Connect a VPC to a data center by using an IPsec-VPN connection in single-tunnel mode and enable BGP routing - VPN Gateway

This topic describes how to establish an IPsec-VPN connection in single-tunnel mode between a virtual private cloud (VPC) and a data center by using a public VPN gateway, and how to configure Border Gateway Protocol (BGP) dynamic routing for the VPC and the data center to automatically learn routes. This way, the VPC and the data center can share resources with each other. This reduces network maintenance costs and network configuration errors.

Prerequisites

Before you associate an IPsec-VPN connection with a public VPN gateway, make sure that a public IP address is assigned to the gateway device in the data center.
The on-premises gateway device must support IKEv1 or IKEv2 to establish IPsec-VPN connections with a VPN gateway.
The CIDR block of the data center does not overlap with the CIDR block of the VPC.

Regions that support BGP dynamic routing

Area	Region
Asia Pacific	China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Shenzhen), China (Hong Kong), Japan (Tokyo), Singapore, Australia (Sydney), Malaysia (Kuala Lumpur), Indonesia (Jakarta), and India (Mumbai)
Europe & Americas	Germany (Frankfurt), UK (London), US (Virginia), and US (Silicon Valley)
Middle East & India	UAE (Dubai)

Scenarios

The following figure shows the scenario that is used in this example. An enterprise created a VPC in the Germany (Frankfurt) region. The private CIDR block of the VPC is 10.0.0.0/8 and the autonomous system number (ASN) is 65530. The enterprise has a data center in Frankfurt. The public IP address of the data center is 2.XX.XX.2, the private CIDR block is 172.17.0.0/16, and the ASN is 65531. The enterprise wants to establish a connection between the VPC and the data center for business development.

You can use IPsec-VPN to establish a connection between the VPC and the data center, and configure BGP dynamic routing. After the configuration is completed, the VPC and the data center can automatically learn routes and communicate with each other by using BGP. This reduces network maintenance costs and network configuration errors.

Note

An autonomous system (AS) is a small unit that independently decides which routing protocol to use in the system. This unit is an independent and manageable network unit. It may consist of a simple network or a network group that is controlled by one or more network administrators. Each AS has a globally unique identifier called ASN.

Prerequisites

A VPC is created in the Germany (Frankfurt) region and cloud services are deployed in the VPC. For more information, see Create an IPv4 VPC.
You have read and understand the security group rules that apply to the ECS instances in VPCs, and the security group rules allow gateway devices in the data center to access cloud resources. For more information, see View security group rules and Add a security group rule.

Procedure

Step 1: Create a VPN gateway

Log on to the VPN gateway console.
On the VPN Gateways page, click Create VPN Gateway.

On the buy page, configure the following parameters, click Buy Now, and then complete the payment.

Parameter	Description
Name	Enter a name for the VPN gateway. In this example, `VPN` is used.
Region	Select the region where you want to create the VPN gateway. Make sure that the VPN gateway and the VPC are deployed in the same region. In this example, Germany (Frankfurt) is selected.
Gateway Type	Select a VPN gateway type. Default value: Standard.
Network Type	Select a network type. In this example, Public is selected.
Tunnels	The supported tunnel modes are automatically displayed. Single-tunnel Dual-tunnel For more information, see [Upgrade notice] IPsec-VPN connections support the dual-tunnel mode.
VPC	Select the VPC where you want to create the VPN gateway. In this example, the VPC that is created in the Germany (Frankfurt) region is selected.
VSwitch	Select a vSwitch from the selected VPC. If you select Single-tunnel, you need to specify one vSwitch. If you select Dual-tunnel, you need to specify two vSwitches. Note The system selects a vSwitch by default. You can change or use the default vSwitch. After you create a VPN gateway, you cannot change the vSwitch associated with the VPN gateway. You can view the associated vSwitch and the zone of the vSwitch on the details page of the VPN gateway.
vSwitch 2	Ignore this parameter if you select Single-tunnel.
Maximum Bandwidth	Select a maximum bandwidth value for the VPN gateway. Unit: Mbit/s. The bandwidth is used by the VPN gateway for data transfer over the Internet. 5 Mbit/s is selected in this example.
Traffic	By default, the VPN gateway uses the pay-by-data-transfer metering method. For more information, see Billing.
IPsec-VPN	Specify whether to enable the IPsec-VPN feature. In this example, Enable is selected.
SSL-VPN	Specify whether to enable the SSL-VPN feature. Disable is selected in this example.
Duration	Select a billing cycle. Default value: By Hour.
Service-linked Role	Click Create Service-linked Role. Then, the system automatically creates the service-linked role AliyunServiceRoleForVpn. A VPN gateway assumes this role to access other cloud resources. For more information, see AliyunServiceRoleForVpn. If Created is displayed, the service-linked role is created and you do not need to create it again.

