
VPN Gateway: What is IPsec-VPN?

Last Updated: Mar 14, 2025

IPsec-VPN is a route-based network connection technology that provides flexible traffic routing methods and allows you to configure and maintain VPN policies. It also uses Internet Key Exchange (IKE) and Internet Protocol Security (IPsec) to encrypt data transmission. You can use IPsec-VPN to establish secure and reliable network connections between Alibaba Cloud and the data centers or office networks of your enterprise.

Note

Alibaba Cloud VPN Gateway provides services in compliance with the policies and regulations of the Chinese mainland. You can use VPN Gateway to establish only intra-border connections. For more information, see What are cross-border connections and intra-border connections?

Network connection scenarios

You can associate an IPsec-VPN connection with the following types of resources: VPN gateways and transit routers. Network connection scenarios vary with the types of associated resources.

Associate an IPsec-VPN connection with a VPN gateway

You can use IPsec-VPN to establish connections between the data centers or office networks of your enterprise and virtual private clouds (VPCs). This way, you can access resources in VPCs from your data centers or office networks.


Associate an IPsec-VPN connection with a transit router

You can use IPsec-VPN to establish connections between the data centers or office networks of your enterprise and transit routers on Alibaba Cloud. This way, your data centers or office networks can communicate with other networks connected to transit routers and access resources in those networks, such as other data centers or VPCs in different regions. For more information about transit routers, see What is CEN?


IPsec-VPN components

Associate an IPsec-VPN connection with a VPN gateway

Components and their descriptions:

  • VPN Gateway: Before you use IPsec-VPN, you must purchase a VPN gateway and enable IPsec-VPN for the VPN gateway. After you purchase a VPN gateway, Alibaba Cloud deploys VPN resources for you.

  • Customer Gateway: A customer gateway is a resource created on Alibaba Cloud. It is used to register information about an on-premises gateway device, such as the IP address and BGP ASN, with Alibaba Cloud.

  • IPsec-VPN Connection: An IPsec-VPN connection is an encrypted communication channel between a data center and a VPC. You can use the IPsec-VPN connection to control which networks the data center accesses. An IPsec-VPN connection contains two tunnels, which are used to encrypt and transmit data.

  • On-premises Gateway Device: An on-premises gateway device refers to a physical device (a gateway device in most cases) or an application in a data center. The on-premises gateway device must support the VPN feature so that it can negotiate with the peer to establish an IPsec-VPN connection.

Note

For ease of illustration, the term "data center" is used in the following sections to refer to any data center or office network that needs to establish an IPsec-VPN connection with Alibaba Cloud.

Associate an IPsec-VPN connection with a transit router

Components and their descriptions:

  • Transit Router: A transit router is a component of Cloud Enterprise Network (CEN). It is used to connect networks in the same region and across regions on Alibaba Cloud.

  • Customer Gateway: A customer gateway is a resource created on Alibaba Cloud. It is used to register information about an on-premises gateway device, such as the IP address and BGP ASN, with Alibaba Cloud.

  • IPsec-VPN Connection: An IPsec-VPN connection is an encrypted communication channel between a data center and a transit router. You can use the IPsec-VPN connection to control which networks the data center accesses. An IPsec-VPN connection contains two tunnels, which are used to encrypt and transmit data.

  • On-premises Gateway Device: An on-premises gateway device refers to a physical device (a gateway device in most cases) or an application in a data center. The on-premises gateway device must support the VPN feature so that it can negotiate with the peer to establish an IPsec-VPN connection.

Note

For ease of illustration, the term "data center" is used in the following sections to refer to any data center or office network that needs to establish an IPsec-VPN connection with Alibaba Cloud.

Dual-tunnel mode

By default, an IPsec-VPN connection has two encrypted tunnels. In a region that has multiple zones, you can deploy the tunnels in different zones to implement zone-disaster recovery. If a region has only one zone, such as China (Nanjing - Local Region), the two tunnels are deployed in the same zone. In this case, cross-zone disaster recovery is not supported. However, the other tunnel can still take over if one tunnel is down.

  • An IPsec-VPN connection associated with a VPN gateway has two encrypted tunnels that work in active/standby mode. By default, traffic is transferred only through the active tunnel. If the active tunnel fails, the standby tunnel takes over. For more information, see Associate an IPsec-VPN connection with a VPN gateway.

  • An IPsec-VPN connection associated with a transit router has two tunnels for Equal-Cost Multipath (ECMP) routing. Both tunnels are used to transmit data. When one tunnel is down, traffic is switched to the other tunnel. For more information, see Use an IPsec-VPN connection that is associated with a transit router.

Important

When you create an IPsec-VPN connection, you must configure two tunnels and ensure that they are available. If you configure or use only one of the tunnels, IPsec-VPN connection redundancy based on active/standby tunnels and zone-disaster recovery are not supported. In addition, the SLA of VPN Gateway is not guaranteed.

Associate an IPsec-VPN connection with a VPN gateway

Note

Some IPsec-VPN connections associated with existing VPN gateways support only the single-tunnel mode. A single-tunnel IPsec-VPN connection may be interrupted when the tunnel fails. We recommend that you upgrade existing VPN gateways to use the dual-tunnel mode at the earliest opportunity. If the active tunnel of a dual-tunnel IPsec-VPN connection fails, the standby tunnel takes over. For more information about how to upgrade to use the dual-tunnel mode, see Upgrade a VPN gateway to enable the dual-tunnel mode.

Associate an IPsec-VPN connection with a transit router

Note

Single-tunnel IPsec-VPN connections associated with transit routers are not highly available. We recommend that you delete these connections and then create dual-tunnel IPsec-VPN connections if this operation does not compromise network connectivity.

Feature comparison

The following comparison covers the features of IPsec-VPN connections in the preceding two scenarios. For each item, the first entry applies to an IPsec-VPN connection associated with a VPN gateway and the second to an IPsec-VPN connection associated with a transit router.

Network connectivity

  • VPN gateway: Data centers can communicate only with the VPCs that are associated with VPN gateways.

  • Transit router: Data centers can communicate with VPCs by using transit routers or with other networks that are connected to transit routers.

Supported encryption algorithm

  • VPN gateway: Commercial cryptographic algorithms that comply with international standards.

  • Transit router: Commercial cryptographic algorithms that comply with international standards.

Tunnel modes supported by IPsec-VPN connections

  • VPN gateway: Dual-tunnel mode. Note: IPsec-VPN connections on some existing VPN gateways support only the single-tunnel mode. We recommend that you upgrade single-tunnel IPsec-VPN connections to dual-tunnel IPsec-VPN connections. For more information, see Upgrade a VPN gateway to enable the dual-tunnel mode.

  • Transit router: Dual-tunnel mode. Note: Single-tunnel IPsec-VPN connections are not highly available. We recommend that you delete these connections and then create dual-tunnel IPsec-VPN connections if this operation does not compromise network connectivity.

Maximum bandwidth supported by each IPsec-VPN connection

  • VPN gateway: 1,000 Mbit/s. Note: The maximum bandwidth supported by VPN gateways in some regions is 500 Mbit/s. For more information about the regions, see the Limits section of the "Create and manage a VPN gateway" topic.

  • Transit router: In dual-tunnel mode, an IPsec-VPN connection supports up to 2,000 Mbit/s, and each tunnel supports up to 1,000 Mbit/s. In single-tunnel mode, an IPsec-VPN connection supports up to 1,000 Mbit/s. You can increase the bandwidth of an IPsec-VPN connection by using other methods. For more information, see the How do I increase the maximum bandwidth of IPsec-VPN connections? section of the "FAQ about VPN gateways" topic.

Number of packets transmitted per second

  • VPN gateway: The total number of inbound and outbound packets that can be transmitted per second through a VPN gateway is 120,000. Each packet is 256 bytes in size. Note: If a VPN gateway has multiple IPsec-VPN connections, the sum of inbound and outbound packets transmitted through these connections per second must not exceed 120,000. Each packet is 256 bytes in size.

  • Transit router: In dual-tunnel mode, the total number of inbound and outbound packets that can be transmitted through a tunnel per second is 120,000. In single-tunnel mode, the total number of inbound and outbound packets that can be transmitted through an IPsec-VPN connection per second is 120,000. In both cases, each packet is 256 bytes in size.

Method used to implement high availability

  • VPN gateway: Active/standby connections.

  • Transit router: ECMP routing.

Scenarios

  • VPN gateway: connect a data center to a VPC; connect a VPC to another VPC; connect a data center to a VPC by using high-availability active/standby connections; connect multiple office networks; encrypt private connections over Express Connect circuits. For more information, see Associate IPsec-VPN connections with VPN gateways.

  • Transit router: connect a data center to a VPC; connect a data center to a VPC by using high-availability ECMP connections; connect multiple office networks; encrypt private connections over Express Connect circuits. For more information, see Associate IPsec-VPN connections with transit routers.
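The bandwidth and packet-rate figures above are two separate ceilings, and for small packets the packet-rate ceiling is the one that binds first. The following capacity check is an added example (not Alibaba Cloud's code or tooling) that encodes only the limits quoted on this page; the traffic profiles it is called with, the `Plan` type and the assumption that ECMP spreads traffic evenly across both transit-router tunnels are constructed for the example.

```python
# Added example: check a planned traffic profile against the per-connection limits
# quoted on this page. Limits used: 1,000 Mbit/s per connection on a VPN gateway
# (500 Mbit/s in some regions); 2,000 Mbit/s dual-tunnel / 1,000 Mbit/s single-tunnel
# on a transit router; 120,000 packets per second quoted with 256-byte packets.
from dataclasses import dataclass

PPS_LIMIT = 120_000        # packets per second, page figure
PPS_PACKET_BYTES = 256     # packet size at which the page quotes the figure


@dataclass
class Plan:
    association: str       # "vpn_gateway" or "transit_router" (constructed labels)
    dual_tunnel: bool
    connections: int = 1   # number of connections sharing one VPN gateway


def mbps_limit(plan: Plan) -> int:
    """Per-connection bandwidth ceiling from the comparison above."""
    if plan.association == "vpn_gateway":
        return 1_000       # 500 Mbit/s in some regions; see the Limits section
    return 2_000 if plan.dual_tunnel else 1_000


def pps_limit(plan: Plan) -> int:
    """Packet-rate ceiling for the whole planned traffic.
    VPN gateway: 120,000 pps shared by every connection on the gateway.
    Transit router: 120,000 pps per tunnel (dual, assuming even ECMP split)
    or per connection (single)."""
    if plan.association == "vpn_gateway":
        return PPS_LIMIT   # aggregate across all connections on the gateway
    return PPS_LIMIT * (2 if plan.dual_tunnel else 1)


def pps_equivalent_mbps(packet_bytes: int = PPS_PACKET_BYTES) -> float:
    """Throughput at which the packet-rate ceiling is hit for a packet size."""
    return PPS_LIMIT * packet_bytes * 8 / 1_000_000


def check(plan: Plan, total_mbps: float, avg_packet_bytes: int) -> dict:
    """Report which ceiling the planned traffic (both directions summed) exceeds."""
    pps_needed = total_mbps * 1_000_000 / 8 / avg_packet_bytes
    mbps_per_connection = total_mbps / plan.connections
    return {
        "pps_needed": round(pps_needed),
        "pps_ok": pps_needed <= pps_limit(plan),
        "bandwidth_ok": mbps_per_connection <= mbps_limit(plan),
    }


if __name__ == "__main__":
    # Constructed profile: 500 Mbit/s of 256-byte packets stays under the bandwidth
    # ceiling but needs about 244,000 pps, twice the packet-rate ceiling.
    print(check(Plan("vpn_gateway", dual_tunnel=True), 500, 256))
```

Running the block prints the 500 Mbit/s case, which fails on packet rate alone; 120,000 pps of 256-byte packets corresponds to roughly 246 Mbit/s.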

References