Use two public IP addresses to create active/standby IPsec-VPN connections to a VPC - VPN Gateway

Example

The following scenario is used as an example in this topic. An enterprise owns a data center in Hangzhou and has a VPC deployed in the China (Hangzhou) region. Applications are deployed on Elastic Compute Service (ECS) instances in the VPC. The enterprise wants to enable the data center to access the VPC over multiple encrypted connections to ensure data security and network redundancy.

An on-premises gateway device in the data center has multiple public IP addresses. The enterprise can use two of them to create two IPsec-VPN connections between the data center and VPC. This ensures the security of data transmission between the data center and VPC and also implements network redundancy.

High availability - two IPsec-VPN connections

Networking

Networking requirements

Networking requirements in this scenario:

A public VPN gateway is created.
The two IPsec-VPN connections are attached to the same VPN gateway.
The VPN gateway uses static routing. You can set route priorities to specify active and standby connections.
Both IPsec-VPN connections have health checks enabled. Health checks are used to test the availability of the connections.
If the active IPsec-VPN connection fails health checks multiple times, the standby IPsec-VPN connection automatically takes over.

CIDR blocks

Important When you allocate CIDR blocks, make sure that the CIDR block of the data center and the CIDR block of the VPC do not overlap.


Resource	CIDR block and IP address
VPC	Primary CIDR block: 172.16.0.0/16 vSwitch 1 CIDR block:172.16.10.0/24 vSwitch 2 CIDR block: 172.16.20.0/24 ECS instance (deployed in vSwitch 1) IP address: 172.16.10.1
On-premises gateway device	Public IP address of the on-premises gateway device: Public IP Address 1: 118.XX.XX.20 Public IP Address 2: 120.XX.XX.40
Data center	CIDR block used to communicate with the VPC: 192.168.0.0/24

Prerequisites

The following prerequisites must be met before you start:

A VPC is deployed in the China (Hangzhou) region and applications are deployed on the ECS instances in VPC1. For more information, see Create a VPC with an IPv4 CIDR block.
The gateway device in the data center supports the IKEv1 and IKEv2 protocols. Gateway devices that support these protocols can connect to VPN gateways.
You have read and understand the security group rules that apply to the ECS instances in VPCs, and the security group rules allow gateway devices in the data center to access cloud resources. For more information, see Query security group rules and Add a security group rule.

Procedure

Step 1: Create a VPN gateway

You must create a VPN gateway and enable IPsec-VPN for the VPN gateway before you can create IPsec-VPN connections.

Log on to the VPN Gateway console.
In the top navigation bar, select the region where you want to create the VPN gateway.
The VPN gateway and the VPC to be associated must belong to the same region. China (Hangzhou) is selected in this example.
On the VPN Gateways page, click Create VPN Gateway.

On the buy page, set the following parameters, click Buy Now, and then complete the payment.


Parameter	Description
Gateway Name	Enter a name for the VPN gateway. In this example, `VPN Gateway 1` is used.
Region	Select the region where you want to deploy the VPN gateway. China (Hangzhou) is selected in this example.
Network Type	Select a network type for the VPN gateway. Public is selected in this example.
VPC	Select the VPC with which you want to associate the VPN gateway. In this example, the VPC that you created is selected.
Specify VSwitch	Select whether to deploy the VPN gateway in a specified vSwitch of the VPC. In this example, No is selected.
Peak Bandwidth	Select a maximum bandwidth value for the VPN gateway. Unit: Mbit/s.
Traffic	Select a billing method for the VPN gateway. Default value: Pay-by-data-transfer. For more information, see Billing.
IPsec-VPN	Specify whether to enable the IPsec-VPN feature. In this example, the default value Enable is selected.
SSL-VPN	Specify whether to enable the SSL-VPN feature. In this example, the default value Disable is selected.
Subscription Duration	Select a billing cycle. Default value: By Hour.
Service-linked Role	Click Create Service-linked Role and the system automatically creates the service-linked role AliyunServiceRoleForVpn. For more information about how a VPN gateway assumes the role to access other cloud resources, see AliyunServiceRoleForVpn. If Created is displayed, the service-linked role is created and you do not need to create it again.