The newly created VPN gateway is in the Preparing state and changes to the Normal state after about 1 to 5 minutes. After the status changes to Normal, the VPN gateway is ready for use. After the VPN gateway is created, a public IP address is automatically assigned to the gateway for establishing VPN connections. VPN网关公网IP地址

Note

If you want to use an existing VPN gateway, make sure that it is updated to the latest version. If the existing VPN gateway does not use the latest version, you cannot use BGP dynamic routing by default.

You can check whether your VPN gateway uses the latest version based on the status of the Upgrade button. If your VPN gateway does not use the latest version, you can click upgrade to update your VPN gateway. For more information, see Upgrade a VPN gateway.

Step 2: Enable BGP dynamic routing

BGP is used to exchange routing information between different ASs. To use BGP dynamic routing, you must enable BGP dynamic routing for the VPN gateway.

In the left-side navigation pane, choose Interconnections > VPN > VPN Gateways.
In the top navigation bar, select the region of the VPN gateway.
On the VPN Gateways page, find the VPN gateway that you created and choose > Enable Automatic BGP Propagation in the Actions column.
In the Enable Automatic BGP Propagation message, click OK.
After you enable automatic BGP advertising, the VPN gateway automatically advertises BGP routes to the VPC.

Step 3: Create a customer gateway

You can create a customer gateway to register and update information about the data center to Alibaba Cloud, and then connect the customer gateway to the VPN gateway.

In the left-side navigation pane, choose Interconnections > VPN > Customer Gateways.
In the top navigation bar, select the region of the customer gateway.
Note
Make sure that the customer gateway and the VPN gateway to be connected are deployed in the same region.
On the Customer Gateway page, click Create Customer Gateway.

In the Create Customer Gateway panel, configure the following parameters and click OK.

Parameter	Description
Name	Enter a name for the customer gateway. In this example, `CGW` is used.
IP Address	Enter the static public IP address of the gateway device in the data center. In this example, `2.XX.XX.2` is used.
ASN	Enter the ASN of the data center. In this example, `65531` is used.
Description	Enter a description for the customer gateway.

For more information about the parameters, see Create a customer gateway.

After the customer gateway is created, the customer gateway is displayed on the Customer Gateways page.

Step 4: Create an IPsec-VPN connection

In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.
In the top navigation bar, select the region where you want to create the IPsec-VPN connection.
Note
Make sure that the IPsec-VPN connection and the VPN gateway to be connected are deployed in the same region.
On the IPsec Connections page, click Create IPsec-VPN Connection.

On the Create IPsec-VPN Connection page, configure the following parameters and click OK.

The following table describes only the key parameters. The default values are used for the other parameters. For more information, see Create and manage an IPsec-VPN connection in single-tunnel mode.

Parameter	Description
Name	Enter a name for the IPsec-VPN connection. In this example, `VPCTOIDC` is used.
Associate Resource	Select the type of network resource to be associated with the IPsec-VPN connection. In this example, VPN Gateway is selected.
VPN Gateway	Select the VPN gateway that you want to connect. In this example, the VPN gateway that is created in Step 1 is selected.
Customer Gateway	Select the customer gateway that you want to connect. In this example, the customer gateway that is created in Step 3 is selected.
Routing Mode	Select a routing mode. You can select Destination Routing Mode or Protected Data Flows. If the IPsec-VPN connection uses BGP, we recommend that you select Destination Routing Mode. In this example, Destination Routing Mode is selected.
Effective Immediately	Specify whether to immediately start negotiations for the connection. Yes: starts negotiations after the configuration is completed. No: starts negotiations when inbound traffic is detected. Yes is selected in this example.
Pre-Shared Key	Enter a pre-shared key. Make sure that the VPC and the data center use the same pre-shared key. In this example, `123456****` is used.
Version	Select an IKE version. In this example, ikev2 is selected.
Encryption Algorithm	Select an encryption algorithm. In this example, aes is selected.
Authentication Algorithm	Select an authentication algorithm. In this example, sha1 is selected.
DH Group	Select a DH group. In this example, group2 is selected.
Tunnel CIDR Block	Enter the CIDR block of the IPsec tunnel. The CIDR block must fall within 169.254.0.0/16. The subnet mask of the CIDR block must be 30 bits in length. In this example, `169.254.10.0/30` is used.
Local BGP IP address	Enter the BGP IP address on the VPC side. The IP address must fall within the CIDR block of the IPsec tunnel. In this example, `169.254.10.1` is used. Note Make sure that the BGP IP addresses on the VPC side and on the data center side do not conflict with each other.
Local ASN	Enter the ASN on the VPC side. In this example, `65530` is used.

Step 5: Add VPN configurations to the gateway device in the data center

After you create an IPsec-VPN connection, you need to add the VPN configurations to the gateway device in the data center to establish a VPN connection between the VPC and the data center.

