Create an IPsec-VPN connection that is associated with a VPN gateway in single-tunnel mode - VPN Gateway

You can create IPsec-VPN connections to establish encrypted connections between data centers and virtual private clouds (VPCs). This topic describes how to create and manage IPsec-VPN connections in single-tunnel mode.

Background information

When you create an IPsec-VPN connection, you can enable or disable the following features:

DPD: the dead peer detection (DPD) feature.
After you enable DPD, the initiator of the IPsec-VPN connection sends DPD packets to check the existence and availability of the peer. If no response is received from the peer within the specified period of time, the connection fails. Then, the Internet Security Association and Key Management Protocol (ISAKMP) security association (SA), IPsec SA, and IPsec tunnel are deleted.
By default, this feature is enabled.
NAT traversal: the NAT traversal feature.
After you enable NAT traversal, the initiator does not check UDP ports during Internet Key Exchange (IKE) negotiations and can automatically discover NAT gateway devices along the IPsec tunnel.
By default, this feature is enabled.
BGP: the Border Gateway Protocol (BGP) dynamic routing feature.
After you enable BGP dynamic routing, the IPsec-VPN connection can automatically learn and advertise routes. This facilitates network maintenance and configuration.
By default, this feature is disabled.
Health check: the health check feature.
If the same VPN gateway is used to create active and standby IPsec-VPN connections, you can configure the health check feature to check the connectivity of the active and standby connections. After the health check feature is configured, the system sends Internet Control Message Protocol (ICMP) packets to the destination IP address to check the connectivity of the IPsec-VPN connections. If the active connection is down, the standby connection automatically takes over. This improves the network availability.
Note
If the IPsec-VPN connection fails the health check, the system resets the IPsec tunnel. In scenarios in which the active and standby connections are not used, we recommend that you use the DPD feature instead of the health check feature to check connectivity.
By default, this feature is disabled.

If the VPN gateway uses the latest version, the DPD, NAT traversal, BGP dynamic routing, and health check features are supported. Otherwise, you can use only the features supported by the current version of the VPN gateway.

You can check whether your VPN gateway is of the latest version by viewing the Upgrade button on the details page of the VPN gateway. If your VPN gateway is not of the latest version, you can click Upgrade to upgrade the VPN gateway. For more information, see Upgrade a VPN gateway.

Before you begin

Before you create an IPsec-VPN connection, learn about the procedure and make sure that the prerequisites are met. For more information, see the Procedure section of the "Overview" topic.

Create an IPsec-VPN connection

Log on to the VPN gateway console.
In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.
In the top navigation bar, select the region in which you want to create an IPsec-VPN connection.
Note
The IPsec-VPN connection must be created in the same region as the VPN gateway to be associated with the IPsec-VPN connection.
On the IPsec Connections page, click Create IPsec-VPN Connection.

On the Create IPsec-VPN Connection page, configure the parameters that are described in the following table and click OK.