Return to the VPN Gateways page to view the VPN gateway.
After you create a VPN gateway, it is in the Preparing state. After 1 to 5 minutes, the VPN gateway changes to the Normal state. After the VPN gateway changes to the Normal state, the VPN gateway is ready for use.

Step 2: Create customer gateways

You must create customer gateways and register the gateway information on Alibaba Cloud before you can create IPsec-VPN connections.

In the left-side navigation pane, choose Interconnections > VPN > Customer Gateways.
In the top navigation bar, select the region where you want to create customer gateways.

Note Make sure that the customer gateways and the VPN gateway created in Step 1 are deployed in the same region.
On the User Gateway page, click Create Customer Gateway.

In the Create Customer Gateway panel, set the parameters based on the following table and click OK:

The following table lists the public IP addresses with which the two customer gateways are associated. Parameters not listed in the following table use the default values. For more information, see Create a customer gateway.


Parameter	Description	Customer Gateway 1	Customer Gateway 2
Name	Enter a name for the customer gateway.	`Customer1` is used in this example.	`Customer2` is used in this example.
IP Address	Enter the public IP address of the customer gateway.	In this example, the public IP address `118.XX.XX.20` of the on-premises gateway device is entered.	In this example, the public IP address `120.XX.XX.40` of the on-premises gateway device is entered.

Step 3: Create IPsec-VPN connections

After you create customer gateways, you must create IPsec-VPN connections to connect the on-premises gateway device to the VPN gateway.

In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.
In the top navigation bar, select the region where you want to create IPsec-VPN connections.

Note The IPsec-VPN connections must be created in the same region as the VPN gateway created in Step 1.
On the IPsec Connections page, click Create IPsec Connection.

On the Create IPsec Connection page, set the following parameters and click OK.

The following table describes the parameters of the IPsec-VPN connections. Parameters not listed in the following table use the default values. For more information, see Create and manage IPsec-VPN connections.


Parameter	Description	IPsec-VPN Connection 1	IPsec-VPN Connection 2
Name	Enter a name for the IPsec-VPN connection.	In this example, `IPsec-VPN Connection 1` is used.	In this example, `IPsec-VPN Connection 2` is used.
Bind Resource	Select the type of resource to be associated with the IPsec-VPN connection.	In this example, VPN Gateway is selected.
VPN Gateway	Select the VPN gateway that you created.	In this example, `VPN Gateway` is selected.	In this example, `VPN Gateway` is selected.
Customer Gateway	Select the customer gateway that you created.	In this example, Customer1 is selected.	In this example, Customer2 is selected.
Routing Mode	Select a routing mode.	In this example, Destination Routing Mode is selected.
Effective Immediately	Specify whether to immediately start IPsec negotiations. Valid values: Yes: starts connection negotiations after the configuration is completed. No: starts negotiations when inbound traffic is detected.	In this example, No is selected.
Pre-shared Key	Enter a pre-shared key that is used to authenticate the on-premises gateway device. The key must be 1 to 100 characters in length. If you do not specify a pre-shared key, the system generates a random 16-character string as the pre-shared key. After you create an IPsec-VPN connection, you can click Edit to view the pre-shared key that is generated by the system. For more information, see Modify an IPsec-VPN connection. Important The IPsec-VPN connection and corresponding on-premises gateway device must use the same pre-shared key. Otherwise, the system cannot establish the IPsec-VPN connection to the on-premises gateway device.	In this example, `fddsFF123****` is used.
Advanced Configuration	Configure IKE and IPsec settings based on your business requirements.	In this example, the default advanced settings are used.
BGP Configuration	Specify whether to enable BGP.	In this example, the default value is used. BGP is disabled.
Health Check	Specify whether to enable the health check feature. Destination IP: Enter the IP address on the data center side that the VPC can communicate with over the IPsec-VPN connection. Source IP: Enter the IP address on the VPC side that the data center can communicate with over the IPsec-VPN connection. Retry Interval: Enter the interval between two consecutive health checks. Unit: seconds. Default value: 3. Number of Retries: Select the number of attempts to retry health checks. Default value: 3.	In this example, the health check feature is enabled and uses the following settings: Destination IP: 192.168.0.1. Source IP: 172.16.10.1. Retry Interval: 3. Number of Retries: 3.	In this example, the health check feature is enabled and uses the following settings: Destination IP: 192.168.0.1. Source IP: 172.16.10.1. Retry Interval: 3. Number of Retries: 3.