The following example shows how to add VPN configurations to the gateway device in the data center. A Cisco firewall device that runs the Cisco IOS XE system is used in the example.

Note

The following content contains third-party product information, which is for reference only. Alibaba Cloud does not make guarantees or other forms of commitments for the performance and reliability of the third-party tools, and potential impacts of operations on these tools.

The commands may vary with different vendors. Contact the vendor to obtain the information about specific commands.

Log on to the command-line interface (CLI) of the Cisco firewall device.

Run the following commands to set the IKEv2 proposal and policy:

crypto ikev2 proposal alicloud  
encryption aes-cbc-128          //Set the encryption algorithm. In this example, aes-cbc-128 is used. 
integrity sha1                  //Set the authentication algorithm. In this example, sha1 is used. 
group 2                         //Set the DH group. In this example, group 2 is used. 
exit
!
crypto ikev2 policy Pureport_Pol_ikev2
proposal alicloud
exit
!

Run the following command to configure an IKEv2 keyring:

crypto ikev2 keyring alicloud
peer alicloud
address 1.XX.XX.1                //Set the public IP address of the VPN gateway on the VPC side. In this example, 1.XX.XX.1 is used. 
pre-shared-key 123456****          //Set the pre-shared key. In this example, 123456**** is used. 
exit
!

Run the following command to configure an IKEv2 profile:

crypto ikev2 profile alicloud
match identity remote address 1.XX.XX.1 255.255.255.255    //Match the public IP address of the VPN gateway on the VPC side. The matched IP address is 1.XX.XX.1 in this example. 
identity local address 2.XX.XX.2    //Set the public IP address of the data center. In this example, 2.XX.XX.2 is used. 
authentication remote pre-share   //Set the authentication mode for the VPC to PSK. 
authentication local pre-share    //Set the authentication mode for the data center to PSK. 
keyring local alicloud            //Invoke the IKEv2 keyring. 
exit
!

Run the following command to configure a transform set:

crypto ipsec transform-set TSET esp-aes esp-sha-hmac
mode tunnel
exit
!

Run the following command to configure an IPsec profile, and invoke the transform set, Perfect Forward Secrecy (PSF), and the IKEv2 profile:
```
crypto ipsec profile alicloud
set transform-set TSET
set pfs group2
set ikev2-profile alicloud
exit
!
```

Run the following commands to configure the IPsec tunnel:

interface Tunnel100
ip address 169.254.10.2 255.255.255.252    //Set the tunnel address on the data center side. In this example, 169.254.10.2 is used. 
tunnel source GigabitEthernet1
tunnel mode ipsec ipv4
tunnel destination 1.XX.XX.1                 //Set the public IP address of the VPN gateway on the Alibaba Cloud side. In this example, 1.XX.XX.1 is used. 
tunnel protection ipsec profile alicloud
no shutdown
exit
!
interface GigabitEthernet1
ip address 2.XX.XX.2 255.255.255.0
negotiation auto
!

Run the following command to configure BGP:

router bgp 65531                         //Enable BGP and set the ASN of the data center. In this example, 65531 is used. 
bgp router-id 169.254.10.2               //Set the BGP router ID. In this example, 169.254.10.2 is used. 
bgp log-neighbor-changes
neighbor 169.254.10.1 remote-as 65530    //Set the ASN of the BGP peer. 
neighbor 169.254.10.1 ebgp-multihop 10   //Set the EBGP hop-count to 10.   
!
address-family ipv4
network 172.17.0.0 mask 255.255.0.0      //Advertise the CIDR block of the data center. In this example, the CIDR block is 172.17.0.0/16. 
neighbor 169.254.10.1 activate           //Activate the BGP peer. 
exit-address-family
!

After you establish the IPsec-VPN connection, the VPN gateway of the VPC and the gateway device in the data center advertise the following routes:

The gateway device in the data center automatically learns routes from the CIDR block of the data center through BGP, and then advertises the routes to the VPN gateway of the VPC. The VPN gateway of the VPC automatically advertises the learned routes to the system route table of the VPC. You can view route information about the system route table on the Dynamic Route tab.
The VPN gateway on Alibaba Cloud automatically learns system routes and custom routes from the system route table of the VPC, and then advertises the routes to the customer VPN gateway.

Step 6: Test the network connectivity

Log on to an ECS instance that is not assigned a public IP address in the VPC. For more information about how to log on to an ECS instance, see Methods used to connect to ECS instances.
Run the ping command to access a client in the local data center and check the connectivity.
The result shows that the ECS instance in the VPC can access the client in the data center.
Log on to the client in the data center.
Run the ping command to access the ECS instance in the VPC and check the connectivity.
The result shows that the client in the data center can access the ECS instance in the VPC.