When you use IPsec-VPN to connect a data center to Alibaba Cloud, you must configure the VPN gateway on Alibaba Cloud, and then add VPN configurations to the gateway device in the data center. This topic describes how to add VPN configurations to an H3C firewall device.
Scenario
This example uses the following scenario. A company has deployed a virtual private cloud (VPC) on Alibaba Cloud. The CIDR block of the VPC is 192.168.10.0/24. Applications are deployed on Elastic Compute Service (ECS) instances in the VPC. The company has a data center whose CIDR block is 192.168.66.0/24. Due to business development, the company wants to connect the data center to the VPC. The company decides to use a VPN gateway to establish an IPsec-VPN connection between the data center and the VPC, so that the data center and the VPC can communicate over the encrypted tunnel.
The following table describes the network configurations in this example.

Item | Description | Example
--- | --- | ---
VPC | Private CIDR block of the VPC to be connected to the data center | 192.168.10.0/24
VPN gateway | Public IP address of the VPN gateway | 101.XX.XX.127
Data center | Private CIDR block of the data center to be connected to the VPC | 192.168.66.0/24
Data center | Public IP address of the on-premises gateway device | 122.XX.XX.248
Data center | Interface used by the on-premises gateway to connect to the Internet | Reth1
Data center | Interface used by the on-premises gateway to connect to the data center | G2/0/10
Prerequisites
A VPN gateway, a customer gateway, and an IPsec-VPN connection are created on Alibaba Cloud, and routes are configured for the VPN gateway. For more information, see Connect a VPC to a data center in dual-tunnel mode.
The peer configurations of the IPsec-VPN connection are downloaded. For more information, see Download the peer configurations of an IPsec-VPN connection.
The following table describes the configurations of the IPsec-VPN connection in this example.
Item | Example
--- | ---
Pre-shared key | ff123TT****
Internet Key Exchange (IKE) version | ikev1
IKE negotiation mode | main
IKE encryption algorithm | aes
IKE authentication algorithm | sha1
IKE Diffie-Hellman (DH) group | group2
IKE security association (SA) lifecycle (seconds) | 86400
IPsec encryption algorithm | aes
IPsec authentication algorithm | sha1
IPsec DH group (perfect forward secrecy) | group2
IPsec SA lifecycle (seconds) | 86400

Note: If the encryption algorithm of the IPsec-VPN connection is Advanced Encryption Standard (AES), set the encryption algorithm on the H3C firewall device to AES-CBC-128 for both the IKE proposal and the IPsec transform set. The H3C device offers several AES key lengths, and only the 128-bit CBC variant matches the VPN gateway; a mismatch here is the most common cause of a phase 1 or phase 2 negotiation failure.
Configure the H3C firewall device
The following procedure is for reference only. Menu paths and parameter names vary by device model and software version; for actual operations, refer to the manual of your device.
1. Log on to the web console of the H3C firewall device.
2. In the left-side navigation pane, choose . On the Create IPsec Policy page, configure the IPsec policy based on the configurations of the IPsec-VPN connection that you downloaded.
   In the Protected Data Stream section, add the data stream to be encrypted: set the source IP address to the private CIDR block of the data center, which is 192.168.66.0/24 in this example, and set the destination IP address to the private CIDR block of the VPC, which is 192.168.10.0/24 in this example. This data stream must be the mirror image of the one configured on the VPN gateway; otherwise phase 2 negotiation fails.
3. In the left-side navigation pane, choose and click Create to add IKE configurations that match the IKE parameters in the preceding table.
4. In the left-side navigation pane, choose . Find the IPsec policy that you created and click Advanced Settings to add IPsec configurations that match the IPsec parameters in the preceding table.
   Important: Alibaba Cloud VPN Gateway supports only time-based SA lifecycle configuration; traffic-based SA lifecycle configuration is not supported, and the traffic-based SA lifecycle on the VPN gateway side is fixed at zero bytes. When you configure the H3C firewall device, set the traffic-based SA lifecycle to the maximum value so that only the time-based lifecycle triggers rekeying.
5. In the left-side navigation pane, choose to create an upstream security policy and a downstream security policy.
   The upstream security policy permits traffic from the data center to the VPC.
   The downstream security policy permits traffic from the VPC to the data center.
6. In the left-side navigation pane, choose . On the Create IPv4 Static Route page, add static routes.
   Add a static route that routes traffic destined for the VPC (192.168.10.0/24) out of the Internet-facing interface, Reth1 in this example, so that it is matched by the IPsec policy.
   Add a static route that routes traffic destined for the data center (192.168.66.0/24) to the internal interface, G2/0/10 in this example.
   Note: In this example, the second route is not required because 192.168.66.0/24 is directly connected to G2/0/10 and a direct route already exists. Add a static route based on your business requirements.
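For readers who configure the device from the CLI rather than the web console, the following is an added example, not part of the original page and not vendor-supplied configuration, showing what the preceding steps look like in Comware V7 style syntax with the values from this example. The object names (`alibaba`, proposal `1`, ACL `3000`), the zone names `Trust` and `Untrust`, and the placeholder `NEXT_HOP` (the ISP-side next hop of Reth1) are assumptions; exact keywords differ between H3C models and software versions, so check each command against the manual of your device. Lines starting with `#` are explanatory and are the section separators Comware prints in its running configuration, not commands.

```text
# IKE phase 1 proposal: IKEv1, AES-CBC-128, SHA1, DH group 2, 86400 s.
# Only aes-cbc-128 matches the VPN gateway's "aes"; aes-cbc-192/256 will not.
ike proposal 1
 encryption-algorithm aes-cbc-128
 authentication-algorithm sha
 dh group2
 sa duration 86400
#
# Pre-shared key bound to the public IP address of the VPN gateway.
ike keychain alibaba
 pre-shared-key address 101.XX.XX.127 255.255.255.255 key simple ff123TT****
#
# IKE profile: main mode, identify both peers by their public IP addresses.
ike profile alibaba
 keychain alibaba
 exchange-mode main
 local-identity address 122.XX.XX.248
 match remote identity address 101.XX.XX.127 255.255.255.255
 proposal 1
#
# IPsec phase 2: ESP in tunnel mode, AES-CBC-128, SHA1, PFS with DH group 2.
ipsec transform-set alibaba
 protocol esp
 encapsulation-mode tunnel
 esp encryption-algorithm aes-cbc-128
 esp authentication-algorithm sha1
 pfs dh-group2
#
# Protected data stream (traffic selector): data center -> VPC.
# This is the mirror image of the selector on the VPN gateway.
acl advanced 3000
 rule 0 permit ip source 192.168.66.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
#
# IPsec policy. The VPN gateway rekeys on time only, so the traffic-based
# lifetime is set to the largest value the device accepts (verify the range
# in the manual) and the time-based lifetime matches the gateway (86400 s).
ipsec policy alibaba 1 isakmp
 transform-set alibaba
 security acl 3000
 remote-address 101.XX.XX.127
 ike-profile alibaba
 sa duration time-based 86400
 sa duration traffic-based 4294967295
 sa trigger-mode auto
#
# Bind the policy to the Internet-facing interface.
interface Reth1
 ipsec apply policy alibaba
#
# Zone membership (zone names assumed) and the two security policies:
# upstream = data center -> VPC, downstream = VPC -> data center.
security-zone name Untrust
 import interface Reth1
security-zone name Trust
 import interface GigabitEthernet2/0/10
#
security-policy ip
 rule 0 name dc-to-vpc
  action pass
  source-zone Trust
  destination-zone Untrust
  source-ip-subnet 192.168.66.0 24
  destination-ip-subnet 192.168.10.0 24
 rule 1 name vpc-to-dc
  action pass
  source-zone Untrust
  destination-zone Trust
  source-ip-subnet 192.168.10.0 24
  destination-ip-subnet 192.168.66.0 24
#
# Static route toward the VPC via Reth1. NEXT_HOP is a placeholder.
# 192.168.66.0/24 is directly connected on G2/0/10, so no return route is needed.
ip route-static 192.168.10.0 24 NEXT_HOP
```

Two checks worth doing after applying this. First, the two security policies above cover only the decrypted data-plane traffic; the IKE exchange itself (UDP 500 and, with NAT traversal, UDP 4500) and ESP from 101.XX.XX.127 to the firewall's own address must also be permitted toward the Local zone, or phase 1 never starts. Second, `display ike sa` and `display ipsec sa` should show one IKE SA with the gateway's public IP and one IPsec SA pair whose flow is 192.168.66.0/24 to 192.168.10.0/24; if the IKE SA comes up but no IPsec SA appears, the usual culprits are a traffic selector that is not an exact mirror of the gateway's, or a PFS group or AES key length that differs from the downloaded configuration.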