
VPN Gateway:Connect a VPC to a data center in dual-tunnel and BGP routing mode

Last Updated:Mar 08, 2024

This topic describes how to create an IPsec-VPN connection in dual-tunnel mode between a virtual private cloud (VPC) and a data center by using a public VPN gateway. The IPsec-VPN connection can enable encrypted communication between the VPC and the data center and ensure high availability of the connection. Meanwhile, Border Gateway Protocol (BGP) is used to enable automatic route learning, which simplifies network O&M and reduces the risk of configuration errors.

Prerequisites

  • If the IPsec-VPN connection is associated with a public VPN gateway, a public IP address must be assigned to the on-premises gateway device.

    For regions that support the dual-tunnel mode, we recommend that you configure two public IP addresses for the on-premises gateway device. Alternatively, you can deploy two on-premises gateway devices in the data center and configure a public IP address for each gateway device. This way, you can create high-availability IPsec-VPN connections. For more information about the regions that support the dual-tunnel mode, see [Upgrade notice] IPsec-VPN connections support the dual-tunnel mode.

  • The on-premises gateway device must support IKEv1 or IKEv2 to establish IPsec-VPN connections with a VPN gateway.

  • The CIDR block of the data center does not overlap with the CIDR block of the VPC.

Regions that support BGP dynamic routing

  • Asia Pacific: China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Shenzhen), China (Hong Kong), Japan (Tokyo), Singapore, Australia (Sydney), Malaysia (Kuala Lumpur), Indonesia (Jakarta), and India (Mumbai)

  • Europe and Americas: Germany (Frankfurt), UK (London), US (Virginia), and US (Silicon Valley)

  • Middle East and India: UAE (Dubai)

Example

In this example, the following scenario is used. An enterprise has created a VPC in the China (Hohhot) region. The primary CIDR block of the VPC is 192.168.0.0/16. The enterprise has a data center in Hohhot. Due to business development, the devices in the CIDR block 172.16.0.0/16 of the data center need to access the VPC. To meet this requirement, the enterprise can establish an IPsec-VPN connection between the VPC and the data center. The IPsec-VPN connection enables encrypted communication between the VPC and the data center and ensures high availability of the connection.

[Figure: interconnection between the data center (IDC) and the VPC in dual-tunnel mode]

BGP tunnel CIDR blocks

In this example, the data center and VPC use BGP to automatically learn and advertise routes. The following table describes the BGP tunnel CIDR blocks of the data center and IPsec-VPN connection.

Note

If an IPsec-VPN connection uses BGP dynamic routing, the Local ASN of the two tunnels must be the same. The peer ASNs of the two tunnels can be different, but we recommend that you use the same peer ASN.

Item                 | IPsec tunnel   | BGP autonomous system number (ASN) | BGP tunnel CIDR block | BGP IP address
---------------------|----------------|------------------------------------|-----------------------|---------------
IPsec-VPN connection | Active tunnel  | 65530                              | 169.254.10.0/30       | 169.254.10.1
IPsec-VPN connection | Standby tunnel | 65530                              | 169.254.20.0/30       | 169.254.20.1
Data center          | Active tunnel  | 65500                              | 169.254.10.0/30       | 169.254.10.2
Data center          | Standby tunnel | 65500                              | 169.254.20.0/30       | 169.254.20.2

Preparations

  • A VPC is created in the China (Hohhot) region, and workloads are deployed on the Elastic Compute Service (ECS) instances in the VPC. For more information, see Create a VPC with an IPv4 CIDR block.

  • The security group rules that are configured on the ECS instances in the VPC and the access control rules of the data center allow the data center and VPC to communicate with each other. For more information about security group rules for ECS instances, see View security group rules and Add a security group rule.

Procedure

[Figure: configuration procedure for interconnecting the data center (IDC) and the VPC in dual-tunnel mode with BGP]

Step 1: Create a VPN gateway

  1. Log on to the VPN Gateway console.

  2. In the top navigation bar, select the region in which you want to create the VPN gateway.

    The VPN gateway and the VPC that the data center needs to access must be in the same region.

  3. On the VPN Gateway page, click Create VPN Gateway.

  4. On the buy page, configure the following parameters, click Buy Now, and then complete the payment.

    Name
      Description: Enter a name for the VPN gateway.
      Example: In this example, VPNGW is used.

    Resource Group
      Description: Select the resource group to which the VPN gateway belongs. If you leave this parameter empty, the VPN gateway belongs to the default resource group.
      Example: In this example, this parameter is left empty.

    Region
      Description: Select the region in which you want to create the VPN gateway.
      Example: In this example, China (Hohhot) is selected.

    Gateway Type
      Description: Select a gateway type.
      Example: In this example, Standard is selected.

    Network Type
      Description: Select a network type for the VPN gateway.
        • Public: The VPN gateway can be used to establish VPN connections over the Internet.
        • Private: The VPN gateway can be used to establish VPN connections over private networks.
      Example: In this example, Public is selected.

    Tunnels
      Description: Select a tunnel mode. Valid values:
        • Dual-tunnel
        • Single-tunnel
        For more information about the single-tunnel mode and dual-tunnel mode, see [Upgrade notice] IPsec-VPN connections support the dual-tunnel mode.
      Example: In this example, the default value Dual-tunnel is used.

    VPC
      Description: Select the VPC that you want to associate with the VPN gateway.
      Example: In this example, the VPC deployed in the China (Hohhot) region is selected.

    VSwitch
      Description: Select a vSwitch from the selected VPC.
        • If you select Single-tunnel, you need to specify one vSwitch.
        • If you select Dual-tunnel, you need to specify two vSwitches.
        Note
        • The system selects a vSwitch by default. You can keep the default vSwitch or select a different one.
        • After you create a VPN gateway, you cannot change the vSwitch associated with the VPN gateway. You can view the associated vSwitch and the zone of the vSwitch on the details page of the VPN gateway.
      Example: In this example, a vSwitch in the VPC is selected.

    vSwitch 2
      Description: Select another vSwitch from the selected VPC.
        • The two vSwitches must be in different zones to implement zone disaster recovery.
        • For a region that supports only one zone, zone disaster recovery is not supported. We recommend that you specify two vSwitches in the zone to implement high availability of IPsec-VPN connections. You can select the same vSwitch as the first one.
        Note
        If only one vSwitch is deployed in the VPC, create a vSwitch. For more information, see Create and manage a vSwitch.
      Example: In this example, another vSwitch in the VPC is selected.

    Peak Bandwidth
      Description: Select a maximum bandwidth value for the VPN gateway. Unit: Mbit/s.
      Example: In this example, the default value is used.

    Traffic
      Description: Select a metering method for the VPN gateway. Default value: Pay-by-data-transfer. For more information, see Billing rules.
      Example: In this example, the default value is used.

    IPsec-VPN
      Description: Specify whether to enable IPsec-VPN. Default value: Enable.
      Example: In this example, Enable is selected.

    SSL-VPN
      Description: Specify whether to enable SSL-VPN. Default value: Disable.
      Example: In this example, Disable is selected.

    Duration
      Description: Select a billing cycle for the VPN gateway. Default value: By Hour.
      Example: In this example, the default value is used.

    Service-linked Role
      Description: Click Create Service-linked Role. The system then automatically creates the service-linked role AliyunServiceRoleForVpn. The VPN gateway assumes this role to access other cloud resources. For more information, see AliyunServiceRoleForVpn. If Created is displayed, the service-linked role already exists and you do not need to create it again.
      Example: Configure this parameter based on actual conditions.

  5. After you create the VPN gateway, view the VPN gateway on the VPN Gateway page.

    The newly created VPN gateway is in the Preparing state and changes to the Normal state after about 1 to 5 minutes. After the status changes to Normal, the VPN gateway is ready for use.

    Two public IP addresses are assigned to each public VPN gateway for establishing two encrypted tunnels. The following table describes the public IP addresses that are assigned to the VPN gateway.

    IPsec tunnel              | IP address
    --------------------------|-------------
    Tunnel 1 (active tunnel)  | 47.XX.XX.157
    Tunnel 2 (standby tunnel) | 47.XX.XX.138

Step 2: Create a customer gateway

  1. In the left-side navigation pane, choose Interconnections > VPN > Customer Gateways.

  2. In the top navigation bar, select the region in which you want to create the customer gateway.

    Make sure that the customer gateway and the VPN gateway to be connected are deployed in the same region.

  3. On the Customer Gateways page, click Create Customer Gateway.

  4. In the Create Customer Gateway panel, configure the following parameters and click OK.

    You must create two customer gateways in order to create two encrypted tunnels. The following table describes only the parameters that are relevant to this topic. You can use the default values for other parameters or leave them empty. For more information, see Create and manage a customer gateway.

    Parameter  | Description                                                            | Customer gateway 1 | Customer gateway 2
    -----------|------------------------------------------------------------------------|--------------------|-------------------
    Name       | Enter a name for the customer gateway.                                 | CustomerGW1        | CustomerGW2
    IP Address | Enter the public IP address of the gateway device in the data center.  | 211.XX.XX.36       | 211.XX.XX.71
    ASN        | Enter the BGP ASN of the gateway device in the data center.            | 65500              | 65500

Step 3: Create an IPsec-VPN connection

  1. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

  2. In the top navigation bar, select the region in which you want to create the IPsec-VPN connection.

    Make sure that the IPsec-VPN connection and the VPN gateway are in the same region.

  3. On the IPsec Connections page, click Create IPsec-VPN Connection.

  4. On the Create IPsec-VPN Connection page, configure the following parameters and click OK.

    Name
      Description: Enter a name for the IPsec-VPN connection.
      Example: In this example, IPsec-Connection is used.

    Resource Group
      Description: Select the resource group to which the VPN gateway belongs.
      Example: In this example, the default resource group is selected.

    Associate Resource
      Description: Select the type of network resource to be associated with the IPsec-VPN connection.
      Example: In this example, VPN Gateway is selected.

    VPN Gateway
      Description: Select the VPN gateway that you want to associate with the IPsec-VPN connection.
      Example: In this example, the VPN gateway VPNGW is selected.

    Routing Mode
      Description: Select a routing mode.
        • Destination Routing Mode: Traffic is forwarded based on the destination IP address.
        • Protected Data Flows: Traffic is forwarded based on the source and destination IP addresses.
      Example: In this example, Destination Routing Mode is selected.

    Effective Immediately
      Description: Specify whether to immediately start negotiations for the connection. Valid values:
        • Yes: starts negotiations after the configuration is complete.
        • No: starts negotiations when traffic is detected.
      Example: In this example, Yes is selected.

    Enable BGP
      Description: If you want to use Border Gateway Protocol (BGP) routing for the IPsec-VPN connection, turn on Enable BGP. By default, Enable BGP is turned off.
      Example: In this example, BGP is enabled.

    Local ASN
      Description: Enter the ASN on the VPC side. Default value: 45104. Valid values: 1 to 4294967295.
      Example: In this example, 65530 is used.

    Tunnel 1
      Description: Configure VPN parameters for the active tunnel. By default, Tunnel 1 serves as the active tunnel and Tunnel 2 serves as the standby tunnel. You cannot modify this assignment.

      Customer Gateway
        Description: Select the customer gateway that you want to associate with the active tunnel.
        Example: In this example, CustomerGW1 is selected.

      Pre-Shared Key
        Description: Enter a pre-shared key for the active tunnel to verify identities.
          • The pre-shared key must be 1 to 100 characters in length, and can contain digits, letters, and the following characters: ~ ` ! @ # $ % ^ & * ( ) _ - + = { } [ ] \ | ; : ' , . < > / ?
          • If you do not specify a pre-shared key, the system generates a random 16-character string as the pre-shared key.
          Important
          The IPsec-VPN connection and the peer gateway device must use the same pre-shared key. Otherwise, the system cannot establish an IPsec-VPN connection.
        Example: In this example, fddsFF123**** is used.

      Encryption Configuration
        Description: Configure the parameters for Internet Key Exchange (IKE), IPsec, dead peer detection (DPD), and NAT traversal.
        Example: In this example, IKEv2 is used. Other parameters use the default values. For more information, see Create and manage an IPsec-VPN connection in dual-tunnel mode.

      BGP Configuration
        Description: Configure the BGP parameters.
          • Tunnel CIDR Block: Enter a CIDR block for the active tunnel. The CIDR block must fall within 169.254.0.0/16, and the mask of the CIDR block must be 30 bits in length.
            Note
            On a VPN gateway, the CIDR block of each tunnel must be unique.
          • Local BGP IP address: Enter the BGP IP address of the tunnel. The IP address must fall within the CIDR block of the tunnel.
        Example:
          • Tunnel CIDR Block: 169.254.10.0/30
          • Local BGP IP address: 169.254.10.1

    Tunnel 2
      Description: Configure VPN parameters for the standby tunnel.

      Customer Gateway
        Description: Select the customer gateway that you want to associate with the standby tunnel.
        Example: In this example, CustomerGW2 is selected.

      Pre-Shared Key
        Description: Enter a pre-shared key for the standby tunnel to verify identities.
        Example: In this example, fddsFF456**** is used.

      Encryption Configuration
        Description: Configure the parameters for IKE, IPsec, DPD, and NAT traversal.
        Example: In this example, IKEv2 is used. Other parameters use the default values. For more information, see Create and manage an IPsec-VPN connection in dual-tunnel mode.

      BGP Configuration
        Description: Configure the BGP parameters.
        Example:
          • Tunnel CIDR Block: 169.254.20.0/30
          • Local BGP IP address: 169.254.20.1

    Tags
      Description: Add a tag to the IPsec-VPN connection.
      Example: In this example, this parameter is left empty.

  5. In the Created message, click OK.

  6. On the IPsec Connections page, find the IPsec-VPN connection that you create and click Generate Peer Configuration in the Actions column.

    The peer configuration is the set of VPN parameters that the on-premises side must use to match the IPsec-VPN connection you created. In this example, you add these parameters to the gateway devices in the data center.

  7. In the IPsec-VPN Connection Configuration dialog box, copy and save the configurations to an on-premises machine. The configurations are required when you configure the gateway device of the data center.
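Before you submit the Step 3 form, the planned parameters can be checked against the rules this topic states: one Local ASN for both tunnels, tunnel CIDR blocks inside 169.254.0.0/16 with a 30-bit mask and unique per VPN gateway, a Local BGP IP address inside its block, the pre-shared key length and character set, and no overlap between the data center and VPC CIDR blocks. The following Python script is an added example, not part of this topic or of Alibaba Cloud's tooling; the function names and the EXAMPLE_PLAN dictionary are the editor's own choices, loaded with the values from this example, and peer_bgp_ip derives the data center's BGP IP as the other usable host of each /30, which is how the table in the BGP tunnel CIDR blocks section pairs .1 with .2.

```python
import ipaddress
import string

# Rules stated in this topic for a dual-tunnel IPsec-VPN connection that uses BGP.
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
PSK_CHARS = set(string.ascii_letters + string.digits
                + "~`!@#$%^&*()_-+={}[]\\|;:',.<>/?")


def check_psk(psk):
    """Pre-shared key: 1 to 100 characters from the documented character set."""
    return 1 <= len(psk) <= 100 and set(psk) <= PSK_CHARS


def peer_bgp_ip(tunnel_cidr, local_bgp_ip):
    """Derive the data center's BGP IP: the other usable host of the /30."""
    net = ipaddress.ip_network(tunnel_cidr)
    local = ipaddress.ip_address(local_bgp_ip)
    return str(next(h for h in net.hosts() if h != local))


def validate_plan(vpc_cidr, dc_cidr, local_asn, tunnels):
    """Return a list of problems; an empty list means the plan is consistent.

    tunnels maps a tunnel name to a dict with the keys cidr, local_bgp_ip,
    peer_asn and psk (the console's Tunnel 1 / Tunnel 2 fields).
    """
    problems = []
    if ipaddress.ip_network(vpc_cidr).overlaps(ipaddress.ip_network(dc_cidr)):
        problems.append("data center CIDR block overlaps the VPC CIDR block")
    if not 1 <= local_asn <= 4294967295:
        problems.append("Local ASN is outside the valid range 1 to 4294967295")
    if len({t["peer_asn"] for t in tunnels.values()}) > 1:
        problems.append("peer ASNs differ (allowed, but one peer ASN is recommended)")
    used = {}
    for name, t in tunnels.items():
        try:
            net = ipaddress.ip_network(t["cidr"])  # strict: host bits must be zero
        except ValueError as exc:
            problems.append(f"{name}: invalid tunnel CIDR block ({exc})")
            continue
        if not net.subnet_of(LINK_LOCAL):
            problems.append(f"{name}: {net} is not within 169.254.0.0/16")
        if net.prefixlen != 30:
            problems.append(f"{name}: {net} does not have a 30-bit mask")
        if ipaddress.ip_address(t["local_bgp_ip"]) not in net:
            problems.append(f"{name}: BGP IP {t['local_bgp_ip']} is not in {net}")
        if net in used:
            problems.append(f"{name}: {net} is already used by {used[net]}")
        used[net] = name
        if not check_psk(t["psk"]):
            problems.append(f"{name}: pre-shared key violates the length or character rules")
    return problems


# Values from this topic's example; the pre-shared keys are the masked placeholders printed there.
EXAMPLE_PLAN = dict(
    vpc_cidr="192.168.0.0/16", dc_cidr="172.16.0.0/16", local_asn=65530,
    tunnels={
        "Tunnel 1 (active)": dict(cidr="169.254.10.0/30", local_bgp_ip="169.254.10.1",
                                  peer_asn=65500, psk="fddsFF123****"),
        "Tunnel 2 (standby)": dict(cidr="169.254.20.0/30", local_bgp_ip="169.254.20.1",
                                   peer_asn=65500, psk="fddsFF456****"),
    },
)

if __name__ == "__main__":
    for line in validate_plan(**EXAMPLE_PLAN) or ["plan is consistent"]:
        print(line)
    for name, t in EXAMPLE_PLAN["tunnels"].items():
        print(f"{name}: data center BGP IP is {peer_bgp_ip(t['cidr'], t['local_bgp_ip'])}")
```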

Step 4: Enable BGP automatic route advertisement

After BGP automatic route advertisement is enabled for the VPN gateway, the VPN gateway can learn routes from the data center and advertise them to the VPC.

  1. In the left-side navigation pane, choose Interconnections > VPN > VPN Gateways.

  2. On the VPN Gateway page, find the VPN gateway that you want to manage, move the pointer over the More icon in the Actions column, and then select Enable Automatic BGP Propagation.

  3. In the Enable Automatic BGP Propagation message, click OK.

Step 5: Configure the gateway devices in the data center

After you create an IPsec-VPN connection on Alibaba Cloud, you need to add VPN and routing configurations to the gateway devices in the data center so that they can establish the IPsec-VPN connection. Network traffic is then transmitted to the VPC over the active tunnel by default. If the active tunnel is down, the standby tunnel automatically takes over.

Note

The following content contains third-party product information, which is only for reference. Alibaba Cloud does not make guarantees or other forms of commitments for the performance and reliability of the third-party tools, or the potential impacts of operations performed by using these tools.

The commands may vary with different vendors. Contact the vendor to obtain the information about specific commands.

  1. Open the CLI of the gateway device.

  2. Run the following commands to configure an IKEv2 proposal and policy:

    // Add the following configurations to on-premises gateway device 1 and gateway device 2 in the data center:
    crypto ikev2 proposal alicloud  
    encryption aes-cbc-128          // Configure the encryption algorithm. In this example, aes-cbc-128 is used. 
    integrity sha1                  // Configure the authentication algorithm. In this example, sha1 is used. 
    group 2                         // Configure the Diffie-Hellman (DH) group. In this example, group 2 is used. 
    exit
    !
    crypto ikev2 policy Pureport_Pol_ikev2
    proposal alicloud
    exit
    !
  3. Run the following commands to configure an IKEv2 keyring:

    // Add the following configurations to on-premises gateway device 1 in the data center:
    crypto ikev2 keyring alicloud
    peer alicloud
    address 47.XX.XX.157             // Configure the public IP address of the active IPsec tunnel. In this example, the IP address is 47.XX.XX.157. 
    pre-shared-key fddsFF123****     // Configure the pre-shared key. In this example, fddsFF123**** is used. 
    exit
    !
    // Add the following configurations to on-premises gateway device 2 in the data center:
    crypto ikev2 keyring alicloud
    peer alicloud
    address 47.XX.XX.138               // Configure the public IP address of the standby IPsec tunnel. In this example, the IP address is 47.XX.XX.138. 
    pre-shared-key fddsFF456****     // Configure the pre-shared key. In this example, fddsFF456**** is used. 
    exit
    !
  4. Run the following commands to configure an IKEv2 profile:

    // Add the following configurations to on-premises gateway device 1 in the data center:
    crypto ikev2 profile alicloud
    match identity remote address 47.XX.XX.157 255.255.255.255    // Specify the public IP address of the active IPsec tunnel. In this example, the IP address is 47.XX.XX.157. 
    identity local address 211.XX.XX.36    // Configure the public IP address of gateway device 1. In this example, the IP address is 211.XX.XX.36. 
    authentication remote pre-share   // Set the authentication mode for the VPC to pre-shared key (PSK). 
    authentication local pre-share    // Set the authentication mode of the data center to PSK. 
    keyring local alicloud            // Invoke the IKEv2 keyring. 
    exit
    !
    // Add the following configurations to on-premises gateway device 2 in the data center:
    crypto ikev2 profile alicloud
    match identity remote address 47.XX.XX.138 255.255.255.255    // Specify the public IP address of the standby IPsec tunnel. In this example, the IP address is 47.XX.XX.138. 
    identity local address 211.XX.XX.71    // Configure the public IP address of gateway device 2. In this example, the IP address is 211.XX.XX.71. 
    authentication remote pre-share   // Set the authentication mode for the VPC to PSK. 
    authentication local pre-share    // Set the authentication mode of the data center to PSK. 
    keyring local alicloud            // Invoke the IKEv2 keyring. 
    exit
    !
    
  5. Run the following command to configure a transform set:

    // Add the following configurations to on-premises gateway device 1 and gateway device 2 in the data center:
    crypto ipsec transform-set TSET esp-aes esp-sha-hmac
    mode tunnel
    exit
    !
  6. Run the following commands to configure an IPsec profile, and invoke the transform set, Perfect Forward Secrecy (PFS), and the IKEv2 profile:

    // Add the following configurations to on-premises gateway device 1 and gateway device 2 in the data center:
    crypto ipsec profile alicloud
    set transform-set TSET
    set pfs group2
    set ikev2-profile alicloud
    exit
    !
  7. Run the following commands to configure the IPsec tunnel:

    // Add the following configurations to on-premises gateway device 1 in the data center:
    interface Tunnel100
    ip address 169.254.10.2 255.255.255.252    // Configure the BGP tunnel IP address of gateway device 1. In this example, the IP address is 169.254.10.2. 
    tunnel source GigabitEthernet1
    tunnel mode ipsec ipv4
    tunnel destination 47.XX.XX.157            // Configure the public IP address of the active IPsec tunnel. In this example, the IP address is 47.XX.XX.157. 
    tunnel protection ipsec profile alicloud
    no shutdown
    exit
    !
    interface GigabitEthernet1                 // Configure the IP address of the interface that is used to connect to the VPN gateway. 
    ip address 211.XX.XX.36 255.255.255.0
    negotiation auto
    !
    // Add the following configurations to on-premises gateway device 2:
    interface Tunnel100
    ip address 169.254.20.2 255.255.255.252    // Configure the BGP tunnel IP address of gateway device 2. In this example, the IP address is 169.254.20.2. 
    tunnel source GigabitEthernet1
    tunnel mode ipsec ipv4
    tunnel destination 47.XX.XX.138            // Configure the public IP address of the standby IPsec tunnel. In this example, the IP address is 47.XX.XX.138. 
    tunnel protection ipsec profile alicloud
    no shutdown
    exit
    !
    interface GigabitEthernet1                 // Configure the IP address of the interface that is used to connect to the VPN gateway. 
    ip address 211.XX.XX.71 255.255.255.0
    negotiation auto
    !
    
  8. Run the following commands to configure BGP:

    // Add the following configurations to on-premises gateway device 1 in the data center:
    router bgp 65500                         // Enable BGP and configure the BGP ASN of the data center. In this example, the ASN is 65500. 
    bgp router-id 169.254.10.2               // Specify the ID of the BGP router. In this example, 169.254.10.2 is used. 
    bgp log-neighbor-changes
    neighbor 169.254.10.1 remote-as 65530    // Specify the ASN of the BGP neighbor. In this example, the BGP neighbor is the active IPsec tunnel and the ASN is 65530. 
    neighbor 169.254.10.1 ebgp-multihop 10   // Set the eBGP hop-count to 10.   
    !
    address-family ipv4
    network 172.16.0.0 mask 255.255.0.0   // Advertise the CIDR block of the data center.
    neighbor 169.254.10.1 activate           // Activate the BGP peer. 
    exit-address-family
    !
    // Add the following configurations to on-premises gateway device 2:
    router bgp 65500                         // Enable BGP and configure the BGP ASN of the data center. In this example, the ASN is 65500. 
    bgp router-id 169.254.20.2               // Specify the ID of the BGP router. In this example, the ID is 169.254.20.2. 
    bgp log-neighbor-changes
    neighbor 169.254.20.1 remote-as 65530    // Specify the ASN of the BGP neighbor. In this example, the BGP neighbor is the standby IPsec tunnel and the ASN is 65530. 
    neighbor 169.254.20.1 ebgp-multihop 10   // Set the eBGP hop-count to 10.   
    !
    address-family ipv4
    network 172.16.0.0 mask 255.255.0.0   // Advertise the CIDR block of the data center.  
    neighbor 169.254.20.1 activate           // Activate the BGP peer. 
    exit-address-family
    !

    After you complete the preceding configurations, an IPsec-VPN connection is established between the data center and VPN gateway. The data center and VPN gateway can learn routes from each other over BGP.

  9. Add routes to the data center based on your network environment. The routes must allow network traffic to be transmitted from the data center to the VPC preferentially over gateway device 1. If gateway device 1 is down, gateway device 2 automatically takes over. Contact the vendor to obtain the information about specific commands.

Step 6: Test network connectivity

  1. Test the network connectivity between the VPC and data center.

    1. Log on to an ECS instance in the VPC. For more information about how to log on to an ECS instance, see Connection method overview.

    2. Run the ping command on the ECS instance to ping a server in the data center to test the accessibility of the data center.

      If an echo reply packet is returned to the ECS instance, it indicates that the VPC can communicate with the data center.

      ping <IP address of a server in the data center>
  2. Test high availability of the IPsec-VPN connection.

    1. Log on to an ECS instance in the VPC. For more information about how to log on to an ECS instance, see Connection method overview.

    2. Run the following command to consecutively send packets from the ECS instance to the data center:

      ping <IP address of a server in the data center> -c 10000
    3. Close the active tunnel of the IPsec-VPN connection.

      You can close the active tunnel by modifying the pre-shared key of the active tunnel. The active tunnel is closed when the two sides of the tunnel use different pre-shared keys.

    4. After the active tunnel is closed, you can check the traffic status on the ECS instance. If the traffic is interrupted and then resumed, it indicates that the standby tunnel automatically takes over after the active tunnel is down.
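To make the high-availability test repeatable, the ping output captured on the ECS instance can be parsed for gaps in icmp_seq, which show whether traffic was interrupted and then resumed as Step 6 expects, and how long the switch to the standby tunnel took. The following Python script is an added example, not part of this topic; SAMPLE_PING_OUTPUT is a constructed capture (the server address 172.16.1.10 is made up within the data center CIDR block), and the default 1-second ping interval is assumed when converting lost probes to seconds.

```python
import re

# Constructed sample of Linux ping output captured on the ECS instance during the test.
# Replies for icmp_seq 6 to 9 never arrived: the active tunnel was closed and the
# standby tunnel took over. The summary line is what ping prints on exit.
SAMPLE_PING_OUTPUT = """\
PING 172.16.1.10 (172.16.1.10) 56(84) bytes of data.
64 bytes from 172.16.1.10: icmp_seq=1 ttl=62 time=3.21 ms
64 bytes from 172.16.1.10: icmp_seq=2 ttl=62 time=3.18 ms
64 bytes from 172.16.1.10: icmp_seq=3 ttl=62 time=3.30 ms
64 bytes from 172.16.1.10: icmp_seq=4 ttl=62 time=3.25 ms
64 bytes from 172.16.1.10: icmp_seq=5 ttl=62 time=3.19 ms
64 bytes from 172.16.1.10: icmp_seq=10 ttl=62 time=3.44 ms
64 bytes from 172.16.1.10: icmp_seq=11 ttl=62 time=3.40 ms
64 bytes from 172.16.1.10: icmp_seq=12 ttl=62 time=3.37 ms

--- 172.16.1.10 ping statistics ---
12 packets transmitted, 8 received, 33.3333% packet loss, time 11018ms
"""

SEQ_RE = re.compile(r"\bicmp_seq=(\d+)")
SUMMARY_RE = re.compile(r"(\d+) packets transmitted, (\d+) received")
TAIL_GRACE = 1  # one in-flight probe may be cut off when ping is stopped with Ctrl-C


def reply_sequence(output):
    """Sequence numbers of the echo replies that actually came back, in order."""
    return [int(m.group(1)) for m in SEQ_RE.finditer(output)]


def find_outages(seqs, interval=1.0):
    """Gaps between consecutive replies as (first_lost_seq, last_lost_seq, seconds)."""
    outages = []
    for prev, cur in zip(seqs, seqs[1:]):
        if cur - prev > 1:
            outages.append((prev + 1, cur - 1, (cur - prev - 1) * interval))
    return outages


def analyze_failover(output, interval=1.0):
    """Summarize the test: did traffic stop, and did it resume on its own?"""
    seqs = reply_sequence(output)
    m = SUMMARY_RE.search(output)
    transmitted = int(m.group(1)) if m else (seqs[-1] if seqs else 0)
    outages = find_outages(seqs, interval)
    tail_lost = transmitted - seqs[-1] if seqs else transmitted
    if not seqs:
        verdict = "no replies at all: check the IPsec-VPN connection before testing failover"
    elif outages:
        verdict = "traffic was interrupted and then resumed: the standby tunnel took over"
    elif tail_lost > TAIL_GRACE:
        verdict = "traffic stopped and did not resume: the standby tunnel did not take over"
    else:
        verdict = "no interruption observed: the active tunnel may not have been closed"
    return {"replies": len(seqs), "transmitted": transmitted, "outages": outages,
            "longest_outage_s": max((o[2] for o in outages), default=0.0),
            "tail_lost": tail_lost, "verdict": verdict}


if __name__ == "__main__":
    for key, value in analyze_failover(SAMPLE_PING_OUTPUT).items():
        print(f"{key}: {value}")
```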