
VPN Gateway:Configure a route for an IPsec-VPN connection

Last Updated:Sep 08, 2023

This topic describes how to configure a route for an IPsec-VPN connection after you create the connection. After you configure a route, traffic can be forwarded between Alibaba Cloud and a data center through the IPsec-VPN tunnel.

Configuration overview

The supported routing methods and the default route behavior depend on the resource with which the IPsec-VPN connection is associated, as described in the following table.

Associated resource: Transit router
  • Supported routing methods:
    • Static routing: destination-based routes
    • Border Gateway Protocol (BGP) dynamic routing
  • Default route behavior:
    • If static routing is configured for the IPsec-VPN connection, the system automatically advertises the static routes to a route table of the transit router.
    • If BGP dynamic routing is configured for the IPsec-VPN connection, the system automatically advertises the routes learned from the on-premises gateway device to a route table of the transit router.

      On the transit router, you can control whether the routes learned from other network instances are advertised to the IPsec-VPN connection. For more information, see Attach an IPsec-VPN connection to a transit router.

    Note When you create an IPsec-VPN connection and associate it with a transit router that belongs to the same Alibaba Cloud account:
    • The IPsec-VPN connection is associated with the default route table of the transit router. The transit router forwards traffic from the IPsec-VPN connection based on the default route table.
    • The destination-based routes that you configure for the IPsec-VPN connection and the routes that the IPsec-VPN connection learns through BGP dynamic routing are advertised to the default route table of the transit router.

    You can change the route table associated with the IPsec-VPN connection and the route table to which its routes are advertised. For more information, see Route learning and Associated forwarding.

Associated resource: VPN gateway
  • Supported routing methods:
    • Static routing: destination-based routes and policy-based routes
    • BGP dynamic routing
  • Default route behavior:
    • If you configure static routing for the IPsec-VPN connection, whether a route is advertised to the system route table of the virtual private cloud (VPC) with which the VPN gateway is associated depends on whether advertisement to the VPC is enabled for that route.
    • If you configure BGP dynamic routing for the IPsec-VPN connection, the IPsec-VPN connection automatically learns routes from the data center and from the system route table of the VPC, and automatically advertises the routes in the system route table of the VPC to the data center.

      If you enable automatic route advertisement on the VPN gateway, the IPsec-VPN connection also automatically advertises the routes learned from the data center to the system route table of the VPC.

Configure destination-based routes for an IPsec-VPN connection

The operations for configuring destination-based routes for an IPsec-VPN connection vary based on the resource associated with the IPsec-VPN connection:
  • If the IPsec-VPN connection is associated with a transit router, you must configure destination-based routes on the IPsec-VPN connection. For more information, see the following section.
  • If the IPsec-VPN connection is associated with a VPN gateway, you must configure destination-based routes on the VPN gateway. For more information, see Create a destination-based route.
Before you configure destination-based routes for an IPsec-VPN connection, take note of the following limits:
  • You cannot create a destination-based route whose destination CIDR block is 0.0.0.0/0. Specify the actual CIDR blocks of the data center instead of a default route.

  • Do not add a destination-based route whose destination CIDR block is 100.64.0.0/10, a subnet of 100.64.0.0/10, or a CIDR block that contains 100.64.0.0/10. This range is the shared address space defined in RFC 6598. If such a route is added, the status of the IPsec-VPN connection cannot be displayed in the console, or IPsec negotiations fail.

  1. Log on to the VPN Gateway console.
  2. In the top navigation bar, select the region of the IPsec-VPN connection.
  3. On the IPsec Connections page, find the IPsec-VPN connection and click its ID.
  4. On the Destination-based routing tab, click Add Route Entry.

  5. In the Add Route Entry panel, set the following parameters and click OK.
    Parameter: Destination CIDR Block
      Enter the CIDR block on the data center side.
    Parameter: Next Hop Type
      Select IPsec Connection.
    Parameter: Next Hop
      Select an IPsec-VPN connection.
    Parameter: Weight
      Select a weight for the route. Valid values:
      • 100: specifies a high priority.
      • 0: specifies a low priority.
      Note
      • If a route table contains multiple destination-based routes that have the same destination CIDR block but different weights, the route with the higher priority is used to forward traffic.
      • If a route table contains multiple destination-based routes that have the same destination CIDR block and the same weight, one of the routes is randomly selected to forward traffic. To use two IPsec-VPN connections as an active/standby pair for the same destination, assign them different weights.
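The following Python script is an added example that is not part of this topic or of the VPN Gateway product; it models the rules above locally so that a set of destination-based routes can be checked before they are entered in the console (for example, when the routes are kept in version control). It rejects 0.0.0.0/0 and anything that equals, lies inside, or contains 100.64.0.0/10, enforces the two valid weights, and resolves which entry forwards traffic when several routes share a destination: the higher weight wins, and equal weights are chosen at random. The connection IDs and CIDR blocks in the sample are constructed placeholders.

```python
import ipaddress
import random
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Ranges that the topic says a destination-based route may not use.
DEFAULT_ROUTE = ipaddress.IPv4Network("0.0.0.0/0")
SHARED_ADDRESS_SPACE = ipaddress.IPv4Network("100.64.0.0/10")  # RFC 6598 shared address space
VALID_WEIGHTS = (100, 0)  # 100 = high priority, 0 = low priority


@dataclass(frozen=True)
class DestinationRoute:
    destination: ipaddress.IPv4Network  # CIDR block on the data center side
    next_hop: str                        # IPsec-VPN connection ID (placeholder values in the sample)
    weight: int


def validate_destination(cidr: str) -> ipaddress.IPv4Network:
    """Return the parsed CIDR block, or raise ValueError if it breaks a documented limit."""
    # IPv4Network is strict by default, so a block with host bits set (10.0.0.1/24) is rejected too.
    net = ipaddress.IPv4Network(cidr)
    if net == DEFAULT_ROUTE:
        raise ValueError("0.0.0.0/0 cannot be a destination-based route")
    # overlaps() is true when net equals, is contained in, or contains 100.64.0.0/10,
    # which are exactly the three cases the topic forbids.
    if net.overlaps(SHARED_ADDRESS_SPACE):
        raise ValueError(f"{net} overlaps 100.64.0.0/10: the connection status cannot be "
                         "displayed and IPsec negotiation fails")
    return net


def is_valid_destination(cidr: str) -> bool:
    """Boolean wrapper around validate_destination for quick checks."""
    try:
        validate_destination(cidr)
        return True
    except ValueError:
        return False


def build_route_table(entries: Sequence[Tuple[str, str, int]]) -> List[DestinationRoute]:
    """Validate (destination, next hop, weight) tuples and return the route entries."""
    table = []
    for cidr, next_hop, weight in entries:
        if weight not in VALID_WEIGHTS:
            raise ValueError(f"weight must be one of {VALID_WEIGHTS}, got {weight}")
        table.append(DestinationRoute(validate_destination(cidr), next_hop, weight))
    return table


def select_route(table: Sequence[DestinationRoute], destination: str,
                 rng=random) -> Optional[DestinationRoute]:
    """Pick the entry that forwards traffic for a destination CIDR block present in the table."""
    dest = ipaddress.IPv4Network(destination)
    candidates = [r for r in table if r.destination == dest]
    if not candidates:
        return None
    best = max(r.weight for r in candidates)          # higher weight = higher priority
    winners = [r for r in candidates if r.weight == best]
    return rng.choice(winners)                         # equal weights: random selection


# Constructed sample: an active/standby pair for one data center subnet and two
# equal-weight routes for another. The IDs are placeholders, not real connection IDs.
SAMPLE_ENTRIES = [
    ("192.168.10.0/24", "vco-primary", 100),
    ("192.168.10.0/24", "vco-backup", 0),
    ("192.168.20.0/24", "vco-primary", 100),
    ("192.168.20.0/24", "vco-backup", 100),
]

if __name__ == "__main__":
    routes = build_route_table(SAMPLE_ENTRIES)
    for dest in ("192.168.10.0/24", "192.168.20.0/24"):
        print(dest, "->", select_route(routes, dest).next_hop)
    for bad in ("0.0.0.0/0", "100.100.0.0/16", "100.0.0.0/8"):
        print(bad, "accepted" if is_valid_destination(bad) else "rejected")
```

The script only mirrors the limits stated in this topic; the console and the API remain the authority on what is accepted. Running it shows the 192.168.10.0/24 traffic always leaving through the weight-100 connection, while the 192.168.20.0/24 choice varies between runs, which is why an active/standby design should not give both connections the same weight.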