Create and manage IPsec-VPN connections in single-tunnel mode - VPN Gateway

You can create IPsec-VPN connections to establish encrypted connections between data centers and transit routers. This topic describes how to create and manage IPsec-VPN connections in single-tunnel mode.

Important

IPsec-VPN connections that are associated with transit routers have been upgraded to dual-tunnel mode. To create an IPsec-VPN connection, see Create and manage IPsec-VPN connections in dual-tunnel mode. You can read this topic to manage and modify IPsec-VPN connections in single-tunnel mode.

Before you begin

Before you create an IPsec-VPN connection, learn about the procedure and make sure that the prerequisites are met. For more information, see Procedure.

Create an IPsec-VPN connection

Log on to the VPN gateway console.
In the left-side navigation pane, choose Cross-network Interconnection > VPN > IPsec Connections.
On the IPsec Connections page, click Bind CEN.

On the Create Ipsec-vpn Connection (CEN) page, configure the IPsec-VPN connection based on the following information, and then click OK.

Basic configurations

Note

When you create a VPN gateway or an IPsec-VPN connection associated with a transit router for the first time, the system automatically creates the service-linked role AliyunServiceRoleForVpn. The service-linked role allows a VPN gateway to access other cloud resources such as elastic network interfaces (ENIs) and security groups. This helps you create a VPN gateway or an IPsec-VPN connection. If the AliyunServiceRoleForVpn role already exists, the system does not create it again. For more information about AliyunServiceRoleForVpn, see AliyunServiceRoleForVpn.

Parameter	Description
Name	Enter a name for the IPsec-VPN connection.
Region	Select the region to which the transit router that you want to associate belongs. The IPsec-VPN connection is created in the same region as the transit router.
Resource Group	Select a resource group for the CEN instance. If you leave this parameter empty, the system displays the CEN instances in all resource groups.
Gateway Type	Select the type of gateway used by the IPsec-VPN connection. Public (default): establishes an IPsec-VPN connection over the Internet. Private: establishes an IPsec-VPN connection over a private network.
Bind CEN	Select the account to which the transit router that you want to associate belongs. Current Account: If you select this option, you must specify a CEN instance that belongs to your account. When you create the IPsec-VPN connection, the system associates the IPsec-VPN connection with the transit router in the region of the CEN instance. Cross Account: If you select this option, the IPsec-VPN connection is not associated with a transit router after the connection is created. After you grant permissions on the IPsec-VPN connection to a transit router within another account, you can associate the IPsec-VPN connection with the transit router. If you do not grant the permissions, the IPsec-VPN connection can be associated only with a transit router within your account.
CEN Instance ID	Select the ID of the CEN instance to which the transit router belongs. The system displays the ID and CIDR block of the transit router that is created by the CEN instance in the current region. The IPsec-VPN connection will be associated with the transit router. You need to configure this parameter only when you select Current Account for Bind CEN.
Zone	Select a zone. Resources are deployed in the selected zone. You need to configure this parameter only when you select Current Account for Bind CEN.
Routing Mode	Select a routing mode for the IPsec-VPN connection. Destination Routing Mode (default): routes and forwards traffic based on destination IP addresses. Protected Data Flows: routes and forwards traffic based on source and destination IP addresses. If you select Protected Data Flows, you must configure Local Network and Remote Network. After the IPsec-VPN connection is configured, the system automatically adds destination-based routes to the route table of the IPsec-VPN connection. By default, the routes are advertised to the route table of the transit router that is associated with the IPsec-VPN connection.
Local Network	If you set Routing Mode to Protected Data Flows, enter the CIDR block on the Alibaba Cloud side to be connected to the data center. Phase-2 negotiation is based on protected data flows on both sides. We recommend that you configure the same CIDR block for Local Network on the Alibaba Cloud side and the remote network on the data center side. Click the icon on the right side of the text box to add multiple CIDR blocks on the Alibaba Cloud side. Note If you configure multiple CIDR blocks, you must select ikev2 for the IKE version.
Remote Network	If you set Routing Mode to Protected Data Flows, enter the CIDR block on the data center side to be connected to Alibaba Cloud. Phase-2 negotiation is based on protected data flows on both sides. We recommend that you configure the same CIDR block for Remote Network on the Alibaba Cloud side and the local network on the data center side. Click the icon on the right side of the text box to add multiple CIDR blocks on the data center side. Note If you configure multiple CIDR blocks, you must select ikev2 for the IKE version.
Immediately Effective	Specify whether to immediately start IPsec negotiations after the configuration takes effect. Yes (default): The system immediately starts IPsec negotiations after the configuration is complete. No: The system starts IPsec negotiations only when traffic is detected.
Customer Gateway	Select the customer gateway that you want to associate with the IPsec-VPN connection.
Pre-shared Key	Enter the authentication key of the IPsec-VPN connection. The key is used for identity authentication between the transit router and the data center. The key must be 1 to 100 characters in length and can contain digits, uppercase letters, lowercase letters, and the following special characters: ~`!@#$%^&()_-+={}[]\\|;:',.<>/?. The key cannot contain space characters. If you do not specify a pre-shared key, the system generates a random 16-character string as the pre-shared key. After you create the IPsec-VPN connection, you can click Edit* to view the pre-shared key that is generated by the system. For more information, see Modify an IPsec-VPN connection. Important The pre-shared keys configured on both sides of the IPsec-VPN connection must be the same. Otherwise, the IPsec-VPN connection cannot be established.
Enable BGP	If you want to use BGP routing for the IPsec-VPN connection, turn on Enable BGP. By default, Enable BGP is turned off. Before you use BGP dynamic routing, we recommend that you learn about how it works and its limits. For more information, see Configure BGP dynamic routing.
Local ASN	If you enable BGP for the IPsec-VPN connection, enter the autonomous system number (ASN) of the IPsec-VPN connection on the Alibaba Cloud side. Default value: 45104. Valid values: 1 To 4294967295. You can enter the ASN in two segments and separate the first 16 bits from the following 16 bits with a period (.). Enter the number in each segment in the decimal format. For example, if you enter 123.456, the ASN is 123 × 65536 + 456 = 8061384. Note We recommend that you use a private ASN to establish a connection with Alibaba Cloud over BGP. Refer to the relevant documentation for the private ASN range.

