This topic describes how to establish an IPsec-VPN connection in single-tunnel mode between a virtual private cloud (VPC) and a data center by using a public VPN gateway, and how to configure Border Gateway Protocol (BGP) dynamic routing for the VPC and the data center to automatically learn routes. This way, the VPC and the data center can share resources with each other. This reduces network maintenance costs and network configuration errors.
Prerequisites
A public IP address is assigned to the gateway device in the data center before you associate an IPsec-VPN connection with a public VPN gateway.
The on-premises gateway device must support IKEv1 or IKEv2 to establish IPsec-VPN connections with a VPN gateway.
The CIDR block of the data center does not overlap with the CIDR block of the VPC.
Regions that support BGP dynamic routing
| Area | Region |
| --- | --- |
| Asia Pacific | China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Shenzhen), China (Hong Kong), Japan (Tokyo), Singapore, Australia (Sydney), Malaysia (Kuala Lumpur), Indonesia (Jakarta), and India (Mumbai) |
| Europe and Americas | Germany (Frankfurt), UK (London), US (Virginia), and US (Silicon Valley) |
| Middle East and India | UAE (Dubai) |
Scenario
The following figure shows the scenario that is used in this topic. An enterprise has created a VPC in the Germany (Frankfurt) region. The private CIDR block of the VPC is 10.0.0.0/8 and the autonomous system number (ASN) is 65530. The enterprise has a data center in Frankfurt. The public IP address of the data center is 2.XX.XX.2, the private CIDR block is 172.17.0.0/16, and the ASN is 65531. The enterprise wants to establish a connection between the VPC and the data center for business development.
You can use IPsec-VPN to establish a connection between the VPC and the data center, and configure BGP dynamic routing. After the configuration is complete, the VPC and the data center can automatically learn routes and communicate with each other by using BGP dynamic routing. This reduces network maintenance costs and network configuration errors.
An autonomous system (AS) is a network, or a group of networks, that is administered as one manageable unit and independently decides the routing policy used inside it. It may be a single network or a set of networks controlled by one or more network administrators. Each AS has a globally unique identifier called an ASN.
Preparations
A VPC is created in the Germany (Frankfurt) region and cloud services are deployed in the VPC. For more information, see Create a VPC with an IPv4 CIDR block.
You have read and understood the security group rules that apply to the ECS instances in the VPC, and the security group rules allow the gateway device in the data center to access the cloud resources. For more information, see View security group rules and Add a security group rule.
Procedure
Step 1: Create a VPN gateway
Log on to the VPN gateway console.
On the VPN Gateways page, click Create VPN Gateway.
On the buy page, configure the following parameters, click Buy Now, and then complete the payment.
| Parameter | Description |
| --- | --- |
| Name | Enter a name for the VPN gateway. In this example, VPN is used. |
| Resource Group | Select the resource group to which the VPN gateway belongs. If you leave this parameter empty, the VPN gateway belongs to the default resource group. In this example, this parameter is left empty. |
| Region | Select the region in which you want to create the VPN gateway. Make sure that the VPN gateway and the VPC are deployed in the same region. In this example, Germany (Frankfurt) is selected. |
| Gateway Type | Select a gateway type. Default value: Standard. |
| Network Type | Select a network type. In this example, Public is selected. |
| Tunnels | The system displays the tunnel modes supported in this region: Single-tunnel or Dual-tunnel. For more information, see [Upgrade notice] IPsec-VPN connections support the dual-tunnel mode. |
| VPC | Select the VPC in which you want to create the VPN gateway. In this example, the VPC that is created in the Germany (Frankfurt) region is selected. |
| VSwitch | Select a vSwitch from the selected VPC. If you select Single-tunnel, specify one vSwitch; if you select Dual-tunnel, specify two vSwitches. Note: The system selects a vSwitch by default; you can keep or change it. After you create a VPN gateway, you cannot change the vSwitch associated with the VPN gateway. You can view the associated vSwitch and its zone on the details page of the VPN gateway. |
| vSwitch 2 | Ignore this parameter if you select Single-tunnel. |
| Maximum Bandwidth | Select a maximum bandwidth value for the VPN gateway. Unit: Mbit/s. The maximum bandwidth value limits the data transfer rate over the Internet. In this example, 5 Mbit/s is selected. |
| Traffic | By default, the VPN gateway uses the pay-by-data-transfer metering method. For more information, see Billing rules. |
| IPsec-VPN | Specify whether to enable IPsec-VPN. In this example, Enable is selected. |
| SSL-VPN | Specify whether to enable SSL-VPN. In this example, Disable is selected. |
| Duration | Select a billing cycle. Default value: By Hour. |
| Service-linked Role | Click Create Service-linked Role. The system automatically creates the service-linked role AliyunServiceRoleForVpn. A VPN gateway assumes this role to access other cloud resources. For more information, see AliyunServiceRoleForVpn. If Created is displayed, the service-linked role already exists and you do not need to create it again. |
The newly created VPN gateway is in the Preparing state and changes to the Normal state after about 1 to 5 minutes. After the status changes to Normal, the VPN gateway is ready for use. After the VPN gateway is created, a public IP address is automatically assigned to the gateway for establishing VPN connections.
If you want to use an existing VPN gateway, make sure that it runs the latest version. If the existing VPN gateway does not run the latest version, you cannot use BGP dynamic routing.
You can check whether your VPN gateway runs the latest version by the status of the Upgrade button. If your VPN gateway does not run the latest version, click Upgrade to update it. For more information, see Upgrade a VPN gateway.
Step 2: Enable BGP dynamic routing
BGP is used to exchange routing information between different ASs. To use BGP dynamic routing, you must enable BGP dynamic routing for the VPN gateway.
In the left-side navigation pane, choose .
In the top navigation bar, select the region of the VPN gateway.
On the VPN Gateways page, find the VPN gateway that you created, move the pointer over the icon in the Actions column, and then click Enable Automatic BGP Propagation.
In the Enable Automatic BGP Propagation message, click OK.
The VPN gateway automatically advertises BGP routes to the VPC.
Step 3: Create a customer gateway
You can create a customer gateway to register and update information about the data center to Alibaba Cloud, and then connect the customer gateway to the VPN gateway.
In the left-side navigation pane, choose .
In the top navigation bar, select the region in which you want to create the customer gateway.
Note: Make sure that the customer gateway and the VPN gateway to be connected are deployed in the same region.
On the Customer Gateway page, click Create Customer Gateway.
In the Create Customer Gateway panel, configure the following parameters and click OK.
The following table describes only the parameters that are relevant to this topic. You can use the default values for other parameters or leave them empty. For more information, see Create and manage a customer gateway.
| Parameter | Description |
| --- | --- |
| Name | Enter a name for the customer gateway. In this example, CGW is used. |
| IP Address | Enter the public IP address of the gateway device in the data center. In this example, 2.XX.XX.2 is used. |
| ASN | Enter the ASN of the data center. In this example, 65531 is used. |
| Description | Enter a description for the customer gateway. |
Step 4: Create an IPsec-VPN connection
In the left-side navigation pane, choose .
In the top navigation bar, select the region in which you want to create the IPsec-VPN connection.
Note: Make sure that the IPsec-VPN connection and the VPN gateway to be connected are deployed in the same region.
On the IPsec Connections page, click Create IPsec-VPN Connection.
On the Create IPsec-VPN Connection page, configure the following parameters and click OK.
The following table describes only the key parameters. The default values are used for the other parameters. For more information, see Create and manage IPsec-VPN connections in single-tunnel mode.
| Parameter | Description |
| --- | --- |
| Name | Enter a name for the IPsec-VPN connection. In this example, VPCTOIDC is used. |
| Resource Group | Select the resource group to which the VPN gateway belongs. In this example, the default resource group is selected. |
| Associate Resource | Select the type of network resource to be associated with the IPsec-VPN connection. In this example, VPN Gateway is selected. |
| VPN Gateway | Select the VPN gateway that you want to connect. In this example, the VPN gateway that is created in Step 1 is selected. |
| Routing Mode | Select a routing mode. Valid values: Destination Routing Mode or Protected Data Flows. If the IPsec-VPN connection uses BGP dynamic routing, we recommend that you select Destination Routing Mode. In this example, Destination Routing Mode is selected. |
| Effective Immediately | Specify whether to immediately start negotiations for the connection. Valid values: Yes (starts negotiations after the configuration is complete) or No (starts negotiations when traffic is detected). In this example, Yes is selected. |
| Customer Gateway | Select the customer gateway that you want to connect. In this example, the customer gateway that is created in Step 3 is selected. |
| Pre-Shared Key | Enter a pre-shared key. Make sure that the VPC and the data center use the same pre-shared key. In this example, 123456**** is used. |
| Enable BGP | If you want to use Border Gateway Protocol (BGP) routing for the IPsec-VPN connection, turn on Enable BGP. By default, Enable BGP is turned off. In this example, Enable BGP is turned on. |
| Local ASN | Enter the ASN on the VPC side. Default value: 45104. In this example, 65530 is used. |
| Version | Select an IKE version. In this example, ikev2 is selected. |
| Encryption Algorithm | Select an encryption algorithm. In this example, aes is selected. |
| Authentication Algorithm | Select an authentication algorithm. In this example, sha1 is selected. |
| DH Group | Select a DH group. In this example, group2 is selected. |
| Tunnel CIDR Block | Enter the CIDR block of the IPsec tunnel. The CIDR block must fall within 169.254.0.0/16, and its subnet mask must be 30 bits in length. In this example, 169.254.10.0/30 is used. |
| Local BGP IP Address | Enter the BGP IP address on the VPC side. The IP address must fall within the CIDR block of the IPsec tunnel. In this example, 169.254.10.1 is used. Note: Make sure that the BGP IP addresses on the VPC side and on the data center side do not conflict with each other. |
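The tunnel and BGP parameters above carry several constraints that are easy to get wrong when the two sides are configured by different teams (tunnel CIDR inside 169.254.0.0/16 with a /30 mask, both BGP IP addresses inside that CIDR and distinct, non-overlapping VPC and data center CIDRs, different ASNs on the two sides). The following Python script, added here as an illustration and not part of the original topic or any Alibaba Cloud tool, checks a planned parameter set against those constraints before anything is created on either side; the function name and its argument layout are assumptions of this example.

```python
import ipaddress

# Constraint from this topic: the tunnel CIDR must fall within 169.254.0.0/16.
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def validate_bgp_ipsec_plan(vpc_cidr, dc_cidr, tunnel_cidr,
                            local_bgp_ip, remote_bgp_ip, local_asn, remote_asn):
    """Return a list of problems; an empty list means the plan meets the topic's constraints."""
    problems = []
    try:
        vpc = ipaddress.ip_network(vpc_cidr, strict=True)
        dc = ipaddress.ip_network(dc_cidr, strict=True)
        tunnel = ipaddress.ip_network(tunnel_cidr, strict=True)
        local_ip = ipaddress.ip_address(local_bgp_ip)
        remote_ip = ipaddress.ip_address(remote_bgp_ip)
    except ValueError as exc:
        # Host bits set in a CIDR (for example 169.254.10.1/30) or an unparsable address.
        return [f"invalid address or CIDR: {exc}"]

    # Prerequisite: the data center CIDR must not overlap the VPC CIDR.
    if vpc.overlaps(dc):
        problems.append(f"VPC CIDR {vpc} overlaps data center CIDR {dc}")
    # Tunnel CIDR: inside 169.254.0.0/16 and exactly a /30.
    if not tunnel.subnet_of(LINK_LOCAL):
        problems.append(f"tunnel CIDR {tunnel} is not within {LINK_LOCAL}")
    if tunnel.prefixlen != 30:
        problems.append(f"tunnel CIDR {tunnel} must use a 30-bit mask")
    # Both BGP IP addresses must be usable hosts inside the tunnel CIDR and must differ.
    usable_hosts = set(tunnel.hosts())
    for side, ip in (("local (VPC)", local_ip), ("remote (data center)", remote_ip)):
        if ip not in usable_hosts:
            problems.append(f"{side} BGP IP {ip} is not a usable host address in {tunnel}")
    if local_ip == remote_ip:
        problems.append(f"local and remote BGP IP addresses both equal {local_ip}")
    # ASNs: valid 32-bit values, and different on the two sides (this is an eBGP peering).
    for side, asn in (("local", local_asn), ("remote", remote_asn)):
        if not 1 <= asn <= 4294967295:
            problems.append(f"{side} ASN {asn} is outside the valid range 1-4294967295")
    if local_asn == remote_asn:
        problems.append(f"local and remote ASN are both {local_asn}; eBGP peers need different ASNs")
    return problems


if __name__ == "__main__":
    # Values used in this topic's scenario.
    plan = validate_bgp_ipsec_plan("10.0.0.0/8", "172.17.0.0/16", "169.254.10.0/30",
                                   "169.254.10.1", "169.254.10.2", 65530, 65531)
    print("OK" if not plan else "\n".join(plan))
```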
In the Created message, click OK.
Step 5: Add VPN configurations to the gateway device in the data center
After you create an IPsec-VPN connection, you need to add the VPN configurations to the gateway device in the data center to establish a VPN connection between the VPC and the data center.
The following example shows how to add VPN configurations to the gateway device in the data center. In this example, a Cisco firewall device that runs the Cisco IOS XE system is used.
The following content contains third-party product information, which is for reference only. Alibaba Cloud does not make guarantees or other forms of commitments for the performance and reliability of the third-party tools, and potential impacts of operations on these tools.
The commands may vary with different vendors. Contact the vendor to obtain the information about specific commands.
Log on to the command-line interface (CLI) of the Cisco firewall device.
Run the following commands to configure the IKEv2 proposal and policy. The comment lines start with `!` so that the block can be pasted into the IOS XE CLI as-is:

```
crypto ikev2 proposal alicloud
! Specify the encryption algorithm. In this example, aes-cbc-128 is used.
 encryption aes-cbc-128
! Specify the authentication algorithm. In this example, sha1 is used.
 integrity sha1
! Specify the DH group. In this example, group 2 is used.
 group 2
 exit
!
crypto ikev2 policy Pureport_Pol_ikev2
 proposal alicloud
 exit
!
```

Run the following commands to configure an IKEv2 keyring:

```
crypto ikev2 keyring alicloud
 peer alicloud
! Specify the public IP address of the VPN gateway on the VPC side. In this example, 1.XX.XX.1 is used.
  address 1.XX.XX.1
! Specify the pre-shared key. It must match the key entered for the IPsec-VPN connection. In this example, 123456**** is used.
  pre-shared-key 123456****
 exit
!
```

Run the following commands to configure an IKEv2 profile:

```
crypto ikev2 profile alicloud
! Match the public IP address of the VPN gateway on the VPC side. In this example, 1.XX.XX.1 is used.
 match identity remote address 1.XX.XX.1 255.255.255.255
! Specify the public IP address of the data center as the local identity. In this example, 2.XX.XX.2 is used.
 identity local address 2.XX.XX.2
! Authenticate the VPC side with the pre-shared key.
 authentication remote pre-share
! Authenticate the data center side with the pre-shared key.
 authentication local pre-share
! Reference the IKEv2 keyring configured above.
 keyring local alicloud
 exit
!
```

Run the following commands to configure a transform set:

```
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
 mode tunnel
 exit
!
```

Run the following commands to configure an IPsec profile that references the transform set, Perfect Forward Secrecy (PFS), and the IKEv2 profile:

```
crypto ipsec profile alicloud
 set transform-set TSET
 set pfs group2
 set ikev2-profile alicloud
 exit
!
```

Run the following commands to configure the IPsec tunnel:

```
interface Tunnel100
! Specify the tunnel address on the data center side. In this example, 169.254.10.2 is used.
 ip address 169.254.10.2 255.255.255.252
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
! Specify the public IP address of the VPN gateway on the Alibaba Cloud side. In this example, 1.XX.XX.1 is used.
 tunnel destination 1.XX.XX.1
 tunnel protection ipsec profile alicloud
 no shutdown
 exit
!
interface GigabitEthernet1
 ip address 2.XX.XX.2 255.255.255.0
 negotiation auto
!
```

Run the following commands to configure BGP:

```
! Enable BGP routing and specify the ASN of the data center. In this example, 65531 is used.
router bgp 65531
! Specify the BGP router ID. In this example, 169.254.10.2 is used.
 bgp router-id 169.254.10.2
 bgp log-neighbor-changes
! Specify the BGP peer (the local BGP IP address on the VPC side) and its ASN.
 neighbor 169.254.10.1 remote-as 65530
! Set the eBGP hop count to 10.
 neighbor 169.254.10.1 ebgp-multihop 10
 !
 address-family ipv4
! Advertise the CIDR block of the data center. In this example, 172.17.0.0/16 is used.
  network 172.17.0.0 mask 255.255.0.0
! Activate the BGP peer.
  neighbor 169.254.10.1 activate
 exit-address-family
!
```
After the IPsec-VPN connection is established, the VPN gateway of the VPC and the gateway device in the data center exchange routes as follows:
The gateway device in the data center advertises the CIDR block of the data center to the VPN gateway of the VPC over BGP. The VPN gateway automatically adds the learned routes to the system route table of the VPC. You can view these routes on the Dynamic Route tab of the system route table.
The VPN gateway on Alibaba Cloud automatically learns the system routes and custom routes in the system route table of the VPC, and advertises them to the customer gateway over BGP.
Step 6: Test the network connectivity
Log on to an ECS instance in the VPC that is not assigned a public IP address. For more information about how to log on to an ECS instance, see Connection method overview.
Run the ping command to access a client in the data center and check the connectivity. The result shows that the ECS instance in the VPC can access the client in the data center.
Log on to the client in the data center.
Run the ping command to access the ECS instance in the VPC and check the connectivity. The result shows that the client in the data center can access the ECS instance in the VPC.