This topic describes how to create multiple private IPsec-VPN connections between a data center and a virtual private cloud (VPC). You can use the connections to encrypt data transmission between the data center and the VPC, and implement load balancing based on equal-cost multi-path (ECMP) routing.

Scenarios

[Figure: scenario topology for associating private IPsec-VPN connections with transit routers]

The preceding scenario is used as an example in this topic. An enterprise owns a data center in Shanghai and created a VPC in the China (Hangzhou) region. Applications are deployed on an Elastic Compute Service (ECS) instance in the VPC. The enterprise wants to create private connections between the data center and the VPC. The enterprise also wants to encrypt the private connections and use the connections to implement load balancing based on ECMP routing.

Network design

Network settings

The following network settings are used in this topic:

  • The data center is connected to Alibaba Cloud through two Express Connect circuits, and communicates with the VPC through a Cloud Enterprise Network (CEN) instance. The two Express Connect circuits ensure network redundancy and forward traffic.
  • After the data center and the VPC are connected through the Express Connect circuits, you can create IPsec-VPN connections over them: two connections per circuit, four in total. The connections encrypt data transmission between the data center and the VPC, and traffic is balanced across them based on ECMP routing.
    • When you create the IPsec-VPN connections, set Gateway Type to Private.
    • Set the Associate Resource parameter of the IPsec-VPN connections to CEN. This way, the IPsec-VPN connections are aggregated on the transit router for ECMP routing.
      Note You can associate IPsec-VPN connections only with Enterprise Edition transit routers on CEN instances.
  • The data center, the virtual border routers (VBRs), and the IPsec-VPN connections use BGP to automatically learn and advertise routes. This facilitates route configuration. When one of the IPsec-VPN connections fails, its BGP session goes down and the routes learned over it are withdrawn, so traffic is redirected to the remaining IPsec-VPN connections. This ensures service reliability.
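The two claims above, per-flow ECMP across the four tunnels and automatic failover when one tunnel's BGP session drops, can be checked against a small model. The following Python is an added example for this page, not Alibaba Cloud code or the behaviour of any particular device: it keeps a routing table of BGP-learned next hops, hashes each 5-tuple onto one live tunnel, and withdraws a tunnel's paths when it fails. The next-hop addresses are the Alibaba Cloud BGP IPs from the planning section; the sample flows are constructed.

```python
"""Model of per-flow ECMP over the four IPsec tunnels and of failover when one
tunnel's BGP session drops.  Added example; it does not reproduce any vendor's
hashing algorithm."""
import hashlib
import ipaddress

# Alibaba Cloud side BGP IPs of IPsec-VPN Connections 1 to 4 (planning table).
TUNNEL_PEERS = ["169.254.10.1", "169.254.11.1", "169.254.12.1", "169.254.13.1"]


def flow_hash(flow):
    """Deterministic hash of a 5-tuple so that one flow always takes one tunnel."""
    key = "|".join(str(f) for f in flow).encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:8], "big")


class Rib:
    """Minimal routing table: prefix -> set of equal-cost next hops."""

    def __init__(self):
        self.routes = {}

    def learn(self, prefix, next_hop):
        """A BGP UPDATE from a tunnel peer adds that peer as a next hop."""
        self.routes.setdefault(ipaddress.ip_network(prefix), set()).add(next_hop)

    def withdraw_peer(self, next_hop):
        """Tunnel failure: the BGP session drops and every path via it is withdrawn."""
        for hops in self.routes.values():
            hops.discard(next_hop)

    def lookup(self, dst):
        """Longest-prefix match; returns the sorted list of live next hops."""
        dst = ipaddress.ip_address(dst)
        best = None
        for prefix, hops in self.routes.items():
            if dst in prefix and hops and (best is None or prefix.prefixlen > best.prefixlen):
                best = prefix
        return sorted(self.routes[best]) if best else []

    def next_hop(self, flow):
        """ECMP: hash the flow onto one of the live next hops, or None if unroutable."""
        hops = self.lookup(flow[1])
        return hops[flow_hash(flow) % len(hops)] if hops else None


def build_rib(peers=TUNNEL_PEERS):
    """Every tunnel peer advertises the VPC prefix, so all four paths are equal-cost."""
    rib = Rib()
    for peer in peers:
        rib.learn("172.16.0.0/16", peer)
    return rib


def sample_flows(n=1000):
    """Constructed sample traffic: n TCP flows from the data center to the ECS instance."""
    return [("192.168.0.%d" % (10 + i % 200), "172.16.10.1", "tcp", 40000 + i, 443)
            for i in range(n)]


def distribution(rib, flows):
    """Count how many flows land on each next hop (key None = flow has no path)."""
    counts = {}
    for f in flows:
        nh = rib.next_hop(f)
        counts[nh] = counts.get(nh, 0) + 1
    return counts


if __name__ == "__main__":
    rib = build_rib()
    flows = sample_flows()
    print("all four tunnels up:", distribution(rib, flows))
    rib.withdraw_peer("169.254.11.1")  # IPsec-VPN Connection 2 fails
    print("after connection 2 fails:", distribution(rib, flows))
```

With plain modulo hashing, flows on the surviving tunnels are reshuffled when the number of live paths changes; real devices may or may not preserve them. What the model shows is the page's point: after a failure every flow still has a path, and none is sent into the failed tunnel.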

Network planning

Important When you plan CIDR blocks, make sure that the CIDR blocks of the data center and the VPC do not overlap.
Item: VPC
  • Primary CIDR block: 172.16.0.0/16
  • vSwitch 1 CIDR block: 172.16.10.0/24
  • vSwitch 2 CIDR block: 172.16.20.0/24
  • IP address of the ECS instance attached to vSwitch 1: 172.16.10.1

Item: IPsec-VPN connections (BGP configurations on the Alibaba Cloud side; 45104 is the default ASN)
  • IPsec-VPN Connection 1: tunnel CIDR block 169.254.10.0/30, BGP IP address 169.254.10.1, ASN 45104
  • IPsec-VPN Connection 2: tunnel CIDR block 169.254.11.0/30, BGP IP address 169.254.11.1, ASN 45104
  • IPsec-VPN Connection 3: tunnel CIDR block 169.254.12.0/30, BGP IP address 169.254.12.1, ASN 45104
  • IPsec-VPN Connection 4: tunnel CIDR block 169.254.13.0/30, BGP IP address 169.254.13.1, ASN 45104

Item: VBRs
  VBR1:
  • VLAN ID: 201
  • IPv4 address on the Alibaba Cloud side: 10.0.0.2/30
  • IPv4 address on the user side: 10.0.0.1/30 (in this example, the IPv4 address of On-premises Gateway Device 1)
  • ASN: 45104 (the default ASN of a VBR)

  VBR2:
  • VLAN ID: 202
  • IPv4 address on the Alibaba Cloud side: 10.0.1.2/30
  • IPv4 address on the user side: 10.0.1.1/30 (in this example, the IPv4 address of On-premises Gateway Device 2)
  • ASN: 45104 (the default ASN of a VBR)

Item: On-premises gateway devices
  VPN IP addresses of the on-premises gateway devices:
  • On-premises Gateway Device 1
    • VPN IP Address 1: 192.168.0.1
    • VPN IP Address 2: 192.168.1.1
  • On-premises Gateway Device 2
    • VPN IP Address 1: 192.168.1.2
    • VPN IP Address 2: 192.168.2.2
  BGP configurations of the on-premises gateway devices (65530 is the ASN of the data center):
  • On-premises Gateway Device 1:
    • Tunnel CIDR Block 1: 169.254.10.0/30, BGP IP address on the data center side 169.254.10.2, ASN 65530
    • Tunnel CIDR Block 2: 169.254.11.0/30, BGP IP address on the data center side 169.254.11.2, ASN 65530
  • On-premises Gateway Device 2:
    • Tunnel CIDR Block 1: 169.254.12.0/30, BGP IP address on the data center side 169.254.12.2, ASN 65530
    • Tunnel CIDR Block 2: 169.254.13.0/30, BGP IP address on the data center side 169.254.13.2, ASN 65530

Item: Data center
  CIDR blocks to be connected to the VPC:
  • 192.168.0.0/24
  • 192.168.1.0/24
  • 192.168.2.0/24

  Because Gateway Type is set to Private, the VPN IP addresses of the on-premises gateway devices are private addresses inside these CIDR blocks and are reached over the Express Connect circuits, not over the Internet.
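Before any of the consoles are touched, the plan above can be checked mechanically for the constraints this page states: non-overlapping data center and VPC CIDR blocks, tunnel CIDR blocks that are /30s inside 169.254.0.0/16 with both BGP addresses inside them, distinct ASNs on the two sides, one /30 per VBR link, and gateway IP addresses that collide with neither site. The following Python is an added example, not Alibaba Cloud tooling; the values in PLAN are copied from the planning table and the gateway IP addresses are the ones the page reports in Step 3.

```python
"""Consistency checks for the addressing plan of this page (added example)."""
import ipaddress
from itertools import combinations

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

# Values copied from the planning table on this page.
PLAN = {
    "vpc": ["172.16.0.0/16"],
    "dc": ["192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24"],
    "cloud_asn": 45104,
    "dc_asn": 65530,
    # name, tunnel CIDR block, Alibaba Cloud BGP IP, data center BGP IP
    "tunnels": [
        ("IPsec-VPN Connection 1", "169.254.10.0/30", "169.254.10.1", "169.254.10.2"),
        ("IPsec-VPN Connection 2", "169.254.11.0/30", "169.254.11.1", "169.254.11.2"),
        ("IPsec-VPN Connection 3", "169.254.12.0/30", "169.254.12.1", "169.254.12.2"),
        ("IPsec-VPN Connection 4", "169.254.13.0/30", "169.254.13.1", "169.254.13.2"),
    ],
    # name, VLAN ID, Alibaba Cloud side, data center side
    "vbrs": [("VBR1", 201, "10.0.0.2/30", "10.0.0.1/30"),
             ("VBR2", 202, "10.0.1.2/30", "10.0.1.1/30")],
    # private gateway IPs the system assigns to the four connections (Step 3)
    "gateway_ips": ["192.168.168.1", "192.168.168.2", "192.168.168.3", "192.168.168.4"],
}


def check_plan(plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    nets = lambda key: [ipaddress.ip_network(c) for c in plan[key]]
    vpc, dc = nets("vpc"), nets("dc")

    # 1. Data center and VPC CIDR blocks must not overlap (Important note above).
    for a in vpc:
        for b in dc:
            if a.overlaps(b):
                problems.append(f"VPC {a} overlaps data center {b}")

    # 2. eBGP between the sites needs two distinct, valid ASNs.
    for asn in (plan["cloud_asn"], plan["dc_asn"]):
        if not 1 <= asn <= 4294967295:
            problems.append(f"ASN {asn} out of range")
    if plan["cloud_asn"] == plan["dc_asn"]:
        problems.append("cloud and data center ASNs are equal; the sessions would be iBGP")

    # 3. Tunnel blocks: /30 inside 169.254.0.0/16, pairwise disjoint, BGP IPs inside.
    tnets = []
    for name, cidr, cloud_ip, dc_ip in plan["tunnels"]:
        t = ipaddress.ip_network(cidr)
        tnets.append((name, t))
        if t.prefixlen != 30 or not t.subnet_of(LINK_LOCAL):
            problems.append(f"{name}: tunnel block {t} must be a /30 inside {LINK_LOCAL}")
        for side, ip in (("cloud", cloud_ip), ("data center", dc_ip)):
            if ipaddress.ip_address(ip) not in t.hosts():
                problems.append(f"{name}: {side} BGP IP {ip} is not a usable host in {t}")
        if cloud_ip == dc_ip:
            problems.append(f"{name}: both BGP endpoints use {cloud_ip}")
    for (n1, t1), (n2, t2) in combinations(tnets, 2):
        if t1.overlaps(t2):
            problems.append(f"{n1} and {n2} share tunnel block {t1}")

    # 4. VBR point-to-point links: both ends in one /30, unique VLAN IDs.
    for name, vlan, cloud_if, dc_if in plan["vbrs"]:
        c, d = ipaddress.ip_interface(cloud_if), ipaddress.ip_interface(dc_if)
        if c.network != d.network or c.ip == d.ip:
            problems.append(f"{name}: {cloud_if} and {dc_if} are not one point-to-point /30")
    vlans = [v for _, v, _, _ in plan["vbrs"]]
    if len(set(vlans)) != len(vlans):
        problems.append("VBR VLAN IDs are not unique")

    # 5. Gateway IPs come from the transit router CIDR and must not collide with a site.
    for gw in plan["gateway_ips"]:
        g = ipaddress.ip_address(gw)
        for n in vpc + dc:
            if g in n:
                problems.append(f"gateway IP {gw} falls inside {n}")
    return problems


if __name__ == "__main__":
    for line in check_plan(PLAN) or ["plan OK"]:
        print(line)
```

Run it again whenever a CIDR block, ASN or tunnel address in the plan changes; an overlapping block or a tunnel outside 169.254.0.0/16 is reported before it costs a failed console operation.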

Preparations

Make sure that the following prerequisites are met before you start:
  • A VPC is created in the China (Hangzhou) region. Applications are deployed on the ECS instance in the VPC. For more information, see Create a VPC with an IPv4 CIDR block.
  • A CEN instance is created. An Enterprise Edition transit router is created in the China (Hangzhou) and China (Shanghai) regions. For more information, see Create a CEN instance and Create a transit router.
    Important When you create a transit router, you must configure a CIDR block for the transit router. Otherwise, IPsec-VPN connections cannot be associated with the transit router.

    If you have already created a transit router, you can configure a CIDR block for the transit router. For more information, see Create a CIDR block for a transit router.

  • You understand the security group rules of the ECS instance in the VPC. Make sure that the rules allow the ECS instance to communicate with the data center. For more information, see Query security group rules and Add a security group rule.

Procedure

[Figure: procedure overview for associating private IPsec-VPN connections with transit routers]

Step 1: Deploy Express Connect circuits

You must deploy an Express Connect circuit to connect the data center to Alibaba Cloud.

  1. Create dedicated connections over Express Connect circuits.
    In this example, two dedicated connections over Express Connect circuits are created in the China (Shanghai) region. The Express Connect circuits are named Express Connect Circuit 1 and Express Connect Circuit 2. For more information, see Create and manage a dedicated connection over an Express Connect circuit.
    When you apply for the second Express Connect circuit, you may need to specify a redundant Express Connect circuit based on the access point.
    • If you want to connect the Express Connect circuits to the same access point, you must specify the redundant Express Connect circuit. Set Redundant Connection ID to the first Express Connect circuit. This way, the Express Connect circuits will be connected to different access devices.
    • If you want to connect the Express Connect circuits to different access points, you do not need to specify the redundant Express Connect circuit. In this case, you do not need to specify Redundant Connection ID.

      In this example, the Express Connect circuits are connected to different access points.

  2. Create VBRs.
    1. Log on to the Express Connect console.
    2. In the left-side navigation pane, click Virtual Border Routers (VBRs).
    3. In the top navigation bar, select the region where you want to create the VBR.
      In this example, China (Shanghai) is selected.
    4. On the Virtual Border Routers (VBRs) page, click Create VBR.
    5. In the Create VBR panel, set the following parameters and click OK.
      Create two VBRs based on the following information. The two VBRs are associated with different Express Connect circuits. The following table describes only the key parameters. The default values are used for the other parameters. For more information, see Create a VBR.
      • Account: Specify whether to create a VBR for the current or another Alibaba Cloud account. In this example, Current account is selected for both VBRs.
      • Name: Enter a name for the VBR. VBR1: VBR1. VBR2: VBR2.
      • Physical Connection Interface: Select the Express Connect circuit that you want to associate with the VBR. VBR1: Dedicated Physical Connection, with Express Connect Circuit 1 created in Step 1. VBR2: Dedicated Physical Connection, with Express Connect Circuit 2 created in Step 1.
      • VLAN ID: Enter the VLAN ID of the VBR. VBR1: 201. VBR2: 202.
        Note Make sure that the VLAN ID of the VBR is the same as the VLAN ID of the interface that the on-premises gateway device uses to connect to the Express Connect circuit.
      • Set VBR Bandwidth Value: Specify a maximum bandwidth value for the VBR based on your business requirements.
      • IPv4 Address (Alibaba Cloud Gateway): Specify the IPv4 address that the VBR uses to route traffic from the VPC to the data center. VBR1: 10.0.0.2. VBR2: 10.0.1.2.
      • IPv4 Address (Data Center Gateway): Specify the IPv4 address of the gateway device in the data center that routes traffic from the data center to the VPC. VBR1: 10.0.0.1. VBR2: 10.0.1.1.
      • Subnet Mask (IPv4): Enter the subnet mask of the specified IPv4 addresses. Both VBRs: 255.255.255.252.
  3. Configure a BGP group for each VBR.
    1. On the Virtual Border Routers (VBRs) page, click the ID of the VBR that you want to manage.
    2. On the details page, click the BGP Groups tab.
    3. On the BGP Groups tab, click Create BGP Group, set the following parameters, and click OK.
      Configure the BGP groups based on the following information. The following table describes only the key parameters. The default values are used for the other parameters. For more information, see Create a BGP group.
      • Name: Enter a name for the BGP group. VBR1: VBR1-BGP. VBR2: VBR2-BGP.
      • Peer ASN: Enter the ASN of the on-premises gateway device. In this example, 65530 is used for both BGP groups; it is the ASN of On-premises Gateway Device 1 and of On-premises Gateway Device 2.
      The BGP group also accepts an optional authentication key. If you set one, configure the same key as the neighbor password on the on-premises gateway device, otherwise the session does not come up.
  4. Configure a BGP peer for each VBR.
    1. On the VBR details page, click the BGP Peers tab.
    2. On the BGP Peers tab, click Create BGP Peer.
    3. In the Create BGP Peer panel, set the following parameters and click OK:
      Configure the BGP peers based on the following information. The following table describes only the key parameters. The default values are used for the other parameters. For more information, see Create a BGP peer.
      • BGP Group: Select the BGP group to which you want to add the BGP peer. VBR1: VBR1-BGP. VBR2: VBR2-BGP.
      • BGP Peer IP Address: Enter the IP address of the BGP peer. VBR1: 10.0.0.1, the IP address of the interface that On-premises Gateway Device 1 uses to connect to Express Connect Circuit 1. VBR2: 10.0.1.1, the IP address of the interface that On-premises Gateway Device 2 uses to connect to Express Connect Circuit 2.
  5. Configure BGP routing for the on-premises gateway devices.
    After you configure BGP on the on-premises gateway devices, they establish peering sessions with the VBRs and automatically learn and advertise routes. The following configurations are for reference only; the commands vary by vendor, so contact your vendor for the exact syntax. The // annotations are explanations and must not be pasted into the device.
    # Configure On-premises Gateway Device 1.
    router bgp 65530                         //Enable BGP and configure the ASN of the data center. In this example, 65530 is used. 
    bgp router-id 10.0.0.1                   //Enter the ID of the BGP router. In this example, 10.0.0.1 is used. 
    bgp log-neighbor-changes
    neighbor 10.0.0.2 remote-as 45104        //Establish a peering connection to VBR1. 
    !
    address-family ipv4
    network 192.168.0.0 mask 255.255.255.0     //Advertise the CIDR block of the data center. 
    network 192.168.1.0 mask 255.255.255.0
    network 192.168.2.0 mask 255.255.255.0 
    neighbor 10.0.0.2 activate               //Activate the BGP peer. 
    exit-address-family
    !
    # Configure On-premises Gateway Device 2.
    router bgp 65530                         //Enable BGP and configure the ASN of the data center. In this example, 65530 is used. 
    bgp router-id 10.0.1.1                   //Enter the ID of the BGP router. In this example, 10.0.1.1 is used. 
    bgp log-neighbor-changes
    neighbor 10.0.1.2 remote-as 45104        //Establish a peering connection to VBR2. 
    !
    address-family ipv4
    network 192.168.0.0 mask 255.255.255.0     //Advertise the CIDR block of the data center. 
    network 192.168.1.0 mask 255.255.255.0
    network 192.168.2.0 mask 255.255.255.0 
    neighbor 10.0.1.2 activate               //Activate the BGP peer. 
    exit-address-family
    !

Step 2: Configure a CEN instance

After you deploy the Express Connect circuits, the data center is connected to Alibaba Cloud through the Express Connect circuits. However, the data center and the VPC cannot communicate with each other. To enable communication between the data center and the VPC, you must connect the VBRs and the VPC to a CEN instance.

  1. Create a VPC connection.
    1. Log on to the CEN console.
    2. On the Instances page, find the CEN instance that you created and click its ID.
    3. On the Basic Settings > Transit Router tab, find the transit router that you want to manage and click Create Connection in the Actions column.
    4. On the Connection with Peer Network Instance page, set the following parameters and click OK.
      • Network Type: Specify the type of network instance. In this example, VPC is selected.
      • Region: Specify the region of the network instance. In this example, China (Hangzhou) is selected.
      • Transit Router: The system automatically displays the transit router in the current region.
      • Resource Owner ID: Specify whether the network instance belongs to the current Alibaba Cloud account. In this example, Your Account is selected.
      • Billing Method: The billing method of the VPC connection. Default value: Pay-As-You-Go. For more information about the billing rules for transit routers, see Billing rules.
      • Attachment Name: Enter a name for the VPC connection. In this example, VPC-test is used.
      • Networks: Select a network instance. In this example, the VPC created in the Preparations section is selected.
      • vSwitch: Select at least one vSwitch in a zone that supports Enterprise Edition transit routers. Make sure that each vSwitch has at least one idle IP address. In this example, vSwitch 1 in Zone H is selected.
        If the VPC does not contain vSwitches deployed in zones that support Enterprise Edition transit routers, create one. For more information, see Create and manage a vSwitch.
        After you select a vSwitch in the VPC, the transit router creates an elastic network interface (ENI) on the vSwitch. The ENI occupies one IP address of the vSwitch and forwards traffic between the VPC and the transit router.
      • Advanced Settings: Specify whether to enable the advanced features. By default, all advanced features are enabled. In this example, the default settings are used.
  2. Create VBR connections.
    1. Return to the Basic Settings > Transit Router tab, find the transit router that you want to manage, and click Create Connection in the Actions column.
    2. On the Connection with Peer Network Instance page, set the following parameters and click OK.
      Create one VBR connection for VBR1 and one for VBR2 based on the following information.
      • Network Type: Specify the type of network instance. In this example, Virtual Border Router (VBR) is selected.
      • Region: Specify the region of the network instance. In this example, China (Shanghai) is selected.
      • Transit Router: The system automatically displays the transit router in the current region.
      • Resource Owner ID: Specify whether the network instance belongs to the current Alibaba Cloud account. In this example, Your Account is selected.
      • Attachment Name: Enter a name for the network connection. VBR1 connection: VBR1-test. VBR2 connection: VBR2-test.
      • Networks: Select a network instance. VBR1 connection: VBR1. VBR2 connection: VBR2.
      • Advanced Settings: Specify whether to enable the advanced features. By default, all advanced features are enabled. In this example, the default settings are used.
  3. Purchase a bandwidth plan.
    The transit router associated with the VBRs and the transit router associated with the VPC are deployed in different regions. By default, the VBRs cannot communicate with the VPC in this scenario. To allow the VBRs to communicate with the VPC across regions, you need to create an inter-region connection between the transit router in the China (Hangzhou) region and the transit router in the China (Shanghai) region.

    You can allocate bandwidth to an inter-region connection from a bandwidth plan or pay for the bandwidth usage of the inter-region connection on a pay-by-data-transfer basis. In this example, a bandwidth plan is used.

    Purchase a bandwidth plan to allocate bandwidth for inter-region communication before you create an inter-region connection.

    1. On the Instances page, find the CEN instance that you want to manage and click its ID.
    2. On the details page of the CEN instance, choose Basic Settings > Bandwidth Plans and click Purchase Bandwidth Plan(Subscription).
    3. On the buy page, configure the following parameters, click Buy Now, and then complete the payment.
      • CEN ID: Select the CEN instance for which you want to purchase the bandwidth plan. After you complete the payment, the bandwidth plan is automatically associated with the CEN instance. In this example, the CEN instance created in the Preparations section is selected.
      • Area A: Select one of the areas where you want to enable inter-region communication. In this example, Mainland China is selected.
        Note
        • After you purchase a bandwidth plan, you cannot change the areas that you selected for the bandwidth plan.
        • For more information about the regions and areas that support bandwidth plans, see Work with a bandwidth plan.
      • Area B: Select the other area where you want to enable inter-region communication. In this example, Mainland China is selected.
      • Billing method: Displays the billing method of the bandwidth plan. The default billing method is Pay by Bandwidth. For more information about bandwidth plan billing, see Billing rules.
      • Bandwidth: Select a bandwidth value based on your business requirements. Unit: Mbit/s.
      • Bandwidth_package_name: Enter a name for the bandwidth plan.
      • Order time: Select a subscription duration for the bandwidth plan. You can select Auto-renewal to allow the system to automatically renew the bandwidth plan.

  4. Create an inter-region connection.
    1. On the Instances page, find the CEN instance that you want to manage and click its ID.
    2. Navigate to the Basic Settings > Bandwidth Plans tab and click Set Region Connection.
    3. On the Connection with Peer Network Instance page, set the following parameters and click OK.
      • Network type: In this example, Inter-region Connection is selected.
      • Region: Select the region that you want to connect. In this example, China (Hangzhou) is selected.
      • Transit Router: The system automatically displays the ID of the transit router in the selected region.
      • Attachment Name: Enter a name for the inter-region connection. In this example, Cross-Region-test is used.
      • Peer Region: Select the other region to be connected. In this example, China (Shanghai) is selected.
      • Transit Router: The system automatically displays the ID of the transit router in the peer region.
      • Bandwidth Allocation Mode: The following modes are supported:
        • Allocate from Bandwidth Plan: Bandwidth resources are allocated from a purchased bandwidth plan.
        • Pay-By-Data-Transfer: You are charged for data transfer over the inter-region connection.
        In this example, Allocate from Bandwidth Plan is selected.
      • Bandwidth Plan: Select the bandwidth plan that is associated with the CEN instance.
      • Bandwidth: Specify a bandwidth value for the inter-region connection. Unit: Mbit/s.
      • Advanced Settings: By default, all advanced features are enabled. In this example, the default settings are used.

Step 3: Create IPsec-VPN connections

After you complete the preceding steps, the data center can communicate with the VPC over private connections. However, data transmission between the data center and the VPC is not encrypted. To encrypt data transmission, you must create IPsec-VPN connections between the data center and Alibaba Cloud.

  1. Log on to the VPN Gateway console.
  2. Create customer gateways.
    Before you create IPsec-VPN connections, you need to create customer gateways to provide information about the on-premises gateway devices to Alibaba Cloud.
    1. In the left-side navigation pane, choose Interconnections > VPN > Customer Gateways.
    2. In the top navigation bar, select the region where you want to create the customer gateways.
      VPN gateways do not support cross-border IPsec-VPN connections. Therefore, you need to follow the nearby access principle and select a region that is closest to your data center when you choose the region in which your customer gateways are deployed. In this example, China (Shanghai) is selected.

      For more information about cross-border connections, see What are inter-border connections and intra-border connections?.

    3. On the Customer Gateway page, click Create Customer Gateway.
    4. In the Create Customer Gateway panel, set the following parameters and click OK.
      Create four customer gateways in the China (Shanghai) region based on the following information.
      • Name: Enter a name for the customer gateway. Customer Gateway 1: Customer-Gateway1. Customer Gateway 2: Customer-Gateway2. Customer Gateway 3: Customer-Gateway3. Customer Gateway 4: Customer-Gateway4.
      • IP Address: Enter the IP address of the on-premises gateway device that Alibaba Cloud connects to. Because the IPsec-VPN connections in this example use the Private gateway type, this is the private VPN IP address that is reachable over the Express Connect circuits, not a public address. Customer Gateway 1: 192.168.0.1, the first VPN IP address of On-premises Gateway Device 1. Customer Gateway 2: 192.168.1.1, the second VPN IP address of On-premises Gateway Device 1. Customer Gateway 3: 192.168.1.2, the first VPN IP address of On-premises Gateway Device 2. Customer Gateway 4: 192.168.2.2, the second VPN IP address of On-premises Gateway Device 2.
      • ASN: Enter the BGP ASN of the on-premises gateway device. In this example, 65530 is used for all four customer gateways.
  3. Create IPsec-VPN connections.
    After you create customer gateways, you need to create IPsec-VPN connections between Alibaba Cloud and the data center.
    1. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.
    2. In the top navigation bar, select the region in which you want to create IPsec-VPN connections.
      The IPsec-VPN connections and the customer gateways must be created in the same region. In this example, China (Shanghai) is selected.
    3. On the IPsec Connection page, click Create IPsec Connection.
    4. On the Create IPsec Connection page, configure IPsec-VPN connections based on the following information and click OK.
      Create four IPsec-VPN connections in the China (Shanghai) region based on the following information. You are charged for IPsec-VPN connections. For more information about the billing of IPsec-VPN connections, see Billing.
      • Name: Enter a name for the IPsec-VPN connection. IPsec-VPN Connection 1, IPsec-VPN Connection 2, IPsec-VPN Connection 3, and IPsec-VPN Connection 4, respectively.
      • Associate Resource: Select the type of resource to be associated with the IPsec-VPN connection. In this example, CEN is selected.
      • Gateway Type: Select the network type of the IPsec-VPN connection. In this example, Private is selected.
      • CEN Instance ID: Select a CEN instance. In this example, the CEN instance created in the Preparations section is selected.
      • Transit Router: Select the transit router to be associated with the IPsec-VPN connection. The system automatically selects a transit router in the region in which the IPsec-VPN connection is created.
      • Zone: Select the zone in which the IPsec-VPN connection is created. Make sure that the zone supports transit routers. In this example, Shanghai Zone F and Shanghai Zone G are used.
        Note In this scenario, we recommend that you deploy the IPsec-VPN connections in different zones to implement disaster recovery.
      • Customer Gateway: Select the customer gateway to be associated with the IPsec-VPN connection. Customer-Gateway1, Customer-Gateway2, Customer-Gateway3, and Customer-Gateway4, respectively.
      • Routing Mode: Select a routing mode. In this example, Destination Routing Mode is selected.
      • Effective Immediately: Specify whether to immediately start IPsec negotiations. Valid values:
        • Yes: starts connection negotiations after the configuration is completed.
        • No: starts negotiations when inbound traffic is detected.
        In this example, Yes is selected.
      • Pre-Shared Key: Enter a pre-shared key that is used to authenticate the on-premises gateway device. The key must be 1 to 100 characters in length. If you do not specify a pre-shared key, the system randomly generates a 16-character string as the pre-shared key. After you create an IPsec-VPN connection, you can click Edit to view the pre-shared key that is generated by the system. For more information, see Modify an IPsec-VPN connection. In this example: fddsFF123****, fddsFF456****, fddsFF789****, and fddsFF901****, respectively. Use a different, randomly generated key for each connection and handle the keys as secrets.
        Important The IPsec-VPN connection and the corresponding on-premises gateway device must use the same pre-shared key. Otherwise, the system cannot establish the IPsec-VPN connection to the on-premises gateway device.
      • Advanced Configuration: Customize encryption configurations, including IKE configurations and IPsec configurations. In this example, the default settings are used. Whatever you select here must match the ISAKMP policy and transform set on the on-premises gateway devices in Step 5; if you choose stronger algorithms than the defaults, mirror them there. For more information, see Create and manage IPsec-VPN connections.
      • BGP Configuration: Specify whether to enable BGP. By default, BGP is disabled. In this example, BGP is enabled.
      • Tunnel CIDR Block: Specify the CIDR block that is used for IPsec tunneling. The CIDR block must fall within 169.254.0.0/16 and use a 30-bit mask. 169.254.10.0/30, 169.254.11.0/30, 169.254.12.0/30, and 169.254.13.0/30, respectively.
      • Local BGP IP address: Enter a BGP IP address for each IPsec-VPN connection. The address must fall within the tunnel CIDR block of that connection. 169.254.10.1, 169.254.11.1, 169.254.12.1, and 169.254.13.1, respectively.
      • Local ASN: Enter the ASN of the IPsec-VPN connection. 45104 for all four connections.
      • Health Check: Specify whether to enable the health check feature. The health check feature is disabled by default. In this example, it is disabled.
    After the IPsec-VPN connections are created, the system assigns a private gateway IP address to each IPsec-VPN connection. The gateway IP address is the endpoint of the IPsec-VPN connection on the Alibaba Cloud side, and it is the address that the on-premises gateway devices use as the tunnel destination and pre-shared-key peer in Step 5. You can view the gateway IP address of an IPsec-VPN connection on its details page.

    The following gateway IP addresses are assigned to the four IPsec-VPN connections in this example:

    • IPsec-VPN Connection 1: 192.168.168.1
    • IPsec-VPN Connection 2: 192.168.168.2
    • IPsec-VPN Connection 3: 192.168.168.3
    • IPsec-VPN Connection 4: 192.168.168.4
    Note
    • The system assigns gateway IP addresses to IPsec-VPN connections only after you associate the IPsec-VPN connections with transit routers. When you create an IPsec-VPN connection, if you set Associate Resource to Do Not Associate or VPN Gateway, the system does not assign a gateway IP address to the IPsec-VPN connection.
    • After a private IPsec-VPN connection is associated with a transit router, the system automatically advertises the gateway IP address of the IPsec-VPN connection to the route table of the transit router.
  4. Download the peer configurations of the IPsec-VPN connections.
    On the IPsec Connections page, find the IPsec-VPN connection that you created. In the Actions column, choose More > Download Configuration.

    Download the peer configurations of the four IPsec-VPN connections to your on-premises machine so that you can use the configurations when you add VPN configurations to the on-premises gateway devices.

  5. Add VPN configurations and BGP configurations to the on-premises gateway devices.
    After the IPsec-VPN connections are created, perform the following steps to add the VPN and BGP settings from the peer configurations that you downloaded to On-premises Gateway Device 1 and On-premises Gateway Device 2. This way, the data center can communicate with Alibaba Cloud over the IPsec-VPN connections.

    The following configurations are used for reference only. The commands may vary based on the network device vendor. Contact the vendor to obtain the information about specific commands.

    1. Open the CLI of the on-premises gateway device.
    2. Run the following commands to configure the ISAKMP policy:
      //Add the following configuration to the two on-premises gateway devices.
      //The algorithms below match the default IKE settings of the IPsec-VPN connections in this example (Advanced Configuration in Step 3).
      //If you selected stronger algorithms there, for example aes 256, sha256 and group 14, use the same values here.
      crypto isakmp policy 1
      authentication pre-share      //Configure the authentication method. In this example, pre-shared keys are used for authentication.
      encryption aes                //Configure the encryption algorithm. In this example, aes (128-bit) is used.
      hash sha                      //Configure the authentication algorithm. In this example, sha (SHA-1) is used.
      group 2                       //Configure the DH group. In this example, group 2 (1024-bit MODP) is used.
      lifetime 86400                //IKE SA lifetime in seconds.
    3. Run the following commands to configure the pre-shared keys. Each keyring binds one key to the private IP address of one IPsec-VPN connection on the Alibaba Cloud side:
      //Add the following configuration to On-premises Gateway Device 1:
      crypto keyring keyring1
          pre-shared-key address 192.168.168.1 key fddsFF123****
      crypto keyring keyring2
          pre-shared-key address 192.168.168.2 key fddsFF456****

      //Add the following configuration to On-premises Gateway Device 2:
      crypto keyring keyring1
          pre-shared-key address 192.168.168.3 key fddsFF789****
      crypto keyring keyring2
          pre-shared-key address 192.168.168.4 key fddsFF901****
    4. Run the following commands to configure the IKEv1 (ISAKMP) profiles. Each profile references one keyring and matches the identity of one IPsec-VPN connection:
      //Add the following configuration to On-premises Gateway Device 1:
      crypto isakmp profile profile1   
          keyring keyring1   
          match identity address 192.168.168.1 255.255.255.255 
      crypto isakmp profile profile2   
          keyring keyring2   
          match identity address 192.168.168.2 255.255.255.255
      //Add the following configuration to On-premises Gateway Device 2:
      crypto isakmp profile profile1   
          keyring keyring1   
          match identity address 192.168.168.3 255.255.255.255  
      crypto isakmp profile profile2   
          keyring keyring2   
          match identity address 192.168.168.4 255.255.255.255
    5. Run the following commands to configure the IPsec transform set:
      //Add the following configuration to the two on-premises gateway devices:
      crypto ipsec transform-set ipsecpro64 esp-aes esp-sha-hmac    //ESP with AES encryption and SHA HMAC integrity protection.
          mode tunnel
    6. Run the following commands to configure the IPsec profiles. Each profile ties the transform set to one ISAKMP profile:
      //Add the following configuration to the two on-premises gateway devices:
      crypto ipsec profile IPSEC_PROFILE1
          set transform-set ipsecpro64
          set isakmp-profile profile1
      crypto ipsec profile IPSEC_PROFILE2
          set transform-set ipsecpro64
          set isakmp-profile profile2
    7. Run the following commands to configure IPsec tunneling:
      //Add the following configuration to On-premises Gateway Device 1:
      interface Tunnel100
      ip address 169.254.10.2 255.255.255.252    //Specify the tunnel IP address of IPsec-VPN Connection 1 on On-premises Gateway Device 1. In this example, 169.254.10.2 is used. 
      tunnel source GigabitEthernet1
      tunnel mode ipsec ipv4
      tunnel destination 192.168.168.1            //Specify the private IP address of IPsec-VPN Connection 1 on the Alibaba Cloud side. In this example, 192.168.168.1 is used. 
      tunnel protection ipsec profile IPSEC_PROFILE1
      no shutdown
      exit
      !
      interface GigabitEthernet1                 //Configure the IP address of the interface that is used to establish IPsec-VPN Connection 1. 
      ip address 192.168.0.1 255.255.255.0
      negotiation auto
      !
      interface Tunnel101
      ip address 169.254.11.2 255.255.255.252    //Specify the tunnel IP address of IPsec-VPN Connection 2 on On-premises Gateway Device 1. In this example, 169.254.11.2 is used. 
      tunnel source GigabitEthernet2
      tunnel mode ipsec ipv4
      tunnel destination 192.168.168.2            //Specify the private IP address of IPsec-VPN Connection 2 on the Alibaba Cloud side. In this example, 192.168.168.2 is used. 
      tunnel protection ipsec profile IPSEC_PROFILE2
      no shutdown
      exit
      !
      interface GigabitEthernet2                 //Configure the IP address of the interface that is used to establish IPsec-VPN Connection 2. 
      ip address 192.168.1.1 255.255.255.0
      negotiation auto
      !
      //Add the following configuration to On-premises Gateway Device 2:
      interface Tunnel100
      ip address 169.254.12.2 255.255.255.252    //Specify the tunnel IP address of IPsec-VPN Connection 3 on On-premises Gateway Device 2. In this example, 169.254.12.2 is used. 
      tunnel source GigabitEthernet1
      tunnel mode ipsec ipv4
      tunnel destination 192.168.168.3            //Specify the private IP address of IPsec-VPN Connection 3 on the Alibaba Cloud side. In this example, 192.168.168.3 is used. 
      tunnel protection ipsec profile IPSEC_PROFILE1
      no shutdown
      exit
      !
      interface GigabitEthernet1                 //Configure the IP address of the interface that is used to establish IPsec-VPN Connection 3. 
      ip address 192.168.1.2 255.255.255.0
      negotiation auto
      !
      
      interface Tunnel101
      ip address 169.254.13.2 255.255.255.252    //Specify the tunnel IP address of IPsec-VPN Connection 4 on On-premises Gateway Device 2. In this example, 169.254.13.2 is used. 
      tunnel source GigabitEthernet2
      tunnel mode ipsec ipv4
      tunnel destination 192.168.168.4            //Specify the private IP address of IPsec-VPN Connection 4 on the Alibaba Cloud side. In this example, 192.168.168.4 is used. 
      tunnel protection ipsec profile IPSEC_PROFILE2
      no shutdown
      exit
      !
      interface GigabitEthernet2                 //Configure the IP address of the interface that is used to establish IPsec-VPN Connection 4. 
      ip address 192.168.2.2 255.255.255.0
      negotiation auto
      !
    8. Run the following commands to configure BGP:
      //Add the following configuration to On-premises Gateway Device 1:
      router bgp 65530                         //The local BGP ASN of the data center. In this example, 65530 is used.
      neighbor 169.254.10.1 remote-as 45104    //Configure the ASN of the BGP peer. In this example, the BGP ASN of IPsec-VPN Connection 1 is used, which is 45104.
      neighbor 169.254.10.1 ebgp-multihop 10   //Allow the eBGP session to span up to 10 hops.
      neighbor 169.254.11.1 remote-as 45104    //Configure the ASN of the BGP peer. In this example, the BGP ASN of IPsec-VPN Connection 2 is used, which is 45104.
      neighbor 169.254.11.1 ebgp-multihop 10   //Allow the eBGP session to span up to 10 hops.
      !
      address-family ipv4
      neighbor 169.254.10.1 activate           //Activate the BGP peers.
      neighbor 169.254.11.1 activate
      //Not shown in this topic: the commands that advertise the data center CIDR blocks to these BGP peers. Add them based on the vendor documentation.
      exit-address-family
      !
      //Add the following configuration to On-premises Gateway Device 2:
      router bgp 65530                         //The local BGP ASN of the data center. In this example, 65530 is used.
      neighbor 169.254.12.1 remote-as 45104    //Configure the ASN of the BGP peer. In this example, the BGP ASN of IPsec-VPN Connection 3 is used, which is 45104.
      neighbor 169.254.12.1 ebgp-multihop 10   //Allow the eBGP session to span up to 10 hops.
      neighbor 169.254.13.1 remote-as 45104    //Configure the ASN of the BGP peer. In this example, the BGP ASN of IPsec-VPN Connection 4 is used, which is 45104.
      neighbor 169.254.13.1 ebgp-multihop 10   //Allow the eBGP session to span up to 10 hops.
      !
      address-family ipv4
      neighbor 169.254.12.1 activate           //Activate the BGP peers.
      neighbor 169.254.13.1 activate
      //Not shown in this topic: the commands that advertise the data center CIDR blocks to these BGP peers. Add them based on the vendor documentation.
      exit-address-family
      !
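
The tunnel, keyring, ISAKMP profile, IPsec profile, and BGP neighbor settings above must agree with each other: a tunnel that references the wrong profile, or a BGP neighbor that is not the far end of the tunnel's /30, silently leaves one of the four connections out of the ECMP group. The following Python script is an added consistency check; it is not part of this topic's procedure and not a vendor tool. It parses an IOS-style configuration in the form shown above (only the commands used in this topic are recognized) and verifies, for each tunnel interface, that the ISAKMP profile identity and the keyring's pre-shared-key address both name the tunnel peer, and that a BGP neighbor exists for the other usable host of the tunnel's /30. The sample input is an abridged copy of the On-premises Gateway Device 1 configuration above, with the keys masked as on the page.

```python
import ipaddress
import re

# Abridged copy of the On-premises Gateway Device 1 configuration from this topic,
# used as the checker's sample input (pre-shared keys masked as on the page).
DEVICE1_CONFIG = """
crypto keyring keyring1
 pre-shared-key address 192.168.168.1 key fddsFF123****
crypto keyring keyring2
 pre-shared-key address 192.168.168.2 key fddsFF456****
crypto isakmp profile profile1
 keyring keyring1
 match identity address 192.168.168.1 255.255.255.255
crypto isakmp profile profile2
 keyring keyring2
 match identity address 192.168.168.2 255.255.255.255
crypto ipsec profile IPSEC_PROFILE1
 set isakmp-profile profile1
crypto ipsec profile IPSEC_PROFILE2
 set isakmp-profile profile2
interface Tunnel100
 ip address 169.254.10.2 255.255.255.252
 tunnel destination 192.168.168.1
 tunnel protection ipsec profile IPSEC_PROFILE1
interface Tunnel101
 ip address 169.254.11.2 255.255.255.252
 tunnel destination 192.168.168.2
 tunnel protection ipsec profile IPSEC_PROFILE2
router bgp 65530
 neighbor 169.254.10.1 remote-as 45104
 neighbor 169.254.11.1 remote-as 45104
"""


def parse_blocks(config):
    """Group an IOS-style config into (top-level command, [indented sub-commands]) pairs."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0] not in " \t":
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw.strip())
    return blocks


def index_config(config):
    """Collect the objects the consistency checks need, keyed by name."""
    keyrings, isakmp, ipsec, tunnels, neighbors = {}, {}, {}, [], {}
    for head, body in parse_blocks(config):
        w = head.split()
        if w[:2] == ["crypto", "keyring"]:
            for line in body:
                m = re.match(r"pre-shared-key address (\S+) key", line)
                if m:
                    keyrings[w[2]] = m.group(1)        # keyring -> peer the key is bound to
        elif w[:3] == ["crypto", "isakmp", "profile"]:
            ring = ident = None
            for line in body:
                if line.startswith("keyring "):
                    ring = line.split()[1]
                m = re.match(r"match identity address (\S+)", line)
                if m:
                    ident = m.group(1)
            isakmp[w[3]] = (ring, ident)               # profile -> (keyring, peer identity)
        elif w[:3] == ["crypto", "ipsec", "profile"]:
            for line in body:
                if line.startswith("set isakmp-profile "):
                    ipsec[w[3]] = line.split()[2]      # ipsec profile -> isakmp profile
        elif w[0] == "interface" and w[1].startswith("Tunnel"):
            t = {"name": w[1]}
            for line in body:
                for key, pat in (("ip", r"ip address (\S+) (\S+)"),
                                 ("dest", r"tunnel destination (\S+)"),
                                 ("profile", r"tunnel protection ipsec profile (\S+)")):
                    m = re.match(pat, line)
                    if m:
                        t[key] = "/".join(m.groups())  # "addr/mask" for ip, plain value otherwise
            tunnels.append(t)
        elif w[:2] == ["router", "bgp"]:
            for line in body:
                m = re.match(r"neighbor (\S+) remote-as (\d+)", line)
                if m:
                    neighbors[m.group(1)] = int(m.group(2))
    return keyrings, isakmp, ipsec, tunnels, neighbors


def check_device(config):
    """Return a list of findings; an empty list means every tunnel is wired consistently."""
    keyrings, isakmp, ipsec, tunnels, neighbors = index_config(config)
    findings = []
    for t in tunnels:
        name, dest = t["name"], t.get("dest")
        ring, ident = isakmp.get(ipsec.get(t.get("profile")), (None, None))
        # Phase 1: the profile identity and the keyring peer must both be the tunnel destination
        if ident != dest:
            findings.append(f"{name}: isakmp profile matches {ident}, tunnel peer is {dest}")
        if keyrings.get(ring) != dest:
            findings.append(f"{name}: keyring {ring} is bound to {keyrings.get(ring)}, tunnel peer is {dest}")
        # BGP: the neighbor must be the other usable host of the tunnel's /30
        if "ip" not in t:
            findings.append(f"{name}: no tunnel IP address")
            continue
        iface = ipaddress.ip_interface(t["ip"])
        peers = [str(h) for h in iface.network.hosts() if h != iface.ip]
        if not any(p in neighbors for p in peers):
            findings.append(f"{name}: no BGP neighbor among tunnel peer addresses {peers}")
    return findings


if __name__ == "__main__":
    print(check_device(DEVICE1_CONFIG) or "Device 1 configuration is consistent")
```

Run the script against the running configuration of each gateway device after you paste the downloaded peer configuration; an empty result means all tunnels on that device are wired consistently. The checks are deliberately narrow so that they stay vendor-neutral in spirit: they do not validate the IKE proposal, which the peer configuration dictates.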
                                      

Step 4: Configure routes and routing policies

After you complete the preceding configurations, you must add routes and routing policies on Alibaba Cloud so that the IPsec-VPN connections can work as expected. You must also route traffic between the data center and Alibaba Cloud to encrypted tunnels.

  1. Add custom routes to the VBRs.
    Route traffic destined for the data center to the Express Connect circuits.
    1. Log on to the Express Connect console.
    2. In the left-side navigation pane, click Virtual Border Routers (VBRs).
    3. In the top navigation bar, select the region where the VBRs are deployed.
      In this example, China (Shanghai) is selected.
    4. On the Virtual Border Routers (VBRs) page, click the ID of the VBR that you want to manage.
    5. Click the Routes tab and click Add Route.
    6. In the Add Route panel, set the following parameters and click OK.
      Add Route 1 and Route 2 to VBR1. Add Route 3 and Route 4 to VBR2.
      Next Hop Type: Select Physical Connection Interface for all four routes.
      Destination CIDR Block: Enter the VPN IP address of the on-premises gateway device.
      • Route 1: 192.168.0.1/32 (VPN IP address 1 of On-premises Gateway Device 1)
      • Route 2: 192.168.1.1/32 (VPN IP address 2 of On-premises Gateway Device 1)
      • Route 3: 192.168.1.2/32 (VPN IP address 1 of On-premises Gateway Device 2)
      • Route 4: 192.168.2.2/32 (VPN IP address 2 of On-premises Gateway Device 2)
      Next Hop: Select an Express Connect circuit.
      • Route 1 and Route 2: Express Connect Circuit 1
      • Route 3 and Route 4: Express Connect Circuit 2
  2. Add routing policies to the CEN instance.
    1. Log on to the CEN console.
    2. On the Instances page, click the ID of the CEN instance.
    3. Choose Basic Settings > Transit Router, find the transit router in the China (Shanghai) region, and then click the ID of the transit router.
    4. On the details page of the transit router, click the Route Table tab and click Route Maps.
    5. On the Route Maps tab, click Add Route Map. On the Add Route Map page, set the following parameters and click OK.
      Add four routing policies to the CEN instance based on the information in the following table. The four routing policies serve the following purposes:
      • Routing Policy 1: The data center learns CIDR blocks from the VPC through the VBRs and the IPsec-VPN connections. To ensure that traffic destined for the VPC is routed to the IPsec-VPN connections, you must create Routing Policy 1 so that the priority of the CIDR blocks advertised by the VBRs is lower than the priority of the CIDR blocks advertised by the IPsec-VPN connections.
      • Routing Policy 2: When the CEN instance learns the same CIDR block through the VBRs and the IPsec-VPN connections, the CIDR block advertised by the VBRs has a higher priority. You must create Routing Policy 2 to reject data center routes advertised by the VBRs. This ensures that traffic destined for the data center is routed to the IPsec-VPN connections.
      • Routing Policy 3 and Routing Policy 4: After you create a VBR connection, CEN adds a routing policy that applies in the outbound direction to the route table of the transit router. The priority of the routing policy is 5000, and the policy action is Deny. The routing policy prevents VBRs, Cloud Connect Network (CCN) instances, and IPsec-VPN connections that are connected to the same transit router from communicating with each other.

        You must add Routing Policy 3 and Routing Policy 4 to allow CEN to advertise the gateway IP addresses of the IPsec-VPN connections.

      The following table describes only the key parameters. For more information about the other parameters, see Routing policy overview.
      The following settings are the same for all four routing policies:
      • Region: Select the region in which the routing policy applies. In this example, China (Shanghai) is selected.
      • Associated Route Table: Select a route table to associate with the routing policy. In this example, the default route table of the current transit router is selected.

      Routing Policy 1
      • Routing Policy Priority: Enter a priority value for the routing policy. In this example, 5 is used.
      • Direction: Select the direction in which the routing policy applies. In this example, Egress Regional Gateway is selected.
      • Match Conditions: Source Instance IDs: enter the ID of the VPC. Destination Instance IDs: enter the IDs of VBR1 and VBR2. Route Prefix: enter 172.16.10.0/24 and 172.16.20.0/24, and select Exact Match.
      • Routing Policy Action: Select an action for the routing policy. In this example, Allow is selected.
      • Add Policy Entry: Specify a priority for the routes that are permitted. In this example, Prepend AS Path is selected and 65525, 65526, and 65527 are entered. This reduces the priority of the VPC CIDR block that the VBRs advertise to the data center.

      Routing Policy 2
      • Routing Policy Priority: In this example, 10 is used.
      • Direction: In this example, Ingress Regional Gateway is selected.
      • Match Conditions: Source Instance IDs: enter the IDs of VBR1 and VBR2. Route Prefix: enter 192.168.0.0/24, 192.168.10.0/24, and 192.168.20.0/24, and select Exact Match.
      • Routing Policy Action: In this example, Deny is selected.
      • Add Policy Entry: N/A

      Routing Policy 3
      • Routing Policy Priority: In this example, 15 is used.
      • Direction: In this example, Egress Regional Gateway is selected.
      • Match Conditions: Destination Instance IDs: enter the ID of VBR1. Route Prefix: enter 192.168.168.1/32 and 192.168.168.2/32, and select Exact Match.
      • Routing Policy Action: In this example, Allow is selected.
      • Add Policy Entry: N/A

      Routing Policy 4
      • Routing Policy Priority: In this example, 20 is used.
      • Direction: In this example, Egress Regional Gateway is selected.
      • Match Conditions: Destination Instance IDs: enter the ID of VBR2. Route Prefix: enter 192.168.168.3/32 and 192.168.168.4/32, and select Exact Match.
      • Routing Policy Action: In this example, Allow is selected.
      • Add Policy Entry: N/A
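
To make the interaction of the four routing policies and the system policy with priority 5000 concrete, the following Python model is added here; it is not Alibaba Cloud's implementation of route maps, only a reduced model of the behaviour this topic relies on: policies are evaluated in ascending priority order, the first match decides (Deny drops the route, Allow may prepend AS numbers), and among candidate routes for one prefix the shortest AS path wins. The instance names vpc, vbr1, vbr2 and ipsec1 to ipsec4 are placeholders for the real instance IDs, and tr stands for the transit router's own route table.

```python
from dataclasses import dataclass

# Placeholders for the real instance IDs used in the match conditions above.
VBRS = frozenset({"vbr1", "vbr2"})
IPSEC = frozenset({"ipsec1", "ipsec2", "ipsec3", "ipsec4"})
VPC_PREFIXES = frozenset({"172.16.10.0/24", "172.16.20.0/24"})
DC_PREFIXES = frozenset({"192.168.0.0/24", "192.168.10.0/24", "192.168.20.0/24"})


@dataclass
class Route:
    prefix: str
    source: str            # instance the route was learned from
    dest: str              # instance the transit router would advertise it to ("tr" = kept locally)
    as_path: tuple = ()


@dataclass
class Policy:
    priority: int          # lower value is evaluated first
    direction: str         # "egress" or "ingress" regional gateway
    action: str            # "allow" or "deny"
    sources: frozenset = frozenset()   # empty = any source instance
    dests: frozenset = frozenset()     # empty = any destination instance
    prefixes: frozenset = frozenset()  # exact-match prefixes; empty = any prefix
    prepend: tuple = ()    # AS numbers prepended when the route is allowed

    def matches(self, r):
        return ((not self.sources or r.source in self.sources)
                and (not self.dests or r.dest in self.dests)
                and (not self.prefixes or r.prefix in self.prefixes))


POLICIES = [
    # Routing Policy 1: lengthen the AS path of VPC prefixes that leave towards the VBRs
    Policy(5, "egress", "allow", {"vpc"}, VBRS, VPC_PREFIXES, (65525, 65526, 65527)),
    # Routing Policy 2: refuse data center prefixes that arrive from the VBRs
    Policy(10, "ingress", "deny", VBRS, frozenset(), DC_PREFIXES),
    # Routing Policy 3 and 4: let the IPsec-VPN gateway addresses reach each VBR
    Policy(15, "egress", "allow", frozenset(), {"vbr1"}, {"192.168.168.1/32", "192.168.168.2/32"}),
    Policy(20, "egress", "allow", frozenset(), {"vbr2"}, {"192.168.168.3/32", "192.168.168.4/32"}),
    # System policy added with the VBR connection: VBR and IPsec instances do not exchange routes
    Policy(5000, "egress", "deny", VBRS | IPSEC, VBRS | IPSEC),
]


def apply(route, direction, policies=POLICIES):
    """First matching policy in priority order decides; no match means the route passes unchanged."""
    for p in sorted(policies, key=lambda p: p.priority):
        if p.direction == direction and p.matches(route):
            if p.action == "deny":
                return None
            return Route(route.prefix, route.source, route.dest, p.prepend + route.as_path)
    return route


def best_by_prefix(routes):
    """BGP-style selection reduced to the attribute these policies act on: shortest AS path wins."""
    best = {}
    for r in routes:
        if r.prefix not in best or len(r.as_path) < len(best[r.prefix].as_path):
            best[r.prefix] = r
    return best


def simulate():
    # 1. The VPC prefix leaves the transit router towards VBR1 and towards IPsec-VPN Connection 1;
    #    the data center then compares the two advertisements it receives.
    outbound = [Route("172.16.10.0/24", "vpc", "vbr1", (45104,)),
                Route("172.16.10.0/24", "vpc", "ipsec1", (45104,))]
    received = [r for r in (apply(r, "egress") for r in outbound) if r]
    dc_prefers = best_by_prefix(received)["172.16.10.0/24"].dest
    # 2. The same data center prefix arrives from VBR1 and from IPsec-VPN Connection 1.
    inbound = [Route("192.168.0.0/24", "vbr1", "tr"), Route("192.168.0.0/24", "ipsec1", "tr")]
    accepted_from = [r.source for r in (apply(r, "ingress") for r in inbound) if r]
    # 3. Towards VBR1, only the IPsec gateway address gets past the priority-5000 deny.
    gateway_ok = apply(Route("192.168.168.1/32", "ipsec1", "vbr1"), "egress") is not None
    leak = apply(Route("192.168.0.0/24", "ipsec1", "vbr1"), "egress") is not None
    return {"dc_prefers": dc_prefers, "accepted_from": accepted_from,
            "gateway_ip_advertised": gateway_ok, "ipsec_route_leaks_to_vbr": leak}


if __name__ == "__main__":
    print(simulate())
```

The three results mirror the three purposes described above: the data center prefers the IPsec path for the VPC prefix because the VBR path carries three extra AS numbers, the transit router keeps only the IPsec-learned copy of the data center prefix, and the priority-15 policy lets the gateway address through while every other IPsec-originated route towards the VBR still hits the default deny.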

Step 5: Test the network connectivity

After you configure the routes, the data center can communicate with the VPC through private and encrypted connections. The traffic between the data center and VPC is load-balanced based on ECMP routing by using the four IPsec-VPN connections. This section describes how to test the network connectivity and how to check whether the four IPsec-VPN connections are used to load-balance the traffic.

  1. Test the network connectivity.
    1. Log on to the ECS instance in the VPC. For more information, see Guidelines on ECS instance connection.
    2. Run the ping command on the ECS instance to access a client in the data center.
      ping <IP address of the client in the data center>

      If the ECS instance receives echo reply messages, the data center can communicate with the VPC.

  2. Check whether traffic is load-balanced.
    Send requests to the ECS instance from multiple clients in the data center or use iPerf3 to send requests to the ECS instance. If you can view traffic monitoring data on the details pages of IPsec-VPN Connection 1, IPsec-VPN Connection 2, IPsec-VPN Connection 3, and IPsec-VPN Connection 4, traffic between the data center and the VPC is load-balanced through the four IPsec-VPN connections. For more information about how to install and use iPerf3, see Test the performance of an Express Connect circuit.
    1. Log on to the VPN Gateway console.
    2. In the top navigation bar, select the region in which the IPsec-VPN connection is created.
    3. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.
    4. On the IPsec Connections page, find the IPsec-VPN connection and click its ID.
      Go to the details page of the IPsec-VPN connection and view the traffic monitoring data on the Monitor tab.

Routing configuration

In this topic, the default routing configuration is used to create the IPsec-VPN connections, VPC connection, VBR connections, and inter-region connection. When the default routing configuration is used, CEN automatically learns and distributes routes to enable the data center to communicate with the VPC. The following sections describe the default routing configuration.

IPsec-VPN connection

If you associate an IPsec-VPN connection with a transit router when you create the IPsec-VPN connection, the system automatically applies the following routing configuration to the IPsec-VPN connection:

  • The IPsec-VPN connection is associated with the default route table of the transit router. The transit router forwards traffic from the IPsec-VPN connection based on the default route table.
  • The destination-based routes that you configure for the IPsec-VPN connection and the routes learned from the data center through the IPsec-VPN connection by using BGP dynamic routing are automatically propagated to the default route table of the transit router.
  • The transit router automatically propagates the routes in the default route table to the BGP route table associated with the IPsec-VPN connection.
  • The routes learned from the VPC through the IPsec-VPN connection by using BGP dynamic routing are automatically propagated to the data center.

VPC connection

If you use the default routing configuration (with all advanced features enabled) when you create a VPC connection, the system automatically applies the following routing configuration to the VPC:

  • Associate with Default Route Table of Transit Router

    After this feature is enabled, the VPC connection is automatically associated with the default route table of the transit router. The transit router forwards the traffic of the VPC based on the default route table.

  • Propagate System Routes to Default Route Table of Transit Router

    After this feature is enabled, the system routes of the VPC are advertised to the default route table of the transit router. This way, the VPC can communicate with other network instances that are connected to the transit router.

  • Automatically Creates Route That Points to Transit Router and Adds to All Route Tables of Current VPC

    After this feature is enabled, the system automatically adds the following three routes to all route tables of the VPC: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. The routes point to the VPC connection.

VBR connection

If you use the default routing configuration (with all advanced features enabled) when you create a VBR connection, the system automatically applies the following routing configuration to the VBR:

  • Associate with Default Route Table of Transit Router

    After this feature is enabled, the VBR connection is automatically associated with the default route table of the transit router. The transit router forwards the traffic of the VBR based on the default route table.

  • Propagate System Routes to Default Route Table of Transit Router

    After this feature is enabled, the system routes of the VBR are automatically advertised to the default route table of the transit router.

  • Propagate Routes to VBR

    After this feature is enabled, the system automatically advertises the routes in the route table that is associated with the VBR connection to the VBR.

Inter-region connection

If you use the default routing configuration (with all advanced features enabled) when you create an inter-region connection, the system automatically applies the following routing configuration to the inter-region connection:

  • Associate with Default Route Table of Transit Router

    After this feature is enabled, the inter-region connection is automatically associated with the default route table of the transit router. The transit router uses the default route table to forward network traffic across regions.

  • Propagate System Routes to Default Route Table of Transit Router

    After this feature is enabled, the inter-region connection advertises system routes to the default route table of the transit router.

  • Automatically Advertise Routes to Peer Region

    After this feature is enabled, the routes of the transit router deployed in the current region are automatically advertised to the route table of the peer transit router. The routes are used for inter-region communication between network instances.

View routes

You can check routes in the console.
  • For more information about routes of transit routers, see View routes of an Enterprise Edition transit router.
  • For more information about routes of VPCs, see Create and manage a route table.
  • For more information about routes of VBRs, perform the following steps:
    1. Log on to the Express Connect console.
    2. In the left-side navigation pane, click Virtual Border Routers (VBRs).
    3. In the top navigation bar, select the region where the VBR is deployed.
    4. On the Virtual Border Routers (VBRs) page, click the ID of the VBR that you want to manage.

      On the details page of the VBR, view the custom routes, BGP routes, and CEN routes of the VBR on the Routes tab.

  • To view the routes of an IPsec-VPN connection, go to the details page of the IPsec-VPN connection:
    1. Log on to the VPN Gateway console.
    2. In the top navigation bar, select the region in which the IPsec-VPN connection is created.
    3. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.
    4. On the IPsec Connections page, find the IPsec-VPN connection and click its ID.

      Go to the details page of the IPsec-VPN connection and view the route entries on the BGP Route Table tab.