Encryption settings

Parameter	Description
Encryption Settings: IKE Configuration
Version	Select an IKE version. ikev1 ikev2 (default) Compared with IKEv1, IKEv2 simplifies SA negotiations and provides better support for scenarios in which multiple CIDR blocks are used. We recommend that you use IKEv2.
Negotiation Mode	Select a negotiation mode. main (default): The main mode provides higher security during negotiations. aggressive: The aggressive mode is faster and has a higher success rate during negotiations. The modes support the same security level for data transmission.
Encryption Algorithm	Select the encryption algorithm that is used in Phase 1 negotiations. Valid values: aes (aes128, default), aes192, aes256, des, and 3des. Note We recommend that you use aes, aes192, or aes256. We do not recommend that you use des or 3des. Advanced Encryption Standard (AES) is a symmetric-key encryption algorithm that provides high-level encryption and decryption. AES ensures secure data transmission and has little impact on network latency, throughput, and forwarding performance. 3des is a triple data encryption algorithm that requires a long encryption period and has high algorithm complexity and large computing workloads. Compared with AES, 3DES reduces forwarding performance.
Authentication Algorithm	Select the authentication algorithm that is used in Phase 1 negotiations. Valid values: sha1 (default), md5, sha256, sha384, and sha512.
DH Group	Select the DH key exchange algorithm that is used in Phase 1 negotiations. group1: DH group 1. group2 (default): DH group 2. group5: DH group 5. group14: DH group 14.
SA Lifetime (seconds)	Specify the lifecycle of the SA after Phase 1 negotiations succeed. Unit: seconds. Default value: 86400. Valid values: 0 To 86400.
LocalId	The identifier of the IPsec-VPN connection on the Alibaba Cloud side. The identifier is used in Phase 1 negotiations. The default identifier is the gateway IP address of the IPsec-VPN connection. This parameter is used only to identify Alibaba Cloud in IPsec-VPN negotiations. You can use an IP address or a fully qualified domain name (FQDN) as the ID. The value cannot contain spaces. We recommend that you use a private IP address as the identifier of the IPsec-VPN connection on the Alibaba Cloud side. If you use an FQDN as the LocalId, for example, example.aliyun.com, the peer ID of the IPsec-VPN connection on the data center side must be the same as the value of LocalId. We recommend that you select aggressive as the negotiation mode.
RemoteId	The identifier of the IPsec-VPN connection on the data center side. The identifier is used in Phase 1 negotiations. The default value is the IP address of the customer gateway. This parameter is used only to identify the data center in IPsec-VPN negotiations. You can use an IP address or an FQDN as the ID. The value cannot contain spaces. We recommend that you use a private IP address as the identifier of the IPsec-VPN connection on the data center side. If you use an FQDN as the RemoteId, for example, example.aliyun.com, the local ID of the IPsec-VPN connection on the data center side must be the same as the value of RemoteId. We recommend that you select aggressive as the negotiation mode.
Encryption Settings: Ipsec Configuration
Encryption Algorithm	Select the encryption algorithm that is used in Phase 2 negotiations. Valid values: aes (aes128, default), aes192, aes256, des, and 3des. Note We recommend that you use aes, aes192, or aes256. We do not recommend that you use des or 3des. Advanced Encryption Standard (AES) is a symmetric-key encryption algorithm that provides high-level encryption and decryption. AES ensures secure data transmission and has little impact on network latency, throughput, and forwarding performance. 3des is a triple data encryption algorithm that requires a long encryption period and has high algorithm complexity and large computing workloads. Compared with AES, 3DES reduces forwarding performance.
Authentication Algorithm	Select the authentication algorithm that is used in Phase 2 negotiations. Valid values: sha1 (default), md5, sha256, sha384, and sha512.
DH Group	Select the DH key exchange algorithm that is used in Phase 2 negotiations. disabled: The DH key exchange algorithm is not used. For clients that do not support PFS, select disabled. If you select a value other than disabled, the Perfect Forward Secrecy (PFS) feature is enabled by default. This way, each renegotiation requires a new key. Therefore, you must also enable PFS for the client. group1: DH group 1. group2 (default): DH group 2. group5: DH group 5. group14: DH group 14.
SA Lifetime (seconds)	Specify the lifecycle of the SA after Phase 2 negotiations succeed. Unit: seconds. Default value: 86400. Valid values: 0 To 86400.
DPD	Select whether to enable the dead peer detection (DPD) feature. By default, the DPD feature is enabled. After you enable the DPD feature, the IPsec-VPN connection sends DPD packets to check the existence and availability of the peer. If no response is received from the peer within the specified period of time, the connection fails. Then, the Internet Security Association and Key Management Protocol (ISAKMP) SA, IPsec SA, and IPsec tunnel are deleted. If a DPD packet timeout occurs, the IPsec-VPN connection automatically reinitiates IPsec-VPN negotiations with the tunnel. The timeout period of DPD packets is 30 seconds.
NAT Traversal	Select whether to enable the network address translation (NAT) traversal feature. By default, the NAT traversal feature is enabled. After you enable NAT traversal, the initiator does not check UDP ports during IKE negotiations and can automatically discover NAT gateway devices along the IPsec tunnel.

