This topic describes how to establish an IPsec-VPN connection between a virtual private cloud (VPC) and a data center, and how to configure Border Gateway Protocol (BGP) dynamic routing for the VPC and the data center to automatically learn routes. This way, the VPC and the data center can share resources with each other. This reduces network maintenance costs and network configuration errors.
Prerequisites
If the IPsec-VPN connection is associated with a public VPN gateway, a public IP address must be assigned to the on-premises gateway device.
The on-premises gateway device must support IKEv1 or IKEv2 to establish an IPsec-VPN connection.
The CIDR block of the data center must not overlap with the CIDR block of the VPC.
Regions that support BGP dynamic routing
Area | Region
Asia Pacific | China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Shenzhen), China (Hong Kong), Japan (Tokyo), Singapore, Australia (Sydney), Malaysia (Kuala Lumpur), Indonesia (Jakarta), and India (Mumbai)
Europe & Americas | Germany (Frankfurt), UK (London), US (Virginia), and US (Silicon Valley)
Middle East & India | UAE (Dubai)
Scenarios
The following scenario is an example. An enterprise created a VPC in the Germany (Frankfurt) region. The private CIDR block of the VPC is 10.0.0.0/8 and the autonomous system number (ASN) is 65530. The enterprise has a data center in Frankfurt. The public IP address of the data center is 2.XX.XX.2, the private CIDR block is 172.17.0.0/16, and the ASN is 65531. The enterprise wants to establish a connection between the VPC and the data center for business development.
You can use IPsec-VPN to establish a connection between the VPC and the data center, and configure BGP dynamic routing. After the configuration is completed, the VPC and the data center can automatically learn routes and communicate with each other by using BGP. This reduces network maintenance costs and network configuration errors.
An autonomous system (AS) is an independently managed network unit that decides on its own which routing protocol to use internally. It may consist of a single network or a group of networks controlled by one or more network administrators. Each AS has a globally unique identifier called an ASN.

Prerequisites
A VPC is created in the Germany (Frankfurt) region and cloud services are deployed in the VPC. For more information, see Create a VPC with an IPv4 CIDR block.
You have read and understand the security group rules that apply to the ECS instances in VPCs, and the security group rules allow gateway devices in the data center to access cloud resources. For more information, see View security group rules and Add a security group rule.
Procedure

Step 1: Create a VPN gateway
Log on to the VPN gateway console.
On the VPN Gateways page, click Create VPN Gateway.
On the buy page, set the following parameters, click Buy Now, and then complete the payment.
Parameter | Description
Name | Enter a name for the VPN gateway. In this example, VPN is used.
Region | Select the region where you want to create the VPN gateway. Make sure that the VPN gateway and the VPC are deployed in the same region. In this example, Germany (Frankfurt) is selected.
Gateway Type | Select a VPN gateway type. Default value: Standard.
Network Type | Select a network type. In this example, Public is selected.
Tunnels | The supported tunnel modes (Single-tunnel or Dual-tunnel) are automatically displayed. For more information, see [Upgrade notice] IPsec-VPN connections support the dual-tunnel mode.
VPC | Select the VPC where you want to create the VPN gateway. In this example, the VPC that is created in the Germany (Frankfurt) region is selected.
VSwitch | Select a vSwitch from the selected VPC. If you select Single-tunnel, you must specify one vSwitch; if you select Dual-tunnel, you must specify two vSwitches. Note: The system selects a vSwitch by default; you can keep the default vSwitch or change it. After you create a VPN gateway, you cannot change the vSwitch associated with it. You can view the associated vSwitch and the zone of the vSwitch on the details page of the VPN gateway.
vSwitch 2 | Ignore this parameter if you select Single-tunnel.
Maximum Bandwidth | Select a maximum bandwidth value for the VPN gateway. Unit: Mbit/s. The bandwidth is used by the VPN gateway for data transfer over the Internet. In this example, 5 Mbit/s is selected.
Traffic | By default, the VPN gateway uses the pay-by-data-transfer metering method. For more information, see Billing.
IPsec-VPN | Specify whether to enable the IPsec-VPN feature. In this example, Enable is selected.
SSL-VPN | Specify whether to enable the SSL-VPN feature. In this example, Disable is selected.
Duration | Select a billing cycle. Default value: By Hour.
Service-linked Role | Click Create Service-linked Role and the system automatically creates the service-linked role AliyunServiceRoleForVpn. For more information about how a VPN gateway assumes the role to access other cloud resources, see AliyunServiceRoleForVpn. If Created is displayed, the service-linked role already exists and you do not need to create it again.
The newly created VPN gateway is in the Preparing state and changes to the Normal state after about 1 to 5 minutes. After the VPN gateway changes to the Normal state, the VPN gateway is ready for use. After the VPN gateway is created, a public IP address is automatically assigned to the gateway for establishing VPN connections.
If you want to use an existing VPN gateway, make sure that it is updated to the latest version. If the existing VPN gateway does not use the latest version, BGP dynamic routing is not available by default.
You can check whether your VPN gateway uses the latest version based on the status of the Upgrade button. If your VPN gateway does not use the latest version, click Upgrade to update it. For more information, see Upgrade a VPN gateway.
Step 2: Enable BGP dynamic routing
BGP is used to exchange routing information between different ASs. To use BGP dynamic routing, you must enable BGP dynamic routing for the VPN gateway.
In the left-side navigation pane, choose .
In the top navigation bar, select the region of the VPN gateway.
On the VPN Gateways page, find the VPN gateway that you created and select in the Actions column.
In the Enable Automatic BGP Propagation message, click OK.
After you enable automatic BGP advertising, the VPN gateway automatically advertises BGP routes to the VPC.
Step 3: Create a customer gateway
You can create a customer gateway to register and update information about the data center to Alibaba Cloud, and then connect the customer gateway to the VPN gateway.
In the left-side navigation pane, choose .
In the top navigation bar, select the region where you want to create the customer gateway.
Note: Make sure that the customer gateway and the VPN gateway to be connected are deployed in the same region.
On the Customer Gateways page, click Create Customer Gateway.
In the Create Customer Gateway panel, set the following parameters and click OK.
Parameter | Description
Name | Enter a name for the customer gateway. In this example, CGW is used.
IP Address | Enter the static public IP address of the gateway device in the data center. In this example, 2.XX.XX.2 is used.
ASN | Enter the ASN of the data center. In this example, 65531 is used.
Description | Enter a description for the customer gateway.
For more information about the parameters, see Create a customer gateway.
After the customer gateway is created, the customer gateway is displayed on the Customer Gateways page. The system automatically assigns a public IP address to the customer gateway. You can use the IP address to establish a connection between the customer gateway and the VPN gateway.
Step 4: Create an IPsec-VPN connection
In the left-side navigation pane, choose .
In the top navigation bar, select the region where you want to create the IPsec-VPN connection.
Note: Make sure that the IPsec-VPN connection and the VPN gateway to be connected are deployed in the same region.
On the IPsec Connections page, click Create an IPsec connection.
On the Create IPsec Connection page, configure the IPsec-VPN connection based on the following information and click OK.
The following table describes only the key parameters. The default values are used for the other parameters. For more information, see Create and manage IPsec-VPN connections in single-tunnel mode.
Parameter | Description
Name | Enter a name for the IPsec-VPN connection. In this example, VPCTOIDC is used.
Associate Resource | Select the type of network resource to be associated with the IPsec-VPN connection. In this example, VPN Gateway is selected.
VPN Gateway | Select the VPN gateway that you want to connect. In this example, the VPN gateway that is created in Step 1 is selected.
Customer Gateway | Select the customer gateway that you want to connect. In this example, the customer gateway that is created in Step 3 is selected.
Routing Mode | Select a routing mode: Destination Routing Mode or Protected Data Flows. If the IPsec-VPN connection uses BGP, we recommend that you select Destination Routing Mode. In this example, Destination Routing Mode is selected.
Effective Immediately | Specify whether to immediately start negotiations for the connection. Yes: starts negotiations after the configuration is completed. No: starts negotiations when inbound traffic is detected. In this example, Yes is selected.
Pre-Shared Key | Enter a pre-shared key. Make sure that the VPC and the data center use the same pre-shared key. In this example, 123456**** is used.
Version | Select an IKE version. In this example, ikev2 is selected.
Encryption Algorithm | Select an encryption algorithm. In this example, aes is selected.
Authentication Algorithm | Select an authentication algorithm. In this example, sha1 is selected.
DH Group | Select a DH group. In this example, group2 is selected.
Tunnel CIDR Block | Enter the CIDR block of the IPsec tunnel. The CIDR block must fall within 169.254.0.0/16 and must use a 30-bit subnet mask. In this example, 169.254.10.0/30 is used.
Local BGP IP address | Enter the BGP IP address on the VPC side. The IP address must fall within the CIDR block of the IPsec tunnel. In this example, 169.254.10.1 is used. Note: Make sure that the BGP IP addresses on the VPC side and on the data center side do not conflict with each other.
Local ASN | Enter the ASN on the VPC side. In this example, 65530 is used.
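Before you click OK, the values you entered can be checked against the constraints this topic states. The following Python script is an added example and is not part of this topic or of Alibaba Cloud's tooling. It encodes the rules given here: the tunnel CIDR block must fall within 169.254.0.0/16 with a 30-bit mask, the BGP IP address of each side must be a usable host address in that block and the two must differ, the VPC and data center CIDR blocks must not overlap (from the prerequisites), and the two sides must use different ASNs because BGP here runs between different ASs. The data center BGP IP address (169.254.10.2 in this example) is the tunnel address that is configured on the gateway device in the data center.

```python
# Added example (not Alibaba Cloud tooling): pre-flight checks for the
# IPsec-VPN connection and BGP parameters described in this topic.
import ipaddress

# Tunnel CIDR blocks must be carved out of this range with a 30-bit mask.
TUNNEL_RANGE = ipaddress.ip_network("169.254.0.0/16")
TUNNEL_PREFIXLEN = 30


def validate_ipsec_bgp_params(vpc_cidr, dc_cidr, tunnel_cidr,
                              local_bgp_ip, remote_bgp_ip,
                              local_asn, remote_asn):
    """Return a list of problems found; an empty list means every constraint
    stated in the topic holds for this parameter set."""
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr, strict=False)
    dc = ipaddress.ip_network(dc_cidr, strict=False)
    tunnel = ipaddress.ip_network(tunnel_cidr, strict=False)
    local = ipaddress.ip_address(local_bgp_ip)
    remote = ipaddress.ip_address(remote_bgp_ip)

    # Prerequisite: the data center CIDR block must not overlap the VPC's.
    if vpc.overlaps(dc):
        problems.append(f"VPC CIDR {vpc} overlaps data center CIDR {dc}")

    # Tunnel CIDR Block: must fall within 169.254.0.0/16 with a 30-bit mask.
    if tunnel.version != 4 or not tunnel.subnet_of(TUNNEL_RANGE):
        problems.append(f"tunnel CIDR {tunnel} is not within {TUNNEL_RANGE}")
    if tunnel.prefixlen != TUNNEL_PREFIXLEN:
        problems.append(f"tunnel CIDR {tunnel} must use a 30-bit subnet mask")

    # A /30 leaves exactly two usable host addresses; each side's BGP IP must
    # be one of them, and the two sides must not use the same address.
    usable = set()
    if tunnel.version == 4 and tunnel.prefixlen == TUNNEL_PREFIXLEN:
        usable = set(tunnel.hosts())
    for side, ip in (("VPC-side", local), ("data-center-side", remote)):
        if ip not in usable:
            problems.append(f"{side} BGP IP {ip} is not a usable host address in {tunnel}")
    if local == remote:
        problems.append(f"both sides use BGP IP {local}; the addresses must differ")

    # ASNs: must be valid and, because BGP here runs between different ASs,
    # must differ between the VPC and the data center.
    for side, asn in (("VPC-side", local_asn), ("data-center-side", remote_asn)):
        if not 1 <= asn <= 4294967295:
            problems.append(f"{side} ASN {asn} is not a valid ASN")
    if local_asn == remote_asn:
        problems.append(f"both sides use ASN {local_asn}; the peering is between different ASs")
    return problems


if __name__ == "__main__":
    # Values from the scenario in this topic.
    example = validate_ipsec_bgp_params(
        vpc_cidr="10.0.0.0/8", dc_cidr="172.17.0.0/16",
        tunnel_cidr="169.254.10.0/30",
        local_bgp_ip="169.254.10.1", remote_bgp_ip="169.254.10.2",
        local_asn=65530, remote_asn=65531)
    print("OK" if not example else "\n".join(example))
```

Run it with the values from the scenario and it reports no problems; feed it an overlapping data center CIDR, a tunnel block outside 169.254.0.0/16, or the same ASN on both sides and each violated constraint is listed separately, which is easier to act on than a failed IKE or BGP negotiation later.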
Step 5: Add VPN configurations to the gateway device in the data center
After you create an IPsec-VPN connection, you need to add the VPN configurations to the gateway device in the data center to establish a VPN connection between the VPC and the data center.
The following example shows how to add VPN configurations to the gateway device in the data center. A Cisco firewall device that runs the Cisco IOS XE system is used in the example.
The following content contains third-party product information, which is for reference only. Alibaba Cloud does not make guarantees or other forms of commitments for the performance and reliability of the third-party tools, and potential impacts of operations on these tools.
The commands may vary with different vendors. Contact the vendor to obtain the information about specific commands.
Log on to the CLI of the Cisco firewall device.
Run the following commands to set the IKEv2 proposal and policy:
crypto ikev2 proposal alicloud
 encryption aes-cbc-128   //Set the encryption algorithm. In this example, aes-cbc-128 is used.
 integrity sha1           //Set the authentication algorithm. In this example, sha1 is used.
 group 2                  //Set the DH group. In this example, group 2 is used.
 exit
!
crypto ikev2 policy Pureport_Pol_ikev2
 proposal alicloud
 exit
!
Run the following commands to configure the IKEv2 keyring:
crypto ikev2 keyring alicloud
 peer alicloud
  address 1.XX.XX.1          //Set the public IP address of the VPN gateway on the VPC side. In this example, 1.XX.XX.1 is used.
  pre-shared-key 123456****  //Set the pre-shared key. In this example, 123456**** is used.
 exit
!
Run the following commands to configure the IKEv2 profile:
crypto ikev2 profile alicloud
 match identity remote address 1.XX.XX.1 255.255.255.255   //Match the public IP address of the VPN gateway on the VPC side. The matched IP address is 1.XX.XX.1 in this example.
 identity local address 2.XX.XX.2                          //Set the public IP address of the data center. In this example, 2.XX.XX.2 is used.
 authentication remote pre-share                           //Set the authentication mode for the VPC to PSK.
 authentication local pre-share                            //Set the authentication mode for the data center to PSK.
 keyring local alicloud                                    //Invoke the IKEv2 keyring.
 exit
!
Run the following commands to configure the IPsec transform set:
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
 mode tunnel
 exit
!
Run the following commands to configure the IPsec profile, which references the transform set, the PFS group, and the IKEv2 profile:
crypto ipsec profile alicloud
 set transform-set TSET
 set pfs group2
 set ikev2-profile alicloud
 exit
!
Run the following commands to set the IPsec tunnel:
interface Tunnel100
 ip address 169.254.10.2 255.255.255.252   //Set the tunnel address on the data center side. In this example, 169.254.10.2 is used.
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination 1.XX.XX.1              //Set the public IP address of the VPN gateway on the Alibaba Cloud side. In this example, 1.XX.XX.1 is used.
 tunnel protection ipsec profile alicloud
 no shutdown
 exit
!
interface GigabitEthernet1
 ip address 2.XX.XX.2 255.255.255.0
 negotiation auto
!
Run the following commands to configure BGP:
router bgp 65531                            //Enable BGP and set the ASN of the data center. In this example, 65531 is used.
 bgp router-id 169.254.10.2                 //Set the BGP router ID. In this example, 169.254.10.2 is used.
 bgp log-neighbor-changes
 neighbor 169.254.10.1 remote-as 65530      //Set the ASN of the BGP peer.
 neighbor 169.254.10.1 ebgp-multihop 10     //Set the EBGP hop-count to 10.
 !
 address-family ipv4
  network 172.17.0.0 mask 255.255.0.0      //Advertise the CIDR block of the data center. In this example, the CIDR block is 172.17.0.0/16.
  neighbor 169.254.10.1 activate           //Activate the BGP peer.
 exit-address-family
!
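Most failures at this point come from the two ends disagreeing on a single value: a tunnel address outside the /30, a remote-as that is the device's own ASN, or a tunnel destination that is not the VPN gateway. The following Python script is an added example, not part of this topic or of Alibaba Cloud's or Cisco's tooling. It reads the command forms used above from a saved configuration (router bgp, neighbor ... remote-as, interface Tunnel..., ip address, tunnel destination, the keyring peer address, and network ... mask) and compares them with the parameters entered on the Alibaba Cloud side. The public IP addresses in the sample are constructed stand-ins from the documentation ranges (203.0.113.1 for the VPN gateway and 198.51.100.2 for the data center) because this topic masks them as 1.XX.XX.1 and 2.XX.XX.2.

```python
# Added example (not part of this topic, Alibaba Cloud, or Cisco tooling):
# parse the IOS XE fragments from Step 5 and cross-check them against the
# IPsec-VPN connection parameters entered on the Alibaba Cloud side.
import ipaddress
import re

# Constructed sample: the Step 5 configuration with the masked public
# addresses replaced by documentation-range placeholders. Only the lines the
# checker reads are kept.
SAMPLE_IOS_CONFIG = """\
crypto ikev2 keyring alicloud
 peer alicloud
  address 203.0.113.1
  pre-shared-key 123456****
interface Tunnel100
 ip address 169.254.10.2 255.255.255.252
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile alicloud
interface GigabitEthernet1
 ip address 198.51.100.2 255.255.255.0
router bgp 65531
 bgp router-id 169.254.10.2
 neighbor 169.254.10.1 remote-as 65530
 neighbor 169.254.10.1 ebgp-multihop 10
 address-family ipv4
  network 172.17.0.0 mask 255.255.0.0
  neighbor 169.254.10.1 activate
"""

# Cloud side of the same connection (values from this topic; the VPN gateway
# public IP is the constructed placeholder).
CLOUD_SIDE = {
    "vpn_gateway_ip": "203.0.113.1",
    "tunnel_cidr": "169.254.10.0/30",
    "local_bgp_ip": "169.254.10.1",  # Local BGP IP address (VPC side)
    "local_asn": 65530,              # Local ASN (VPC side)
    "customer_asn": 65531,           # ASN entered for the customer gateway
    "dc_cidr": "172.17.0.0/16",      # data center CIDR that BGP must advertise
}


def parse_ios_config(text):
    """Minimal line-oriented reader for the command forms used in Step 5."""
    cfg = {"neighbors": {}, "networks": [], "keyring_peers": []}
    in_tunnel = False  # True while inside an 'interface Tunnel...' block
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            in_tunnel = line.startswith("interface Tunnel")
        elif line.startswith("router bgp "):
            in_tunnel = False
            cfg["local_asn"] = int(line.split()[2])
        elif m := re.match(r"neighbor (\S+) remote-as (\d+)$", line):
            cfg["neighbors"][m.group(1)] = int(m.group(2))
        elif m := re.match(r"network (\S+) mask (\S+)$", line):
            cfg["networks"].append(str(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")))
        elif in_tunnel and (m := re.match(r"ip address (\S+) (\S+)$", line)):
            cfg["tunnel_ip"] = m.group(1)
            cfg["tunnel_net"] = str(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
        elif in_tunnel and (m := re.match(r"tunnel destination (\S+)$", line)):
            cfg["tunnel_destination"] = m.group(1)
        elif m := re.match(r"address (\S+)$", line):  # 'address' inside the keyring peer
            cfg["keyring_peers"].append(m.group(1))
    return cfg


def cross_check(cfg, cloud):
    """Compare the parsed device config with the cloud-side parameters.
    Returns a list of mismatches; an empty list means both ends agree."""
    issues = []
    if cfg.get("local_asn") != cloud["customer_asn"]:
        issues.append(f"router bgp uses ASN {cfg.get('local_asn')}; the customer gateway ASN is {cloud['customer_asn']}")
    peer_asn = cfg["neighbors"].get(cloud["local_bgp_ip"])
    if peer_asn is None:
        issues.append(f"no BGP neighbor for the VPC-side BGP IP {cloud['local_bgp_ip']}")
    elif peer_asn != cloud["local_asn"]:
        issues.append(f"neighbor remote-as {peer_asn} does not match the VPC-side ASN {cloud['local_asn']}")
    tunnel = ipaddress.ip_network(cloud["tunnel_cidr"])
    tunnel_ip = cfg.get("tunnel_ip")
    if tunnel_ip is None or ipaddress.ip_address(tunnel_ip) not in tunnel:
        issues.append(f"tunnel interface address {tunnel_ip} is outside the tunnel CIDR {tunnel}")
    elif tunnel_ip == cloud["local_bgp_ip"]:
        issues.append(f"tunnel interface address {tunnel_ip} conflicts with the VPC-side BGP IP")
    if cfg.get("tunnel_net") != str(tunnel):
        issues.append(f"tunnel interface mask yields {cfg.get('tunnel_net')}, expected {tunnel}")
    if cfg.get("tunnel_destination") != cloud["vpn_gateway_ip"]:
        issues.append(f"tunnel destination {cfg.get('tunnel_destination')} is not the VPN gateway IP {cloud['vpn_gateway_ip']}")
    if cloud["vpn_gateway_ip"] not in cfg["keyring_peers"]:
        issues.append(f"IKEv2 keyring has no peer entry for {cloud['vpn_gateway_ip']}")
    if str(ipaddress.ip_network(cloud["dc_cidr"])) not in cfg["networks"]:
        issues.append(f"BGP does not advertise the data center CIDR {cloud['dc_cidr']}")
    return issues


if __name__ == "__main__":
    result = cross_check(parse_ios_config(SAMPLE_IOS_CONFIG), CLOUD_SIDE)
    print("device config matches the cloud side" if not result else "\n".join(result))
```

The parser tracks which interface block it is in so that the ip address line of GigabitEthernet1 is not mistaken for the tunnel address, and the check is deliberately one-directional: it compares what the device would actually do against what the console was told, which is where an asymmetric IPsec or BGP configuration shows up before the first negotiation.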
After you establish the IPsec-VPN connection, the VPN gateway of the VPC and the gateway device in the data center advertise the following routes:
The gateway device in the data center automatically learns routes from the CIDR block of the data center through BGP, and then advertises the routes to the VPN gateway of the VPC. The VPN gateway of the VPC automatically advertises the learned routes to the system route table of the VPC. You can view route information about the system route table on the Dynamic Route tab.
The VPN gateway on Alibaba Cloud automatically learns system routes and custom routes from the system route table of the VPC, and then advertises the routes to the customer VPN gateway.
Step 6: Test the network connectivity
Log on to an Elastic Compute Service (ECS) instance that is not assigned a public address in the VPC. For more information about how to log on to an ECS instance, see Guidelines on instance connection.
Run the ping command to access a client in the data center and test the connectivity. The result shows that the ECS instance in the VPC can access the client in the data center.
Log on to the client in the data center.
Run the ping command to access an ECS instance in the VPC and test the connectivity. The result shows that the client in the data center can access the ECS instance in the VPC.