This topic describes how to create active/standby IPsec-VPN connections for high availability. If your gateway device is assigned two public IP addresses, you can use them to create two IPsec-VPN connections to a VPN gateway.
Overview
- If the IPsec-VPN connection that uses IP address 1 to connect the VPN gateway to the gateway device is active, traffic between the virtual private cloud (VPC) and the on-premises network is transmitted only through the active IPsec-VPN connection.
- If the IPsec-VPN connection that uses IP address 1 to connect the VPN gateway to the gateway device is down, traffic between the VPC and the on-premises network is transmitted through the standby IPsec-VPN connection.

Prerequisites
- Check the gateway device in the on-premises network. VPN Gateway supports the standard IKEv1 and IKEv2 protocols. Any gateway device that supports these two protocols can connect to Alibaba Cloud VPN gateways, for example devices from H3C, Hillstone, Sangfor, Cisco ASA, Juniper, SonicWall, Nokia, IBM, and Ixia.
- Make sure that a static public IP address for the gateway device is assigned in the on-premises network.
- The CIDR block of the on-premises network must not overlap with that of the VPC.
Step 1: Create a VPN gateway
Take the following steps to create a VPN gateway:
- Log on to the VPN gateway console.
- In the left-side navigation pane, choose .
- On the VPN Gateways page, click Create VPN Gateway.
- On the buy page, set the following parameters, click Buy Now, and complete the payment.
- Name: Enter a name for the VPN gateway.
- Region: Select the region where you want to deploy the VPN gateway.
Note Make sure that the VPC network and the VPN gateway associated with the VPC network are deployed in the same region.
- VPC: Select the VPC network to be associated with the VPN gateway.
- Bandwidth: Specify the maximum bandwidth of the VPN gateway. The bandwidth is provided for data transfer over the Internet.
- IPsec-VPN: Specify whether to enable IPsec-VPN for the VPN gateway.
- SSL-VPN: Specify whether to enable SSL-VPN. SSL-VPN allows you to connect a client to a VPC network from any location.
- SSL Connections: Specify the maximum number of concurrent SSL connections that the VPN gateway supports.
Note This parameter is available only after SSL-VPN is enabled.
- Billing Cycle: Specify the subscription duration.
- Go to the VPN Gateways page to view the newly created VPN gateway.
The newly created VPN gateway is in the Preparing state. Its status changes to Normal after about two minutes. The Normal state indicates that the VPN gateway is initialized and ready for use.
Note It takes about one to five minutes to create a VPN gateway.
Step 2: Create two customer gateways
- In the left-side navigation pane, choose .
- Select the region where you want to deploy the customer gateways.
- On the Customer Gateways page, click Create Customer Gateway.
- Set the following parameters to create two customer gateways:
- Name: Enter a name for the first customer gateway.
- IP Address: Enter one of the public IP addresses of the gateway device that you want to connect to the VPC.
- Description: Enter a description for the first customer gateway.
- On the Create Customer Gateway page, click +Add to create the other customer gateway.
Step 3: Create two IPsec-VPN connections
- In the left-side navigation pane, choose .
- Select the region where you want to create the IPsec-VPN connections.
- On the IPsec Connections page, click Create IPsec Connection.
- Set the following parameters and click OK:
- Name: Enter a name for the IPsec-VPN connection.
- VPN Gateway: Select a VPN gateway from the drop-down list.
- Customer Gateway: Select the customer gateway to be connected through the IPsec-VPN connection.
- Local Network: Enter the CIDR block of the VPC where the VPN gateway is deployed.
- Remote Network: Enter the CIDR block of the on-premises network.
- Effective Immediately: Specify whether to immediately start negotiations.
- Yes: negotiation starts immediately after the configuration is complete.
- No: negotiation starts when traffic is detected.
- Pre-Shared Key: Enter the pre-shared key. The pre-shared key must be the same as the one specified on the gateway device.
- Health Check: Enable health checks, and specify the destination IP address, source IP address, retry interval, and number of retries.
Use the default settings for other parameters.
- Repeat the preceding operations to create the other IPsec-VPN connection.
Step 4: Load the configurations of the IPsec-VPN connections to the gateway device
- In the left-side navigation pane, choose .
- Select the region where you want to establish the IPsec-VPN connection.
- Find the IPsec-VPN connections that you created, and click Download Configuration in the Actions column.
- Load the configurations of the IPsec-VPN connections to the gateway device. For more information about how to load the configuration of an IPsec-VPN connection to a gateway device, see Configure local gateways.
The values of RemoteSubnet and LocalSubnet in the downloaded configurations are swapped relative to the values that you specified when you created the IPsec-VPN connections. For a VPN gateway, RemoteSubnet refers to the CIDR block of the on-premises network, whereas LocalSubnet refers to the CIDR block of the VPC. For a gateway device, LocalSubnet refers to the CIDR block of the on-premises network, whereas RemoteSubnet refers to the CIDR block of the VPC.
Step 5: Configure two routes on the VPN gateway
Perform the following operations to configure two routes on the VPN gateway:
- In the left-side navigation pane, choose .
- On the VPN Gateways page, select the region where the VPN gateway is created.
- Find the VPN gateway that you want to manage and click its ID in the Instance ID/Name column.
- On the Destination-based routing tab, click Add Route Entry.
- Set the following parameters and click OK to configure the routes:
- Destination CIDR Block: Enter the private CIDR block of the on-premises network.
- Next Hop: Select one of the IPsec-VPN connections.
- Publish to VPC: Specify whether to automatically advertise this route to the route table of the VPC.
- Weight: Select a weight.
Notice You must assign different weights to the two routes so that they can serve as active/standby routes. You cannot set the weights of both routes to 100 or both to 0.
The following table describes the routes in this example.
Destination CIDR block | Next hop | Advertise to VPC | Weight
Private CIDR block of the gateway device | IPsec-VPN connection 1 | Yes | 100
Private CIDR block of the gateway device | IPsec-VPN connection 2 | Yes | 0
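As an added example that is not part of the original topic, the following Python script checks the consistency conditions from the prerequisites, Step 4 and Step 5 against constructed sample values: non-overlapping VPC and on-premises CIDR blocks, the LocalSubnet/RemoteSubnet swap in the device-side configuration, matching pre-shared keys, and two routes to the same destination over different connections with different weights. The dictionary field names, connection names and CIDR blocks are assumptions, not values from the console or the downloaded configuration file.

```python
import ipaddress

# Constructed sample data: the two IPsec-VPN connections as specified on the VPN
# gateway side (Step 3) and the same connections as loaded on the gateway device (Step 4).
VPN_SIDE = [
    {"name": "ipsec-conn-1", "LocalSubnet": "10.0.0.0/16", "RemoteSubnet": "192.168.0.0/24", "psk": "example-psk-1"},
    {"name": "ipsec-conn-2", "LocalSubnet": "10.0.0.0/16", "RemoteSubnet": "192.168.0.0/24", "psk": "example-psk-2"},
]
DEVICE_SIDE = [
    {"name": "ipsec-conn-1", "LocalSubnet": "192.168.0.0/24", "RemoteSubnet": "10.0.0.0/16", "psk": "example-psk-1"},
    {"name": "ipsec-conn-2", "LocalSubnet": "192.168.0.0/24", "RemoteSubnet": "10.0.0.0/16", "psk": "example-psk-2"},
]
# The two destination-based routes from Step 5 (weight 100 = active, weight 0 = standby).
ROUTES = [
    {"destination": "192.168.0.0/24", "next_hop": "ipsec-conn-1", "publish": True, "weight": 100},
    {"destination": "192.168.0.0/24", "next_hop": "ipsec-conn-2", "publish": True, "weight": 0},
]


def validate_setup(vpn_side, device_side, routes):
    """Return a list of problems; an empty list means the active/standby setup is consistent."""
    problems = []
    for v, d in zip(vpn_side, device_side):
        vpc = ipaddress.ip_network(v["LocalSubnet"])
        onprem = ipaddress.ip_network(v["RemoteSubnet"])
        if vpc.overlaps(onprem):  # prerequisite: CIDR blocks must not overlap
            problems.append(f"{v['name']}: VPC and on-premises CIDR blocks overlap")
        # Step 4: the device-side config carries the same pair with Local/Remote swapped.
        if (d["LocalSubnet"], d["RemoteSubnet"]) != (v["RemoteSubnet"], v["LocalSubnet"]):
            problems.append(f"{v['name']}: LocalSubnet/RemoteSubnet not swapped on the gateway device")
        if d["psk"] != v["psk"]:  # Step 3: PSK must match on both ends
            problems.append(f"{v['name']}: pre-shared key differs between VPN gateway and gateway device")
    if len(routes) != 2:
        problems.append("expected exactly two routes")
        return problems
    r1, r2 = routes
    if r1["destination"] != r2["destination"]:
        problems.append("routes must point at the same on-premises CIDR block")
    if r1["next_hop"] == r2["next_hop"]:
        problems.append("routes must use different IPsec-VPN connections as next hops")
    if r1["weight"] == r2["weight"]:  # Step 5 notice: weights must differ
        problems.append("routes must have different weights (both 100 or both 0 is not allowed)")
    return problems


def active_route(routes):
    """The route with the higher weight carries traffic while its connection is up."""
    return max(routes, key=lambda r: r["weight"])["next_hop"]


if __name__ == "__main__":
    print(validate_setup(VPN_SIDE, DEVICE_SIDE, ROUTES))  # []
    print(active_route(ROUTES))  # ipsec-conn-1
```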