
VPN Gateway: Create and manage IPsec-VPN connections in dual-tunnel mode

Last Updated: Apr 03, 2025

You can create IPsec-VPN connections to establish encrypted connections between data centers and transit routers. This topic describes how to create and manage IPsec-VPN connections in dual-tunnel mode.

Before you begin

Create an IPsec-VPN connection

  1. Log on to the VPN gateway console.
  2. In the left-side navigation pane, choose Cross-network Interconnection > VPN > IPsec Connections.

  3. On the IPsec Connections page, click Bind CEN.

  4. On the Create Ipsec-vpn Connection (CEN) page, configure the IPsec-VPN connection based on the following information, and then click OK.

    Basic configurations

    Note

    When you create a VPN gateway or an IPsec-VPN connection associated with a transit router for the first time, the system automatically creates the service-linked role AliyunServiceRoleForVpn. The service-linked role allows a VPN gateway to access other cloud resources such as elastic network interfaces (ENIs) and security groups. This helps you create a VPN gateway or an IPsec-VPN connection. If the AliyunServiceRoleForVpn role already exists, the system does not create it again. For more information about AliyunServiceRoleForVpn, see AliyunServiceRoleForVpn.

    Parameter

    Description

    Name

    Specify a name for the IPsec-VPN connection.

    Region

    Select the region to which the transit router that you want to associate belongs.

    The IPsec-VPN connection is created in the same region as the transit router.

    Resource Group

    Select a resource group for the CEN instance.

    If you leave this parameter empty, the system displays the CEN instances in all resource groups.

    Gateway Type

    Select the type of gateway used by the IPsec-VPN connection.

    • Public (default): The IPsec-VPN connection is established over the Internet.

    • Private: The IPsec-VPN connection is established over a private network to encrypt private traffic.

    Bind CEN

    Select the account to which the transit router that you want to associate belongs.

    CEN Instance ID

    Select the ID of the CEN instance to which the transit router belongs.

    The system displays the ID and CIDR block of the transit router that is created by the CEN instance in the current region. The IPsec-VPN connection will be associated with the transit router.

    Note

    You must configure this parameter only when Bind CEN is set to Current Account.

    Routing Mode

    Select a routing mode for the IPsec-VPN connection.

    • Destination Routing Mode (default): Routes and forwards traffic based on destination IP addresses.

    • Protected Data Flows: Routes and forwards traffic based on source and destination IP addresses.

      If you select Protected Data Flows, you must configure Local Network and Remote Network. After the IPsec-VPN connection is configured, the system automatically adds destination-based routes to the route table of the IPsec-VPN connection. By default, the routes are advertised to the route table of the transit router that is associated with the IPsec-VPN connection.

    Local Network

    If Routing Mode is set to Protected Data Flows, you must enter the CIDR block on the Alibaba Cloud side to be connected to the data center. Phase-2 negotiation is based on the protected data flows on both sides. We recommend that you keep the value of Local Network on the Alibaba Cloud side the same as the remote network configured on the data center side.

    Click the Add icon on the right side of the text box to add multiple CIDR blocks on the Alibaba Cloud side.

    Note

    If you configure multiple CIDR blocks, you must set IKE Version to ikev2.

    Remote Network

    If Routing Mode is set to Protected Data Flows, you must enter the CIDR block on the data center side to be connected to Alibaba Cloud. Phase-2 negotiation is based on protected data flows on both sides. We recommend that you keep the value of Remote Network on the Alibaba Cloud side the same as the local network on the data center side.

    Click the Add icon on the right side of the text box to add multiple CIDR blocks on the data center side.

    Note

    If you configure multiple CIDR blocks, you must set IKE Version to ikev2.

    Immediately Effective

    Specify whether to immediately start IPsec negotiations after the configuration takes effect.

    • Yes (default): The system immediately starts IPsec negotiations after the configuration is complete.

    • No: The system starts IPsec negotiations only when traffic is detected.

    Tunnel configurations

    Important

    When you create an IPsec-VPN connection in dual-tunnel mode, you must configure both tunnels and ensure that both are available. If you configure or use only one of the tunnels, you do not get the redundancy and zone-disaster recovery that dual-tunnel mode is designed to provide.

    Parameter

    Description

    Enable BGP

    If the IPsec-VPN connection needs to use the BGP routing protocol, you must enable BGP. BGP is disabled by default.

    Before you use BGP dynamic routing, make sure that your on-premises gateway device supports BGP. We also recommend that you learn about the working mechanism and limits of BGP dynamic routing.

    Local ASN

    After you enable BGP, enter the autonomous system number (ASN) of the tunnel on the Alibaba Cloud side. Both tunnels use the same ASN. Default value: 45104. Valid values: 1 to 4294967295.

    You can enter the ASN in two segments and separate the first 16 bits from the following 16 bits with a period (.). Enter the number in each segment in the decimal format.

    For example, if you enter 123.456, the ASN is 123 × 65536 + 456 = 8061384.

    Note

    We recommend that you use a private ASN to establish a connection with Alibaba Cloud over BGP. For more information about the range of private ASNs, see the relevant documentation.
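The two-segment ASN notation above is easy to get wrong when copying values between the console and an on-premises router configuration. The following script is an added example (not Alibaba Cloud's own code) that parses a Local ASN given either as a plain decimal or as high.low, enforces the documented range of 1 to 4294967295 and the 16-bit limit of each segment, renders the inverse form, and classifies the value against the IANA private-use ASN ranges from RFC 6996 (the page itself only refers you to other documentation for those ranges).

```python
# Added example, not Alibaba Cloud's own code: parse the Local ASN field in
# either plain decimal or "high.low" two-segment form, validate it against the
# documented range, and classify it against the IANA private-use ranges.

ASN_MIN = 1
ASN_MAX = 4294967295  # 2**32 - 1, the documented upper bound


def parse_asn(text: str) -> int:
    """Return the 32-bit ASN for a plain decimal or 'high.low' string."""
    text = text.strip()
    if "." in text:
        high_s, _, low_s = text.partition(".")
        if not (high_s.isdigit() and low_s.isdigit()):
            raise ValueError(f"invalid two-segment ASN: {text!r}")
        high, low = int(high_s), int(low_s)
        # Each segment carries 16 bits, so neither may exceed 65535.
        if high > 0xFFFF or low > 0xFFFF:
            raise ValueError(f"segment exceeds 16 bits: {text!r}")
        asn = high * 65536 + low  # e.g. 123.456 -> 123 * 65536 + 456
    else:
        if not text.isdigit():
            raise ValueError(f"invalid ASN: {text!r}")
        asn = int(text)
    if not ASN_MIN <= asn <= ASN_MAX:
        raise ValueError(f"ASN {asn} outside {ASN_MIN}..{ASN_MAX}")
    return asn


def to_two_segment(asn: int) -> str:
    """Inverse of parse_asn: render a 32-bit ASN as 'high.low'."""
    return f"{asn >> 16}.{asn & 0xFFFF}"


def is_private_asn(asn: int) -> bool:
    """IANA private-use ASNs (RFC 6996): 64512-65534 and 4200000000-4294967294."""
    return 64512 <= asn <= 65534 or 4200000000 <= asn <= 4294967294


if __name__ == "__main__":
    # Constructed sample inputs; 45104 is the console default shown above.
    for sample in ("123.456", "45104", "65000", "0.65535", "4200000000"):
        value = parse_asn(sample)
        kind = "private" if is_private_asn(value) else "public"
        print(f"{sample:>12} -> {value:>10} ({to_two_segment(value)}) {kind}")
```

Running the script prints each sample in both notations; 123.456 resolves to 8061384 as in the text, and 0.0 is rejected because 0 lies outside the documented range.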

    Customer Gateway

    The customer gateway to be associated with the tunnels.

    Pre-shared Key

    The pre-shared key that is used to verify identities between the tunnels and peers.

    • The key must be 1 to 100 characters in length and can contain digits, uppercase letters, lowercase letters, and the following special characters: ~`!@#$%^&*()_-+={}[]\|;:',.<>/?. The key cannot contain space characters.

    • If you do not specify a pre-shared key, the system generates a random 16-character string as the pre-shared key. After you create the IPsec-VPN connection, you can view the pre-shared key generated by the system by clicking the Edit button of the tunnel. For more information, see Modify tunnel configurations.

    Important

    Make sure that the tunnels and peers use the same pre-shared key. Otherwise, tunnel communication cannot be established.
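The pre-shared key rules above (1 to 100 characters, the listed special characters, no spaces) are simple to check before a tunnel is created, and a mismatch between the cloud side and the on-premises device is a common reason Phase 1 fails. The following is an added example, not Alibaba Cloud's own code: it validates a key against the documented character set, generates a key from that set with the operating system's CSPRNG, and compares two keys in constant time. The 32-character default length is an assumption for this example; the console generates 16 characters when the field is left empty.

```python
import secrets
import string

# Character classes the console documents for Pre-shared Key; copied from the
# parameter description above. Added example, not Alibaba Cloud's own code.
PSK_SPECIAL = "~`!@#$%^&*()_-+={}[]\\|;:',.<>/?"
PSK_ALPHABET = string.ascii_letters + string.digits + PSK_SPECIAL
PSK_ALLOWED = frozenset(PSK_ALPHABET)
PSK_MIN_LEN, PSK_MAX_LEN = 1, 100


def validate_psk(psk: str) -> list:
    """Return the documented rules the key violates (empty list = acceptable)."""
    problems = []
    if not PSK_MIN_LEN <= len(psk) <= PSK_MAX_LEN:
        problems.append(f"length {len(psk)} not in {PSK_MIN_LEN}..{PSK_MAX_LEN}")
    if any(ch.isspace() for ch in psk):
        problems.append("contains space characters")
    bad = sorted({ch for ch in psk if ch not in PSK_ALLOWED and not ch.isspace()})
    if bad:
        problems.append("contains disallowed characters: " + "".join(bad))
    return problems


def generate_psk(length: int = 32) -> str:
    """Draw a key from the allowed alphabet with the OS CSPRNG (secrets module).

    32 characters is an assumed choice for this example; the console itself
    generates a 16-character key when the field is left empty.
    """
    if not PSK_MIN_LEN <= length <= PSK_MAX_LEN:
        raise ValueError("length outside the documented range")
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


def psk_matches(cloud_side: str, on_prem_side: str) -> bool:
    """Constant-time comparison, so checking for a mismatch does not leak where the keys differ."""
    return secrets.compare_digest(cloud_side.encode(), on_prem_side.encode())


if __name__ == "__main__":
    key = generate_psk()
    print("generated key is acceptable:", validate_psk(key) == [])
    # Constructed inputs that violate one rule each.
    for sample in ("has space", "", 'quote"inside'):
        print(repr(sample), "->", validate_psk(sample))
```

The double quote is not in the documented special-character list, so the third sample is rejected; keys that pass validation here may still be rejected by an on-premises device with its own character restrictions, which is why the comparison helper takes the exact string entered on each side.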

    Encryption Settings

    Parameter

    Description

    Encryption Settings: IKE Settings

    IKE Version

    The IKE version. Valid values:

    • ikev1

    • ikev2 (default)

      Compared with IKEv1, IKEv2 simplifies the SA negotiations and provides better support for scenarios in which multiple CIDR blocks are used. We recommend that you use IKEv2.

    Negotiation Mode

    The negotiation mode. Valid values:

    • main (default): The main mode provides higher security during negotiations.

    • aggressive: The aggressive mode is faster and has a higher success rate during negotiations.

    The modes support the same security level for data transmission.

    Encryption Algorithm

    The encryption algorithm that is used in Phase 1 negotiations.

    Valid values: aes (aes128, default), aes192, aes256, des, and 3des.

    Note

    We recommend that you use aes, aes192, or aes256. We do not recommend that you use des or 3des.

    • Advanced Encryption Standard (AES) is a symmetric-key encryption algorithm that provides high-level encryption and decryption. AES ensures secure data transmission and has little impact on network latency, throughput, and forwarding performance.

    • 3DES (Triple DES) applies the DES algorithm three times to each block, which is computationally expensive and slow. Compared with AES, 3DES reduces forwarding performance.

    Authentication Algorithm

    The authentication algorithm that is used in Phase 1 negotiations.

    Valid values: sha1 (default), md5, sha256, sha384, and sha512.

    Note

    When you add VPN configurations to your on-premises gateway device, you may need to specify the pseudorandom function (PRF) algorithm. Make sure that the PRF algorithm is the same as the authentication algorithm used in IKE negotiation.

    DH Group

    The Diffie-Hellman (DH) key exchange algorithm that is used in Phase 1 negotiations.

    • group1: DH group 1.

    • group2 (default): DH group 2.

    • group5: DH group 5.

    • group14: DH group 14.

    SA Life Cycle (seconds)

    Specify the lifecycle of the SA after Phase 1 negotiations succeed. Unit: seconds. Default value: 86400. Valid values: 0 to 86400.

    LocalId

    Enter an identifier of the tunnel for Phase 1 negotiations. The default value is the gateway IP address of the tunnel.

    This parameter is used only to identify Alibaba Cloud in IPsec-VPN negotiations. You can use an IP address or a fully qualified domain name (FQDN) as the ID. The value cannot contain spaces. We recommend that you use a private IP address.

    If LocalId uses the FQDN format, for example, if you enter example.aliyun.com, the peer ID of the IPsec-VPN connection on the on-premises gateway device must be consistent with the value of LocalId. We recommend that you select aggressive (aggressive mode) as the negotiation mode.

    RemoteId

    Enter an identifier of the peer for Phase 1 negotiations. The default value is the IP address of the customer gateway.

    This parameter is used only to identify on-premises gateway devices in IPsec-VPN negotiations. You can use an IP address or an FQDN as the ID. The value cannot contain spaces. We recommend that you use a private IP address as the ID.

    If RemoteId uses the FQDN format, for example, if you enter example.aliyun.com, the local ID on the on-premises gateway device must be consistent with the value of RemoteId. We recommend that you set the negotiation mode to aggressive.

    Encryption Settings: IPsec Settings

    Encryption Algorithm

    The encryption algorithm that is used in Phase 2 negotiations.

    Valid values: aes (aes128, default), aes192, aes256, des, and 3des.

    Note

    We recommend that you use aes, aes192, or aes256. We do not recommend that you use des or 3des.

    • Advanced Encryption Standard (AES) is a symmetric-key encryption algorithm that provides high-level encryption and decryption. AES ensures secure data transmission and has little impact on network latency, throughput, and forwarding performance.

    • 3DES (Triple DES) applies the DES algorithm three times to each block, which is computationally expensive and slow. Compared with AES, 3DES reduces forwarding performance.

    Authentication Algorithm

    The authentication algorithm that is used in Phase 2 negotiations.

    Valid values: sha1 (default), md5, sha256, sha384, and sha512.

    DH Group

    The DH key exchange algorithm that is used in Phase 2 negotiations.

    • disabled: The DH key exchange algorithm is not used.

      • If the on-premises gateway device does not support PFS, select disabled.

      • If you select a value other than disabled, the Perfect Forward Secrecy (PFS) feature is enabled by default. This feature ensures that a key is updated each time renegotiation occurs. In this case, you must also enable PFS on the on-premises gateway device.

    • group1: DH group 1.

    • group2 (default): DH group 2.

    • group5: DH group 5.

    • group14: DH group 14.

    SA Life Cycle (seconds)

    Specify the lifecycle of the SA after Phase 2 negotiations succeed. Unit: seconds. Default value: 86400. Valid values: 0 to 86400.

    DPD

    Specify whether to enable the dead peer detection (DPD) feature. By default, the DPD feature is enabled.

    After you enable the DPD feature, the IPsec-VPN connection sends DPD packets to check the existence and availability of the peer. If no response is received from the peer within the specified period of time, the connection fails. Then, the Internet Security Association and Key Management Protocol (ISAKMP) SA, IPsec SA, and IPsec tunnel are deleted. If a DPD packet timeout occurs, the IPsec-VPN connection automatically reinitiates IPsec-VPN negotiations with the tunnel. The timeout period of DPD packets is 30 seconds.

    NAT Traversal

    Select whether to enable the network address translation (NAT) traversal feature. By default, the NAT traversal feature is enabled.

    After you enable NAT traversal, the initiator does not check UDP ports during Internet Key Exchange (IKE) negotiations and can automatically discover NAT gateway devices along the IPsec tunnel.
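Several of the IKE and IPsec settings above constrain each other: multiple CIDR blocks require ikev2, des and 3des are discouraged, SA lifetimes must stay within 0 to 86400 seconds, any DH group other than disabled turns on PFS and therefore requires PFS on the on-premises device, and FQDN identifiers work best with aggressive mode. The following is an added example, not Alibaba Cloud's own code, that checks a tunnel configuration against those rules before it is entered in the console. TunnelConfig and its field names are assumptions made for this example; peer_supports_pfs records what the on-premises device can do and is not a console field. The md5 warning is an added recommendation that goes beyond the page, which lists md5 as a valid value.

```python
import ipaddress
from dataclasses import dataclass, field

# Added example, not Alibaba Cloud's own code. TunnelConfig mirrors the console
# fields described above; peer_supports_pfs is an assumed extra field that
# records whether the on-premises device supports PFS.


@dataclass
class TunnelConfig:
    ike_version: str = "ikev2"
    negotiation_mode: str = "main"
    ike_enc: str = "aes"
    ike_auth: str = "sha1"
    ike_dh: str = "group2"
    ike_lifetime: int = 86400
    ipsec_enc: str = "aes"
    ipsec_auth: str = "sha1"
    ipsec_dh: str = "group2"            # "disabled" switches PFS off
    ipsec_lifetime: int = 86400
    local_id: str = ""
    remote_id: str = ""
    local_networks: list = field(default_factory=list)
    remote_networks: list = field(default_factory=list)
    peer_supports_pfs: bool = True      # assumption about the on-premises device


DISCOURAGED_ENC = {"des", "3des"}       # the console's own recommendation
WEAK_AUTH = {"md5"}                     # added recommendation, not from the page


def is_fqdn_id(value: str) -> bool:
    """LocalId/RemoteId is an IP address or an FQDN; a non-empty value that does
    not parse as an IP address is treated as an FQDN."""
    if not value:
        return False
    try:
        ipaddress.ip_address(value)
        return False
    except ValueError:
        return True


def check_tunnel(cfg: TunnelConfig) -> list:
    """Return (level, message) findings for the rules the page states, plus the md5 note."""
    findings = []
    multi_cidr = len(cfg.local_networks) > 1 or len(cfg.remote_networks) > 1
    if multi_cidr and cfg.ike_version != "ikev2":
        findings.append(("error", "multiple CIDR blocks require IKE Version ikev2"))
    for phase, alg in (("IKE", cfg.ike_enc), ("IPsec", cfg.ipsec_enc)):
        if alg in DISCOURAGED_ENC:
            findings.append(("warning", f"{phase} encryption {alg} not recommended; use aes, aes192 or aes256"))
    for phase, alg in (("IKE", cfg.ike_auth), ("IPsec", cfg.ipsec_auth)):
        if alg in WEAK_AUTH:
            findings.append(("warning", f"{phase} authentication {alg} is weak; prefer sha256 or stronger"))
    for phase, lifetime in (("IKE", cfg.ike_lifetime), ("IPsec", cfg.ipsec_lifetime)):
        if not 0 <= lifetime <= 86400:
            findings.append(("error", f"{phase} SA life cycle {lifetime} outside 0..86400 seconds"))
    if cfg.ipsec_dh != "disabled" and not cfg.peer_supports_pfs:
        findings.append(("error", "PFS is enabled (IPsec DH Group set) but the on-premises device does not support PFS; select disabled"))
    if (is_fqdn_id(cfg.local_id) or is_fqdn_id(cfg.remote_id)) and cfg.negotiation_mode != "aggressive":
        findings.append(("info", "FQDN identifiers in use; aggressive negotiation mode is recommended"))
    return findings


if __name__ == "__main__":
    # Constructed configuration that breaks several rules at once.
    sample = TunnelConfig(ike_version="ikev1",
                          local_networks=["10.0.0.0/16", "10.1.0.0/16"],
                          remote_networks=["192.168.0.0/24"],
                          ipsec_enc="3des", ike_lifetime=90000,
                          local_id="vpn.example.com", peer_supports_pfs=False)
    for level, message in check_tunnel(sample):
        print(f"[{level}] {message}")
```

The same checks can be run on the configuration you download in step 5 before it is applied to the on-premises device, since both sides must agree on every one of these values for negotiation to succeed.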

    BGP Configuration

    If BGP is enabled for the IPsec-VPN connection, you can configure the CIDR block of the BGP tunnel and the IP address of the BGP tunnel on the Alibaba Cloud side. If BGP is not enabled when you create an IPsec-VPN connection, you can enable BGP for the tunnels and add the required configurations after the IPsec-VPN connection is created.

    Parameter

    Description

    Tunnel CIDR Block

    Enter the CIDR block of the tunnel.

    The CIDR block must fall into 169.254.0.0/16. The mask of the CIDR block must be 30 bits in length. The CIDR block cannot be 169.254.0.0/30, 169.254.1.0/30, 169.254.2.0/30, 169.254.3.0/30, 169.254.4.0/30, 169.254.5.0/30, 169.254.6.0/30, or 169.254.169.252/30.

    Note

    The two tunnels of an IPsec-VPN connection must use different CIDR blocks.

    Local BGP IP address

    Enter the BGP IP address of the local end of the tunnel.

    This IP address must fall within the CIDR block of the tunnel.
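The tunnel addressing rules above (a /30 inside 169.254.0.0/16, none of the listed reserved blocks, different blocks for the two tunnels, and a local BGP address inside the block) are exactly the kind of constraints worth checking before submitting the form, because the second tunnel is often configured by copying the first. The following is an added example, not Alibaba Cloud's own code, built on the standard ipaddress module. Rejecting the network and broadcast addresses of the /30 as the local BGP address is an added check that the page does not state.

```python
import ipaddress

# Added example, not Alibaba Cloud's own code: validate the Tunnel CIDR Block and
# Local BGP IP Address fields against the rules stated above, for both tunnels.

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
RESERVED_TUNNEL_BLOCKS = frozenset(ipaddress.ip_network(c) for c in (
    "169.254.0.0/30", "169.254.1.0/30", "169.254.2.0/30", "169.254.3.0/30",
    "169.254.4.0/30", "169.254.5.0/30", "169.254.6.0/30", "169.254.169.252/30",
))


def validate_tunnel_cidr(cidr: str) -> list:
    """Return the documented rules the block violates (empty list = acceptable)."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set
    except ValueError as exc:
        return [f"not a valid CIDR block: {exc}"]
    problems = []
    if net.version != 4 or not net.subnet_of(LINK_LOCAL):
        problems.append("must fall within 169.254.0.0/16")
    if net.prefixlen != 30:
        problems.append("mask must be 30 bits")
    if net in RESERVED_TUNNEL_BLOCKS:
        problems.append(f"{net} is reserved and cannot be used")
    return problems


def validate_local_bgp_ip(cidr: str, ip: str) -> list:
    """The local BGP address must fall within the tunnel block. Excluding the
    network and broadcast addresses of the /30 is an added check, not stated on the page."""
    problems = validate_tunnel_cidr(cidr)
    if problems:
        return problems
    net = ipaddress.ip_network(cidr)
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError as exc:
        return [f"not a valid IP address: {exc}"]
    if addr not in net:
        return [f"{addr} is not within {net}"]
    if addr in (net.network_address, net.broadcast_address):
        return [f"{addr} is the network or broadcast address of {net}"]
    return []


def validate_dual_tunnel(tunnels: list) -> dict:
    """tunnels: list of (cidr, local_bgp_ip) pairs, one per tunnel. Returns the
    problems per tunnel plus a 'pair' entry when two tunnels share a CIDR block."""
    report = {}
    for index, (cidr, ip) in enumerate(tunnels, start=1):
        report[f"tunnel{index}"] = validate_local_bgp_ip(cidr, ip)
    cidrs = [cidr for cidr, _ in tunnels]
    duplicated = len(set(cidrs)) < len(cidrs)
    report["pair"] = ["the two tunnels must use different CIDR blocks"] if duplicated else []
    return report


if __name__ == "__main__":
    # Constructed input: the second tunnel was copied from the first by mistake.
    copied = [("169.254.10.0/30", "169.254.10.1"), ("169.254.10.0/30", "169.254.10.2")]
    print(validate_dual_tunnel(copied))
    print(validate_tunnel_cidr("169.254.169.252/30"))
```

Each tunnel is reported separately so that the form can be corrected field by field; the pair-level entry catches the copy mistake even when both tunnels are individually valid.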

    Advanced configurations

    When you create an IPsec-VPN connection and directly associate it with a transit router of your account, the system selects the following three advanced features by default to help you configure routes. You can also unselect these advanced features and customize network connectivity by using the routing features of the transit router.

    Parameter

    Description

    Advertise Routes

    After you enable this feature, the system automatically advertises routes in the route table of the transit router that is associated with the IPsec-VPN connection to the BGP route table of the IPsec-VPN connection.

    Note
    • This feature takes effect only if the BGP dynamic routing feature is enabled for the IPsec-VPN connection and data center.

    • You can also disable route advertisement after the IPsec-VPN connection is created. For more information, see Disable route synchronization.

    Automatically Associate With The Default Route Table Of The Transit Router

    After you enable this feature, the IPsec-VPN connection will be associated with the default route table of the transit router. The transit router queries the default route table to forward traffic from the IPsec-VPN connection.

    Automatically Advertise System Routes To The Default Route Table Of The Transit Router

    After this feature is enabled, the system advertises the routes in the destination-based route table and the BGP route table of the IPsec-VPN connection to the default route table of the transit router.

  5. After the IPsec-VPN connection is created, find the IPsec-VPN connection on the IPsec Connections page, and then click Download Configuration in the Actions column.

  6. In the IPsec-VPN Connection Configuration dialog box, copy and save the configuration to a local path. You can use the configuration to configure your on-premises gateway device.

What to do next

  1. Configure routes for the IPsec-VPN connection.

  2. Configure the on-premises gateway device based on the configuration of the IPsec-VPN connection you download.

View tunnel information of an IPsec-VPN connection

After you create an IPsec-VPN connection, you can view the status and information of the tunnels on the details page of the IPsec-VPN connection.

  1. Log on to the VPN Gateway console.

  2. In the left-side navigation pane, choose Cross-network Interconnection > VPN > IPsec Connections.

  3. In the top navigation bar, select the region of the IPsec-VPN connection.
  4. On the IPsec Connections page, find the IPsec-VPN connection and click its ID.

  5. On the details page of the IPsec-VPN connection, view the status and information of the two tunnels of the IPsec-VPN connection.

    Field

    Description

    Tunnel/Tunnel ID

    The tunnel ID.

    Gateway IP Address

    The gateway IP address assigned by the system to the tunnel, which is used to establish an encrypted tunnel.

    Pre-Shared Key

    The pre-shared key used by the tunnel.

    The pre-shared key is encrypted by default. You can view the pre-shared key by moving the pointer over View.

    Tunnel CIDR Block

    If you enable BGP dynamic routing for the tunnel, the CIDR block of the tunnel is displayed.

    Local BGP IP Address

    If you enable BGP dynamic routing for the tunnel, the BGP IP address on the Alibaba Cloud side is displayed.

    Connection Status

    The status of the IPsec-VPN negotiations of the tunnel.

    • If the IPsec-VPN negotiations succeed, Phase 2 Negotiations Succeeded is displayed in the console.

    • If the IPsec-VPN negotiations fail, the failure information is displayed in the console. You can troubleshoot the issue based on the information. For more information, see Troubleshoot IPsec-VPN connection issues.

    Customer Gateway

    The customer gateway that is associated with the tunnel.

    The customer gateway is configured with an IP address and BGP ASN on the data center side.

    Status

    The status of the tunnel. Valid values:

    • Normal

    • Updating

    • Deleting

Manage IPsec-VPN connections

Modify tunnel configurations

You can modify tunnel configurations after you create an IPsec-VPN connection.

  1. Log on to the VPN Gateway console.

  2. In the left-side navigation pane, choose Cross-network Interconnection > VPN > IPsec Connections.

  3. In the top navigation bar, select the region of the IPsec-VPN connection.
  4. On the IPsec Connections page, find the IPsec-VPN connection and click its ID.

  5. On the details page of the IPsec-VPN connection, click the Tunnel tab, find the tunnel, and then click Edit in the Actions column.

  6. On the edit page, modify the tunnel configurations and click OK.

    For more information about the tunnel configuration parameters, see Tunnel configurations.

Modify an IPsec-VPN connection

  • If the IPsec-VPN connection is associated with a transit router, you cannot modify the transit router or gateway type associated with the IPsec-VPN connection. You can modify only the Routing Mode and Immediately Effective parameters.

  • If the IPsec-VPN connection is not associated with a transit router, you cannot modify the gateway type of the IPsec-VPN connection. You can modify only the Routing Mode and Immediately Effective parameters.

  1. Log on to the VPN Gateway console.

  2. In the left-side navigation pane, choose Cross-network Interconnection > VPN > IPsec Connections.

  3. In the top navigation bar, select the region of the IPsec-VPN connection.
  4. On the IPsec Connections page, find the IPsec-VPN connection and click Edit in the Actions column.

  5. On the Edit Ipsec-vpn Connection page, modify the name, Routing Mode, and Immediately Effective parameters of the IPsec-VPN connection, and then click OK.

    For more information about the parameters, see Basic configurations of the IPsec-VPN connection.

Enable BGP for tunnels

If BGP is not enabled when you create an IPsec-VPN connection, you can enable BGP for the tunnels after the IPsec-VPN connection is created.

Before you enable BGP dynamic routing for an IPsec-VPN connection, make sure that the customer gateway associated with the IPsec-VPN connection has a BGP ASN. If no BGP ASN is configured for the customer gateway, BGP dynamic routing cannot be enabled for the IPsec-VPN connection.

You can create a customer gateway, configure a BGP ASN, change the customer gateway associated with the tunnel, and then enable BGP for the tunnel.

  1. Log on to the VPN Gateway console.

  2. In the left-side navigation pane, choose Cross-network Interconnection > VPN > IPsec Connections.

  3. In the top navigation bar, select the region of the IPsec-VPN connection.
  4. On the IPsec Connections page, find the IPsec-VPN connection and click its ID.

  5. In the IPsec Connections section of the IPsec-VPN connection details page, click the button on the right side of Enable BGP.

  6. In the BGP Configuration dialog box, add BGP configurations and click OK.

    You must configure BGP for both tunnels. For more information about the BGP configuration parameters, see BGP Settings.

    If you want to disable BGP for the IPsec-VPN connection, click the button on the right side of Enable BGP, and then click OK in the Disable BGP Configuration dialog box.

Grant permissions on an IPsec-VPN connection to a transit router of another account

You can associate an IPsec-VPN connection with a transit router of another Alibaba Cloud account. Before you perform the association, you must grant the permissions on the IPsec-VPN connection to the transit router.

Before you grant the permissions, make sure that the IPsec-VPN connection is not associated with a transit router. If the IPsec-VPN connection is already associated with a transit router, you must first disassociate the IPsec-VPN connection from the transit router. For more information, see Delete a network instance connection.

  1. Log on to the VPN Gateway console.

  2. In the left-side navigation pane, choose Cross-network Interconnection > VPN > IPsec Connections.

  3. In the top navigation bar, select the region of the IPsec-VPN connection.
  4. On the IPsec Connections page, find the IPsec-VPN connection and click its ID.

  5. On the details page of the IPsec-VPN connection, click the Cross-account Authorization tab, and then click Cross-account Authorization.

  6. In the Join CEN dialog box, configure the following parameters and click OK.

    Parameter

    Description

    Account ID

    The ID of the Alibaba Cloud account to which the transit router belongs.

    CEN Instance ID

    The ID of the Cloud Enterprise Network (CEN) instance to which the transit router belongs.

    Payment Account

    Select the account that pays the fees.

    • CEN Account (default): The account to which the transit router belongs pays the connection fee and traffic processing fee of the transit router after the transit router is associated with the IPsec-VPN connection.

    • VPN Account: The account to which the IPsec-VPN connection belongs pays the connection fee and traffic processing fee of the transit router after the transit router is associated with the IPsec-VPN connection.

    Important
    • Proceed with caution. Your services may be interrupted if you change the payment account. For more information, see Change the payment account of a network instance.

    • After the IPsec-VPN connection is associated with a transit router, the owner of the IPsec-VPN connection pays the instance fee and data transfer fee of the IPsec-VPN connection.

  7. We recommend that you record the ID of the IPsec-VPN connection and the ID of the Alibaba Cloud account to which the IPsec-VPN connection belongs. The IDs are used when you associate an IPsec-VPN connection with a transit router of another account. For more information, see Create a VPN connection.

    You can view your account ID on the Account Management page.

Revoke permissions on an IPsec-VPN connection from a transit router of another account

If you no longer need to associate an IPsec-VPN connection with a transit router of another Alibaba Cloud account, you can revoke the permissions on the IPsec-VPN connection from the transit router. Before you revoke the permissions, you must disassociate the IPsec-VPN connection from the transit router. For more information, see Delete a network instance connection.

Delete an IPsec-VPN connection

Before you delete an IPsec-VPN connection, make sure that the IPsec-VPN connection is disassociated from the transit router. For more information, see Delete a network instance connection.

  1. Log on to the VPN Gateway console.

  2. In the left-side navigation pane, choose Cross-network Interconnection > VPN > IPsec Connections.

  3. In the top navigation bar, select the region of the IPsec-VPN connection.
  4. On the IPsec Connections page, find the IPsec-VPN connection and click Delete in the Actions column.

  5. In the dialog box that appears, confirm the information and click OK.

Create and manage an IPsec-VPN connection by calling the API

You can call the API to create and manage an IPsec-VPN connection by using Alibaba Cloud SDK (recommended), Alibaba Cloud CLI, Terraform, or Resource Orchestration Service. The following API operations are available: