256, des, and 3des. As in Phase 1, des and 3des are legacy-only; select aes256.
|
Authentication Algorithm |
Select the authentication algorithm that is used in Phase 2 negotiations. Supported
algorithms are sha1, md5, sha256, sha384, and sha512. As in Phase 1, md5 and sha1 are
legacy-only; select sha256 or stronger.
|
DH Group |
Select the DH key exchange algorithm that is used in Phase 2 negotiations. Standard
VPN gateways support the following values:
- disabled: does not perform a DH exchange in Phase 2. Select this value only for customer
gateways that do not support perfect forward secrecy (PFS). Without PFS, the Phase 2 keys
are derived from the Phase 1 key material, so a later compromise of that material exposes
every Phase 2 key.
- group1: DH group 1
- group2: DH group 2
- group5: DH group 5
- group14: DH group 14
If you select a value other than disabled, PFS is enabled, which performs a fresh DH
exchange for every Phase 2 renegotiation. You must then also enable PFS with the same
group on the customer gateway. As in Phase 1, group14 is the recommended minimum.
|
SA Life Cycle (seconds) |
Specify the lifetime of the IPsec SA that is established when Phase 2 negotiations succeed,
after which the SA is renegotiated. Unit: seconds.
Default value: 86400. Valid values: 0 to 86400.
|
DPD |
Specify whether to enable the dead peer detection (DPD) feature. DPD sends periodic liveness
probes to the customer gateway; if the peer stops responding, the SA is torn down and
renegotiated instead of lingering as a stale tunnel. This feature is enabled by default. |
NAT Traversal |
Specify whether to enable the NAT traversal feature. When a NAT device sits between the VPN
gateway and the customer gateway, NAT traversal encapsulates ESP packets in UDP (port 4500)
so that they pass through the NAT. Keep it enabled if the customer gateway is behind NAT.
This feature is enabled by default.
|
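The following script is an added example and is not part of the Alibaba Cloud documentation or product. It applies the limits and recommendations from the Name, Pre-Shared Key, Local Network, Remote Network and Advanced Configuration fields above as a pre-flight lint over a connection draft, using the option names the page lists (aes256, sha256, group14, disabled, and so on). The dictionary keys, the `lint_connection` and `generate_psk` function names and the sample configurations are assumptions chosen here; the strength notes on des, 3des, md5, sha1, the small DH groups and aggressive mode are general cryptographic facts, not product statements.

```python
import re
import secrets
import string

# Option names and limits as listed on this page; the strength notes are
# general cryptographic facts, not product statements (hypothetical tables).
WEAK_ENC = {"des": "56-bit key", "3des": "64-bit block, Sweet32"}
WEAK_AUTH = {"md5": "collision-broken", "sha1": "collision-broken"}
DH_MODP_BITS = {"group1": 768, "group2": 1024, "group5": 1536, "group14": 2048}
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_-]{1,127}$")


def looks_like_fqdn(identity: str) -> bool:
    """True when an ID is a host name rather than a dotted-quad IP address."""
    return "." in identity and re.search(r"[A-Za-z]", identity) is not None


def generate_psk(length: int = 32) -> str:
    """Random pre-shared key from letters and digits (about 5.95 bits per char).

    The console generates 16 characters when the field is left empty; 32 gives
    roughly 190 bits. Stay within the 1-100 character limit of the field.
    """
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def lint_connection(cfg: dict) -> list:
    """Return '<level>: <message>' findings for an IPsec-VPN connection draft.

    Keys mirror the fields on this page (hypothetical names): name, psk,
    ike_version, ike_mode, local_id, remote_id, local_network, remote_network,
    and <phase>_enc/_auth/_dh/_lifetime for phase in ike, ipsec.
    Missing keys default to the recommended values.
    """
    findings = []

    def err(msg):
        findings.append("error: " + msg)

    def warn(msg):
        findings.append("warn: " + msg)

    if not NAME_RE.match(cfg.get("name", "")):
        err("name must be 2-128 chars, start with a letter, and use only letters, digits, '-' and '_'")

    psk = cfg.get("psk")
    if psk is None:
        warn("no PSK set; the console generates a 16-character key, prefer your own and share it out of band")
    elif not 1 <= len(psk) <= 100:
        err("PSK must be 1 to 100 characters")
    elif len(psk) < 16:
        warn("PSK shorter than 16 characters is exposed to offline guessing")

    version = cfg.get("ike_version", "ikev2")
    mode = cfg.get("ike_mode", "main")
    if version == "ikev1":
        warn("IKEv1 selected; IKEv2 is recommended and is required for multiple CIDR blocks")
        if mode == "aggressive":
            warn("IKEv1 aggressive mode sends the identities and the PSK-derived hash in the clear")
        for side in ("local_network", "remote_network"):
            if len(cfg.get(side, [])) > 1:
                err(side + ": multiple CIDR blocks require IKEv2")
        # Main/aggressive exists only in IKEv1, so the FQDN advice applies there.
        for side in ("local_id", "remote_id"):
            ident = cfg.get(side)
            if ident and looks_like_fqdn(ident) and mode != "aggressive":
                warn(side + " is an FQDN; the page recommends aggressive mode for FQDN identifiers")

    for phase in ("ike", "ipsec"):
        enc = cfg.get(phase + "_enc", "aes256")
        auth = cfg.get(phase + "_auth", "sha256")
        dh = cfg.get(phase + "_dh", "group14")
        life = cfg.get(phase + "_lifetime", 86400)
        if enc in WEAK_ENC:
            warn(f"{phase}: {enc} ({WEAK_ENC[enc]}) is legacy-only; use aes256")
        if auth in WEAK_AUTH:
            warn(f"{phase}: {auth} ({WEAK_AUTH[auth]}) is legacy-only; use sha256 or stronger")
        if dh == "disabled":
            if phase == "ike":
                err("ike: Phase 1 always needs a DH group")
            else:
                warn("ipsec: PFS disabled; compromise of the Phase 1 keys exposes every Phase 2 key")
        elif dh not in DH_MODP_BITS:
            err(f"{phase}: unknown DH group {dh!r}")
        elif DH_MODP_BITS[dh] < 2048:
            warn(f"{phase}: {dh} is a {DH_MODP_BITS[dh]}-bit MODP group; use group14 (2048-bit)")
        if not 0 <= life <= 86400:
            err(f"{phase}: SA lifetime {life} is outside 0-86400 seconds")
    return findings


if __name__ == "__main__":
    # Constructed sample: a legacy-looking draft, then the same connection hardened.
    weak = {"name": "dc1-to-vpc", "psk": "changeme", "ike_version": "ikev1",
            "ike_mode": "aggressive", "ike_enc": "3des", "ike_auth": "md5",
            "ike_dh": "group2", "ipsec_enc": "aes", "ipsec_auth": "sha1",
            "ipsec_dh": "disabled", "local_network": ["10.0.0.0/16", "10.1.0.0/16"],
            "remote_network": ["192.168.0.0/16"]}
    for line in lint_connection(weak):
        print(line)
    hardened = dict(weak, psk=generate_psk(), ike_version="ikev2", ike_enc="aes256",
                    ike_auth="sha256", ike_dh="group14", ipsec_enc="aes256",
                    ipsec_auth="sha256", ipsec_dh="group14")
    print("hardened:", lint_connection(hardened))
```

Run it against a draft before clicking Create; the hardened sample produces no findings, while the legacy draft reports the IKEv1 multi-CIDR error and the weak-algorithm, aggressive-mode and short-PSK warnings that the field descriptions above caution against.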
BGP Configuration |
Tunnel CIDR Block |
Enter the CIDR block of the IPsec tunnel.
The CIDR block must fall within 169.254.0.0/16. The subnet mask of the CIDR block
must be 30 bits in length.
|
Local BGP IP address |
Enter the BGP IP address on the VPC side.
This IP address must fall within the CIDR block of the IPsec tunnel. A /30 block leaves
exactly two usable addresses, one for each side of the tunnel.
Note Make sure that the BGP IP addresses on the VPC side and on the data center side do
not conflict with each other.
|
Local ASN |
Enter the autonomous system number (ASN) on the VPC side. Valid values: 1 to 4294967295. Default value: 45104.
Note We recommend that you use a private ASN to establish a connection with Alibaba Cloud
over BGP. The private ASN ranges assigned by RFC 6996 are 64512 to 65534 (16-bit) and
4200000000 to 4294967294 (32-bit).
|
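The following script is an added example and is not part of the Alibaba Cloud documentation or product. It checks an address plan against the Routing Mode note (no route to 100.64.0.0/10 or a subnet of it with an IPsec-VPN connection as next hop) and the BGP Configuration fields above (tunnel CIDR block within 169.254.0.0/16 with a 30-bit mask, local BGP IP inside that block, ASN range and the private-ASN recommendation). The function names and the sample values are assumptions chosen here; the data center side BGP address is passed in only so the two ends can be checked for a clash.

```python
import ipaddress

# Values from this page: the block a VPN route must never cover, the range
# tunnel CIDR blocks are drawn from, the mandatory mask length, the ASN limit.
RESERVED_BLOCK = ipaddress.ip_network("100.64.0.0/10")
TUNNEL_RANGE = ipaddress.ip_network("169.254.0.0/16")
TUNNEL_PREFIXLEN = 30
ASN_MAX = 4294967295
# Private ASN ranges assigned by RFC 6996 (16-bit and 32-bit).
PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))


def is_private_asn(asn: int) -> bool:
    return any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)


def check_vpn_route(destination: str) -> list:
    """Findings for a destination-based route whose next hop is an IPsec-VPN connection."""
    try:
        net = ipaddress.ip_network(destination, strict=False)
    except ValueError as exc:
        return [f"error: route {destination!r}: {exc}"]
    if net.version == 4 and net.subnet_of(RESERVED_BLOCK):
        return [f"error: {net} is inside {RESERVED_BLOCK}; connection status and negotiation will break"]
    return []


def check_bgp_plan(tunnel_cidr: str, local_bgp_ip: str, remote_bgp_ip: str, local_asn: int) -> list:
    """Findings for the Tunnel CIDR Block, Local BGP IP address and Local ASN fields.

    remote_bgp_ip is the data center side address (configured on the customer
    gateway, not a field on this page); it is checked only for a clash.
    """
    findings = []
    try:
        tunnel = ipaddress.ip_network(tunnel_cidr)  # strict: rejects host bits set
        local = ipaddress.ip_address(local_bgp_ip)
        remote = ipaddress.ip_address(remote_bgp_ip)
    except ValueError as exc:
        return [f"error: {exc}"]
    if tunnel.version != 4 or not tunnel.subnet_of(TUNNEL_RANGE):
        findings.append(f"error: tunnel CIDR {tunnel} must fall within {TUNNEL_RANGE}")
    if tunnel.prefixlen != TUNNEL_PREFIXLEN:
        findings.append(f"error: tunnel CIDR {tunnel} must use a /{TUNNEL_PREFIXLEN} mask")
    # A /30 leaves exactly two usable addresses: one per side of the tunnel.
    unusable = (tunnel.network_address, tunnel.broadcast_address)
    for label, addr in (("local", local), ("remote", remote)):
        if addr not in tunnel or addr in unusable:
            findings.append(f"error: {label} BGP IP {addr} is not a usable host address in {tunnel}")
    if local == remote:
        findings.append("error: local and remote BGP IP addresses conflict")
    if not 1 <= local_asn <= ASN_MAX:
        findings.append(f"error: local ASN {local_asn} is outside 1-{ASN_MAX}")
    elif not is_private_asn(local_asn):
        findings.append(f"warn: local ASN {local_asn} is not private; use 64512-65534 or 4200000000-4294967294")
    return findings


if __name__ == "__main__":
    # Constructed samples: one forbidden route, one valid plan, one plan with errors.
    for route in ("100.100.0.0/16", "10.0.0.0/8"):
        print(route, check_vpn_route(route) or "ok")
    print(check_bgp_plan("169.254.10.0/30", "169.254.10.1", "169.254.10.2", 65010) or "plan ok")
    for line in check_bgp_plan("169.254.10.0/29", "169.254.10.0", "169.254.10.0", 45104):
        print(line)
```

The default ASN of 45104 is flagged as non-private so that the recommendation above is not silently ignored; pick a value from the RFC 6996 ranges for the VPC side and a different private ASN for the data center side.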
Health Check |
Destination IP |
Enter the IP address on the data center side that the VPC can communicate with through
the IPsec-VPN connection.
|
Source IP |
Enter the IP address on the VPC side that the data center can communicate with through
the IPsec-VPN connection.
|
Retry Interval |
Specify the interval between two consecutive health checks. Unit: seconds. |
Number of Retries |
Specify the maximum number of health check retries. |