This topic describes how to create an IPsec-VPN connection. After you create a VPN gateway and a customer gateway, you can create an IPsec-VPN connection between the two gateways to encrypt data transmission.

Prerequisites

Background information

When you create an IPsec-VPN connection, you can enable or disable the following features:
  • DPD: the dead peer detection (DPD) feature.

    After you enable DPD, the initiator of the IPsec-VPN connection sends DPD packets to check the existence and availability of the peer. If no response is received from the peer within a specified period of time, the connection fails. The ISAKMP Security Association (SA), IPsec SA, and IPsec tunnel are deleted. This feature is enabled by default.

  • NAT Traversal: the network address translation (NAT) traversal feature.

    After you enable NAT traversal, the initiator does not check the UDP ports during IKE negotiations and can automatically discover NAT gateway devices along the IPsec tunnel. This feature is enabled by default.

  • BGP: the Border Gateway Protocol (BGP) dynamic routing feature.

    After you enable BGP routing, the VPN gateway can automatically learn routes by using BGP. This reduces network maintenance costs and network configuration errors. This feature is disabled by default.

  • Health Check: the health check feature.

    You can configure health checks to check the connectivity of IPsec-VPN connections and detect issues at the earliest opportunity. This feature is disabled by default.

Note
  • If you use a VPN gateway of the latest version, you can use DPD, NAT traversal, BGP dynamic routing, and health checks. Otherwise, you cannot use the preceding features.

    You can check whether your VPN gateway uses the latest version based on the status of the Upgrade button. If your VPN gateway does not use the latest version, you can click Upgrade to update your VPN gateway. For more information, see Update a VPN gateway.

  • You cannot disable BGP dynamic routing after you enable it.

Procedure

  1. Log on to the VPN gateway console.
  2. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.
  3. In the top navigation bar, select the region where the IPsec-VPN connection is created.
  4. On the IPsec Connections page, click Create IPsec Connection.
  5. On the Create IPsec Connection page, configure the IPsec-VPN connection based on the following information and click OK.
    Parameter descriptions:

    Name
      Enter a name for the IPsec-VPN connection.
      The name must be 2 to 128 characters in length and can contain digits, hyphens (-), and underscores (_). It must start with a letter.

    VPN Gateway
      Select the standard VPN gateway to be connected through the IPsec-VPN connection.

    Customer Gateway
      Select the customer gateway to be connected through the IPsec-VPN connection.

    Routing Mode
      Select a routing mode. Default value: Destination Routing Mode.
      • Destination Routing Mode: forwards traffic to specified destination IP addresses.

        After you create an IPsec-VPN connection, you must add destination-based routes to the route table of the VPN gateway. For more information, see Manage destination-based routes.

      • Protected Data Flows: forwards traffic based on source and destination IP addresses.

        If you select Protected Data Flows when you create an IPsec-VPN connection, you must configure Local Network and Remote Network. After you complete the configurations, the system automatically adds policy-based routes to the route table of the VPN gateway.

        After the system adds policy-based routes to the route table of the VPN gateway, the routes are not advertised by default. You must manually advertise the routes to the VPC.

      Note
      • If you use an earlier version of VPN Gateway, you do not need to select a routing mode. After you create an IPsec-VPN connection, you must manually add destination-based routes or policy-based routes to the VPN gateway. For more information, see Route overview.
      • Do not create a route that meets both of the following conditions:
        • The destination CIDR block is 100.64.0.0/10 or one of its subnets.
        • The next hop is an IPsec-VPN connection.
        If you create such a route, one of the following errors occurs:
        • The status of the IPsec-VPN connection cannot be displayed in the console.
        • The negotiations of the IPsec-VPN connection fail.

    Local Network
      Enter the CIDR block on the VPC side. The CIDR block is used in Phase 2 negotiations.
      Click Add next to the field to add multiple CIDR blocks on the VPC side.
      Note You can add multiple CIDR blocks only if IKEv2 is used.

    Remote Network
      Enter the CIDR block on the data center side. This CIDR block is used in Phase 2 negotiations.
      Click Add next to the field to add multiple CIDR blocks on the data center side.
      Note You can add multiple CIDR blocks only if IKEv2 is used.

    Effective Immediately
      Specify whether to immediately start negotiations.
      • Yes: starts connection negotiations after the configuration is completed.
      • No: starts negotiations when inbound traffic is detected.

    Pre-Shared Key
      Enter the pre-shared key that is used for identity authentication between the VPN gateway and the data center. The key must be 1 to 100 characters in length.

      If you do not specify a pre-shared key, the system randomly generates a 16-bit string as the pre-shared key. After you create an IPsec-VPN connection, you can click Edit to view the pre-shared key that is generated by the system. For more information, see Modify an IPsec-VPN connection.

      Notice The pre-shared key of the IPsec-VPN connection must be the same as the authentication key of the data center. Otherwise, you cannot establish a connection between the data center and the VPN gateway.

    Advanced Configuration: IKE Configurations

    Version
      Select an IKE version.
      • ikev1
      • ikev2

      IKEv1 and IKEv2 are supported. Compared with IKEv1, IKEv2 simplifies the SA negotiation process and provides better support for scenarios in which multiple CIDR blocks are used. We recommend that you select IKEv2.

    Negotiation Mode
      Select a negotiation mode.
      • main: This mode offers higher security during negotiations.
      • aggressive: This mode is faster and has a higher success rate.

      Connections negotiated in both modes ensure the same level of security for data transmission.

    Encryption Algorithm
      Select the encryption algorithm that is used in Phase 1 negotiations. Supported algorithms are aes, aes192, aes256, des, and 3des.

    Authentication Algorithm
      Select the authentication algorithm that is used in Phase 1 negotiations. Supported algorithms are sha1, md5, sha256, sha384, and sha512.

    DH Group
      Select the DH key exchange algorithm that is used in Phase 1 negotiations. The following DH groups are supported:
      • group1: DH group 1
      • group2: DH group 2
      • group5: DH group 5
      • group14: DH group 14

    SA Life Cycle (seconds)
      Specify the lifecycle of the SA after Phase 1 negotiations succeed. Unit: seconds. Default value: 86400. Valid values: 0 to 86400.

    LocalId
      Specify the identifier of the VPN gateway that is used in Phase 1 negotiations. The default value is the public IP address of the VPN gateway. If you set LocalId to a fully qualified domain name (FQDN), we recommend that you set Negotiation Mode to aggressive.

    RemoteId
      Specify the identifier of the customer gateway that is used in Phase 1 negotiations. The default value is the public IP address of the customer gateway. If you set RemoteId to an FQDN, we recommend that you set Negotiation Mode to aggressive.

    Advanced Configuration: IPsec Configurations

    Encryption Algorithm
      Select the encryption algorithm that is used in Phase 2 negotiations. Supported algorithms are aes, aes192, aes256, des, and 3des.

    Authentication Algorithm
      Select the authentication algorithm that is used in Phase 2 negotiations. Supported algorithms are sha1, md5, sha256, sha384, and sha512.

    DH Group
      Select the DH key exchange algorithm that is used in Phase 2 negotiations. Standard VPN gateways support the following values:
      • disabled: does not use a DH key exchange algorithm.
        • For clients that do not support perfect forward secrecy (PFS), select disabled.
        • If you select a value other than disabled, PFS is enabled by default, which requires a fresh key exchange for every renegotiation. You must therefore also enable PFS on the client.
      • group1: DH group 1
      • group2: DH group 2
      • group5: DH group 5
      • group14: DH group 14

    SA Life Cycle (seconds)
      Specify the lifecycle of the SA after Phase 2 negotiations succeed. Unit: seconds. Default value: 86400. Valid values: 0 to 86400.

    DPD
      Specify whether to enable the DPD feature. This feature is enabled by default.

    NAT Traversal
      Specify whether to enable the NAT traversal feature. This feature is enabled by default.

    BGP Configuration

    Tunnel CIDR Block
      Enter the CIDR block of the IPsec tunnel.
      The CIDR block must fall within 169.254.0.0/16. The subnet mask of the CIDR block must be 30 bits in length.

    Local BGP IP address
      Enter the BGP IP address on the VPC side.
      This IP address must fall within the CIDR block of the IPsec tunnel.
      Note Make sure that the BGP IP addresses on the VPC side and on the data center side do not conflict with each other.

    Local ASN
      Enter the autonomous system number (ASN) on the VPC side. Valid values: 1 to 4294967295. Default value: 45104.
      Note We recommend that you use a private ASN to establish a connection with Alibaba Cloud over BGP. Refer to the relevant documentation for the valid range of a private ASN.

    Health Check

    Destination IP
      Enter the IP address on the data center side that the VPC can communicate with through the IPsec-VPN connection.

    Source IP
      Enter the IP address on the VPC side that the data center can communicate with through the IPsec-VPN connection.

    Retry Interval
      Specify the interval between two consecutive health checks. Unit: seconds.

    Number of Retries
      Specify the maximum number of health check retries.
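The parameter constraints above are easy to get wrong before clicking OK (the name rule, the IKEv2 requirement for multiple CIDR blocks, the /30 tunnel block inside 169.254.0.0/16, the ASN range, the forbidden 100.64.0.0/10 routes, and the PFS coupling of the Phase 2 DH group). The following pre-flight validator is an added example written for this page, not code from the VPN gateway product or its API; the dictionary keys, the sample configs and the "weak algorithm" warning for des/3des/md5/sha1 are the editor's own assumptions and recommendation, not console settings.

```python
import ipaddress
import re

WEAK_ALGOS = {"des", "3des", "md5", "sha1"}  # accepted by the console but dated; editor's recommendation


def validate_connection(cfg):
    """Return the list of constraint violations for an IPsec-VPN connection dict;
    an empty list means the config satisfies the documented parameter rules."""
    problems = []
    # Name: 2 to 128 characters, letters/digits/-/_, must start with a letter.
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9_-]{1,127}", cfg.get("name", "")):
        problems.append("name: 2-128 chars of letters/digits/-/_, starting with a letter")
    psk = cfg.get("psk")
    if psk is not None and not 1 <= len(psk) <= 100:
        problems.append("psk: must be 1 to 100 characters")
    # Multiple Local/Remote Network CIDR blocks are only allowed with IKEv2.
    multi = max(len(cfg.get("local_networks", [])), len(cfg.get("remote_networks", []))) > 1
    if multi and cfg.get("ike_version", "ikev2") != "ikev2":
        problems.append("local/remote networks: multiple CIDR blocks require ikev2")
    for phase in ("ike", "ipsec"):
        if not 0 <= cfg.get(f"{phase}_sa_lifetime", 86400) <= 86400:
            problems.append(f"{phase}_sa_lifetime: valid values are 0 to 86400 seconds")
        for key in (f"{phase}_enc", f"{phase}_auth"):
            if cfg.get(key) in WEAK_ALGOS:
                problems.append(f"{key}={cfg[key]}: weak algorithm, prefer aes256/sha256")
    # Any Phase 2 DH group other than 'disabled' turns on PFS, so the peer must support PFS too.
    if cfg.get("ipsec_dh_group", "disabled") != "disabled" and not cfg.get("peer_supports_pfs", True):
        problems.append("ipsec_dh_group: PFS is enabled but the peer lacks PFS; select disabled")
    if cfg.get("bgp"):
        tunnel = ipaddress.ip_network(cfg["tunnel_cidr"], strict=False)
        if tunnel.prefixlen != 30 or not tunnel.subnet_of(ipaddress.ip_network("169.254.0.0/16")):
            problems.append("tunnel_cidr: must be a /30 inside 169.254.0.0/16")
        if ipaddress.ip_address(cfg["local_bgp_ip"]) not in tunnel:
            problems.append("local_bgp_ip: must fall within tunnel_cidr")
        if not 1 <= cfg.get("local_asn", 45104) <= 4294967295:
            problems.append("local_asn: valid values are 1 to 4294967295")
    # Routes with this connection as next hop must not target 100.64.0.0/10 or a subnet of it.
    cgnat = ipaddress.ip_network("100.64.0.0/10")
    for dst in cfg.get("routes", []):
        if ipaddress.ip_network(dst, strict=False).subnet_of(cgnat):
            problems.append(f"route {dst}: destination inside 100.64.0.0/10 is not allowed")
    return problems


# Constructed sample configs: GOOD passes every rule, BAD trips nine of them.
GOOD = {"name": "dc1-to-vpc", "psk": "constructed-psk-value", "ike_version": "ikev2",
        "local_networks": ["10.0.0.0/16", "10.1.0.0/16"], "remote_networks": ["192.168.0.0/16"],
        "ike_enc": "aes256", "ike_auth": "sha256", "ipsec_enc": "aes256", "ipsec_auth": "sha256",
        "ipsec_dh_group": "group14", "bgp": True, "tunnel_cidr": "169.254.10.0/30",
        "local_bgp_ip": "169.254.10.1", "local_asn": 64512, "routes": ["192.168.0.0/16"]}
BAD = dict(GOOD, name="1bad", ike_version="ikev1", ike_enc="des", ike_auth="md5",
           tunnel_cidr="169.254.10.0/29", local_bgp_ip="169.254.11.1", local_asn=0,
           routes=["100.64.0.0/10", "100.100.0.0/24"])
```

Run `validate_connection(cfg)` on your own dictionary before creating the connection; each returned string names the parameter and the rule it violates.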