All Products
Search
Document Center

VPN Gateway:Bind to a transit router

Last Updated:May 27, 2026

Use strongSwan to establish a dual-tunnel IPsec connection to an Alibaba Cloud Transit Router, connecting your on-premises IDC to a VPC.

Scenario

A company has a VPC in the China (Hangzhou) region and needs to connect its on-premises IDC to the VPC through an IPsec connection. This scenario attaches the IPsec connection to a Transit Router instead of a VPN gateway. A Transit Router from Cloud Enterprise Network (CEN) enables centralized routing with flexible scaling—connect additional VPCs or establish cross-region connections as needed.

The on-premises IDC has a single public IP address and establishes a dual-tunnel IPsec connection with Alibaba Cloud.

image

Resource planning

  • Cloud: A VPC with CIDR block 10.0.0.0/16 in the China (Hangzhou) region.

    • vSwitch 1: In availability zone H, with the CIDR block 10.0.0.0/24.

    • vSwitch 2: In availability zone J, with the CIDR block 10.0.2.0/24.

    • ECS instance: IP address 10.0.0.1, used for connectivity testing.

    • CEN instance: Hosts the Transit Router.

    • Transit Router: In the China (Hangzhou) region, with a TR CIDR block of 10.10.10.0/24. Must not overlap with the VPC or IDC CIDR blocks.

  • On-premises: IDC with CIDR block 172.16.0.0/16.

    • strongSwan device: Private IP address 172.16.0.1.

    • Public IP address: XX.XX.3.3.

  • Encryption algorithm: IKEv2 / AES-128-CBC / SHA-1 / DH Group 2. Parameters must match on both tunnel endpoints.

  • Routing method: Destination-based routing. You add a static route to the Transit Router's route table to direct IDC-bound traffic to the IPsec connection.

Prerequisites

  • The VPC and on-premises IDC CIDR blocks do not overlap.

  • A VPC is created with two vSwitches in different availability zones. At least one ECS instance exists in the VPC for connectivity testing.

  • A CEN instance and a Transit Router (TR) are created with the following conditions met:

  • A Linux server with a public IP address is deployed in your on-premises IDC. This tutorial uses CentOS Stream 9. You install strongSwan on this server as the on-premises gateway device.

Step 1: Create a customer gateway

A customer gateway registers the public IP address of your on-premises gateway device in Alibaba Cloud. This scenario has a single on-premises public IP, so you create one customer gateway.

  1. Go to the VPN Gateway page. In the left-side navigation pane, click Customer Gateways.

  2. In the top navigation bar, select the China (Hangzhou) region.

  3. Click Create Customer Gateway and configure the following parameters:

    Name: Enter a name for the customer gateway, such as cgw-idc.

    IP Address: Enter the public IP address of your on-premises IDC (XX.XX.3.3).

Step 2: Create an IPsec connection

  1. In the left-side navigation pane of the VPN Gateway console, click IPsec Connections.

  2. Click Bind CEN and configure the following parameters:

    • Name: Enter a name for the resource, such as ipsec-demo.

    • Region: Select China (Hangzhou).

    • Gateway Type: Select Public.

    • Bind CEN: Select Same Account.

    • Associate Resource: Select Transit Router.

    • CEN Instance ID: Select the CEN instance that you created as part of the prerequisites.

    • Routing Mode: Select Destination Routing Mode. You will later add a static route to the Transit Router's route table to control traffic forwarding.

    • Effective Immediately: Select Yes. Start negotiations after the configuration is completed.. Alibaba Cloud initiates negotiation immediately.

    • Advanced Configuration (including route table association and route forwarding): Select all options: Automatic Advertising, Automatically Associate with Default Route Table of Transit Router, and Automatically Advertise System Routes to Default Route Table of Transit Router.

  3. Configure the tunnel parameters:

    • Tunnel 1 (Primary):

      • Customer Gateways: Select the customer gateway created in Step 1.