In the Established dialog box, click OK.
On the IPsec Connections page, find the IPsec-VPN connection that you created. In the Actions column, choose > Download Configuration.
Save the peer configurations of IPsec-VPN Connection 1 and IPsec-VPN Connection 2 to your on-premises machine. The peer configurations will be used in subsequent steps when you configure the on-premises gateway device.

Step 4: Add routes to the VPN gateway.

You need to configure routes to route VPC traffic destined for the data center to the IPsec-VPN connections.

In the left-side navigation pane, choose Interconnections > VPN > VPN Gateways.
In the top navigation bar, select the region of the VPN gateway.
On the VPN Gateway page, find the VPN gateway that you want to manage and click its ID.
On the Destination-based Routing tab, click Add Route Entry.

In the Add Route Entry panel, set the following parameters and click OK.

The following table describes the parameters of the routes added to the VPN gateway. You can set route priorities to specify active and standby IPsec-VPN connections.


Parameter	Description	Route 1	Route 2
Destination CIDR Block	Enter a destination CIDR block for the route.	In this example, the CIDR block `192.168.0.0/24` that the data center uses to communicate with the VPC is entered.	In this example, the CIDR block `192.168.0.0/24` that the data center uses to communicate with the VPC is entered.
Next Hop Type	Select a next hop type.	Select IPsec Connection.	Select IPsec Connection.
Next Hop	Select a next hop.	In this example, IPsec-VPN Connection 1 is selected.	In this example, IPsec-VPN Connection 2 is selected.
Publish to VPC	Specify whether to advertise the route to the VPC that is associated with the VPN gateway.	In this example, Yes is selected.	In this example, Yes is selected.
Weight	Select a weight for the route. 100: specifies a high priority for the route. 0: specifies a low priority for the route.	In this example, 100(Active) is selected. Important You must specify different weights for the routes to specify the active and standby routes. You cannot set the weights of both routes to 100 or 0.	In this example, 0(Standby) is selected.

Step 5: Configure the on-premises gateway device

After you complete the preceding steps in the console, you must add the VPN settings, route settings, and health check settings to the on-premises gateway device. Otherwise, the IPsec-VPN connections cannot be established between the on-premises gateway device and VPN gateway. After you add these settings to the on-premises gateway device, traffic destined for the VPC is transmitted over the active IPsec-VPN connection. The standby IPsec-VPN connection automatically takes over if the active IPsec-VPN connection fails.

The following configurations are used for reference only. The commands may vary based on the network device vendor. Contact the vendor to obtain the information about specific commands.

