This topic describes how to create active/standby IPsec-VPN connections for high availability. If your gateway device is assigned two public IP addresses, you can use them to create two IPsec-VPN connections to a VPN gateway.

Overview

A gateway device is provided with two connections to the Internet. Each connection is established from a separate public IP address. The public IP addresses are used to establish IPsec-VPN connections to the VPN gateway. Health checks are enabled for these connections. Two routes are created and assigned different weights so that they serve as active/standby routes. The IPsec-VPN connection with which the active route is associated serves as the active IPsec-VPN connection. The IPsec-VPN connection with which the standby route is associated serves as the standby IPsec-VPN connection.
  • If the IPsec-VPN connection that uses IP address 1 to connect the VPN gateway to the gateway device is active, traffic between the virtual private cloud (VPC) and the on-premises network is transmitted only through the active IPsec-VPN connection.
  • If the IPsec-VPN connection that uses IP address 1 to connect the VPN gateway to the gateway device is down, traffic between the VPC and the on-premises network is transmitted through the standby IPsec-VPN connection.

Prerequisites

Before you start, make sure that the following requirements are met:
  • The gateway device in the on-premises network is checked. VPN Gateway supports the standard IKEv1 and IKEv2 protocols. Any gateway device that supports these two protocols can connect to Alibaba Cloud VPN gateways, such as gateway devices that are manufactured by H3C, Hillstone, Sangfor, Cisco ASA, Juniper, SonicWall, Nokia, IBM, and Ixia.
  • Make sure that a static public IP address for the gateway device is assigned in the on-premises network.
  • The CIDR block of the on-premises network must not overlap with that of the VPC.

Step 1: Create a VPN gateway

Take the following steps to create a VPN gateway:

  1. Log on to the VPN gateway console.
  2. In the left-side navigation pane, choose VPN > VPN Gateways.
  3. On the VPN Gateways page, click Create VPN Gateway.
  4. On the buy page, set the following parameters, click Buy Now, and complete the payment.
    • Name: Enter a name for the VPN gateway.
    • Region: Select the region where you want to deploy the VPN gateway.
      Note Make sure that the VPC network and the VPN gateway associated with the VPC network are deployed in the same region.
    • VPC: Select the VPC network to be associated with the VPN gateway.
    • Bandwidth: Specify the maximum bandwidth of the VPN gateway. The bandwidth is provided for data transfer over the Internet.
    • IPsec-VPN: Specify whether to enable IPsec-VPN for the VPN gateway.
    • SSL-VPN: Specify whether to enable SSL-VPN. SSL-VPN allows you to connect a client to a VPC network from any places.
    • SSL Connections: Specify the maximum number of concurrent SSL connections that the VPN gateway supports.
      Note This parameter is available only after SSL-VPN is enabled.
    • Billing Cycle: Specify the subscription duration.
  5. Go to the VPN Gateways page to view the newly created VPN gateway.
    The newly created VPN gateway is in the Preparing state. Its status changes to Normal after about two minutes. The Normal state indicates that the VPN gateway is initialized and ready for use.
    Note It takes about one to five minutes to create a VPN gateway.

Step 2: Create two customer gateways

Perform the following operations to create two customer gateways and register the public IP addresses of the gateway device to the customer gateways:
  1. In the left-side navigation pane, choose VPN > Customer Gateways.
  2. Select the region where you want to deploy the customer gateways.
  3. On the Customer Gateways page, click Create Customer Gateway.
  4. Set the following parameters to create two customer gateways:
    • Name: Enter a name for the customer gateway.
    • IP Address: Enter one of the public IP addresses of the gateway device that you want to connect to the VPC.
    • Description: Enter a description for the customer gateway.

Step 3: Create two IPsec-VPN connections

Perform the following operations to create two IPsec-VPN connections between the customer gateways and the VPN gateway, and enable health checks:
  1. In the left-side navigation pane, choose VPN > IPsec Connections.
  2. Select the region where you want to create the IPsec-VPN connections.
  3. On the IPsec Connections page, click Create IPsec Connection.
  4. Set the following parameters and click OK:
    • Name: Enter a name for the IPsec-VPN connection.
    • VPN Gateway: Select a VPN gateway from the drop-down list.
    • Customer Gateway: Select the customer gateway to be connected through the IPsec-VPN connection.
    • Local Network: Enter the CIDR block of the VPC where the VPN gateway is deployed.
    • Remote Network: Enter the CIDR block of the on-premises network.
    • Effective Immediately: Specify whether to immediately start negotiations.
      • Yes: immediately negotiates after the configuration is completed.
      • No: negotiates when traffic is detected.
    • Pre-Shared Key: Enter the pre-shared key. The pre-shared key must be the same as the one specified on the gateway device.
    • Health Check: Enable health checks, and specify the destination IP address, source IP address, retry interval, and number of retries.

      Use the default settings for other parameters.

  5. Repeat the preceding operations to create the other IPsec-VPN connection.

Step 4: Load the configurations of the IPsec-VPN connections to the gateway device

Perform the following operations to load the configurations of the IPsec-VPN connections to the gateway device:
  1. In the left-side navigation pane, choose VPN > IPsec Connections.
  2. Select the region where you want to establish the IPsec-VPN connection.
  3. Find the IPsec-VPN connections that you created, and click Download Configuration in the Actions column.
  4. Load the configurations of the IPsec-VPN connections to the gateway device. For more information about how to load the configuration of an IPsec-VPN connection to a gateway device, see Configure local gateways.

    The values of RemoteSubnet and LocalSubnet in the downloaded configurations and the values specified when you create the IPsec-VPN connections are swapped between each other. For a VPN gateway, RemoteSubnet refers to the CIDR block of the on-premises network, whereas LocalSubnet refers to the CIDR block of the VPC. For a gateway device, LocalSubnet refers to the CIDR block of the on-premises network, whereas RemoteSubnet refers to the CIDR block of the VPC.

Step 5: Configure two routes on the VPN gateway

Perform the following operations to configure two routes on the VPN gateway:

  1. In the left-side navigation pane, choose VPN > VPN Gateways.
  2. On the VPN Gateways page, select the region where the VPN gateway is created.
  3. Find the VPN gateway that you want to manage and click its ID in the Instance ID/Name column.
  4. On the Destination-based routing tab, click Add Route Entry.
  5. Set the following parameters and click OK to configure the routes:
    • Destination CIDR Block: Enter the private CIDR block of the on-premises network.
    • Next Hop: Select one of the IPsec-VPN connections.
    • Publish to VPC: Specify whether to automatically advertise this route to the route table of the VPC.
    • Weight: Select a weight.
      Important You must specify different weights to the routes so that they can serve as active/standby routes. You cannot set the weights of both routes to 100 or 0.

    The following table describes the routes in this example.

    Destination CIDR block Next hop Advertise to VPC Weight
    Private CIDR block of the gateway device IPsec-VPN connection 1 Yes 100
    Private CIDR block of the gateway device IPsec-VPN connection 2 Yes 0