      • Pre-Shared Key: Used for mutual authentication between both tunnel endpoints. Use a strong password. Must match the cloud and on-premises configurations.

    • Tunnel 1 (Backup):

      • Customer Gateways: Select the same customer gateway as Tunnel 1. The IDC has only one public egress.

      • Pre-Shared Key: Use the same key as for Tunnel 1.

        Keep the default values for the other encryption parameters. To manually specify an algorithm, expand Encryption Configuration and make the required changes.
  4. Click OK. When prompted to publish the route, click Cancel for now.

    Initialization takes about 5 minutes. While the status is Preparing, you cannot configure routes. Record the cloud-side public IP addresses and proceed to Step 3.
  5. Record the public IP addresses of both cloud-side tunnels for strongSwan configuration.

    Return to the IPsec Connections list and find the IPsec connection that you just created. In the Gateway IP Address column, record IPsec Address 1: and IPsec Address 2:. This tutorial uses XX.XX.1.1 and XX.XX.2.2 as examples.

Step 3: Add a static route to the TR

With destination-based routing, you must manually add a route to the IDC CIDR block in the Transit Router's route table.

  1. Go to the Cloud Enterprise Network console and click the ID of your CEN instance.

  2. On the Transit Router tab, find the China (Hangzhou) Transit Router and click its ID.

  3. Go to the Route Table tab. The system route table displays by default.

  4. On the Route Entry tab of the system route table, click Add Route Entry.

    • Destination CIDR: Enter the CIDR block of the on-premises IDC, 172.16.0.0/16.

    • Blackhole Route: Select No.

    • Next Hop: Select the VPN connection's network instance connection. This is automatically created when the IPsec connection binds to the Transit Router.

  5. Click OK.

    After the route is added, the route table shows a static route with destination 172.16.0.0/16 and next hop set to the IPsec connection.

    This route directs IDC-bound traffic from the Transit Router to the IPsec tunnels. VPC-side routes are automatically configured through the Transit Router's route propagation feature.

Step 4: Configure the strongSwan device

Important

The information about third-party products in this document is for reference only. Alibaba Cloud does not provide any express or implied warranties for the performance or reliability of third-party products, nor for any potential impacts of their operation.

Configure strongSwan on CentOS Stream 9 (64-bit). The official strongSwan documentation covers other operating systems.

1. Configure firewall rules

On the strongSwan device, allow inbound ESP protocol (IP protocol number 50), UDP port 500, and UDP port 4500 from the two cloud-side IPsec addresses.

The following example uses iptables. Adjust for your firewall tool.

iptables -I INPUT -s XX.XX.1.1,XX.XX.2.2 -p esp -j ACCEPT  
iptables -I INPUT -s XX.XX.1.1,XX.XX.2.2 -p udp --dport 500 -j ACCEPT
iptables -I INPUT -s XX.XX.1.1,XX.XX.2.2 -p udp --dport 4500 -j ACCEPT

2. Enable IP forwarding

echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sudo sysctl -p

3. Install strongSwan

sudo dnf install epel-release -y
sudo dnf install strongswan -y

4. Create XFRM interfaces and an updown script

In a dual-tunnel scenario, create XFRM virtual interfaces to differentiate tunnel traffic and avoid kernel routing policy conflicts.

# Create XFRM interfaces for Tunnel 1 and Tunnel 2 respectively
sudo ip link add xfrm1 type xfrm dev eth0 if_id 1
sudo ip link add xfrm2 type xfrm dev eth0 if_id 2
sudo ip link set xfrm1 up
sudo ip link set xfrm2 up

# Add an ECMP route to load-balance traffic to the cloud CIDR block across both tunnels
sudo ip route add 10.0.0.0/16 nexthop dev xfrm1 weight 1 nexthop dev xfrm2 weight 1

Create an updown script that brings down the corresponding XFRM interface when a tunnel disconnects, allowing the kernel to redirect traffic to the active tunnel.

sudo tee /usr/local/bin/xfrm-updown.sh > /dev/null << 'EOF'
#!/bin/bash
XFRM_IF="xfrm${PLUTO_IF_ID_IN}"
case "${PLUTO_VERB}" in
    up-client)
        ip link set "${XFRM_IF}" up 2>/dev/null
        ;;
    down-client)
        ip link set "${XFRM_IF}" down 2>/dev/null
        ;;
esac
EOF
sudo chmod +x /usr/local/bin/xfrm-updown.sh
To persist XFRM interfaces and routes after reboot, add the commands to a startup script.

