When you use IPsec-VPN to connect a data center to Alibaba Cloud, you must configure the VPN gateway on Alibaba Cloud, and then add VPN configurations to the gateway device in the data center. This topic uses an H3C firewall device as an example to describe how to add VPN configurations to an on-premises gateway device.
Scenarios
This topic uses the following scenario as an example. A company has deployed a virtual private cloud (VPC) on Alibaba Cloud. The CIDR block of the VPC is 192.168.10.0/24. Applications are deployed on Elastic Compute Service (ECS) instances in the VPC. The company has a data center whose CIDR block is 192.168.66.0/24. Due to business development, the company wants to connect the data center to the VPC. The company decides to use a VPN gateway to establish an IPsec-VPN connection between the data center and the VPC. This way, the data center can communicate with the VPC.
The following table describes the network configurations in this example.
Item | Parameter | Example |
---|---|---|
VPC | Private CIDR block that needs to communicate with the data center | 192.168.10.0/24 |
VPN gateway | Public IP address of the VPN gateway | 101.XX.XX.127 |
Data center | Private CIDR block that needs to communicate with the VPC | 192.168.66.0/24 |
Data center | Public IP address of the on-premises gateway device | 122.XX.XX.248 |
Data center | Interface used by the on-premises gateway to connect to the Internet | Reth1 |
Data center | Interface used by the on-premises gateway to connect to the data center | G2/0/10 |
Prerequisites
- A VPN gateway, a customer gateway, and an IPsec-VPN connection are created on Alibaba Cloud. Routes are configured for the VPN gateway. For more information, see Connect a data center to a VPC.
- The configuration of the IPsec-VPN connection is downloaded. For more information, see Download the configuration file of an IPsec-VPN connection.
The following table describes the configuration of the IPsec-VPN connection in this example.
Category | Parameter | Example |
---|---|---|
Pre-shared key | | ff123TT**** |
IKE configurations | IKE version | ikev1 |
IKE configurations | Negotiation mode | main |
IKE configurations | Encryption algorithm | aes (Note: If the encryption algorithm of the IPsec-VPN connection is Advanced Encryption Standard (AES), the encryption algorithm of the H3C firewall device must be AES-CBC-128.) |
IKE configurations | Authentication algorithm | sha1 |
IKE configurations | DH group | group2 |
IKE configurations | SA life cycle (seconds) | 86400 |
IPsec configurations | Encryption algorithm | aes (Note: If the encryption algorithm of the IPsec-VPN connection is AES, the encryption algorithm of the H3C firewall device must be AES-CBC-128.) |
IPsec configurations | Authentication algorithm | sha1 |
IPsec configurations | DH group | group2 |
IPsec configurations | SA life cycle (seconds) | 86400 |
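The following pre-flight check is an added example, not part of the original topic or of any Alibaba Cloud or H3C tooling. It compares the cloud-side parameters from the table above with a planned device-side configuration and applies the AES to AES-CBC-128 rule from the note. The device-side dictionaries, their key names, and all function names are constructed for illustration.

```python
# Added example: pre-flight comparison of IPsec-VPN parameters on both sides.
# Cloud-side values come from the table above. The device-side dicts and all
# key names are constructed for illustration, not exported from an H3C device.

CLOUD = {
    "ike":   {"version": "ikev1", "mode": "main", "enc": "aes",
              "auth": "sha1", "dh": "group2", "lifetime": 86400},
    "ipsec": {"enc": "aes", "auth": "sha1", "dh": "group2", "lifetime": 86400},
}

# Rule stated in the note: cloud-side "aes" corresponds to AES-CBC-128 on the device.
ENC_EQUIVALENT = {"aes": "aes-cbc-128"}


def normalize(field, value):
    """Lower-case a value and translate cloud-side cipher names to device-side names."""
    value = str(value).strip().lower()
    return ENC_EQUIVALENT.get(value, value) if field == "enc" else value


def find_mismatches(cloud, device):
    """Return (phase, field, cloud_value, device_value) for each parameter that differs."""
    problems = []
    for phase, params in cloud.items():
        for field, expected in params.items():
            actual = device.get(phase, {}).get(field)  # None means "not configured"
            if actual is None or normalize(field, expected) != normalize(field, actual):
                problems.append((phase, field, expected, actual))
    return problems


# Constructed device-side plans: one that matches, one with typical mistakes.
DEVICE_OK = {
    "ike":   {"version": "ikev1", "mode": "main", "enc": "AES-CBC-128",
              "auth": "sha1", "dh": "group2", "lifetime": 86400},
    "ipsec": {"enc": "AES-CBC-128", "auth": "sha1", "dh": "group2", "lifetime": 86400},
}
DEVICE_BAD = {
    "ike":   {"version": "ikev1", "mode": "aggressive", "enc": "AES-CBC-256",
              "auth": "sha1", "dh": "group2", "lifetime": 86400},
    "ipsec": {"enc": "AES-CBC-128", "auth": "md5", "dh": "group2"},
}

if __name__ == "__main__":
    for phase, field, want, got in find_mismatches(CLOUD, DEVICE_BAD):
        print(f"{phase}.{field}: cloud={want!r} device={got!r}")
```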
Configure the H3C firewall device
Note: The following content is for reference only. For actual operations, refer to the manual of the device.