All Products
Search
Document Center

VPN Gateway:Configuration suggestions and FAQ about enabling communication among CIDR blocks

Last Updated:May 20, 2024

This topic provides answers to some frequently asked questions about enabling communication among CIDR blocks by using IPsec-VPN and provides configuration suggestions.

Configuration suggestions

  • If you want to establish an IPsec-VPN connection to enable communication between CIDR blocks, we recommend that you use IKEv2.

    Note

    If the peer gateway device does not support IKEv2, you can configure the IPsec-VPN connection and the peer gateway device to use IKEv1. In scenarios where IPsec-VPN connections use IKEv1, you can configure only one local CIDR block and one peer CIDR block for each IPsec-VPN connection. For more information, see the Recommended solutions section of this topic.

  • If the peer gateway device is provided by Cisco or H3C, we recommend that you use the following configurations:

    • The IPsec-VPN connection on Alibaba Cloud supports only one value for each of Encryption Algorithm, Authentication Algorithm, and DH Group in IKE Configurations and IPsec Configurations. Make sure that only one value is set for each of Encryption Algorithm, Authentication Algorithm, and DH Group (PFS) in IKE Configurations and IPsec Configurations of the peer gateway device.

    • If the Dead Peer Detection (DPD) feature is enabled for the IPsec-VPN connection, the customer gateway device must be configured with standard DPD settings.

    • The security association (SA) lifetime configured for the IPsec-VPN connection must be the same as that of the peer gateway device.

      If the peer gateway device allows you to set its traffic-based SA lifetime, you need to set it to the maximum value, which is 0 bytes for some device suppliers.

Recommended solutions

When you connect a data center to a virtual private cloud (VPC) to enable communication among CIDR blocks, we recommend that you use the following solutions.

Solution

Applicable IKE version

Description

Benefit or limit

Configuration example

Solution 1 (recommended)

  • IKEv1

  • IKEv2

Use one IPsec-VPN connection to connect the data center to the VPC. Set the routing mode of the IPsec-VPN connection to the destination-based routing mode, and set the source CIDR block and destination CIDR block of Protected Data Flows of the peer gateway device to 0.0.0.0/0 and 0.0.0.0/0. Then, configure Border Gateway Protocol (BGP) dynamic routing or static routing on the VPN gateway and data center based on your requirements.

Benefits:

  • If you want to add or delete CIDR blocks, you need to only modify the route configurations. You do not need to modify the configurations of the IPsec-VPN connection.

  • When you add or delete CIDR blocks, the IPsec-VPN connection is not interrupted and the traffic routed by other routers is not affected.

Configuration examples of Solution 1

Solution 2 (second choice)

  • IKEv1

  • IKEv2

Use one IPsec-VPN connection to connect the data center to the VPC. Aggregate the data center-side CIDR blocks into one CIDR block and the VPC-side CIDR blocks into another. Then, configure an aggregate route for the IPsec-VPN connection and the peer gateway device.

Limits:

If you want to add or delete CIDR blocks, you may need to configure a new aggregate route and modify the configurations of the IPsec-VPN connection and the peer gateway device. The modifications will cause IPsec renegotiation, which results in temporary traffic interruptions.

Configuration examples of Solution 2

Method 3

  • IKEv1

  • IKEv2

Establish multiple IPsec-VPN connections between the data center and the VPC. Each CIDR block uses one IPsec-VPN connection to communicate with another CIDR block. The IPsec-VPN connections must meet the following requirements:

  • All the IPsec-VPN connections are associated with the same VPN gateway and the same customer gateway.

  • All the IPsec-VPN connections have the same Pre-Shared Key and IKE Configurations, including the Version, Negotiation Mode, Encryption Algorithm, Authentication Algorithm, DH Group, and SA Life Cycle (seconds) (in seconds).

    The value of the LocalId parameter of each IPsec-VPN connection must be the same as the value of the RemoteId parameter of the customer gateway device. The value of the RemoteId parameter of each IPsec-VPN connection must be the same as the value of the LocalId parameter of the customer gateway device.

Note

If multiple IPsec-VPN connections are associated with the same VPN gateway and customer gateway, and use the same Internet Key Exchange (IKE) version, the IPsec-VPN connections share the same Phase 1 negotiation.

In scenarios where multiple IPsec-VPN connections share the same Phase 1 negotiation, the IPsec-VPN connections must have the same Pre-Shared Key and IKE Configurations, including the Version, Negotiation Mode, Encryption Algorithm, Authentication Algorithm, DH Group, and SA Life Cycle (seconds) (in seconds). This ensures that the IKE Configurations of each IPsec-VPN connection can be shared during IPsec negotiations.

Limits:

If you want to modify CIDR blocks, you need to modify the configurations of the IPsec-VPN connection and customer gateway device. The modifications will cause IPsec renegotiation, which results in temporary traffic interruptions.

Configuration example of Solution 3

Configuration examples

Configuration examples of Solution 1

The scenario shown in the following figure is used in this topic. In this scenario, the VPC CIDR blocks 10.1.1.0/24 and 10.1.2.0/24 need to communicate with the data center CIDR blocks 192.168.1.0/24 and 192.168.2.0/24. We recommend that you use the following configurations:

  • When you configure an IPsec-VPN connection on Alibaba Cloud, set Routing Mode to Destination Routing Mode. For more information, see the Create an IPsec-VPN connection section of the "Create and manage IPsec-VPN connections in single-tunnel mode" topic.

