You can connect a data center to a virtual private cloud (VPC) through an IPsec-VPN connection. This topic provides an overview of IPsec-VPN connections.

Prerequisites

Before you use IPsec-VPN to connect a data center to a VPC, make sure that the following requirements are met:
  • The gateway device in the data center supports IKEv1 or IKEv2.

    IPsec-VPN on Alibaba Cloud negotiates with IKEv1 or IKEv2, so any gateway device that implements either protocol can connect to a VPN gateway. Prefer IKEv2 where the device supports it: IKEv1 aggressive mode with a pre-shared key exposes a hash that can be attacked offline, and IKEv2 builds peer liveness checks into the protocol.

  • A static public IP address is assigned to the gateway device in the data center. This is the address you register when you create the customer gateway; if it changes, the VPN gateway no longer recognizes the peer.
  • The CIDR block of the data center does not overlap with the CIDR block of the VPC. Overlapping prefixes cannot be routed unambiguously across the tunnel.
  • The security group rules that are applied to the Elastic Compute Service (ECS) instances in the VPC allow inbound traffic from the data center CIDR block for the protocols and ports that the data center needs to reach. For more information, see Query security group rules.
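The prerequisites above can be checked before anything is created in the console. The following script is an added example, not Alibaba Cloud code: it checks that the data center prefixes do not overlap the VPC (or each other), that the customer gateway address is not in a private, CGNAT or otherwise non-public range, and that the security group admits the data center. All inputs are constructed sample values, and the security-group rule model (action, direction, protocol, port range, source CIDR) is a simplified assumption rather than the console's own format.

```python
"""Pre-flight checks for the IPsec-VPN prerequisites above.

Added example; not Alibaba Cloud code. All inputs are constructed sample
values, and the security-group rule model (action, direction, protocol,
port range, source CIDR) is a simplified assumption.
"""
import ipaddress

# Constructed sample inputs. 203.0.113.0/24 is the documentation range and
# stands in for the data center gateway's real static public IP.
VPC_CIDR = "192.168.0.0/16"
DATA_CENTER_CIDRS = ["10.0.0.0/16", "10.1.0.0/24"]
CUSTOMER_GATEWAY_IP = "203.0.113.10"
SECURITY_GROUP_RULES = [
    ("accept", "ingress", "tcp", "22/22", "10.0.0.0/16"),
    ("accept", "ingress", "icmp", "-1/-1", "10.0.0.0/16"),
    ("accept", "ingress", "tcp", "443/443", "0.0.0.0/0"),
]
# Traffic the data center needs to reach ECS instances over the tunnel.
REQUIRED_ACCESS = [("icmp", "-1/-1"), ("tcp", "22/22")]

# Ranges that can never serve as a static public address for a customer gateway.
_NOT_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "100.64.0.0/10",     # RFC 6598 CGNAT: the gateway sits behind carrier NAT
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]


def overlapping_cidrs(vpc_cidr, dc_cidrs):
    """Return DC CIDRs that overlap the VPC CIDR or each other (sorted)."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = [ipaddress.ip_network(c) for c in dc_cidrs]
    bad = {str(n) for n in nets if n.overlaps(vpc)}
    for i, a in enumerate(nets):            # overlaps among DC prefixes are
        for b in nets[i + 1:]:              # just as unroutable
            if a.overlaps(b):
                bad.update({str(a), str(b)})
    return sorted(bad)


def is_public_gateway_ip(ip):
    """True if ip is an IPv4 address outside every non-public range above."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and not any(addr in n for n in _NOT_PUBLIC)


def _port_range(spec):
    """'lo/hi' -> (lo, hi); '-1/-1' means all ports."""
    lo, hi = (int(p) for p in spec.split("/"))
    return (0, 65535) if lo == -1 else (lo, hi)


def missing_ingress(dc_cidrs, rules, required=REQUIRED_ACCESS):
    """List (dc_cidr, proto, ports) that no accept/ingress rule admits."""
    missing = []
    for cidr in dc_cidrs:
        dc = ipaddress.ip_network(cidr)
        for proto, ports in required:
            need_lo, need_hi = _port_range(ports)
            allowed = any(
                action == "accept" and direction == "ingress"
                and r_proto in (proto, "all")
                and dc.subnet_of(ipaddress.ip_network(src))
                and _port_range(r_ports)[0] <= need_lo
                and _port_range(r_ports)[1] >= need_hi
                for action, direction, r_proto, r_ports, src in rules
            )
            if not allowed:
                missing.append((cidr, proto, ports))
    return missing


def preflight(vpc_cidr=VPC_CIDR, dc_cidrs=DATA_CENTER_CIDRS,
              gateway_ip=CUSTOMER_GATEWAY_IP, rules=SECURITY_GROUP_RULES):
    """Run all checks; an empty list means the prerequisites hold."""
    problems = []
    overlap = overlapping_cidrs(vpc_cidr, dc_cidrs)
    if overlap:
        problems.append(f"overlapping CIDRs: {overlap}")
    if not is_public_gateway_ip(gateway_ip):
        problems.append(f"customer gateway IP {gateway_ip} is not a public address")
    for cidr, proto, ports in missing_ingress(dc_cidrs, rules):
        problems.append(f"security group does not admit {proto} {ports} from {cidr}")
    return problems


if __name__ == "__main__":
    for line in preflight() or ["all prerequisites satisfied"]:
        print(line)
```

With the sample data the CIDRs and the gateway address pass, but the second data center prefix (10.1.0.0/24) is not covered by any security group rule, which is exactly the kind of gap that shows up later as "tunnel is up but nothing answers".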

Procedure

  1. Create a VPN gateway

    Enable the IPsec-VPN feature when you create the VPN gateway. One VPN gateway can terminate multiple IPsec-VPN connections.

  2. Create a customer gateway

    Register the gateway device in the data center as a customer gateway on Alibaba Cloud. The customer gateway records the device's static public IP address, which is how the VPN gateway identifies the peer it negotiates with.

  3. Create an IPsec-VPN connection

    An IPsec-VPN connection is the VPN tunnel between a VPN gateway and the gateway device in the data center. The connection carries the IKE and IPsec parameters and the pre-shared key that both ends must agree on. The data center can communicate with Alibaba Cloud through the encrypted tunnel only after the connection is established.

  4. Configure the gateway device in the data center

    Configure the gateway device in the data center with the public IP address of the VPN gateway on Alibaba Cloud and with exactly the IKE and IPsec parameters and pre-shared key that you set on the IPsec-VPN connection; a mismatch in either phase makes negotiation fail. For more information, see Configure on-premises gateways.

  5. Add routes to the VPN gateway

    Add routes for the data center CIDR block to the VPN gateway and advertise them to the VPC route table. Until these routes exist, the VPC has no path to the data center even though the tunnel is up. For more information, see Route overview.

  6. Test the connectivity

    Log on to an ECS instance in the VPC that is not assigned a public IP address, then run the ping command against the private IP address of a server in the data center. The security group of the instance and the data center firewall must permit ICMP; otherwise a healthy tunnel still looks down.
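Steps 3 and 4 only work when the gateway device mirrors the IPsec-VPN connection exactly, and the parameters chosen in step 3 are what the tunnel's security rests on. The following script is an added example, not Alibaba Cloud or vendor code: it lints a connection's IKE/IPsec parameters for weak choices and then checks that the on-premises copy mirrors the cloud side, including the fact that the traffic selectors must be swapped rather than copied. The field names are an assumed generic shape for an IKE/IPsec proposal, and both configurations are constructed samples.

```python
"""Lint an IPsec-VPN connection's IKE/IPsec parameters and verify that the
on-premises gateway (step 4) mirrors the cloud side (step 3) exactly.

Added example, not Alibaba Cloud or vendor code. The field names are an
assumed, generic shape for an IKE/IPsec proposal; both configurations are
constructed samples.
"""

WEAK_ENC = {"des", "3des"}
WEAK_AUTH = {"md5", "sha1"}
WEAK_DH = {"group1", "group2", "group5"}      # 768-, 1024- and 1536-bit MODP
MIN_PSK_LEN = 20
# Fields that must be identical on both ends for phase 1 and phase 2 to agree.
PROPOSAL_FIELDS = ("ike_version", "ike_mode", "ike_enc", "ike_auth", "ike_pfs",
                   "ike_lifetime", "ipsec_enc", "ipsec_auth", "ipsec_pfs",
                   "ipsec_lifetime", "psk")

# Constructed cloud-side connection (the values set in step 3).
CLOUD_SIDE = {
    "ike_version": "ikev2", "ike_mode": "main",
    "ike_enc": "aes256", "ike_auth": "sha256", "ike_pfs": "group14",
    "ike_lifetime": 86400,
    "ipsec_enc": "aes256", "ipsec_auth": "sha256", "ipsec_pfs": "group14",
    "ipsec_lifetime": 86400,
    "psk": "c0nstructed-sample-psk-0123456789",   # constructed, 33 characters
    "local_subnet": "192.168.0.0/16",            # VPC side
    "remote_subnet": "10.0.0.0/16",              # data center side
}

# Constructed on-premises copy (step 4), typed in by hand and drifted in
# three places; the subnets are correctly swapped.
ONPREM_SIDE = dict(CLOUD_SIDE,
                   ike_version="ikev1", ike_mode="aggressive", ipsec_auth="sha1",
                   local_subnet="10.0.0.0/16", remote_subnet="192.168.0.0/16")


def lint_proposal(cfg):
    """Return findings for weak or risky choices; an empty list means clean."""
    findings = []
    if cfg["ike_version"] == "ikev1" and cfg["ike_mode"] == "aggressive":
        findings.append("IKEv1 aggressive mode exposes a PSK-derived hash to offline cracking")
    for field in ("ike_enc", "ipsec_enc"):
        if cfg[field] in WEAK_ENC:
            findings.append(f"{field}={cfg[field]} is weak")
    for field in ("ike_auth", "ipsec_auth"):
        if cfg[field] in WEAK_AUTH:
            findings.append(f"{field}={cfg[field]} is weak")
    for field in ("ike_pfs", "ipsec_pfs"):
        if cfg[field] in WEAK_DH:
            findings.append(f"{field}={cfg[field]} is too small")
    if len(cfg["psk"]) < MIN_PSK_LEN:
        findings.append(f"psk shorter than {MIN_PSK_LEN} characters")
    return findings


def mirror_mismatches(cloud, onprem):
    """Fields where the on-prem gateway does not mirror the cloud connection.

    Proposal fields must be equal; the traffic selectors must be swapped,
    because each side's 'local' is the other side's 'remote'."""
    bad = [f for f in PROPOSAL_FIELDS if cloud[f] != onprem[f]]
    if cloud["local_subnet"] != onprem["remote_subnet"]:
        bad.append("remote_subnet")
    if cloud["remote_subnet"] != onprem["local_subnet"]:
        bad.append("local_subnet")
    return bad


if __name__ == "__main__":
    for side, cfg in (("cloud", CLOUD_SIDE), ("on-prem", ONPREM_SIDE)):
        for finding in lint_proposal(cfg):
            print(f"{side}: {finding}")
    for field in mirror_mismatches(CLOUD_SIDE, ONPREM_SIDE):
        print(f"mismatch: {field}")
```

Passing the cloud configuration as both arguments is a useful negative check: a verbatim copy is reported as wrong on both subnet fields, which is what happens when an operator pastes the cloud-side values into the on-premises device without swapping local and remote.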

Basic scenarios