VPN Gateway: Enhanced VPN Gateway Quick Start

Last Updated: Jun 21, 2026
Important
  • Enhanced VPN Gateway is currently in invitation-only beta. To use this feature, contact your Alibaba Cloud account manager to request service activation.

  • For a detailed comparison between Enhanced and standard VPN gateways, see Feature comparison.

You can use the open-source software strongSwan to quickly establish an IPsec connection with an Enhanced VPN Gateway and enable private communication between your on-premises IDC and a VPC.

Scenario

A company has a VPC in the Malaysia (Kuala Lumpur) region and needs to connect the VPC to an on-premises IDC with an Enhanced VPN Gateway and strongSwan.

In this scenario, the on-premises IDC has a single public egress IP address and uses a dual-tunnel IPsec connection to connect to the VPN gateway, as shown in the following topology figure:

[Figure: dual-tunnel IPsec connection between the on-premises IDC (single public egress IP) and the Enhanced VPN Gateway in the VPC]

Resource planning

  • Cloud resources: A VPC with the CIDR block 10.0.0.0/16 in the Malaysia (Kuala Lumpur) region.

    • vSwitch 1: In availability zone A, with the CIDR block 10.0.0.0/24.

    • vSwitch 2: In availability zone B, with the CIDR block 10.0.1.0/24.

    • ECS instance: Deployed in vSwitch 1, with the IP address 10.0.0.1.

    • VPN Gateway: Create one IPsec connection. The system automatically assigns two public IP addresses to this connection.

      • IPsec Address 1 (for the primary tunnel): XX.XX.1.1

      • IPsec Address 2 (for the secondary tunnel): XX.XX.2.2

  • On-premises resources: An on-premises IDC with the CIDR block 172.16.0.0/16.

    • strongSwan device: Private IP address 172.16.0.1.

    • Public egress IP address: XX.XX.3.3

  • Encryption algorithm: AES-256-GCM-16 / SHA-256 / DH Group 14. You must specify this on your on-premises device. The Enhanced VPN Gateway automatically negotiates a compatible algorithm.

  • Routing method: Use static routing in policy-based mode. In this mode, you define the networks on both ends to specify which traffic, known as "interesting traffic," passes through the VPN tunnel. The system automatically routes this traffic and creates the necessary routes.

Important

This topic describes a scenario that uses a single public egress IP address and static routing. For scenarios that use dual public egress IP addresses or BGP dynamic routing, see strongSwan configuration examples.

Prerequisites

  • The CIDR block of the VPC and the CIDR block of the on-premises IDC do not overlap.

  • You have created a VPC as described in the resource planning section. The VPC contains two vSwitches in different availability zones and at least one ECS instance to test connectivity.

  • A Linux server is deployed in your on-premises IDC. This topic uses CentOS Stream 9 as an example. The server has one public egress IP address. You will install strongSwan on this server to act as the on-premises gateway.

Step 1: Create an Enhanced VPN Gateway

  1. Go to the VPN Gateway page. In the top navigation bar, select the Malaysia (Kuala Lumpur) region.

  2. On the Enhanced IPsec-VPN tab, click Create Enhanced IPsec-VPN.

    Important

    Enhanced VPN Gateway is in invitation-only beta. If the Enhanced IPsec-VPN tab does not appear, contact your Alibaba Cloud account manager to activate the service.

    • Region: Select the region where your VPC is located. In this topic, select Malaysia (Kuala Lumpur).

    • VPC: Select the target VPC to connect.

    • vSwitch 1: Select the vSwitch in availability zone A.

    • vSwitch 2: Select the vSwitch in availability zone B. This vSwitch must be in a different availability zone than vSwitch 1 to ensure cross-zone high availability. If no vSwitch is available, create one first.

      The system creates an elastic network interface (ENI) in each vSwitch. These ENIs act as the interfaces for traffic between the IPsec connection and the VPC. Each ENI consumes one IP address from its vSwitch.

Step 2: Create a customer gateway

A customer gateway is an object in Alibaba Cloud that records the public IP address of your on-premises gateway device. In this scenario, your on-premises IDC has only one public egress IP address, so you need to create only one customer gateway.

  1. On the left-side navigation pane of the VPN Gateway console, click Customer Gateways.

  2. Click Create Customer Gateway and configure the parameters.

    • Name: Enter a name for the customer gateway, for example, cgw-idc-kl.

    • IP Address: Enter the public egress IP of your local IDC (XX.XX.3.3).

Step 3: Create an IPsec connection

  1. On the left-side navigation pane, click IPsec Connections, and then click Bind VPN Gateway.

  2. Configure the basic parameters for the IPsec connection.

    • Name: Enter a meaningful name for the resource, such as ipsec-demo.

    • Region: Select Malaysia (Kuala Lumpur).

    • Gateway Type: Select Enhanced IPsec-VPN.

    • Billing: The value is automatically set to Pay-by-CDT. For more information, see CDT Public Network Traffic.

    • Bind VPN Gateway: Select the Enhanced VPN Gateway that you created in Step 1.

    • Routing Mode: Select Protected Data Flows. In this mode, you must define the network segments at both ends. The system automatically transmits matching traffic through the tunnel and generates routes.

    • Local Network: Enter the VPC CIDR block 10.0.0.0/16.

    • Remote Network: Enter the data center CIDR block 172.16.0.0/16.

    • Effective Immediately: If you select Yes, Alibaba Cloud proactively initiates negotiation with the peer. This allows a connection to be quickly established after the peer is configured.

    • Enable BGP: For this scenario, keep this option disabled.

  3. Configure the tunnel parameters.

    Enhanced VPN Gateway supports multi-algorithm negotiation, so you can use the default encryption settings.

    • Tunnel 1 (Primary):

      • Customer Gateway: Select the customer gateway that you created in Step 2.

      • Pre-Shared Key: This key is used for authentication during IPsec negotiation. The pre-shared keys on both ends of the tunnel must be identical, or the tunnel cannot be established. Use a strong key that contains uppercase letters, lowercase letters, digits, and special characters.

    • Tunnel 2 (Secondary):

      • Customer Gateway: Select the same customer gateway that you selected for the primary tunnel because the on-premises IDC in this scenario has only one public egress IP address.

      • Pre-Shared Key: In this topic, use the same key as the primary tunnel.

    Important

    Enhanced VPN Gateway enables multi-algorithm negotiation by default. Multiple commonly used algorithms are preselected in the encryption configuration. The system automatically negotiates with the on-premises gateway device to find a supported algorithm. If you need to manually specify an algorithm, expand the Encryption Configuration section to modify the settings.

  4. After you click OK, a dialog box prompts you to publish the route. Click Cancel for now.

    Initializing the IPsec connection resource takes about 5 minutes. During this period, the Status is Preparing, and you cannot configure routes. You can first configure the strongSwan device in Step 4 and then complete the route configuration in Step 5.

  5. Record the public IP addresses of the two cloud tunnels. You will need them to configure strongSwan.

    1. Return to the IPsec-VPN connection page and find the IPsec connection that you just created.

    2. In the Gateway IP Address column, record IPsec Address 1 and IPsec Address 2. This topic uses XX.XX.1.1 and XX.XX.2.2 as examples.

Step 4: Configure strongSwan

Important

The third-party product information in this topic is for reference only. Alibaba Cloud does not make any promises, express or implied, about the performance or reliability of third-party products, nor is it responsible for any impacts from their operation.

The following example shows how to configure strongSwan on a 64-bit CentOS Stream 9 operating system. For other operating systems, see the official strongSwan documentation.

1. Configure firewall rules

On the strongSwan device, allow ESP (IP protocol number 50), UDP port 500 (IKE), and UDP port 4500 (NAT-T) from the two IPsec addresses on the cloud.

The following commands use iptables as an example. Modify the commands based on the firewall tool that you use.

iptables -I INPUT -s XX.XX.1.1,XX.XX.2.2 -p esp -j ACCEPT
iptables -I INPUT -s XX.XX.1.1,XX.XX.2.2 -p udp --dport 500 -j ACCEPT
iptables -I INPUT -s XX.XX.1.1,XX.XX.2.2 -p udp --dport 4500 -j ACCEPT

2. Enable IP forwarding

echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

3. Install strongSwan

dnf install epel-release -y
dnf install strongswan -y

4. Configure strongSwan

  1. Back up the original configuration file:

    mv /etc/strongswan/swanctl/swanctl.conf /etc/strongswan/swanctl/swanctl.conf.bak

  2. Create a new configuration file:

    vi /etc/strongswan/swanctl/swanctl.conf

  3. Add the following configuration and save the file. Replace the placeholder values with your actual values.

    # strongSwan dual-tunnel IPsec-VPN configuration for: Alibaba Cloud Enhanced VPN Gateway + single on-premises public egress IP + policy-based mode
    #
    # NOTE: Only modify parameters marked with "MODIFY". Keep the rest as default.
    # Algorithm details: aes256gcm16-sha256-modp2048 = AES-256-GCM-16 / SHA-256 / DH Group 14
    # High availability: vco1 (priority=1) is the primary tunnel, and vco2 (priority=2) is the secondary tunnel. Failover is automatic.
    connections {
       # === Tunnel 1 (Primary) ===
       vco1 {
          version = 2
          dpd_delay = 10
          rekey_time = 84600
          over_time = 1800
          proposals = aes256gcm16-sha256-modp2048
          encap = yes
          local_addrs  = 172.16.0.1                # MODIFY: The private IP address of the strongSwan server's network interface. If the server is behind a NAT device, enter its private IP address. If the server's network interface is directly assigned the public IP address, enter the public IP address.
          local {
             auth = psk
             id = XX.XX.3.3                        # MODIFY: The public egress IP address of your on-premises gateway.
          }
          remote_addrs = XX.XX.1.1                 # MODIFY: The public IP address of Alibaba Cloud Tunnel 1.
          remote {
             auth = psk
             id = XX.XX.1.1                        # MODIFY: The public IP address of Alibaba Cloud Tunnel 1. Must match remote_addrs.
          }
          children {
             vco_child1 {
                local_ts  = 172.16.0.0/16          # MODIFY: The CIDR block of your on-premises network (interesting traffic).
                remote_ts = 10.0.0.0/16            # MODIFY: The CIDR block of your VPC (interesting traffic).
                mode = tunnel
                rekey_time = 85500
                life_time = 86400
                dpd_action = restart
                start_action = start
                close_action = start
                esp_proposals = aes256gcm16-sha256-modp2048
                priority = 1                       # Specifies the primary tunnel. We recommend that you do not modify this parameter.
             }
          }
       }
       # === Tunnel 2 (Secondary) ===
       vco2 {
          version = 2
          dpd_delay = 10
          rekey_time = 84600
          over_time = 1800
          proposals = aes256gcm16-sha256-modp2048
          encap = yes
          local_addrs  = 172.16.0.1                # MODIFY: The IP address of the strongSwan server's network interface. Must be the same as local_addrs for Tunnel 1.
          local {
             auth = psk
             id = XX.XX.3.3                        # MODIFY: The public egress IP address of your on-premises gateway. Must be the same as id for Tunnel 1.
          }
          remote_addrs = XX.XX.2.2                 # MODIFY: The public IP address of Alibaba Cloud Tunnel 2.
          remote {
             auth = psk
             id = XX.XX.2.2                        # MODIFY: The public IP address of Alibaba Cloud Tunnel 2. Must match remote_addrs.
          }
          children {
             vco_child2 {
                local_ts  = 172.16.0.0/16          # MODIFY: The CIDR block of your on-premises network. Must be the same as local_ts for Tunnel 1.
                remote_ts = 10.0.0.0/16            # MODIFY: The CIDR block of your VPC. Must be the same as remote_ts for Tunnel 1.
                mode = tunnel
                rekey_time = 85500
                life_time = 86400
                dpd_action = restart
                start_action = start
                close_action = start
                esp_proposals = aes256gcm16-sha256-modp2048
                priority = 2                       # Specifies the secondary tunnel. We recommend that you do not modify this parameter.
             }
          }
       }
    }
    secrets {
       ike-vco1 {
          id = XX.XX.1.1                           # MODIFY: The public IP address of Alibaba Cloud Tunnel 1.
          secret = your-psk-here                   # MODIFY: The pre-shared key for Tunnel 1. Must match the key configured in the Alibaba Cloud console.
       }
       ike-vco2 {
          id = XX.XX.2.2                           # MODIFY: The public IP address of Alibaba Cloud Tunnel 2.
          secret = your-psk-here                   # MODIFY: The pre-shared key for Tunnel 2. Must match the key configured in the Alibaba Cloud console.
       }
    }

5. Start strongSwan and verify tunnel status

sudo systemctl restart strongswan
swanctl --load-all
watch swanctl --list-sas

If both IKE_SAs (vco1 and vco2) show ESTABLISHED and each CHILD_SA shows INSTALLED, the IPsec-VPN connection between the strongSwan device and the Alibaba Cloud VPN Gateway has been established successfully.

Every 2.0s: swanctl --list-sas    iZ8psgynxxx: Fri Mar 13 14:53:47 2026
plugin 'sqlite': failed to load - sqlite_plugin_create not found and no plugin file
available
vco1: #11, ESTABLISHED, IKEv2, fbf8cda98d1d4f45_i c8a12ae19f8303d8_r*
   local  'XX.XX.3.3x.18' @ 172.16.0.1[4500]
   remote 'XX.XX.1.1x.58' @ XX.XX.1.1x.58[4500]
   AES_GCM_16-256/PRF_HMAC_SHA2_256/MODP_2048
   established 1534s ago, rekeying in 81327s
   vco_child1: #10, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-256/MODP_2048
      installed 10638s ago, rekeying in 73995s, expires in 75762s
      in  c31a70fc, 892248 bytes, 10622 packets,    1s ago
      out c53ef972, 892332 bytes, 10623 packets,    1s ago
      local  172.16.0.0/16
      remote 10.0.0.0/16
vco2: #10, ESTABLISHED, IKEv2, 9b259bb527d43acf_i f53df17098e08519_r*
   local  'XX.XX.3.3x.18' @ 172.16.0.1[4500]
   remote 'XX.XX.2.2x.121' @ XX.XX.2.2x.121[4500]
   AES_GCM_16-256/PRF_HMAC_SHA2_256/MODP_2048
   established 3270s ago, rekeying in 81252s
   vco_child2: #9, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-256/MODP_2048
      installed 12865s ago, rekeying in 71956s, expires in 73535s
      in  c11c544e,      0 bytes,     0 packets,    7s ago
      out c7acef03,      0 bytes,     0 packets,   14s ago
      local  172.16.0.0/16
      remote 10.0.0.0/16
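The health check below is an added example, not code from this topic or from strongSwan: it parses `swanctl --list-sas` output such as the listing above and verifies it against the resource plan (both IKE_SAs ESTABLISHED, each CHILD_SA INSTALLED with the planned ESP proposal and traffic selectors), and reports which tunnel is carrying traffic, which with priority 1 and 2 should be vco1 until a failover. The connection names, CHILD_SA names, algorithms and CIDR blocks are the ones used in this topic; the sample listing inside the script is constructed from the output above.

```python
import re
# Expected end state, taken from this topic's resource planning (page values, not constructed).
EXPECTED = {"vco1": "vco_child1", "vco2": "vco_child2"}   # connection -> its CHILD_SA
ESP_ALGS = "AES_GCM_16-256/MODP_2048"                      # AES-256-GCM-16 with DH group 14 PFS
TS = ("172.16.0.0/16", "10.0.0.0/16")                      # (local_ts, remote_ts)
IKE_RE = re.compile(r"^(\S+): #\d+, (\w+), IKEv\d")
CHILD_RE = re.compile(r"^\s+(\S+): #\d+, reqid \d+, (\w+), \S+, ESP:(\S+)", re.M)
TS_RE = re.compile(r"^\s+(local|remote)\s+([^'@\n]+?)\s*$", re.M)  # child TS lines only; IKE-level local/remote lines carry a quoted ID and '@'
# Constructed sample modelled on the `swanctl --list-sas` output shown above.
SAMPLE = """\
vco1: #11, ESTABLISHED, IKEv2, fbf8cda98d1d4f45_i c8a12ae19f8303d8_r*
   local  'XX.XX.3.3' @ 172.16.0.1[4500]
   vco_child1: #10, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-256/MODP_2048
      in  c31a70fc, 892248 bytes, 10622 packets,    1s ago
      local  172.16.0.0/16
      remote 10.0.0.0/16
vco2: #10, ESTABLISHED, IKEv2, 9b259bb527d43acf_i f53df17098e08519_r*
   vco_child2: #9, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-256/MODP_2048
      in  c11c544e,      0 bytes,     0 packets,    7s ago
      local  172.16.0.0/16
      remote 10.0.0.0/16
"""

def parse_sas(text):
    """Parse `swanctl --list-sas` output, one CHILD_SA per connection as in this topic."""
    sas = {}
    for block in re.split(r"^(?=\S+: #\d+, )", text, flags=re.M):
        head = IKE_RE.match(block)
        if not head:
            continue                                       # watch header, plugin warnings
        child = CHILD_RE.search(block)
        sas[head.group(1)] = {
            "state": head.group(2),
            "child": child.groups() if child else None,    # (name, state, ESP proposal)
            "ts": dict(TS_RE.findall(block)),              # {"local": ..., "remote": ...}
            "bytes": sum(int(b) for b in re.findall(r"(\d+) bytes", block)),  # in + out
        }
    return sas

def check_tunnels(sas):
    """Return deviations from the plan; an empty list means both tunnels are healthy."""
    problems = []
    for name, child in EXPECTED.items():
        sa = sas.get(name, {})
        if sa.get("state") != "ESTABLISHED":
            problems.append(f"{name}: IKE_SA not ESTABLISHED (check PSK, firewall, IKE params)")
        elif sa["child"] != (child, "INSTALLED", ESP_ALGS):
            problems.append(f"{name}: CHILD_SA is {sa['child']}, expected {child} INSTALLED with {ESP_ALGS}")
        elif (sa["ts"].get("local"), sa["ts"].get("remote")) != TS:
            problems.append(f"{name}: traffic selectors {sa['ts']} do not match {TS}")
    return problems

def active_tunnel(sas):
    """Tunnel carrying ESP traffic now; with priority 1/2 this is vco1 unless it has failed over."""
    return max(sas, key=lambda name: sas[name]["bytes"]) if sas else None
```

In production, replace SAMPLE with the live output of `swanctl --list-sas` and run the check from cron or your monitoring agent so that a silent failover to vco2 or a proposal mismatch is noticed.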

Step 5: Configure cloud routes

Because this topic uses policy-based mode, the system automatically adds a route entry to the Destination-based Route Table of the Enhanced VPN Gateway.

You can publish this route to the VPC route table. Publishing the route directs traffic from ECS instances in the VPC to the on-premises IDC network through the VPN gateway.

  1. Click the instance ID of the Enhanced VPN Gateway that you created to open its details page.

  2. Go to the Destination-based Route Table tab. Find the destination route entry that the system automatically generated (destination network 172.16.0.0/16, next hop is the IPsec connection).

  3. In the Actions column of the target route entry, click Advertise to publish the route to the VPC route table.

    After you publish the route, a new route entry is added to the VPC route table with the destination network as 172.16.0.0/16 and the next hop as the VPN gateway. Traffic from ECS instances in the VPC to the on-premises IDC network is automatically routed through the VPN tunnel.

Verify the connection

Verify connectivity

  1. Make sure that the security group rules for your ECS instance allow ICMP traffic. Then, log on to your strongSwan device and ping the private IP address of the cloud ECS instance.

    ping 10.0.0.1

    Reply packets confirm that communication is established between the on-premises IDC and the cloud VPC.

  2. Make sure that your on-premises firewall allows ICMP traffic. Then, log on to the ECS instance in the VPC (10.0.0.1) and ping the private IP address of the strongSwan device.

    ping 172.16.0.1

    If you receive reply packets, the reverse connection is also established.

Verify high availability

  1. From the ECS instance, run a continuous ping to the on-premises server:

    ping 172.16.0.1 -c 10000

  2. Interrupt the primary tunnel. On the Alibaba Cloud console, modify the pre-shared key of the primary tunnel to create a key mismatch. This causes the primary tunnel to fail.

  3. Observe the ping results. After a brief interruption, communication resumes. This indicates that traffic has automatically failed over to the secondary tunnel.

  4. Restore the primary tunnel. Change the pre-shared key of the primary tunnel back to the correct value. After the primary tunnel is restored, traffic automatically fails back.

Troubleshooting

Common issues and solutions:

  • Symptom: Tunnel negotiation fails.

    • Possible cause: Network connectivity failure. Solution: Check whether the strongSwan device can ping the Alibaba Cloud IPsec addresses. Confirm that the on-premises IDC firewall allows UDP traffic on ports 500 and 4500.

    • Possible cause: Pre-shared key mismatch. Solution: Verify that the pre-shared keys are identical on both ends, including case and special characters.

    • Possible cause: IKE parameter mismatch. Solution: Check whether the IKE version, encryption algorithm, authentication algorithm, DH group, and other parameters match on both ends.

  • Symptom: The tunnel is established, but pings fail.

    • Possible cause: Routes are not configured. Solution: Verify that you have published the destination route from the VPN gateway to the VPC route table.

    • Possible cause: Security group restrictions. Solution: Check whether the ECS security group allows ICMP traffic from the on-premises IDC network (172.16.0.0/16).

    • Possible cause: On-premises firewall restrictions. Solution: Check whether the on-premises firewall allows traffic from the VPC network (10.0.0.0/16).

    • Possible cause: Missing route on the strongSwan side. Solution: Confirm that IP forwarding is enabled on the strongSwan device and that other servers in your IDC use the strongSwan device as the next hop for traffic to the VPC network.

For more information, see Troubleshoot IPsec connections.