  • When you configure routes for the VPN gateway, we recommend that you use policy-based routes. For more information, see Configure policy-based routes.

  • Add a protected data flow whose source CIDR block and destination CIDR block are both 0.0.0.0/0 to the on-premises gateway device. For more information about the command, consult the supplier of the gateway device.

多网段方案一示例..png

Configuration example of solution 2

Example 1

The scenario shown in the following figure is used in this topic. In this scenario, the VPC CIDR blocks 10.1.1.0/24 and 10.1.2.0/24 need to communicate with the data center CIDR blocks 192.168.1.0/24 and 192.168.2.0/24. We recommend that you use the following configurations:

  • When you configure an IPsec-VPN connection on Alibaba Cloud, set Routing Mode to Protected Data Flows, set Local Network to 10.1.0.0/16, which is an aggregate CIDR block of the VPC, and set Remote Network to 192.168.0.0/16, which is an aggregate CIDR block of the data center. For more information, see the Create an IPsec-VPN connection section of the "Create and manage IPsec-VPN connections in single-tunnel mode" topic.

  • After you set Routing Mode to Protected Data Flows, the system automatically adds a policy-based route whose next hop is the IPsec-VPN connection to the Policy-based Route Table. The Source CIDR Block of the policy-based route is the Local Network of the IPsec-VPN connection and the Destination CIDR Block is the Remote Network. By default, this policy-based route is not advertised to the VPC.

    If you use the default policy-based route, you need to advertise the default policy-based route to the VPC. If you want to add a custom policy-based route, you must first delete the policy-based route that is automatically added by the system. For more information, see Configure policy-based routes.

多网段方案二示例1..png

Example 2

The scenario shown in the following figure is used in this topic. In this scenario, the VPC CIDR blocks 10.1.1.0/24 and 10.1.2.0/24 need to communicate with the data center CIDR blocks 192.168.1.0/24 and 172.16.1.0/24. We recommend that you use the following configurations:

  • When you configure an IPsec-VPN connection on Alibaba Cloud, set Routing Mode to Protected Data Flows, set Local Network to 10.1.0.0/16, which is an aggregate CIDR block of the VPC, and set Remote Network to 0.0.0.0/0. For more information, see the Create an IPsec-VPN connection section of the "Create and manage IPsec-VPN connections in single-tunnel mode" topic.

    Note

    The CIDR blocks of the data center cannot be aggregated into one CIDR block. Therefore, we recommend that you set Remote Network to 0.0.0.0/0.

  • After you set Routing Mode to Protected Data Flows, the system automatically adds a policy-based route whose next hop is the IPsec-VPN connection to the Policy-based Route Table. The Source CIDR Block of the policy-based route is the Local Network of the IPsec-VPN connection and the Destination CIDR Block is the Remote Network. By default, this policy-based route is not advertised to the VPC.

    We recommend that you do not configure a route whose destination CIDR block is 0.0.0.0/0 for the Policy-based Route Table. Instead, delete the policy-based route that is automatically added by the system and add a more specific policy-based route. For more information, see Configure policy-based routes.

多网段方案二示例2..png

Configuration examples of Solution 3

The scenario shown in the following figure is used in this topic. In this scenario, the VPC CIDR blocks 10.1.1.0/24 and 10.1.2.0/24 need to communicate with the data center CIDR blocks 192.168.1.0/24 and 172.16.1.0/24. We recommend that you use the following configurations:

  • Create multiple IPsec-VPN connections on Alibaba Cloud and set Routing Mode to Protected Data Flows for each IPsec-VPN connection. Specify one Local Network and one Remote Network for each IPsec-VPN connection. For more information, see the Create an IPsec-VPN connection section of the "Create and manage IPsec-VPN connections in single-tunnel mode" topic.

  • After you set Routing Mode to Protected Data Flows, the system automatically adds a policy-based route whose next hop is the IPsec-VPN connection to the Policy-based Route Table. The Source CIDR Block of the policy-based route is the Local Network of the IPsec-VPN connection and the Destination CIDR Block is the Remote Network. By default, this policy-based route is not advertised to the VPC.

    You need to advertise the four policy-based routes that are automatically added by the system to the VPC. For more information, see Configure policy-based routes.

多网段方案三示例..png

FAQ

Why does the system prompt that Phase 2 negotiations succeed but communication is successful only between some CIDR blocks?

Possible causes

In scenarios where a data center is connected to a VPC by using IPsec-VPN connections, if the peer gateway device is provided by Cisco or H3C, the routing mode of the IPsec-VPN connection is set to Protected Data Flows, and multiple CIDR blocks are specified, only one CIDR block can be used for communication.

This is because Alibaba Cloud VPN gateways are incompatible with the IPsec protocol used by the peer gateway device provided by Cisco or H3C. In this case, the Alibaba Cloud VPN gateway uses one SA to negotiate with the peer gateway device. However, the peer gateway device uses multiple SAs to negotiate with the VPN gateway.

Solutions

For more information, see the Recommended solutions section of this topic.

How do I enable communication among CIDR blocks if the on-premises gateway device does not support IKEv2?

If the on-premises gateway device does not support IKEv2, you can configure the IPsec-VPN connections and the on-premises gateway device to use IKEv1.

In scenarios where IPsec-VPN connections use IKEv1, you can configure only one local CIDR block and one peer CIDR block for each IPsec-VPN connection. For more information, see the Recommended solutions section of this topic.