Basic configurations

Parameter	Description
Name	The name of the IPsec-VPN connection.
Resource Group	The resource group to which the VPN gateway belongs. If you leave this parameter empty, the system displays the VPN gateways in all resource groups.
Associate Resource	The type of network resource to be associated with the IPsec-VPN connection. In this example, VPN Gateway is selected.
VPN Gateway	The VPN gateway to be associated with the IPsec-VPN connection.
Routing Mode	The routing mode of the IPsec-VPN connection. Valid values: Destination Routing Mode (default): routes and forwards traffic based on the destination IP address. Protected Data Flows: routes and forwards traffic based on the source and destination IP addresses. After you select Protected Data Flows, you must configure the Local Network and Remote Network parameters. After the IPsec-VPN connection is configured, the system automatically adds policy-based routes to the route table of the VPN gateway. By default, the policy-based routes are not advertised. You can determine whether to advertise the routes to the route table of the VPC based on your requirements. For more information, see the Advertise a policy-based route section of the "Configure policy-based routes" topic. Note If the IPsec-VPN connection is associated with a VPN gateway and the VPN gateway does not use the latest version, you do not need to specify the routing mode.
Local Network	The CIDR block of the VPC to be connected to your data center. This CIDR block is used in Phase 2 negotiations. Click the icon to the right of the field to add more CIDR blocks. Note If you specify multiple CIDR blocks, you must set the IKE version to ikev2.
Remote Network	The CIDR block of the data center to be connected to the VPC. This CIDR block is used in Phase 2 negotiations. Click the icon to the right of the field to add more CIDR blocks. Note If you specify multiple CIDR blocks, you must set the IKE version to ikev2.
Effective Immediately	Specifies whether to immediately start IPsec-VPN negotiations. Valid values: Yes (default): immediately starts IPsec-VPN negotiations after the IPsec-VPN connection is created. No: starts IPsec-VPN negotiations when inbound traffic is detected.
Customer Gateway	The customer gateway to be associated with the IPsec-VPN connection.
Pre-Shared Key	The pre-shared key that is used for authentication between the VPN gateway and the data center. The key must be 1 to 100 characters in length, and can contain digits, letters, and the following special characters: ~ ` ! @ # $ % ^ & * ( ) _ - + = { } [ ] \ \| ; : ' , . < > / ? If you do not specify a pre-shared key, the system generates a random 16-character string as the pre-shared key. After an IPsec-VPN connection is created, you can click Edit in the Actions column to view the pre-shared key that is generated for the IPsec-VPN connection. For more information, see the Modify an IPsec-VPN connection section of this topic. Important The pre-shared keys must be the same on both sides. Otherwise, the system cannot establish an IPsec-VPN connection.
Enable BGP	Specifies whether to enable BGP dynamic routing for the IPsec-VPN connection. By default, Enable BGP is turned off. Before you use BGP dynamic routing, we recommend that you know more about how it works and its limits. For more information, see Configure BGP dynamic routing.
Local ASN	The autonomous system number (ASN) of the IPsec-VPN connection on the Alibaba Cloud side. Default value: 45104. Valid values: 1 to 4294967295. You can enter the ASN in two segments and separate the first 16 bits from the following 16 bits with a period (.). Enter the number in each segment in decimal format. For example, if you enter 123.456, the ASN is 123 × 65536 + 456 = 8061384. Note We recommend that you use a private ASN to establish a connection to Alibaba Cloud over BGP. For more information about the valid values of a private ASN, see the relevant documentation.

Encryption configurations

Parameter	Description
Encryption Configuration: IKE Configurations
Version	The IKE version. Valid values: ikev1 ikev2 (default) Compared with IKEv1, IKEv2 simplifies SA negotiations and provides better support for scenarios in which communication is established among multiple CIDR blocks. We recommend that you use IKEv2.
Negotiation Mode	The negotiation mode. Valid values: main (default): This mode offers higher security during negotiations. aggressive: This mode supports faster negotiations and a higher success rate. Connections negotiated in both modes ensure the same level of security for data transmission.
Encryption Algorithm	The encryption algorithm that is used in Phase 1 negotiations. Valid values: aes, aes192, aes256, des, and 3des. By default, a value of aes specifies AES-128. Note If the bandwidth of the VPN gateway is 200 Mbit/s or higher, we recommend that you select aes, aes192, or aes256. 3des is not recommended. Advanced Encryption Standard (AES) is a symmetric-key encryption algorithm that provides high-level encryption and decryption. AES ensures secure data transmission and has little impact on network latency, throughput, and forwarding performance. Triple Data Encryption Standard (3DES) offers enhanced security by using its triple-layered encryption technique. Compared with AES encryption, 3DES encryption requires a large amount of computation, takes an extended period of time, and downgrades forwarding performance.
Authentication Algorithm	The authentication algorithm that is used in Phase 1 negotiations. Valid values: sha1, md5, sha256, sha384, and sha512. Default value: sha1.
DH Group	The Diffie-Hellman (DH) key exchange algorithm that is used in Phase 1 negotiations. Valid values: group1: DH group 1. group2 (default): DH group 2. group5: DH group 5. group14: DH group 14.
SA Life Cycle (seconds)	The lifetime of the SA after Phase 1 negotiations succeed. Unit: seconds. Default value: 86400. Valid values: 0 to 86400.
LocalId	The ID of the IPsec-VPN connection on the Alibaba Cloud side. By default, this value is the IP address of the specified VPN gateway. This parameter is used only to identify Alibaba Cloud in IPsec-VPN negotiations. You can use an IP address or a fully qualified domain name (FQDN) as the ID. We recommend that you use a private IP address as the ID of the IPsec-VPN connection on the Alibaba Cloud side. If you set the LocalId parameter to an FQDN, such as example.aliyun.com, the peer ID of the IPsec-VPN connection on the data center side must be the same as the value of the LocalId parameter. In this case, we recommend that you set the negotiation mode to aggressive.
RemoteId	The ID of the IPsec-VPN connection on the data center side. By default, this value is the IP address of the customer gateway. This parameter is used only to identify the data center in IPsec-VPN negotiations. You can use an IP address or an FQDN as the ID. We recommend that you use a private IP address as the ID of the IPsec-VPN connection in the data center. If you set the RemoteId parameter to an FQDN, such as example.aliyun.com, the local ID of the IPsec-VPN connection on the data center side must be the same as the value of the RemoteId parameter. In this case, we recommend that you set the negotiation mode to aggressive.
Encryption Configuration: IPsec Configurations
Encryption Algorithm	The encryption algorithm that is used in Phase 2 negotiations. Valid values: aes, aes192, aes256, des, and 3des. By default, a value of aes specifies AES-128. Note If the bandwidth of the VPN gateway is 200 Mbit/s or higher, we recommend that you select aes, aes192, or aes256. 3des is not recommended. Advanced Encryption Standard (AES) is a symmetric-key encryption algorithm that provides high-level encryption and decryption. AES ensures secure data transmission and has little impact on network latency, throughput, and forwarding performance. Triple Data Encryption Standard (3DES) offers enhanced security by using its triple-layered encryption technique. Compared with AES encryption, 3DES encryption requires a large amount of computation, takes an extended period of time, and downgrades forwarding performance.
Authentication Algorithm	The authentication algorithm that is used in Phase 2 negotiations. Valid values: sha1, md5, sha256, sha384, and sha512. Default value: sha1.
DH Group	The DH key exchange algorithm that is used in Phase 2 negotiations. Valid values: disabled: does not use a DH key exchange algorithm. For clients that do not support perfect forward secrecy (PFS), select disabled. If you select a value other than disabled, PFS is enabled by default. In this case, the key is updated for each negotiation. Therefore, you must enable PFS for your client. group1: DH group 1. group2 (default): DH group 2. group5: DH group 5. group14: DH group 14.
SA Life Cycle (seconds)	The lifetime of the SA after Phase 2 negotiations succeed. Unit: seconds. Default value: 86400. Valid values: 0 to 86400.
DPD	Specifies whether to enable the DPD feature. By default, the DPD feature is enabled. For VPN gateways created from April 2019 to January 2023: If IKEv1 is used when you create an IPsec-VPN connection, the timeout period of DPD packets is 30 seconds. If IKEv2 is used when you create an IPsec-VPN connection, the timeout period of DPD packets is 3,600 seconds. For VPN gateways created after February 2023: If IKEv1 is used when you create an IPsec-VPN connection, the timeout period of DPD packets is 30 seconds. If IKEv2 is used when you create an IPsec-VPN connection, the timeout period of DPD packets is 130 seconds.
NAT Traversal	Specifies whether to enable the NAT traversal feature. By default, the NAT traversal feature is enabled.

BGP configurations

If BGP dynamic routing is enabled for the IPsec-VPN connection, you must specify the CIDR block of the BGP tunnel and the IP address of the BGP tunnel on the Alibaba Cloud side.

Parameter

Description

Tunnel CIDR Block

The CIDR block of the IPsec tunnel.

The CIDR block must fall into 169.254.0.0/16 and the mask of the CIDR block must be 30 bits in length. The CIDR block cannot be 169.254.0.0/30, 169.254.1.0/30, 169.254.2.0/30, 169.254.3.0/30, 169.254.4.0/30, 169.254.5.0/30, or 169.254.169.252/30.

Local BGP IP address

The BGP IP address of the IPsec-VPN connection on the Alibaba Cloud side.

This IP address must fall within the CIDR block of the tunnel.

Health check

By default, the health check feature is disabled. Before you add health check configurations, enable the health check feature.

Important

After you enable the health check feature for the IPsec-VPN connection, add the following route to the data center: The destination CIDR block is the source IP address, the subnet mask is 32 bits in length, and the next hop is the IPsec-VPN connection. This ensures that the health check runs as expected.

Parameter	Description
Destination IP Address	The IP address of the data center with which the VPC can communicate based on the IPsec-VPN connection. Note Make sure that the destination IP address supports ICMP responses.
Source IP Address	The IP address of the VPC with which the data center can communicate based on the IPsec-VPN connection.
Retry Interval	The retry interval of the health check. Unit: seconds. Default value: 3.
Number of Retries	The number of health check retries. Default value: 3.

What to do next

After the IPsec-VPN connection is created, you must download the peer configurations of the IPsec-VPN connection and upload the configurations to an on-premises gateway device. For more information, see the Download the configurations of an IPsec-VPN connection section of this topic and Configure local gateways.

Download the configurations of an IPsec-VPN connection

After an IPsec-VPN connection is created, you can download the configurations of the IPsec-VPN connection and load the configurations to an on-premises gateway device.

Log on to the VPN Gateway console.
In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.
In the top navigation bar, select the region of the IPsec-VPN connection.
On the IPsec Connections page, find the IPsec-VPN connection that you want to manage and click Generate Peer Configuration in the Actions column.
In the IPsec-VPN Connection Configuration dialog box, click Copy and save the configurations to your on-premises machine to configure your on-premises gateway device.
For more information about how to configure an on-premises gateway device, see Configure local gateways.

Modify an IPsec-VPN connection

You cannot change the VPN gateway or customer gateway that is associated with an IPsec-VPN connection. However, you can modify the routing mode, pre-shared key, and encryption configurations of the IPsec-VPN connection.

Log on to the VPN Gateway console.
In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.
In the top navigation bar, select the region of the IPsec-VPN connection.
On the IPsec Connections page, find the IPsec-VPN connection that you want to manage and click Edit in the Actions column.
On the Modify IPsec-VPN Connection page, modify the name, encryption configurations, and CIDR blocks based on your business requirements, and then click OK.
For more information about the parameters, see the Create an IPsec-VPN connection section of this topic.

Delete an IPsec-VPN connection

Log on to the VPN Gateway console.
In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.
In the top navigation bar, select the region of the IPsec-VPN connection.
On the IPsec Connections page, find the IPsec-VPN connection that you want to delete and click Delete in the Actions column.
In the message that appears, confirm the information and click OK.

Create and manage IPsec-VPN connections by calling API operations

You can use tools such as Alibaba Cloud SDKs, Alibaba Cloud CLI, Terraform, and Resource Orchestration Service (ROS) to create and manage IPsec-VPN connections by calling API operations. For more information about the API operations, see the following topics:

Parameter	Description
Tag Key	The tag key of the IPsec-VPN connection. You can select or enter a tag key.
Tag Value	The tag value of the IPsec-VPN connection. You can select or enter a tag value. You can leave the Tag Value parameter empty.

VPN Gateway:Create and manage IPsec-VPN connections in single-tunnel mode