This topic describes how to create an IPsec-VPN connection in single-tunnel mode between a virtual private cloud (VPC) and a data center by using a public VPN gateway. The IPsec-VPN connection can enable private communication between the VPC and the data center.
Prerequisites
Before you associate an IPsec-VPN connection with a public VPN gateway, make sure that a public IP address is assigned to the gateway device in the data center.
The gateway device in the data center must support the IKEv1 or IKEv2 protocol to establish an IPsec-VPN connection with a transit router.
The CIDR block of the data center must not overlap with the CIDR block of the network to be accessed. Otherwise, the routes cannot be distinguished.
Example
In this example, the following scenario is used. An enterprise has created a VPC on Alibaba Cloud. The CIDR block of the VPC is 192.168.0.0/16. The CIDR block of the data center is 172.16.0.0/12. The static public IP address of the gateway device in the data center is 211.XX.XX.68. To meet business requirements, the enterprise needs to connect the data center to the VPC. You can create an IPsec-VPN connection to enable encrypted communication between the VPC and the data center.
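The prerequisites above can be checked before anything is created in the console. The following Python script is an added example and is not part of this topic or of any Alibaba Cloud tooling: using only the standard library, it verifies that the VPC and data center CIDR blocks do not overlap, that the customer gateway address is a public IPv4 address, and it returns the destination-based route entry that Step 5 later adds on the VPN gateway. The address 211.0.0.68 is a constructed placeholder for the masked 211.XX.XX.68, and the connection name is the one used in this example.

```python
# Added example (not part of the Alibaba Cloud topic): pre-flight checks for the
# VPC-to-data-center scenario, standard library only.
import ipaddress

VPC_CIDR = "192.168.0.0/16"          # VPC on Alibaba Cloud (value from the topic)
DATA_CENTER_CIDR = "172.16.0.0/12"   # data center (value from the topic)
CUSTOMER_GATEWAY_IP = "211.0.0.68"   # constructed placeholder for the masked 211.XX.XX.68


def cidrs_overlap(cidr_a: str, cidr_b: str) -> bool:
    """True if the two IPv4 CIDR blocks share any address; such blocks cannot be
    routed to each other through the VPN gateway without ambiguity."""
    a = ipaddress.ip_network(cidr_a, strict=False)
    b = ipaddress.ip_network(cidr_b, strict=False)
    return a.overlaps(b)


def is_usable_customer_gateway_ip(ip: str) -> bool:
    """The customer gateway needs a static public IPv4 address: reject anything
    that is not a valid, globally routable unicast IPv4 address."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    if addr.version != 4:
        return False
    return addr.is_global and not addr.is_private and not addr.is_multicast


def preflight(vpc_cidr: str, dc_cidr: str, cgw_ip: str) -> list:
    """Return the list of prerequisite violations; an empty list means all hold."""
    problems = []
    if cidrs_overlap(vpc_cidr, dc_cidr):
        problems.append(f"CIDR overlap: {vpc_cidr} and {dc_cidr}")
    if not is_usable_customer_gateway_ip(cgw_ip):
        problems.append(f"customer gateway IP {cgw_ip} is not a public IPv4 address")
    return problems


def route_entry(dc_cidr: str, connection_name: str) -> dict:
    """The destination-based route that Step 5 adds on the VPN gateway:
    data center CIDR -> IPsec-VPN connection, advertised to the VPC, weight 100."""
    return {
        "destination": str(ipaddress.ip_network(dc_cidr, strict=False)),
        "next_hop_type": "IPsec-VPN connection",
        "next_hop": connection_name,
        "advertise_to_vpc": True,
        "weight": 100,
    }


if __name__ == "__main__":
    print(preflight(VPC_CIDR, DATA_CENTER_CIDR, CUSTOMER_GATEWAY_IP) or "prerequisites OK")
    print(route_entry(DATA_CENTER_CIDR, "IPsec-VPN Connection 1"))
```

Run the script with the real values of your environment before Step 1; a non-empty problem list means the IPsec-VPN connection will either fail to negotiate or will not be able to route traffic to the data center.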
Preparations
A VPC is created and applications are deployed on Elastic Compute Service (ECS) instances in the VPC. For more information, see Create a VPC with an IPv4 CIDR block.
You have read and understood the security group rules that apply to the ECS instances in the VPC, and the rules allow the gateway device in the data center to access the cloud resources. For more information, see Query security group rules and Add security group rules.
Step 1: Create a VPN gateway
- Log on to the VPN gateway console.
- In the top navigation bar, select the region in which you want to create the VPN gateway.
  The VPN gateway and the VPC to be associated must belong to the same region.
- On the VPN Gateways page, click Create VPN Gateway.
- On the buy page, configure the following parameters, click Buy Now, and then complete the payment.
Name: Enter a name for the VPN gateway.
In this example, VPN Gateway 1 is used.
Resource Group: Select the resource group to which the VPN gateway belongs. If you leave this parameter empty, the VPN gateway belongs to the default resource group.
In this example, this parameter is left empty.
Region: Select the region in which you want to create the VPN gateway.
Note: The VPN gateway must belong to the same region as the VPC.
Gateway Type: Select a gateway type. Standard is selected by default.
Network Type: Select a network type for the VPN gateway.
In this example, Public is selected.
Tunnels: The system displays the tunnel modes that are supported in the region. Valid values: Single-tunnel and Dual-tunnel.
For more information, see [Upgrade notice] IPsec-VPN connections support the dual-tunnel mode.
VPC: Select the VPC with which you want to associate the VPN gateway.
VSwitch: Select a vSwitch from the selected VPC.
If you select Single-tunnel, you need to specify only one vSwitch.
If you select Dual-tunnel, you need to specify two vSwitches.
After the IPsec-VPN feature is enabled, the system creates an elastic network interface (ENI) in each vSwitch that you specify. The ENI is the interface through which the VPN gateway communicates with the VPC over the IPsec-VPN connection, and each ENI occupies one IP address in its vSwitch.
Note: The system selects a vSwitch by default. You can keep the default vSwitch or select a different one.
After a VPN gateway is created, you cannot change the vSwitch associated with it. You can view the associated vSwitch, the zone to which the vSwitch belongs, and the ENI in the vSwitch on the details page of the VPN gateway.
vSwitch 2: Ignore this parameter if you select Single-tunnel for the Tunnels parameter.
Maximum Bandwidth: Specify the maximum bandwidth of the VPN gateway. Unit: Mbit/s.
Traffic: Select a metering method for the VPN gateway. Default value: Pay-by-data-transfer.
For more information, see Billing rules.
IPsec-VPN: Specify whether to enable IPsec-VPN.
In this example, Enable is selected.
SSL-VPN: Specify whether to enable SSL-VPN.
In this example, Disable is selected.
Duration: Select a billing cycle for the VPN gateway. By Hour is selected by default.
Service-linked Role: Click Create Service-linked Role. The system automatically creates the service-linked role AliyunServiceRoleForVpn.
The VPN gateway assumes this role to access other cloud resources. For more information, see AliyunServiceRoleForVpn.
If Created is displayed, the service-linked role already exists and you do not need to create it again.
For more information about the parameters, see the Create a VPN gateway section of the "Create and manage a VPN gateway" topic.
- Return to the VPN Gateways page to view the VPN gateway that you created.
  A newly created VPN gateway is in the Preparing state and changes to the Normal state in about 1 to 5 minutes. After the status changes to Normal, the VPN gateway is ready for use.
Step 2: Create a customer gateway
- In the left-side navigation pane, choose .
- In the top navigation bar, select the region in which you want to create the customer gateway.
  Note: Make sure that the customer gateway and the VPN gateway to be connected are deployed in the same region.
- On the Customer Gateway page, click Create Customer Gateway.
- In the Create Customer Gateway panel, configure the following parameters and click OK.
  This topic describes only the required parameters. You can use the default values for the other parameters or leave them empty. For more information, see Create and manage a customer gateway.
Name: Enter a name for the customer gateway.
In this example, Customer Gateway 1 is used.
IP Address: Enter the public IP address of the gateway device in the data center that you want to connect to the VPC.
In this example, 211.XX.XX.68 is used.
Step 3: Create an IPsec-VPN connection
- In the left-side navigation pane, choose .
- On the IPsec Connections page, click Bind VPN Gateway.
- On the Create Ipsec-vpn Connection (VPN) page, configure the following parameters and click OK.
Name: Enter a name for the IPsec-VPN connection.
In this example, IPsec-VPN Connection 1 is used.
Region: Select the region in which the VPN gateway to be associated with the IPsec-VPN connection is deployed.
The IPsec-VPN connection is created in the same region as the VPN gateway.
Resource Group: Select the resource group to which the VPN gateway belongs.
In this example, the default resource group is selected.
Bind VPN Gateway: Select the VPN gateway that you created.
In this example, VPN Gateway 1 is selected.
Routing Mode: Select a routing mode.
In this example, Destination Routing Mode is selected.
Effective Immediately: Specify whether the configuration takes effect immediately.
Yes: Negotiation is initiated as soon as the configuration is complete.
No: Negotiation is initiated only when traffic enters the tunnel.
In this example, Yes is selected.
Customer Gateway: Select the customer gateway that you created.
In this example, Customer Gateway 1 is selected.
Enable BGP: Specify whether to enable Border Gateway Protocol (BGP). If you want to use BGP routing for the IPsec-VPN connection, turn on Enable BGP. By default, Enable BGP is turned off.
In this example, BGP is disabled.
Pre-Shared Key: Enter a pre-shared key.
The key must be 1 to 100 characters in length and can contain digits, uppercase letters, lowercase letters, and the following special characters: ~`!@#$%^&*()_-+={}[]\|;:',.<>/?
If you do not specify a pre-shared key, the system randomly generates a 16-character string as the pre-shared key. After you create the IPsec-VPN connection, you can view the system-generated pre-shared key by clicking Edit. For more information, see Modify an IPsec-VPN connection.
Important: The IPsec-VPN connection and the peer gateway device must use the same pre-shared key. Otherwise, the IPsec-VPN connection cannot be established.
Encryption Configuration: In this example, the Version parameter is set to ikev1 and the other parameters use the default values. For more information, see Create and manage IPsec-VPN connections in single-tunnel mode.
Health Check: In this example, the default value is used and no health check is configured for the IPsec-VPN connection.
Tags: Add tags (key-value pairs) to the IPsec-VPN connection.
In this example, this parameter is left empty.
- In the Created message, click Cancel.
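The pre-shared key rules in Step 3 (1 to 100 characters; digits, letters and the listed special characters; the same key on both ends) are easy to get wrong when a key is typed or pasted into the data center gateway. The following Python code is an added example, not part of this topic or of Alibaba Cloud tooling: it validates a candidate key against exactly those rules, generates a key from the allowed alphabet with a cryptographically secure generator, and compares the cloud-side and gateway-side values so that a stray space or line ending is caught before negotiation fails. The default generated length of 32 characters is a choice made here; the console itself generates 16 characters when the field is left empty.

```python
# Added example (not part of the Alibaba Cloud topic): pre-shared key hygiene
# for the IPsec-VPN connection and the peer gateway device.
import secrets
import string

# Special characters allowed by the console, exactly as listed in Step 3
# (the backslash is doubled only because this is a Python string literal).
PSK_SPECIALS = "~`!@#$%^&*()_-+={}[]\\|;:',.<>/?"
PSK_ALPHABET = string.ascii_letters + string.digits + PSK_SPECIALS
PSK_MIN_LEN, PSK_MAX_LEN = 1, 100
CONSOLE_GENERATED_LEN = 16   # length of the key the console generates if you leave the field empty


def psk_problems(psk: str) -> list:
    """Return the rule violations for a candidate pre-shared key (empty list = valid)."""
    problems = []
    if not PSK_MIN_LEN <= len(psk) <= PSK_MAX_LEN:
        problems.append(f"length {len(psk)} not in {PSK_MIN_LEN}..{PSK_MAX_LEN}")
    bad = sorted({c for c in psk if c not in PSK_ALPHABET})
    if bad:
        # Whitespace and quotes are the usual culprits after copy-and-paste.
        problems.append("disallowed characters: " + repr("".join(bad)))
    return problems


def generate_psk(length: int = 32) -> str:
    """Generate a key from the allowed alphabet using the OS CSPRNG (secrets),
    never random.random, since the key authenticates the whole tunnel."""
    if not PSK_MIN_LEN <= length <= PSK_MAX_LEN:
        raise ValueError(f"length must be {PSK_MIN_LEN}..{PSK_MAX_LEN}")
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


def keys_match(cloud_side: str, gateway_side: str) -> bool:
    """Both ends must hold byte-for-byte identical keys; a trailing newline or
    space copied into the gateway configuration is a mismatch."""
    return secrets.compare_digest(cloud_side.encode(), gateway_side.encode())


if __name__ == "__main__":
    key = generate_psk()
    print("generated key valid:", psk_problems(key) == [])
    print("pasted with trailing space matches:", keys_match(key, key + " "))
```

Validate the key on the cloud side and on the gateway side with the same function; if the gateway's configuration format quotes or escapes the key (backslash is a legal key character), compare the value the gateway actually parses, not the text you typed.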
Step 4: Load the configuration of the IPsec-VPN connection to the gateway device in the data center
- In the left-side navigation pane, choose .
- On the IPsec Connections page, find the IPsec-VPN connection that you want to manage and click Generate Peer Configuration in the Actions column.
- Load the configuration of the IPsec-VPN connection to the gateway device in the data center. For more information, see Configure local gateways.
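What "load the configuration to the gateway device" amounts to depends on the device. As an added example that is not part of this topic and not Alibaba Cloud's generated peer configuration, the Python code below renders a strongSwan swanctl.conf fragment from the values chosen in Step 3, on the assumption that the data center gateway runs strongSwan and that both sides use their public IP addresses as IKE identities. The VPN gateway address 203.0.113.10 is a constructed placeholder, 211.0.0.68 stands in for the masked 211.XX.XX.68, and the IKE and ESP proposals are placeholders that must be replaced with the values shown by Generate Peer Configuration; the traffic selectors are mirrored, so the data center CIDR is local and the VPC CIDR is remote.

```python
# Added example (not part of the Alibaba Cloud topic): render a strongSwan
# swanctl.conf fragment for the data center gateway from the Step 3 values.
from dataclasses import dataclass


@dataclass(frozen=True)
class PeerParams:
    name: str                       # swanctl section name; must not contain whitespace
    local_ip: str                   # customer gateway public IP (data center side)
    remote_ip: str                  # VPN gateway public IP (cloud side)
    local_cidrs: tuple              # data center CIDR blocks (local traffic selectors)
    remote_cidrs: tuple             # VPC CIDR blocks (remote traffic selectors)
    psk: str                        # identical to the key on the IPsec-VPN connection
    ike_version: int = 1            # 1 = ikev1 as chosen in this example, 2 = ikev2
    ike_proposal: str = "aes128-sha1-modp1024"  # placeholder: copy from the peer configuration
    esp_proposal: str = "aes128-sha1-modp1024"  # placeholder: copy from the peer configuration


def quote_secret(secret: str) -> str:
    """swanctl.conf strings use backslash escapes, and backslash is a legal
    pre-shared key character, so escape it (and any double quote) before quoting."""
    return '"' + secret.replace("\\", "\\\\").replace('"', '\\"') + '"'


def render_swanctl_conf(p: PeerParams) -> str:
    """Build the swanctl.conf text for one IPsec-VPN connection in single-tunnel mode."""
    if p.ike_version not in (1, 2):
        raise ValueError("IKE version must be 1 or 2")
    if not p.name or any(c.isspace() for c in p.name):
        raise ValueError("connection name must be non-empty and contain no whitespace")
    if not p.psk:
        raise ValueError("pre-shared key is required")
    local_ts = ",".join(p.local_cidrs)
    remote_ts = ",".join(p.remote_cidrs)
    return f"""connections {{
    {p.name} {{
        version = {p.ike_version}
        local_addrs = {p.local_ip}
        remote_addrs = {p.remote_ip}
        proposals = {p.ike_proposal}
        dpd_delay = 10s
        local {{
            auth = psk
            id = {p.local_ip}
        }}
        remote {{
            auth = psk
            id = {p.remote_ip}
        }}
        children {{
            {p.name}-child {{
                local_ts = {local_ts}
                remote_ts = {remote_ts}
                esp_proposals = {p.esp_proposal}
                start_action = start
                dpd_action = restart
            }}
        }}
    }}
}}
secrets {{
    ike-{p.name} {{
        id = {p.remote_ip}
        secret = {quote_secret(p.psk)}
    }}
}}
"""


if __name__ == "__main__":
    example = PeerParams(
        name="vpc-tunnel",
        local_ip="211.0.0.68",            # placeholder for 211.XX.XX.68
        remote_ip="203.0.113.10",         # constructed placeholder for the VPN gateway IP
        local_cidrs=("172.16.0.0/12",),   # data center
        remote_cidrs=("192.168.0.0/16",), # VPC
        psk="ReplaceWithTheConnectionKey", # placeholder; use the key from Step 3
    )
    print(render_swanctl_conf(example))
```

Because Effective Immediately is set to Yes in Step 3, the cloud side initiates negotiation; start_action = start makes the data center side initiate as well, so the tunnel comes up from either end after the fragment is loaded with swanctl --load-all.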
Step 5: Configure routes for the VPN gateway
- In the left-side navigation pane, choose .
- On the VPN Gateway page, find the VPN gateway that you want to manage and click the ID of the VPN gateway.
- On the Destination-based Route Table tab, click Add Route Entry.
- In the Add Route Entry panel, configure the following parameters and click OK.
Destination CIDR block: Enter the destination CIDR block of the route.
In this example, 172.16.0.0/12 is used.
Next Hop Type: Select the type of the next hop.
In this example, IPsec-VPN connection is selected.
Next Hop: Select the IPsec-VPN connection that you created.
Advertise to VPC: Specify whether to advertise the route to the VPC that is associated with the VPN gateway.
In this example, Yes is selected.
Weight: Select a weight for the route. Valid values: 100 (high priority) and 0 (low priority).
In this example, the default value 100 is used.
Step 6: Test the network connectivity
- Log on to an ECS instance that is not assigned a public IP address in the VPC. For more information, see Connection method overview.
- Run the ping command to ping a server in the data center to test the network connectivity.
  If you receive echo reply packets, the connection is established.