Add the VPN settings to the on-premises gateway device.
Add the VPN settings to the on-premises gateway device based on the IPsec peer configurations downloaded in Step 6.
1. Open the CLI on the on-premises gateway device.
2. Create an ISAKMP policy.
```
crypto isakmp policy 1 
authentication pre-share 
encryption aes
hash sha 
group  2
lifetime 86400
```
3. Set the pre-shared key.
```
crypto isakmp key fddsFF123**** address 46.XX.XX.21
```
4. Specify the IPsec protocol.
```
crypto ipsec transform-set ipsecpro64 esp-aes esp-sha-hmac 
mode tunnel
```
5. Create network access control lists (ACLs) to specify the inbound and outbound traffic flows to be encrypted.
  Note If multiple CIDR blocks are configured on the firewall device, you must create a network ACL for each CIDR block.
```
access-list 100 permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255
```
6. Create an IPsec policy.
```
crypto map ipsecpro64 10 ipsec-isakmp
set peer 46.XX.XX.21
set transform-set ipsecpro64
set pfs group2
match address 100
```
7. Apply the IPsec policy.
```
interface GigabitEthernet1    #Apply the IPsec policy to the interface that uses Public IP Address 1.
crypto map ipsecpro64
interface GigabitEthernet2    #Apply the IPsec policy to the interface that uses Public IP Address 2.
crypto map ipsecpro64
```

Add the route and health check settings to the on-premises gateway device.

You must add the route and health check settings to enable traffic destined for the VPC to be transmitted over the active IPsec-VPN connection, and enable health checks to automatically check the status of the active IPsec-VPN connection. If the active IPsec-VPN connection fails, the standby IPsec-VPN connection automatically takes over.

type icmp-echo  
 destination ip 46.XX.XX.21  #Set the destination IP address to the public IP address of the VPN gateway. 
 frequency 5000  
 reaction 1 checked-element probe-fail threshold-type consecutive 2 action-type trigger-only
nqa schedule admin test start-time now lifetime forever
track 1 nqa entry admin test reaction 1
ip route-static 172.16.0.0/16  118.XX.XX.20 track 1 preference 40     #172.16.0.0/16 is the CIDR block that the VPC uses to communicate with the data center. 118.XX.XX.20 is the public IP address that the on-premises gateway device uses to establish the active IPsec-VPN connection to the VPN gateway. 
ip route-static 172.16.0.0/16  120.XX.XX.40     #172.16.0.0/16 is the CIDR block that the VPC uses to communicate with the data center. 120.XX.XX.40 is the public IP address that the on-premises gateway device uses to establish the standby IPsec-VPN connection to the VPN gateway.

Step 6: Test the network connectivity

After you complete the preceding steps, the data center can communicate with the VPC over two IPsec-VPN connections. This section describes how to test the network connectivity and check whether the IPsec-VPN connections can work as active and standby connections.

Test the network connectivity.
1. Log on to an ECS instance in the VPC. For more information, see Guidelines on instance connection.
2. Run the ping command on the ECS instance to check whether the client in the data center is reachable.
```
ping <The IP address of a client>
```
  If you receive an echo reply packet, it indicates that the data center can communicate with the VPC.
Check whether the IPsec-VPN connections can work as active and standby connections.
1. Send requests from multiple clients in the data center to the ECS instance, or use the iPerf3 tool to send requests from the clients to the ECS instance. For more information about how to install and use Iperf3, see Test the performance of an Express Connect circuit.
2. Log on to the Alibaba Cloud Management Console, and check the monitoring data of the IPsec-VPN connections.
  In error-free scenarios, only the traffic monitoring data of IPsec-VPN Connection 1 (the active connection) is displayed.
  The following steps show how to open the details page of IPsec-VPN Connection 1:
  1. Log on to the VPN Gateway console.
  2. In the top navigation bar, select the region in which IPsec-VPN Connections 1 is created.
  3. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.
  4. On the IPsec Connections page, find the IPsec-VPN connection and click its ID.
    On the details page, click the Monitor tab.
3. Temporarily close the active IPsec-VPN connection.
  You can close the active IPsec-VPN connection by disabling the interface that the on-premises gateway device uses to connect to the VPN gateway. For more information about how to disable an interface, see the user guide of the on-premises gateway device.
4. Log on to the Alibaba Cloud Management Console, and check the traffic monitoring data of IPsec-VPN Connection 2 (the standby connection).
  After the active IPsec-VPN connection is closed, network traffic is automatically switched to the standby IPsec-VPN connection. Traffic monitoring data of IPsec-VPN Connection 2 is generated and displayed on the Monitor tab.