5. Configure strongSwan

  1. Back up the original configuration file:

    mv /etc/strongswan/swanctl/swanctl.conf /etc/strongswan/swanctl/swanctl.conf.bak
  2. Create a new configuration file:

    vi /etc/strongswan/swanctl/swanctl.conf
  3. Add the following configuration. Replace example IP addresses and keys with your actual values.

    # strongSwan dual-tunnel IPsec-VPN configuration
    # For an IPsec connection attached to an Alibaba Cloud Transit Router
    # with a single on-premises public IP, using destination-based routing.
    #
    # Only modify parameters marked with "(Modify)". Keep default values for other parameters.
    # This configuration uses XFRM interfaces (if_id) to differentiate tunnel traffic and ECMP for load balancing.
    
    connections {
    
       # === Tunnel 1 ===
       tunnel1 {
          version = 2
          dpd_delay = 10s
          rekey_time = 86400s
          proposals = aes128-sha1-modp1024
    
          local_addrs  = 172.16.0.1               # (Modify) Private IP of the strongSwan server's NIC. In a NAT environment, use the private IP.
          local {
             auth = psk
             id = XX.XX.3.3                         # (Modify) The on-premises public IP address.
          }
    
          remote_addrs = XX.XX.1.1                  # (Modify) The public IP address of Tunnel 1 on Alibaba Cloud.
          remote {
             auth = psk
             id = XX.XX.1.1                         # (Modify) Same public IP as remote_addrs above.
          }
    
          children {
             tunnel1-child {
                local_ts  = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
                mode = tunnel
                esp_proposals = aes128-sha1-modp1024
                dpd_action = restart
                start_action = start
                close_action = start
                updown = /usr/local/bin/xfrm-updown.sh
                if_id_in = 1                        # Corresponds to the xfrm1 interface.
                if_id_out = 1
             }
          }
    
          if_id_in = 1
          if_id_out = 1
       }
    
       # === Tunnel 2 ===
       tunnel2 {
          version = 2
          dpd_delay = 10s
          rekey_time = 86400s
          proposals = aes128-sha1-modp1024
    
          local_addrs  = 172.16.0.1               # (Modify) Same private IP as for Tunnel 1.
          local {
             auth = psk
             id = XX.XX.3.3                         # (Modify) Same on-premises public IP as for Tunnel 1.
          }
    
          remote_addrs = XX.XX.2.2                  # (Modify) The public IP address of Tunnel 2 on Alibaba Cloud.
          remote {
             auth = psk
             id = XX.XX.2.2                         # (Modify) Same public IP as remote_addrs above.
          }
    
          children {
             tunnel2-child {
                local_ts  = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
                mode = tunnel
                esp_proposals = aes128-sha1-modp1024
                dpd_action = restart
                start_action = start
                close_action = start
                updown = /usr/local/bin/xfrm-updown.sh
                if_id_in = 2                        # Corresponds to the xfrm2 interface.
                if_id_out = 2
             }
          }
    
          if_id_in = 2
          if_id_out = 2
       }
    }
    
    secrets {
       ike-tunnel1 {
          id-1 = XX.XX.3.3                          # (Modify) The on-premises public IP address.
          id-2 = XX.XX.1.1                          # (Modify) The public IP address of Tunnel 1 on Alibaba Cloud.
          secret = "your-psk-here"                  # (Modify) The pre-shared key for Tunnel 1. Must match the key on Alibaba Cloud.
       }
       ike-tunnel2 {
          id-1 = XX.XX.3.3                          # (Modify) The on-premises public IP address.
          id-2 = XX.XX.2.2                          # (Modify) The public IP address of Tunnel 2 on Alibaba Cloud.
          secret = "your-psk-here"                  # (Modify) The pre-shared key for Tunnel 2. Must match the key on Alibaba Cloud.
       }
    }
    Important
    • The if_id_in and if_id_out parameters bind each tunnel to its corresponding XFRM interface (xfrm1 or xfrm2), ensuring that traffic from the two tunnels does not interfere.