BGP Configuration

If you enable BGP for the IPsec-VPN connection, you must specify the CIDR block of the BGP tunnel and the BGP IP address on the Alibaba Cloud side.

Parameter

Description

Tunnel CIDR Block

Enter the CIDR block of the IPsec tunnel.

The CIDR block must fall into 169.254.0.0/16. The mask of the CIDR block must be 30 bits in length. The CIDR block cannot be 169.254.0.0/30, 169.254.1.0/30, 169.254.2.0/30, 169.254.3.0/30, 169.254.4.0/30, 169.254.5.0/30, 169.254.6.0/30, or 169.254.169.252/30.

Local BGP IP address

Enter the BGP IP address of the IPsec-VPN connection on the Alibaba Cloud side.

This IP address must fall into the CIDR block of the IPsec tunnel.

Health check

By default, the health check feature is disabled. Before you add a health check configuration, enable the health check feature.

Important

After you configure the health check feature for the IPsec-VPN connection, add a route to the data center. Set the destination CIDR block to Source IP Address, the subnet mask to 32 bits, and the next hop to the IPsec-VPN connection. This ensures that the health check feature of the IPsec-VPN connection works as expected.

Parameter	Description
Destination IP Address	Enter the IP address of the data center that Alibaba Cloud can access over the IPsec-VPN connection. Note Make sure that the destination IP address supports ICMP responses.
Source IP Address	Enter the IP address on Alibaba Cloud that the data center can access over the IPsec-VPN connection.
Retry Interval	Select the retry interval of the health check. Unit: seconds. Default value: 3.
Number of Retries	Enter the number of health check retries. Default value: 3.
Switch Route	Select whether to allow the system to withdraw routes if a health check fails. Default value: Yes. If you select Yes, the system withdraws advertised routes if a health check fails. If you clear Yes, the system does not withdraw advertised routes if a health check fails.

Advanced configuration

When you create an IPsec-VPN connection and directly associate it with a transit router of your account, the system selects the following three advanced features by default to help you configure routes. You can also unselect these advanced features and customize network connectivity by using the routing features of the transit router.

Parameter	Description
Advertise Routes	After you enable this feature, the system automatically advertises routes of the route table of the transit router associated with the IPsec-VPN connection to the BGP route table associated with the IPsec-VPN connection. Note This feature takes effect only if the BGP dynamic routing feature is enabled for the IPsec-VPN connection and data center. You can also disable this feature by using the Advertise Routes feature. For more information, see Disable route synchronization.
Associate With The Default Route Table Of The Transit Router	After this feature is enabled, the IPsec-VPN connection is associated with the default route table of the transit router. The transit router queries the default route table to forward traffic from the IPsec-VPN connection.
Advertise System Routes To The Default Route Table Of The Transit Router	After this feature is enabled, the system advertises the routes in the destination-based route table and the BGP route table of the IPsec-VPN connection to the default route table of the transit router.

