
VPN Gateway:Encrypt private connections by using static routing and BGP routing

Last Updated: Nov 21, 2023

This topic describes how to encrypt the private connection between a data center and a virtual private cloud (VPC) by using a private VPN gateway (hereafter referred to as "VPN gateway"). To encrypt the private connection between a data center and a VPC, you can configure BGP routing for the VPN gateway and configure static routing for the virtual border router (VBR) that connects the data center to the VPC.

Background information

Before you start, we recommend that you understand how private connections are encrypted and the configuration methods. For more information, see Overview of configuration methods.

Scenario

Scenario diagram: private VPN gateway, static routing + static routing

The preceding scenario is used as an example in this topic. An enterprise owns a data center in Hangzhou and has a VPC (VPC1) deployed in the China (Hangzhou) region. Applications are deployed on Elastic Compute Service (ECS) instances in VPC1. Due to business growth, the enterprise wants to connect the data center to VPC1 through an Express Connect circuit and Cloud Enterprise Network (CEN). In addition, the enterprise wants to encrypt the connection between the data center and VPC1 due to security concerns.

After the data center is connected to VPC1 through CEN and an Express Connect circuit, the enterprise can create a VPN gateway in VPC1 and establish an IPsec-VPN connection between the VPN gateway and an on-premises gateway device. Then, the enterprise can configure BGP routing for the VPN gateway and configure static routing for the VBR to encrypt the private connection.

Preparations

  • Private VPN gateways are in invitational preview. Make sure that you have acquired the required permissions from your account manager or submit a ticket to acquire the permissions.

  • You must plan networks for the data center and network instances. Make sure that the CIDR block of the data center does not overlap with those of the network instances. The following table describes the CIDR blocks in this example.

    Item

    CIDR block

    IP address

    VPC1

    • Primary CIDR block: 10.0.0.0/16

    • CIDR block of vSwitch1: 10.0.0.0/24

    • CIDR block of vSwitch2: 10.0.1.0/24

    • ECS1: 10.0.1.1

    • ECS2: 10.0.1.2

    VBR

    10.0.0.0/30

    • VLAN ID: 201

    • IPv4 address on the Alibaba Cloud side: 10.0.0.2/30

    • IPv4 address on the user side: 10.0.0.1/30

      In this example, the IPv4 address on the user side is the IPv4 address of the gateway device in the data center.

    Data center

    • Primary CIDR block: 192.168.0.0/16

    • Subnet1: 192.168.0.0/24

    • Subnet2: 192.168.1.0/24

    Client: 192.168.1.1

    On-premises gateway device

    • 10.0.0.0/30

    • 192.168.0.0/24

    • VPN IP address: 192.168.0.251

      The VPN IP address refers to the IP address of the interface of the on-premises gateway device to be connected to the VPN gateway.

    • IP address of the interface connected to the Express Connect circuit: 10.0.0.1/30

    • Autonomous system number (ASN): 65530

  • VPC1 is deployed in the China (Hangzhou) region and applications are deployed on the ECS instances in VPC1. For more information, see Create and manage a VPC.

    Make sure that VPC1 in the China (Hangzhou) region contains at least two vSwitches in different zones that support Enterprise Edition transit routers. In addition, each vSwitch must have at least one idle IP address. This way, VPC1 can be attached to a CEN instance. For more information, see Connect VPCs.

    In this example, VPC1 contains two vSwitches (vSwitch1 and vSwitch2). vSwitch1 is deployed in Zone H and vSwitch2 is deployed in Zone I. ECS instances are deployed on vSwitch2. vSwitch1 is used only to associate the VPN gateway.

    Note

    When you create a VPC, we recommend that you create a dedicated vSwitch in the VPC for the VPN gateway. This way, the vSwitch can allocate a private IP address to the VPN gateway.

  • Check the gateway device in the data center. Make sure that it supports standard IKEv1 and IKEv2 protocols. To check whether the gateway device supports the IKEv1 and IKEv2 protocols, contact the gateway vendor.

  • Take note of the security group rules that apply to the ECS instances in VPC1 and the access control list (ACL) rules that apply to the client in the data center. Make sure that the rules allow the ECS instances in VPC1 to communicate with the client in the data center. For more information, see View security group rules and Add a security group rule.

Procedure

Configuration flow diagram: private VPN gateway, static routing + static routing

Step 1: Deploy Express Connect circuits

You must deploy an Express Connect circuit to connect the data center to Alibaba Cloud.

  1. Create an Express Connect circuit.

    You must apply for an Express Connect circuit in the China (Hangzhou) region. For more information, see Create and manage a dedicated connection over an Express Connect circuit or Overview of hosted connections.

    In this example, a dedicated connection over an Express Connect circuit is created.

  2. Create a VBR.

    1. Log on to the Express Connect console.

    2. In the left-side navigation pane, click Virtual Border Routers (VBRs).

    3. In the top navigation bar, select the region where you want to create a VBR.

      In this example, the China (Hangzhou) region is selected.

    4. On the Virtual Border Routers (VBRs) page, click Create VBR.

    5. In the Create VBR panel, set the following parameters and click OK.

      The following table describes only the key parameters. For more information, see Create and manage VBRs.

      Parameter

      Description

      Account

      In this example, Current Account is selected.

      Name

      In this example, VBR is used.

      Physical Connection Information

      In this example, Dedicated Physical Connection is selected, and the Express Connect circuit created in Step 1 is selected.

      VLAN ID

      In this example, 201 is used.

      Note

      Make sure that the VLAN ID of the VBR is the same as the VLAN ID of the interface that the on-premises gateway device uses to connect to the Express Connect circuit.

      Set VBR Bandwidth Value

      Select a maximum bandwidth value for the VBR.

      IPv4 Address (Alibaba Cloud Gateway)

      In this example, 10.0.0.2 is entered.

      IPv4 Address (Data Center Gateway)

      In this example, 10.0.0.1 is entered.

      Subnet Mask (IPv4 Address)

      In this example, 255.255.255.252 is entered.

  3. Add a custom route for the VBR.

    Add a custom route to advertise the on-premises CIDR block to Alibaba Cloud.

    1. On the Virtual Border Routers (VBRs) page, click the ID of the VBR.

    2. Click the Routes tab and click Add Route.

    3. In the Add Route Entry panel, set the following parameters and click OK.

      Parameter

      Description

      Next Hop Type

      Select Physical Connection Interface.

      Destination CIDR Block

      The CIDR block of the data center.

      192.168.0.0/16 is used in this example.

      Next Hop

      Select the Express Connect circuit created in Step 1.

  4. Configure the on-premises gateway device.

    You must add the following route to the on-premises gateway to route traffic destined for VPC1 from the data center to the Express Connect circuit.

    The following configurations are for reference only. The commands may vary based on the network device vendor. Contact the vendor to obtain the information about specific commands.

    ip route 10.0.0.0 255.255.0.0 10.0.0.2    //Route traffic destined for VPC1 (10.0.0.0/16) to the Alibaba Cloud side of the VBR (10.0.0.2) over the Express Connect circuit.

Step 2: Configure a CEN instance

You must attach VPC1 and the VBR to a CEN instance. Then, the data center and VPC1 can communicate with each other through CEN.

  1. Create a CEN instance.

    1. Log on to the CEN console.

    2. On the Instances page, click Create CEN Instance.

    3. In the Create CEN Instance dialog box, configure the following parameters and click OK.

      • Name: Enter a name for the CEN instance.

        In this example, CEN is used.

      • Description: Enter a description for the CEN instance.

        In this example, CEN-for-test-private-VPN-Gateway is used.

  2. Attach VPC1 to the CEN instance.

    1. On the Instances page, click the ID of the CEN instance created in Step 1.

    2. In the VPC section of the Basic Settings tab, click the Add icon.

    3. On the Connection with Peer Network Instance page, configure the following parameters and click OK:

      Parameter

      Description

      Network Type

      Select the type of network instance that you want to attach.

      In this example, VPC is selected.

      Region

      Select the region where the network instance is deployed.

      In this example, the China (Hangzhou) region is selected.

      Transit Router

      The system automatically creates a transit router in the selected region.

      Resource Owner ID

      Select the Alibaba Cloud account to which the network instance belongs.

      In this example, Current Account is selected.

      Billing Method

      In this example, the default value Pay-As-You-Go is selected.

      For more information, see Billing.

      Attachment Name

      Enter a name for the network connection.

      In this example, VPC1-test is used.

      Network Instance

      Select the ID of the network instance that you want to attach.

      In this example, VPC1 is selected.

      VSwitch

      Select vSwitches that are deployed in zones supported by the transit router.

      • If the Enterprise Edition transit router supports only one zone, select a vSwitch in the zone.

      • If the Enterprise Edition transit router supports multiple zones, select at least two vSwitches in different zones. The two vSwitches provide cross-zone disaster recovery, so data transmission between the VPC and the transit router continues if one zone fails.

        We recommend that you select a vSwitch in each zone to reduce network latency and improve network performance because data can be transmitted over a shorter distance.

      For more information, see Create a VPC connection.

      Advanced Settings

      By default, the system automatically enables the following advanced features.

      • Associate with Default Route Table of Transit Router

        After this feature is enabled, the VPC connection is automatically associated with the default route table of the transit router. The transit router forwards the traffic of the VPC based on the default route table.

      • Propagate System Routes to Default Route Table of Transit Router

        After this feature is enabled, the system routes of the VPC are advertised to the default route table of the transit router. This way, the VPC can communicate with other network instances that are connected to the transit router.

      • Automatically Creates Route That Points to Transit Router and Adds to All Route Tables of Current VPC

        After this feature is enabled, the system automatically adds the following three routes to all route tables of the VPC: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. The next hop of each route is the transit router. These routes forward traffic from the VPC to the transit router. By default, transit routers do not advertise routes to VPCs.

      The default settings are used in this example.

  3. Attach the VBR to the CEN instance.

    1. On the Connection with Peer Network Instance page, configure the following parameters and click OK:

      Parameter

      Description

      Network Type

      Select the type of network instance that you want to attach.

      In this example, Virtual Border Router (VBR) is selected.

      Region

      Select the region where the network instance is deployed.

      In this example, the China (Hangzhou) region is selected.

      Transit Router

      The transit router in the selected region is displayed.

      Resource Owner ID

      Select the Alibaba Cloud account to which the network instance belongs.

      In this example, Current Account is selected.

      Attachment Name

      Enter a name for the network connection.

      In this example, VBR-test is used.

      Network Instance

      Select the ID of the network instance that you want to attach.

      In this example, the VBR created in Step 1 is selected.

      Advanced Settings

      By default, the system automatically enables the following advanced features.

      • Associate with Default Route Table of Transit Router

        After this feature is enabled, the VBR connection is automatically associated with the default route table of the transit router. The transit router forwards the traffic of the VBR based on the default route table.

      • Propagate System Routes to Default Route Table of Transit Router

        After this feature is enabled, the system routes of the VBR are advertised to the default route table of the transit router. This way, the VBR can communicate with other network instances that are connected to the transit router.

      • Propagate Routes to VBR

        After this feature is enabled, the system automatically advertises the routes in the transit router route table that is associated with the VBR connection to the VBR.

      The default settings are used in this example.

Step 3: Deploy a VPN gateway

After you complete the preceding steps, the data center is connected to VPC1 over a private connection. However, the private connection is not encrypted. To encrypt the private connection, you must deploy a VPN gateway in VPC1.

  1. Create a VPN gateway.

    1. Log on to the VPN Gateway console.

    2. In the top navigation bar, select the region where you want to create the VPN gateway.

      The VPN gateway and the VPC to be associated must belong to the same region. In this example, the China (Hangzhou) region is selected.

    3. On the VPN Gateways page, click Create VPN Gateway.

    4. On the buy page, configure the following parameters, click Buy Now, and then complete the payment.

      Parameter

      Description

      Name

      Enter a name for the VPN gateway.

      In this example, VPNGateway1 is entered.

      Region

      Select the region where you want to deploy the VPN gateway.

      In this example, the China (Hangzhou) region is selected.

      Gateway Type

      Select the type of the VPN gateway.

      In this example, Standard is selected.

      Network Type

      Select the network type of the VPN gateway.

      Private is selected in this example.

      Tunnels

      The tunnel mode supported by IPsec-VPN connections in the region is displayed.

      VPC

      Select the VPC with which you want to associate the VPN gateway.

      In this example, VPC1 is selected.

      VSwitch

      Select a vSwitch from VPC1.

      • If you select Single-tunnel, you need to specify one vSwitch.
      • If you select Dual-tunnel, you need to specify two vSwitches.
      Note
      • The system selects a vSwitch by default. You can change or use the default vSwitch.
      • After you create a VPN gateway, you cannot change the vSwitch associated with the VPN gateway. You can view the associated vSwitch and the zone of the vSwitch on the details page of the VPN gateway.

      vSwitch 2

      Select another vSwitch from VPC1.

      Ignore this parameter if you select Single-tunnel.

      Maximum Bandwidth

      Select a maximum bandwidth value for the VPN gateway. Unit: Mbit/s.

      Traffic

      Select a billing method for the VPN gateway. Default value: Pay-by-data-transfer.

      For more information, see Billing.

      IPsec-VPN

      Private VPN gateways support only the IPsec-VPN feature.

      In this example, the default value Enable is selected for the IPsec-VPN feature.

      Duration

      Select a billing cycle. Default value: By Hour.

      Service-linked Role

      Click Create Service-linked Role. Then, the system automatically creates the service-linked role AliyunServiceRoleForVpn.

      The VPN gateway assumes this role to access other cloud resources. For more information, see AliyunServiceRoleForVpn.

      If Created is displayed, the service-linked role is created and you do not need to create it again.

    5. Return to the VPN Gateways page, check and record the private IP address of the VPN gateway that you created. This IP address is used when you configure IPsec-VPN connections.

      A newly created VPN gateway is in the Preparing state. After about 1 to 5 minutes, it enters the Normal state, which indicates that the VPN gateway is initialized and ready for use.

  2. Create a customer gateway.

    1. In the left-side navigation pane, choose Interconnections > VPN > Customer Gateways.

    2. On the Customer Gateway page, click Create Customer Gateway.

    3. In the Create Customer Gateway panel, set the following parameters and click OK.

      The following content describes only the key parameters. For more information, see Create a customer gateway.

      • Name: Enter a name for the customer gateway.

        In this example, Customer-Gateway is used.

      • IP Address: Enter the VPN IP address of the on-premises device to be connected to the VPN gateway.

        In this example, 192.168.0.251 is used.

      • ASN: Enter the ASN of the on-premises gateway device.

        In this example, 65530 is used.

  3. Create an IPsec-VPN connection.

    1. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

    2. On the IPsec-VPN connection page, click Create IPsec-VPN Connection.

    3. On the Create IPsec Connection page, set the parameters for the IPsec-VPN connection, and click OK.

      The following content describes only the key parameters. For more information, see Create and manage an IPsec-VPN connection in single-tunnel mode.

      Parameter

      Description

      Name

      Enter a name for the IPsec-VPN connection.

      In this example, IPsecConnection1 is used.

      VPN Gateway

      Select the VPN gateway that you created.

      In this example, VPNGateway1 is selected.

      Customer Gateway

      Select the customer gateway that you created.

      In this example, Customer-Gateway is selected.

      Routing Mode

      Select a routing mode.

      In this example, Destination Routing Mode is selected.

      Effective Immediately

      Specify whether to start connection negotiations immediately.

      • Yes: starts negotiations after the configuration is completed.

      • No: starts negotiations when inbound traffic is detected.

      Yes is selected in this example.

      Pre-Shared Key

      Enter a pre-shared key.

      If you do not enter a value, the system generates a random 16-character string as the pre-shared key.

      Important

      Make sure that the on-premises device and the IPsec-VPN connection use the same pre-shared key. The pre-shared key is the only credential that authenticates the two tunnel endpoints, so use the system-generated random key or one that is at least as long and random, and share it with the data center side through a channel you trust.

      In this example, fddsFF123**** is used.

      Encryption Configuration

      In this example, ikev2 is selected for the Version parameter in the IKE Configurations section. The default values are used for the other parameters.

      BGP Configuration

      In this example, BGP Configuration is enabled. The following content describes the parameters.

      • Tunnel CIDR Block: Enter the CIDR block of the IPsec tunnel.

        The CIDR block must fall within 169.254.0.0/16. The subnet mask of the CIDR block must be 30 bits in length.

        In this example, 169.254.10.0/30 is entered.

      • Local BGP IP address: Enter the BGP IP address on the VPN gateway side.

        The IP address must fall within the CIDR block of the tunnel.

        In this example, 169.254.10.1 is used. The BGP IP address on the data center side is 169.254.10.2.

      • Local ASN: Enter the ASN on the VPN gateway side.

        In this example, 65531 is entered.

        Note

        We recommend that you use a private ASN to establish the BGP session with the data center. Private ASNs are 64512 through 65534 (16-bit) and 4200000000 through 4294967294 (32-bit). Both 65530 and 65531 in this example fall within the 16-bit private range.

      Health Check

      In this example, the default settings are used.

    4. After you create an IPsec-VPN connection, click OK in the Established dialog box.

  4. Enable automatic BGP advertising for the VPN gateway.

    After automatic BGP advertising is enabled and a BGP peering session is established between the VPN gateway and the on-premises gateway device, the VPN gateway learns the prefixes that the on-premises gateway advertises (192.168.1.0/24 in this example) and adds them to the system route table of VPC1 with the VPN gateway as the next hop. The VPN gateway also advertises the routes in the system route table of VPC1 to the on-premises gateway device.

    1. In the left-side navigation pane, choose Interconnections > VPN > VPN Gateway.

    2. On the VPN Gateways page, find VPNGateway1 and choose More > Enable Automatic BGP Propagation in the Actions column.

    3. In the Enable Automatic BGP Propagation message, click OK.

  5. Download the IPsec configurations of the on-premises gateway device.

    1. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

    2. On the IPsec Connections page, find IPsecConnection1 and click Generate Peer Configuration in the Actions column.

      Save the downloaded IPsec configurations on your client.

  6. Add VPN configurations, BGP configurations, and static routes to the on-premises gateway device.

    Add VPN configurations, BGP configurations, and static routes to the on-premises gateway device based on the IPsec configurations that you downloaded.

    The following configurations are for reference only. The commands may vary based on the network device vendor. Contact the vendor to obtain the information about specific commands.

    1. Open the command-line interface (CLI) of the gateway device.

    2. Run the following commands to configure an IKEv2 proposal and policy:

      Note

      The proposal below uses the example values aes-cbc-128, sha1, and DH group 2. SHA-1 and the 1024-bit group 2 are weak by current standards. If both sides support it, use stronger values such as aes-cbc-256, sha256, and group 14 or higher, set the same values in the IKE Configurations section of the IPsec-VPN connection (IKEv2 negotiation fails unless the two ends share a proposal), and apply the same reasoning to the transform set and PFS group in the steps that follow.

      crypto ikev2 proposal alicloud  
      encryption aes-cbc-128          //Configure the encryption algorithm. In this example, aes-cbc-128 is used. 
      integrity sha1                  //Configure the authentication algorithm. In this example, sha1 is used. 
      group 2                         //Configure the DH group. In this example, group 2 is used. 
      exit
      !
      crypto ikev2 policy Pureport_Pol_ikev2
      proposal alicloud
      exit
      !
    3. Run the following command to configure an IKEv2 keyring:

      crypto ikev2 keyring alicloud
      peer alicloud
      address 10.0.0.167               //Configure the private IP address of the VPN gateway. In this example, 10.0.0.167 is used. 
      pre-shared-key fddsFF123****     //Configure the pre-shared key. In this example, fddsFF123**** is used. 
      exit
      !
    4. Run the following command to configure an IKEv2 profile:

      crypto ikev2 profile alicloud
      match identity remote address 10.0.0.167 255.255.255.255    //Configure the private IP address of the VPN gateway. In this example, 10.0.0.167 is used. 
      identity local address 192.168.0.251    //Configure the VPN IP address of the data center. In this example, 192.168.0.251 is used. 
      authentication remote pre-share   //Authenticate the remote peer (the VPN gateway) with the pre-shared key. 
      authentication local pre-share    //Authenticate the local side (the data center) with the pre-shared key. 
      keyring local alicloud            //Invoke the IKEv2 keyring. 
      exit
      !
    5. Run the following command to configure a transform set:

      crypto ipsec transform-set TSET esp-aes esp-sha-hmac
      mode tunnel
      exit
      !
    6. Run the following command to configure an IPsec profile, and bind the transform set, the Perfect Forward Secrecy (PFS) group, and the IKEv2 profile to it:

      crypto ipsec profile alicloud
      set transform-set TSET
      set pfs group2
      set ikev2-profile alicloud
      exit
      !
    7. Run the following commands to configure the IPsec tunnel:

      interface Tunnel100
      ip address 169.254.10.2 255.255.255.252    //Configure the tunnel address for the data center. In this example, 169.254.10.2 is used. 
      tunnel source GigabitEthernet1
      tunnel mode ipsec ipv4
      tunnel destination 10.0.0.167              //Configure the private IP address of the VPN gateway. In this example, 10.0.0.167 is used. 
      tunnel protection ipsec profile alicloud
      no shutdown
      exit
      !
      interface GigabitEthernet1                 //Configure the IP address of the interface that is used to connect to the VPN gateway. 
      ip address 192.168.0.251 255.255.255.0
      negotiation auto
      !
    8. Run the following command to configure BGP:

      Important

      To ensure that traffic from the VPC to the data center is routed into the encrypted tunnel of the VPN gateway, the on-premises gateway device must advertise over BGP a CIDR block that is more specific (has a longer prefix) than the data center CIDR block that the VBR advertises. Route selection uses longest-prefix match, so the more specific route learned over BGP, whose next hop is the VPN gateway, takes precedence over the 192.168.0.0/16 route that points to the transit router and the unencrypted Express Connect path.

      In this example, the CIDR block of the data center is 192.168.0.0/16, so the on-premises gateway device must advertise a more specific block. 192.168.1.0/24 is advertised. Only traffic to prefixes advertised this way is encrypted: traffic from VPC1 to 192.168.0.0/24 (Subnet1) still matches 192.168.0.0/16 and crosses the Express Connect circuit in plaintext. Advertise every subnet that must be protected.

      router bgp 65530                         //Enable BGP and configure the BGP ASN of the data center. In this example, 65530 is used. 
      bgp router-id 169.254.10.2               //Specify the ID of the BGP router. In this example, 169.254.10.2 is used. 
      bgp log-neighbor-changes
      neighbor 169.254.10.1 remote-as 65531    //Configure the ASN of the BGP peer. In this example, the BGP ASN of the VPN gateway 65531 is used. 
      neighbor 169.254.10.1 ebgp-multihop 10   //Set the EBGP hop-count to 10.   
      !
      address-family ipv4
      network 192.168.1.0 mask 255.255.255.0   //Advertise the CIDR block of the data center. In this example, 192.168.1.0/24 is advertised. 
      neighbor 169.254.10.1 activate           //Activate the BGP peer. 
      exit-address-family
      !
    9. Run the following command to configure a static route:

      ip route 10.0.0.167 255.255.255.255 10.0.0.2  //Route traffic from the data center to the VPN gateway over the Express Connect circuit. This /32 route is more specific than the 10.0.0.0/24 route that may be learned over the tunnel, so the IKE and ESP packets of the tunnel itself are never routed into the tunnel (recursive routing).

Step 4: Configure routes for the VPC and the VBR

After you complete the preceding steps, an encrypted tunnel can be established between the on-premises gateway device and the VPN gateway. You must configure routes for the VPC and the VBR to route traffic to the encrypted tunnel when the data center communicates with Alibaba Cloud.

  1. Add a custom route to VPC1.

    1. Log on to the VPC console.

    2. In the left-side navigation pane, click Route Tables.

    3. In the top navigation bar, select the region to which the route table belongs.

      In this example, the China (Hangzhou) region is selected.

    4. On the Route Tables page, find the route table that you want to manage and click its ID.

      In this example, the ID of the system route table of VPC1 is clicked.

    5. On the Route Entry List tab, click the Custom Route tab, and then click Add Route Entry.

    6. In the Add Route Entry panel, configure the following parameters and click OK.

      Parameter

      Description

      Name

      Enter a name for the custom route.

      Destination CIDR Block

      Enter the destination CIDR block of the custom route.

      In this example, IPv4 CIDR Block is selected and the VPN IP address of the on-premises gateway device is used, which is 192.168.0.251/32. This /32 route is more specific than any route the on-premises gateway could advertise over BGP for its own subnet, so the IKE and ESP packets that the VPN gateway sends to 192.168.0.251 always take the transit router and the Express Connect circuit instead of being routed into the tunnel they carry.

      Next Hop Type

      Select the type of the next hop.

      In this example, Transit Router is selected.

      Transit Router

      Select the next hop of the custom route.

      In this example, VPC1-test is selected.

  2. Add a custom route for the VBR.

    1. Log on to the Express Connect console.

    2. In the left-side navigation pane, click Virtual Border Routers (VBRs).

    3. In the top navigation bar, select the region where the VBR is deployed.

      In this example, the China (Hangzhou) region is selected.

    4. On the Virtual Border Routers (VBRs) page, click the ID of the VBR that you want to manage.

    5. Click the Routes tab and click Add Route.

    6. In the Add Route Entry panel, set the following parameters and click OK.

      Parameter

      Description

      Next Hop Type

      Select Physical Connection Interface.

      Destination CIDR Block

      Enter the VPN IP address of the on-premises gateway device.

      In this example, 192.168.0.251/32 is used.

      Next Hop

      Select the Express Connect circuit created in Step 1.
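The route tables that result from Steps 1 through 4, and the longest-prefix-match rule that decides whether a given flow enters the tunnel, can be checked before any traffic is sent. The following Python script is an added example, not code from this page or from Alibaba Cloud. It models both route tables with the page's example addresses; the next-hop values are descriptive labels, and the assumption that automatic BGP advertising delivers the vSwitch CIDRs 10.0.0.0/24 and 10.0.1.0/24 of VPC1 to the data center is marked in the code.

```python
import ipaddress

# Route tables as they stand after Steps 1-4 of this topic, built from the
# page's example addresses. Next-hop values are descriptive labels only.
# Assumption (not stated on the page): automatic BGP advertising sends the
# vSwitch CIDRs 10.0.0.0/24 and 10.0.1.0/24 of VPC1 to the data center.
VPC1_ROUTES = [
    ("10.0.0.0/16", "local"),                # VPC1 primary CIDR (system route)
    ("10.0.0.0/8", "transit-router"),        # added by the CEN VPC connection
    ("172.16.0.0/12", "transit-router"),     # added by the CEN VPC connection
    ("192.168.0.0/16", "transit-router"),    # plaintext path: CEN -> VBR -> circuit
    ("192.168.1.0/24", "vpn-gateway"),       # learned from AS 65530 over BGP
    ("192.168.0.251/32", "transit-router"),  # Step 4: keep the tunnel endpoint on the underlay
]
ONPREM_ROUTES = [
    ("192.168.0.0/24", "connected"),
    ("192.168.1.0/24", "connected"),
    ("10.0.0.0/30", "connected"),            # Express Connect link
    ("10.0.0.0/16", "10.0.0.2"),             # Step 1: static route to VPC1
    ("10.0.0.167/32", "10.0.0.2"),           # Step 3: static route to the VPN gateway
    ("10.0.0.0/24", "Tunnel100"),            # BGP from AS 65531 (assumed, see above)
    ("10.0.1.0/24", "Tunnel100"),            # BGP from AS 65531 (assumed, see above)
]
ENCRYPTED_HOPS = {"vpn-gateway", "Tunnel100"}
TUNNEL_ENDPOINTS = {"10.0.0.167", "192.168.0.251"}


def lookup(routes, dst):
    """Longest-prefix match; returns (prefix, next_hop) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return (str(best[0]), best[1]) if best else None


def classify(routes, dst):
    """How a packet to dst leaves this router: encrypted, plaintext, or tunnel underlay."""
    match = lookup(routes, dst)
    if match is None:
        return "unroutable"
    if match[1] in ENCRYPTED_HOPS:
        return "encrypted"
    if dst in TUNNEL_ENDPOINTS:
        return "tunnel-underlay"   # the tunnel's own IKE/ESP packets
    return "plaintext"


def audit(routes, destinations):
    """Classify each destination so unexpectedly plaintext flows stand out."""
    return {dst: classify(routes, dst) for dst in destinations}


def without(routes, prefix):
    """Route table with one prefix removed, for what-if checks."""
    return [r for r in routes if r[0] != prefix]


if __name__ == "__main__":
    print("VPC1 ->", audit(VPC1_ROUTES, ["192.168.1.1", "192.168.0.10", "192.168.0.251"]))
    print("on-prem ->", audit(ONPREM_ROUTES, ["10.0.1.1", "10.0.0.167"]))
    # What-if: drop the /32 from Step 3 and the tunnel endpoint resolves through the tunnel.
    print("without /32 ->", lookup(without(ONPREM_ROUTES, "10.0.0.167/32"), "10.0.0.167"))
```

Running the script shows that only 192.168.1.0/24 is reached through the VPN gateway, that traffic to Subnet1 (192.168.0.0/24) stays in plaintext on the Express Connect path because it matches only the /16, and that removing the 10.0.0.167/32 static route from Step 3 makes the tunnel endpoint itself resolve through Tunnel100, which is recursive routing and the reason that route is required. Extend the destination lists with every subnet that must be protected before you go live.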

Step 5: Check the network connectivity

After you complete the preceding steps, the data center can communicate with VPC1 over private and encrypted connections. The following content describes how to check the connectivity between the data center and VPC1, and check whether the private connection is encrypted by the VPN gateway.

  1. Check the network connectivity.

    1. Log on to ECS 1. For more information, see Connect to an ECS instance.

    2. Run the ping command to ping a client in the data center to check the network connectivity between the data center and VPC1.

      ping <the IP address of a client in the data center>

      If an echo reply packet is returned, the data center is connected to VPC1.

  2. Check whether the private connection is encrypted.

    If you can view the monitoring data of data transfer on the details page of the IPsec-VPN connection, it indicates that the private connection is encrypted.

    1. Log on to the VPN Gateway console.

    2. In the top navigation bar, select the region where the VPN gateway is deployed.

      In this example, the China (Hangzhou) region is selected.

    3. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

    4. On the IPsec Connections page, find the IPsec-VPN connection that you created in Step 3 and click its ID.

      Go to the details page of the IPsec-VPN connection to view the monitoring data of data transfer.
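The monitoring data shows that some traffic crosses the tunnel, not that every protected flow does. A stronger check is to capture on the Express Connect-facing interface of the on-premises gateway device (or a mirror of it), where every packet is on the underlay: anything between a protected data center prefix and VPC1 that is not ESP or IKE between 192.168.0.251 and 10.0.0.167 is plaintext on the wire. The following Python script is an added example, not code from this page or from Alibaba Cloud. It parses lines in the one-line summary format that tcpdump -n prints; the sample lines are constructed for this example, not a real capture.

```python
import ipaddress
import re

# Endpoints and prefixes from the page's example.
TUNNEL_ENDPOINTS = {"10.0.0.167", "192.168.0.251"}
VPC1 = ipaddress.ip_network("10.0.0.0/16")
# Prefixes the data center advertises over BGP, i.e. the only prefixes whose
# traffic is expected to ride the tunnel. 192.168.0.0/24 is deliberately absent.
PROTECTED = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed sample in tcpdump summary format (not a real capture): an IKEv2
# exchange, two ESP packets, a plaintext ping to Subnet1 (unprotected by design)
# and one plaintext packet to Subnet2 that should have been inside the tunnel.
SAMPLE_CAPTURE = """\
10:00:01.000001 IP 192.168.0.251.500 > 10.0.0.167.500: isakmp: parent_sa ikev2_I
10:00:01.000400 IP 10.0.0.167.500 > 192.168.0.251.500: isakmp: parent_sa ikev2_R
10:00:01.002000 IP 192.168.0.251 > 10.0.0.167: ESP(spi=0x1a2b3c4d,seq=0x1), length 132
10:00:01.002600 IP 10.0.0.167 > 192.168.0.251: ESP(spi=0x5e6f7a8b,seq=0x1), length 132
10:00:02.000000 IP 10.0.1.1 > 192.168.0.10: ICMP echo request, id 7, seq 1, length 64
10:00:02.000700 IP 192.168.0.10 > 10.0.1.1: ICMP echo reply, id 7, seq 1, length 64
10:00:03.000000 IP 10.0.1.2 > 192.168.1.1: ICMP echo request, id 8, seq 1, length 64
"""

# "<time> IP <src>[.<port>] > <dst>[.<port>]: <rest>"
LINE_RE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (\d+\.\d+\.\d+\.\d+)(?:\.\d+)?: (.*)$"
)


def parse(line):
    """Return (src, dst, payload_summary) for one tcpdump line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, dst, payload = m.groups()
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), payload


def in_any(addr, nets):
    return any(addr in n for n in nets)


def classify(src, dst, payload):
    """tunnel: ESP/IKE between the endpoints; leak: protected prefix seen in clear."""
    between_endpoints = {str(src), str(dst)} == TUNNEL_ENDPOINTS
    if between_endpoints and (payload.startswith("ESP") or "isakmp" in payload):
        return "tunnel"
    dc_side = in_any(src, PROTECTED) or in_any(dst, PROTECTED)
    vpc_side = src in VPC1 or dst in VPC1
    if dc_side and vpc_side:
        return "leak"          # should have been ESP; something bypassed the tunnel
    return "unprotected"       # plaintext the design never meant to encrypt


def audit(capture):
    """Count packets per class and return the offending lines for any leak."""
    counts = {"tunnel": 0, "leak": 0, "unprotected": 0}
    leaks = []
    for line in capture.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue
        kind = classify(*parsed)
        counts[kind] += 1
        if kind == "leak":
            leaks.append(line)
    return counts, leaks


if __name__ == "__main__":
    counts, leaks = audit(SAMPLE_CAPTURE)
    print(counts)
    for line in leaks:
        print("PLAINTEXT LEAK:", line)
```

Feed the output of a live capture to audit() instead of the sample. A non-zero leak count is what you would see if the BGP session drops: the 192.168.1.0/24 route is withdrawn, the 192.168.0.0/16 route through the transit router takes over, and traffic degrades silently to plaintext instead of failing closed. The unprotected count is the traffic to Subnet1 that this design never encrypts, which is worth confirming is really intended.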