    • The local_ts and remote_ts traffic selectors are set to 0.0.0.0/0. The routing table on the XFRM interface determines which traffic enters the tunnel. In destination-based routing, the cloud-side traffic selectors are also set to 0.0.0.0/0.

6. Start strongSwan and verify tunnel status

sudo systemctl enable strongswan
sudo systemctl restart strongswan
sudo swanctl --load-all
sudo swanctl --list-sas

If both tunnels show ESTABLISHED status and CHILD_SA shows INSTALLED, the IPsec connection is successfully established.

# Example of expected output (abbreviated)
tunnel1: #1, ESTABLISHED, IKEv2
  tunnel1-child: #1, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_SHA1_96
tunnel2: #2, ESTABLISHED, IKEv2
  tunnel2-child: #2, reqid 2, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_SHA1_96

Verify the connection

Test connectivity

  1. Ensure the security group rules for the ECS instance allow ICMP traffic. Log on to the strongSwan device and ping the ECS instance:

    ping 10.0.0.1

    A reply confirms connectivity between the VPC and the on-premises IDC.

  2. Ensure the strongSwan device or another on-premises server allows ICMP traffic. Log on to the ECS instance (10.0.0.1) in the VPC and ping the strongSwan device:

    ping 172.16.0.1

    A reply confirms bidirectional connectivity.

Test high availability

By default, an IPsec connection attached to a Transit Router uses both tunnels simultaneously in an Equal-Cost Multi-Path (ECMP) configuration for load balancing and high availability. If one tunnel fails, traffic automatically fails over to the other active tunnel without manual intervention.

  1. Start a continuous ping from the ECS instance to a server in the on-premises IDC:

    ping 172.16.0.1 -c 10000
  2. Interrupt one tunnel. For example, modify the pre-shared key for Tunnel 1 in the console to cause a mismatch and disconnect the tunnel.

  3. Observe the ping results. Pings resume after a brief interruption, confirming automatic failover to Tunnel 2.

  4. Restore Tunnel 1 by reverting the pre-shared key to the correct value. After re-establishment, traffic is load-balanced across both tunnels again.

Troubleshooting

The following table describes common issues and their solutions.

Symptom

Possible cause

Solution

The tunnel status in the console shows Negotiation failed.

Network connectivity issue

Check if the strongSwan device can ping the Alibaba Cloud IPsec addresses. Verify that your on-premises IDC firewall allows traffic on UDP ports 500 and 4500.

Pre-shared key mismatch

Verify that the pre-shared keys are identical on both ends, including case and special characters.

IKE parameter mismatch

Check that the IKE version, encryption algorithm, authentication algorithm, and DH group match on both ends.

The tunnels are established, but pings fail.

Incorrect route configuration

Verify the VPC route table has a route to the IDC CIDR block with next hop set to the Transit Router. Also verify the Transit Router's route table has a static route to the IDC CIDR block with next hop set to the IPsec connection. With destination-based routing, this static route must be added manually.

Security group restrictions

Check if the ECS security group allows inbound ICMP traffic from the on-premises IDC CIDR block (172.16.0.0/16).

On-premises firewall restrictions

Check if the on-premises firewall allows traffic from the VPC CIDR block (10.0.0.0/16).

Missing routes on the strongSwan side

Verify IP forwarding is enabled on the strongSwan device. Ensure other IDC servers have a route to the VPC CIDR block with next hop set to the strongSwan device.