What to do next

Configure routes for the IPsec-VPN connection.
Configure the on-premises gateway device based on the configuration of the IPsec-VPN connection you download.

Manage IPsec-VPN connections

Grant permissions on an IPsec-VPN connection to a transit router of another Alibaba Cloud account

You can associate an IPsec-VPN connection with a transit router of another Alibaba Cloud account. Before you perform the association, you must grant the permissions on the IPsec-VPN connection to the transit router.

Before you grant the permissions, make sure that the IPsec-VPN connection is not associated with a transit router. If the IPsec-VPN connection is already associated with a transit router, you must first disassociate the IPsec-VPN connection from the transit router. For more information, see Delete a network instance connection.

Log on to the VPN Gateway console.
In the left-side navigation pane, choose Cross-network Interconnection > VPN > IPsec Connections.
In the top navigation bar, select the region of the IPsec-VPN connection.
On the Ipsec-vpn Connections page, find the IPsec-VPN connection and click its ID.
On the details page of the IPsec-VPN connection, click the Cross-account Authorization tab and then click Cross-account Authorization.

In the Join CEN dialog box, configure the following parameters and click OK.

Parameter	Description
Account UID	Enter the ID of the Alibaba Cloud account to which the transit router belongs.
CEN Instance ID	Enter the ID of the Cloud Enterprise Network (CEN) instance to which the transit router belongs.
Payment Account	Select the payer. CEN Account (default): The account to which the transit router belongs pays the connection fee and traffic processing fee of the transit router after the transit router is associated with the IPsec-VPN connection. VPN Account: The account to which the IPsec-VPN connection belongs pays the connection fee and traffic processing fee of the transit router after the transit router is associated with the IPsec-VPN connection. Important Proceed with caution. Your services may be interrupted if you change the payment account. For more information, see Change the payment account of a network instance. After the IPsec-VPN connection is associated with a transit router, the owner account of the IPsec-VPN connection pays the instance fee and data transfer fee of the IPsec-VPN connection.

Record the ID of the IPsec-VPN connection and the ID of the Alibaba Cloud account to which the IPsec-VPN connection belongs. You need the IDs when you create a VPN connection. For more information, see Create a VPN connection.
You can view your account ID on the Account Management page.

Revoke permissions on an IPsec-VPN connection from a transit router of another Alibaba Cloud account

If you no longer need to associate an IPsec-VPN connection with a transit router of another Alibaba Cloud account, you can revoke the permissions on the IPsec-VPN connection from the transit router.

If the IPsec-VPN connection is already associated with a transit router, disassociate the IPsec-VPN connection from the transit router before you revoke the permissions. For more information, see Delete a network instance connection.

Modify an IPsec-VPN connection

If the IPsec-VPN connection is already associated with a transit router, you cannot modify the following information about the IPsec-VPN connection: the associated transit router, zone, or gateway type. However, you can modify the following information: the customer gateway, routing mode, pre-shared key, and advanced configurations.
If the IPsec-VPN connection is not associated with any resource, you cannot modify the gateway type of the IPsec-VPN connection. However, you can modify the customer gateway, routing mode, pre-shared key, and advanced configurations of the IPsec-VPN connection.

Log on to the VPN Gateway console.
In the left-side navigation pane, choose Cross-network Interconnection > VPN > IPsec Connections.
In the top navigation bar, select the region of the IPsec-VPN connection.
On the Ipsec-vpn Connections page, find the IPsec-VPN connection and click Edit in the Actions column.
On the Edit Ipsec-vpn Connection page, modify the name, encryption settings, and CIDR blocks of the IPsec-VPN connection, and then click OK.
For more information about the parameters, see Create an IPsec-VPN connection.

Delete an IPsec-VPN connection

If the IPsec-VPN connection is associated with a transit router, disassociate the IPsec-VPN connection from the transit router before you delete the IPsec-VPN connection. For more information, see Delete a network instance connection.

Log on to the VPN Gateway console.
In the left-side navigation pane, choose Cross-network Interconnection > VPN > IPsec Connections.
In the top navigation bar, select the region of the IPsec-VPN connection.
On the Ipsec-vpn Connections page, find the IPsec-VPN connection and click Delete in the Actions column.
In the dialog box that appears, confirm the information and click OK.

Create and manage IPsec-VPN connections by calling the API

You can use Alibaba Cloud SDK (recommended), Alibaba Cloud CLI, Terraform, and Resource Orchestration Service to call the API to create and manage IPsec-VPN connections. The following API operations are available: