
VPN Gateway:Create and manage IPsec-VPN connections in dual-tunnel mode

Last Updated: Mar 15, 2024

You can create IPsec-VPN connections to establish encrypted communication. This topic describes how to create and manage IPsec-VPN connections in dual-tunnel mode.

Background information

When you create an IPsec-VPN connection, you can enable or disable the following features:

  • DPD: the dead peer detection (DPD) feature.

    After you enable DPD, the initiator of the IPsec-VPN connection periodically sends DPD packets to check whether the peer is still reachable. If the peer does not respond within the DPD timeout period, the peer is considered dead: the connection fails, and the Internet Security Association and Key Management Protocol (ISAKMP) security association (SA), the IPsec SA, and the IPsec tunnel are deleted. The timeout period depends on the IKE version and on when the VPN gateway was created. For more information, see the DPD parameter in the IPsec configurations table.

    By default, this feature is enabled.

  • NAT traversal: the NAT traversal feature.

    After you enable NAT traversal, the initiator no longer rejects IKE packets whose UDP source port was rewritten by a NAT device during Internet Key Exchange (IKE) negotiations, and it automatically detects NAT devices along the path of the IPsec tunnel. When a NAT device is detected, IKE and ESP traffic is encapsulated in UDP on port 4500 so that it can pass through the NAT device. Make sure that the firewall in front of your on-premises gateway device allows UDP port 500 and UDP port 4500 from the VPN gateway. If no NAT device is on the path, ESP (IP protocol 50) must also be allowed.

    By default, this feature is enabled.

  • BGP: the Border Gateway Protocol (BGP) dynamic routing feature.

    After you enable BGP dynamic routing, the IPsec-VPN connection can automatically learn and advertise routes. This facilitates network maintenance and configuration.

    By default, this feature is disabled.

Prerequisites

The preceding steps of the IPsec-VPN configuration procedure are complete: the VPN gateway and the customer gateway that the IPsec-VPN connection will use already exist. For more information, see Procedure.

Create an IPsec-VPN connection

  1. Log on to the VPN Gateway console.
  2. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

  3. In the top navigation bar, select the region in which you want to create an IPsec-VPN connection.

    Note

    The IPsec-VPN connection must be created in the region of the VPN gateway to be associated with the IPsec-VPN connection.

  4. On the IPsec Connections page, click Create IPsec-VPN Connection.

  5. On the Create IPsec-VPN Connection page, configure the parameters that are described in the following table and click OK.

    Basic configurations

    Parameter

    Description

    Name

    The name of the IPsec-VPN connection.

    Resource Group

    The resource group to which the VPN gateway belongs.

    If you leave this parameter empty, the system displays the VPN gateways in all resource groups.

    Associate Resource

    The type of network resource to be associated with the IPsec-VPN connection.

    Select VPN Gateway.

    VPN Gateway

    The VPN gateway to be associated with the IPsec-VPN connection.

    Routing Mode

    The routing mode of the IPsec-VPN connection. Valid values:

    • Destination Routing Mode (default): routes and forwards traffic based on the destination IP address.

    • Protected Data Flows: routes and forwards traffic based on the source and destination IP addresses.

      After you select Protected Data Flows, you must configure the Local Network and Remote Network parameters.

      After you configure the IPsec-VPN connection, the system automatically adds a policy-based route to the policy-based route table of the VPN gateway. The source CIDR block of the route is the local CIDR block of the IPsec-VPN connection, which is specified by the Local Network parameter. The destination CIDR block of the route is the peer CIDR block of the IPsec-VPN connection, which is specified by the Remote Network parameter. The next hop of the route is the IPsec-VPN connection. By default, the policy-based route is not advertised. You can advertise the policy-based route to the route table of the virtual private cloud (VPC) to be connected based on your business requirements. For more information, see Advertise a policy-based route.

    Local Network

    The CIDR block of the VPC to be connected to your data center. This CIDR block is used in Phase 2 negotiations.

    Click the Add icon to the right of the field to add more CIDR blocks.

    Note

    If you specify multiple CIDR blocks, you must set the IKE version to ikev2.

    Remote Network

    The CIDR block of the data center to be connected to the VPC. This CIDR block is used in Phase 2 negotiations.

    Click the Add icon to the right of the field to add more CIDR blocks.

    Note

    If you specify multiple CIDR blocks, you must set the IKE version to ikev2.

    Effective Immediately

    Specifies whether to immediately start IPsec-VPN negotiations. Valid values:

    • Yes (default): immediately starts IPsec-VPN negotiations after the IPsec-VPN connection is created.

    • No: starts IPsec-VPN negotiations when inbound traffic is detected.

    Enable BGP

    Specifies whether to enable BGP dynamic routing for the tunnels. By default, BGP dynamic routing is disabled.

    After BGP dynamic routing is enabled, the tunnels can automatically learn and advertise data center routes and VPC routes over BGP.

    Before you use BGP dynamic routing, we recommend that you know more about how it works and its limits. For more information, see Configure BGP dynamic routing.

    Local ASN

    The local autonomous system number (ASN) of the tunnel. Default value: 45104. Valid values: 1 to 4294967295.

    Note

    We recommend that you use a private ASN to establish a connection to Alibaba Cloud over BGP. Private ASNs are 64512 to 65534 (16-bit) and 4200000000 to 4294967294 (32-bit), as defined in RFC 6996. For more information about the valid values of a private ASN, see the relevant documentation.

    Tunnel configurations

    The following table describes the tunnel parameters. By default, Tunnel 1 is the primary tunnel and Tunnel 2 is the secondary tunnel. You cannot change the primary or secondary role of the tunnels.

    Parameter

    Description

    Customer Gateway

    The customer gateway to be associated with the tunnels.

    Both tunnels can be associated with the same customer gateway.

    Pre-Shared Key

    The pre-shared key that the tunnels and their peers use to authenticate each other during IKE negotiations. Treat it as a secret: anyone who knows it can authenticate as either side of the tunnel.

    • The key must be 1 to 100 characters in length, and can contain digits, letters, and the following special characters: ~ ` ! @ # $ % ^ & * ( ) _ - + = { } [ ] \ | ; : ' , . < > / ?

    • If you do not specify a pre-shared key, the system generates a random 16-character string as the pre-shared key. After the IPsec-VPN connection is created, you can click Edit to view the pre-shared key generated by the system. For more information, see Modify the configurations of a tunnel.

    Important

    Make sure that the tunnels and peers use the same pre-shared key. Otherwise, tunnel communication cannot be established.
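    The console generates a 16-character key if you leave the field empty, but teams that manage many tunnels usually generate and validate keys themselves before pasting them into the console. The following script is an added example written for this page, not code from Alibaba Cloud or from the console: it enforces the length and character-set rules listed above, generates keys from a CSPRNG, and estimates their entropy. The 32-character minimum and the single-character-class check are a local policy assumed for the example, not console rules. A long random key matters most when the peer only supports IKEv1 aggressive mode, in which the pre-shared key hash is exposed to offline guessing.

```python
from __future__ import annotations

import math
import secrets
import string

# Characters the console accepts in a pre-shared key: digits, letters, and the
# special characters listed on this page. Space and the double quote are not in
# that list, so this check rejects them too.
PSK_SPECIALS = "~`!@#$%^&*()_-+={}[]\\|;:',.<>/?"
PSK_ALPHABET = string.ascii_letters + string.digits + PSK_SPECIALS
PSK_MIN_LEN, PSK_MAX_LEN = 1, 100  # console limits from this page

# Local policy (an assumption for this example, not a console rule): at least
# 32 characters, i.e. about 209 bits from this 93-symbol alphabet.
RECOMMENDED_MIN_LEN = 32

CHARACTER_CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, PSK_SPECIALS)


def entropy_bits(psk: str) -> float:
    """Entropy of a key of this length drawn uniformly from PSK_ALPHABET."""
    return len(psk) * math.log2(len(PSK_ALPHABET))


def validate_psk(psk: str, min_len: int = RECOMMENDED_MIN_LEN) -> list[str]:
    """Return the problems found with the key; an empty list means it passes."""
    problems = []
    if not PSK_MIN_LEN <= len(psk) <= PSK_MAX_LEN:
        problems.append(f"length {len(psk)} is outside the console limit {PSK_MIN_LEN}..{PSK_MAX_LEN}")
    rejected = sorted({c for c in psk if c not in PSK_ALPHABET})
    if rejected:
        problems.append(f"characters the console rejects: {''.join(rejected)!r}")
    if len(psk) < min_len:
        problems.append(f"shorter than the local minimum of {min_len} characters")
    # A key drawn from one character class (e.g. only lowercase letters) has far
    # less entropy than its length suggests, so flag it.
    if len(psk) > 1 and sum(any(c in cls for c in psk) for cls in CHARACTER_CLASSES) < 2:
        problems.append("uses only one character class")
    return problems


def generate_psk(length: int = RECOMMENDED_MIN_LEN) -> str:
    """Generate a key with a CSPRNG that passes validate_psk() at this length."""
    if not PSK_MIN_LEN <= length <= PSK_MAX_LEN:
        raise ValueError("length outside the console limits")
    while True:  # rejection sampling: retry the rare single-class draw
        psk = "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))
        if not validate_psk(psk, min_len=length):
            return psk


if __name__ == "__main__":
    key = generate_psk()
    print(key, f"(about {entropy_bits(key):.0f} bits)")
```

Run the script once per tunnel and store the output in your secrets manager before entering it in the console; both tunnels of a connection may use the same customer gateway, but nothing requires them to share a key.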

    Encryption configurations: IKE configurations

    Parameter

    Description

    Version

    The IKE version. Valid values:

    • ikev1

    • ikev2 (default)

      Compared with IKEv1, IKEv2 simplifies SA negotiations and provides better support for scenarios in which communication is established among multiple CIDR blocks. We recommend that you use IKEv2.

    Negotiation Mode

    The negotiation mode, which applies only to IKEv1 Phase 1 (IKEv2 has a single exchange type and ignores this parameter). Valid values:

    • main (default): the peers exchange identities only after the Diffie-Hellman shared secret is established, so the identity payloads and the pre-shared key based authentication hash are encrypted. This mode offers higher security during negotiations.

    • aggressive: completes Phase 1 in three messages instead of six, which is faster and succeeds in setups where main mode cannot, for example when a peer identifies itself by FQDN. However, the identities and the authentication hash are sent in the clear, so anyone who captures the exchange can attempt offline guessing of the pre-shared key. Use a long, random pre-shared key if you select aggressive.

    Connections negotiated in both modes protect the data traffic in the same way. The difference lies only in what is exposed during the handshake.

    Encryption Algorithm

    The encryption algorithm that is used in Phase 1 negotiations.

    Valid values: aes, aes192, aes256, des, and 3des. By default, a value of aes specifies AES-128.

    Note

    If the bandwidth of the VPN gateway is 200 Mbit/s or higher, we recommend that you select aes, aes192, or aes256. 3des is not recommended.

    • Advanced Encryption Standard (AES) is a symmetric-key block cipher with a 128-bit block and a 128-, 192-, or 256-bit key. AES is the recommended choice: it is secure, widely supported, and has little impact on network latency, throughput, and forwarding performance.

    • Triple Data Encryption Standard (3DES) applies DES three times with a 168-bit key, but its effective strength is about 112 bits and it keeps the 64-bit DES block size, which limits how much data can safely be encrypted under one key. 3DES is deprecated by NIST and, compared with AES, requires far more computation and downgrades forwarding performance. Select it only when the peer device does not support AES.

    • des uses a single 56-bit key and can be brute-forced with modest resources. Do not use it for production traffic.

    Authentication Algorithm

    The authentication algorithm that is used in Phase 1 negotiations.

    Valid values: sha1, md5, sha256, sha384, and sha512. Default value: sha1. The algorithm is used for HMAC integrity protection and as the pseudo-random function of the IKE SA. md5 is broken and should not be used. sha1 is the default for compatibility with older devices; select sha256 or stronger whenever the peer supports it.

    DH Group

    The Diffie-Hellman (DH) key exchange group that is used in Phase 1 negotiations. Larger groups make the shared secret harder to recover. Valid values:

    • group1: DH group 1 (768-bit MODP). Too weak for current use.

    • group2 (default): DH group 2 (1024-bit MODP). Considered weak; keep it only for compatibility with devices that support nothing stronger.

    • group5: DH group 5 (1536-bit MODP).

    • group14: DH group 14 (2048-bit MODP). Recommended.

    SA Life Cycle (seconds)

    The lifetime of the SA after Phase 1 negotiations succeed. Unit: seconds. Default value: 86400. Valid values: 0 to 86400.

    LocalId

    The local ID of the tunnel. The default value is the IP address of the VPN gateway.

    This parameter is used only to identify Alibaba Cloud in IPsec-VPN negotiations. You can use an IP address or a fully qualified domain name (FQDN) as the ID. We recommend that you use a private IP address.

    If you set the LocalId parameter to an FQDN, such as example.aliyun.com, the peer ID of the IPsec-VPN connection on an on-premises gateway device must be the same as the value of the LocalId parameter. In this case, we recommend that you set the negotiation mode to aggressive.

    RemoteId

    The peer ID of the tunnel. The default value is the IP address of the customer gateway.

    This parameter is used only to identify on-premises gateway devices in IPsec-VPN negotiations. You can use an IP address or an FQDN as the ID. We recommend that you use a private IP address.

    If you set the RemoteId parameter to an FQDN, such as example.aliyun.com, the local ID of the IPsec-VPN connection on an on-premises gateway device must be the same as the value of the RemoteId parameter. In this case, we recommend that you set the negotiation mode to aggressive.

    Encryption configurations: IPsec configurations

    Parameter

    Description

    Encryption Algorithm

    The encryption algorithm that is used in Phase 2 negotiations.

    Valid values: aes, aes192, aes256, des, and 3des. By default, a value of aes specifies AES-128.

    Note

    If the bandwidth of the VPN gateway is 200 Mbit/s or higher, we recommend that you select aes, aes192, or aes256. 3des is not recommended.

    The same considerations apply as for the Phase 1 encryption algorithm: AES is secure and fast; 3DES is deprecated by NIST, keeps a 64-bit block size, and downgrades forwarding performance; des uses a single 56-bit key and must not be used for production traffic. The Phase 2 algorithm is the one that actually protects your data packets, so choose it at least as carefully as the Phase 1 algorithm.

    Authentication Algorithm

    The authentication algorithm that is used in Phase 2 negotiations.

    Valid values: sha1, md5, sha256, sha384, and sha512. Default value: sha1. This algorithm provides the HMAC integrity check on every ESP packet. md5 should not be used; select sha256 or stronger whenever the peer supports it.

    DH Group

    The DH key exchange group that is used in Phase 2 negotiations. Selecting a group enables perfect forward secrecy (PFS). Valid values:

    • disabled: does not perform a DH key exchange in Phase 2, so PFS is disabled and the IPsec SA keys are derived from the IKE SA keys. If the IKE SA keys are ever compromised, all IPsec SAs derived from them are exposed.

      • For clients that do not support PFS, select disabled.

      • If you select a value other than disabled, PFS is enabled: a fresh DH exchange is performed for each Phase 2 negotiation, so the keys of each IPsec SA are independent of the IKE SA keys and of earlier IPsec SAs. In this case, you must also enable PFS with the same group on your client; otherwise, Phase 2 negotiation fails because the proposals do not match.

    • group1: DH group 1 (768-bit MODP). Too weak for current use.

    • group2 (default): DH group 2 (1024-bit MODP). Considered weak; keep it only for compatibility.

    • group5: DH group 5 (1536-bit MODP).

    • group14: DH group 14 (2048-bit MODP). Recommended.

    SA Life Cycle (seconds)

    The lifetime of the SA after Phase 2 negotiations succeed. Unit: seconds. Default value: 86400. Valid values: 0 to 86400.

    DPD

    Specifies whether to enable the DPD feature. By default, the DPD feature is enabled.

    • For VPN gateways created from April 2019 to January 2023:

      • If IKEv1 is used when you create an IPsec-VPN connection, the timeout period of DPD packets is 30 seconds.

      • If IKEv2 is used when you create an IPsec-VPN connection, the timeout period of DPD packets is 3,600 seconds.

    • For VPN gateways created after February 2023:

      • If IKEv1 is used when you create an IPsec-VPN connection, the timeout period of DPD packets is 30 seconds.

      • If IKEv2 is used when you create an IPsec-VPN connection, the timeout period of DPD packets is 130 seconds.

    NAT Traversal

    Specifies whether to enable the NAT traversal feature. By default, the NAT traversal feature is enabled.
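    The tables above list every value the console accepts, but several of the defaults (sha1, group2) and several accepted values (des, 3des, md5, group1, PFS disabled, IKEv1 aggressive mode) are ones a review should flag before a tunnel goes live. The following script is an added example for this page, not code from Alibaba Cloud: it models a tunnel's IKE and IPsec parameters with the console's own value names, reports the weak choices with the reason, and renders each phase as a strongSwan-style proposal string for the on-premises side. The mapping from console names to strongSwan keywords (aes to aes128, group14 to modp2048, and so on) is an assumption for illustration; confirm it against your own device's documentation. The hardened proposal, including the shorter Phase 2 lifetime, is the example's own recommendation.

```python
from __future__ import annotations

from dataclasses import dataclass

# Values that the console accepts but that current guidance says not to use,
# with the reason. DH group sizes are those of the standard IKE MODP groups.
WEAK_ENCRYPTION = {
    "des": "single 56-bit key, brute-forceable",
    "3des": "64-bit block (Sweet32) and deprecated by NIST",
}
WEAK_INTEGRITY = {
    "md5": "broken hash, disallowed by current guidance",
    "sha1": "deprecated, prefer sha256 or stronger",
}
WEAK_DH = {"group1": "768-bit MODP", "group2": "1024-bit MODP", "group5": "1536-bit MODP"}
SA_LIFETIME_MAX = 86400  # console limit from this page

# strongSwan keyword names for the console values (assumed mapping, used only
# for the proposal string; check it against your own device's documentation).
STRONGSWAN_ENC = {"aes": "aes128", "aes192": "aes192", "aes256": "aes256", "des": "des", "3des": "3des"}
STRONGSWAN_DH = {"group1": "modp768", "group2": "modp1024", "group5": "modp1536", "group14": "modp2048"}


@dataclass(frozen=True)
class Phase:
    encryption: str       # aes, aes192, aes256, des, 3des
    authentication: str   # sha1, md5, sha256, sha384, sha512
    dh_group: str         # group1, group2, group5, group14; "disabled" only for IPsec
    sa_lifetime: int      # seconds


@dataclass(frozen=True)
class TunnelProposal:
    ike_version: str       # ikev1 or ikev2
    negotiation_mode: str  # main or aggressive (meaningful for ikev1 only)
    ike: Phase             # Phase 1
    ipsec: Phase           # Phase 2


def lint_phase(name: str, p: Phase) -> list[str]:
    """Findings for one phase; an empty list means nothing to report."""
    findings = []
    if p.encryption in WEAK_ENCRYPTION:
        findings.append(f"{name}: encryption {p.encryption}: {WEAK_ENCRYPTION[p.encryption]}")
    if p.authentication in WEAK_INTEGRITY:
        findings.append(f"{name}: authentication {p.authentication}: {WEAK_INTEGRITY[p.authentication]}")
    if p.dh_group in WEAK_DH:
        findings.append(f"{name}: DH {p.dh_group} is {WEAK_DH[p.dh_group]}, use group14")
    if not 0 <= p.sa_lifetime <= SA_LIFETIME_MAX:
        findings.append(f"{name}: SA lifetime {p.sa_lifetime} outside 0..{SA_LIFETIME_MAX}")
    return findings


def lint_proposal(t: TunnelProposal) -> list[str]:
    """Findings for a whole tunnel, including the cross-parameter checks."""
    findings = lint_phase("IKE", t.ike) + lint_phase("IPsec", t.ipsec)
    if t.ike.dh_group == "disabled":
        findings.append("IKE: Phase 1 requires a DH group")
    if t.ipsec.dh_group == "disabled":
        findings.append("IPsec: PFS disabled, compromise of the IKE SA keys exposes every IPsec SA")
    if t.ike_version == "ikev1" and t.negotiation_mode == "aggressive":
        findings.append("IKEv1 aggressive mode sends identities and the PSK hash in the clear")
    return findings


def strongswan_proposal(p: Phase) -> str:
    """Render a phase as a strongSwan-style proposal string such as aes256-sha256-modp2048."""
    parts = [STRONGSWAN_ENC[p.encryption], p.authentication]
    if p.dh_group != "disabled":
        parts.append(STRONGSWAN_DH[p.dh_group])
    return "-".join(parts)


# The console defaults listed on this page, next to a hardened proposal.
CONSOLE_DEFAULT = TunnelProposal(
    "ikev2", "main", Phase("aes", "sha1", "group2", 86400), Phase("aes", "sha1", "group2", 86400))
HARDENED = TunnelProposal(
    "ikev2", "main", Phase("aes256", "sha256", "group14", 86400), Phase("aes256", "sha256", "group14", 3600))

if __name__ == "__main__":
    for label, t in (("console default", CONSOLE_DEFAULT), ("hardened", HARDENED)):
        print(label, strongswan_proposal(t.ike), strongswan_proposal(t.ipsec))
        for f in lint_proposal(t) or ["no findings"]:
            print("  -", f)
```

Both tunnels of a dual-tunnel connection carry their own encryption configuration, so run the check on each. Whatever proposal you settle on must be configured identically on the on-premises gateway device; a mismatch in any single value, including the PFS group, makes negotiation fail rather than fall back.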

    BGP configurations

    If you enable BGP dynamic routing for the IPsec-VPN connection, you can configure the BGP parameters that are described in the following table. If you disable BGP dynamic routing for the IPsec-VPN connection, you can enable this feature for the tunnels after the IPsec-VPN connection is created. For more information, see Enable BGP dynamic routing for the tunnels after an IPsec-VPN connection is created.

    Parameter

    Description

    Tunnel CIDR Block

    The CIDR block of the tunnel.

    The CIDR block must fall into 169.254.0.0/16. The subnet mask of the CIDR block must be 30 bits in length. The CIDR block cannot be 169.254.0.0/30, 169.254.1.0/30, 169.254.2.0/30, 169.254.3.0/30, 169.254.4.0/30, 169.254.5.0/30, or 169.254.169.252/30.

    Note

    On a VPN gateway, the CIDR block of each tunnel must be unique.

    Local BGP IP address

    The BGP IP address of the tunnel.

    This IP address must fall within the CIDR block of the tunnel.
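    The tunnel CIDR rules above are easy to get wrong by hand (a /29, a block outside 169.254.0.0/16, one of the reserved /30 blocks, or a BGP IP that is the network or broadcast address). The following script is an added example for this page, not code from Alibaba Cloud: it checks a tunnel's CIDR block and local BGP IP against every rule listed above, checks uniqueness against the blocks already used on the same VPN gateway, and derives the address the on-premises device must use as its BGP IP. That derivation assumes the peer takes the other usable host of the /30, which is how a point-to-point BGP session over a /30 is normally addressed; the page itself only states that the local BGP IP must fall within the block. The sample tunnel values are constructed.

```python
from __future__ import annotations

import ipaddress

# Rules from this page: the tunnel CIDR block must be a /30 inside
# 169.254.0.0/16 and must not be one of the reserved blocks below.
TUNNEL_RANGE = ipaddress.ip_network("169.254.0.0/16")
TUNNEL_PREFIX_LEN = 30
RESERVED_BLOCKS = [ipaddress.ip_network(c) for c in (
    "169.254.0.0/30", "169.254.1.0/30", "169.254.2.0/30", "169.254.3.0/30",
    "169.254.4.0/30", "169.254.5.0/30", "169.254.169.252/30",
)]


def check_tunnel_cidr(cidr: str, local_bgp_ip: str, in_use: tuple[str, ...] = ()) -> list[str]:
    """Validate one tunnel's CIDR block and local BGP IP; an empty list means valid.

    in_use lists the tunnel CIDR blocks already configured on the same VPN gateway,
    since each tunnel's block must be unique on the gateway.
    """
    try:
        net = ipaddress.ip_network(cidr, strict=True)  # host bits set is an error
    except ValueError as exc:
        return [f"{cidr}: not a valid network address ({exc})"]
    if net.version != 4:
        return [f"{cidr}: must be an IPv4 block"]
    problems = []
    if net.prefixlen != TUNNEL_PREFIX_LEN:
        problems.append(f"{cidr}: subnet mask must be /{TUNNEL_PREFIX_LEN}, got /{net.prefixlen}")
    if not net.subnet_of(TUNNEL_RANGE):
        problems.append(f"{cidr}: must fall within {TUNNEL_RANGE}")
    if net in RESERVED_BLOCKS:
        problems.append(f"{cidr}: reserved block, cannot be used")
    for other in in_use:
        if net.overlaps(ipaddress.ip_network(other, strict=False)):
            problems.append(f"{cidr}: overlaps {other}, which is already used on this VPN gateway")
    try:
        ip = ipaddress.ip_address(local_bgp_ip)
    except ValueError:
        problems.append(f"{local_bgp_ip}: not a valid IP address")
        return problems
    if ip not in net:
        problems.append(f"{local_bgp_ip}: not within {cidr}")
    elif ip in (net.network_address, net.broadcast_address):
        problems.append(f"{local_bgp_ip}: network or broadcast address of {cidr}, not a usable host")
    return problems


def peer_bgp_ip(cidr: str, local_bgp_ip: str) -> str:
    """The other usable host of the /30, i.e. the BGP IP the on-premises device must use."""
    net = ipaddress.ip_network(cidr, strict=True)
    local = ipaddress.ip_address(local_bgp_ip)
    others = [h for h in net.hosts() if h != local]
    if len(others) != 1:
        raise ValueError(f"{local_bgp_ip} is not one of the two usable hosts of {cidr}")
    return str(others[0])


if __name__ == "__main__":
    # Constructed example: the two tunnels of one connection on the same VPN gateway.
    tunnel1 = ("169.254.10.0/30", "169.254.10.1")
    tunnel2 = ("169.254.10.4/30", "169.254.10.5")
    print(check_tunnel_cidr(*tunnel1) or "tunnel 1 ok, peer", peer_bgp_ip(*tunnel1))
    print(check_tunnel_cidr(*tunnel2, in_use=(tunnel1[0],)) or "tunnel 2 ok, peer", peer_bgp_ip(*tunnel2))
```

Run the check for Tunnel 2 with Tunnel 1's block in in_use, and for any further connection on the same gateway with all blocks already assigned, so that the uniqueness rule is enforced before the console rejects the configuration.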

    Tags

    When you create an IPsec-VPN connection, you can add tags to the IPsec-VPN connection to facilitate resource aggregation and search. For more information, see Overview.

    Parameter

    Description

    Tag Key

    The tag key of the IPsec-VPN connection. You can select or enter a tag key.

    Tag Value

    The tag value of the IPsec-VPN connection. You can select or enter a tag value. You can leave the Tag Value parameter empty.

  6. In the message that appears, click OK.

Download the peer configurations of an IPsec-VPN connection

After an IPsec-VPN connection is created, you can download the peer configurations of the IPsec-VPN connection and upload the configurations to an on-premises gateway device.

  1. Log on to the VPN Gateway console.

  2. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

  3. In the top navigation bar, select the region of the IPsec-VPN connection.
  4. On the IPsec Connections page, find the IPsec-VPN connection that you want to manage and click Generate Peer Configuration in the Actions column.

  5. In the IPsec-VPN Connection Configuration dialog box, click Copy and save the configurations to your on-premises machine to configure your on-premises gateway device.

    For more information about how to configure an on-premises gateway device, see Configure local gateways.

Enable BGP dynamic routing for the tunnels after an IPsec-VPN connection is created

If BGP dynamic routing is not enabled when you create an IPsec-VPN connection, you can enable this feature for the tunnels after the IPsec-VPN connection is created.

  1. Log on to the VPN Gateway console.

  2. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

  3. In the top navigation bar, select the region of the IPsec-VPN connection.
  4. On the IPsec Connections page, find the IPsec-VPN connection that you want to manage and click its ID.

  5. On the details page of the IPsec-VPN connection, turn on Enable BGP in the IPsec Connections section.

  6. In the BGP Configuration dialog box, configure BGP dynamic routing and click OK.

    You must configure BGP dynamic routing for both tunnels. For more information about the BGP parameters, see BGP configurations.

Modify the configurations of a tunnel

You can modify tunnel configurations after you create an IPsec-VPN connection. However, you cannot change the customer gateway that is associated with the tunnels.

  1. Log on to the VPN Gateway console.

  2. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

  3. In the top navigation bar, select the region of the IPsec-VPN connection.
  4. On the IPsec Connections page, find the IPsec-VPN connection that you want to manage and click its ID.

  5. On the details page of the IPsec-VPN connection, find the tunnel that you want to manage and click Edit in the Actions column.

  6. In the dialog box that appears, modify the configurations of the tunnel and click OK.

    For more information about the parameters, see Tunnel configurations.

Modify the configurations of an IPsec-VPN connection

After an IPsec-VPN connection is associated with a VPN gateway, you cannot change the associated VPN gateway. You can modify the basic configurations of the IPsec-VPN connection, such as the name, the CIDR blocks, Routing Mode, and Effective Immediately. Tunnel-level parameters, such as the pre-shared key and the encryption configurations, are modified separately. For more information, see Modify the configurations of a tunnel.

  1. Log on to the VPN Gateway console.

  2. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

  3. In the top navigation bar, select the region of the IPsec-VPN connection.
  4. On the IPsec Connections page, find the IPsec-VPN connection that you want to manage and click Edit in the Actions column.

  5. On the Modify IPsec-VPN Connection page, modify the configurations of the IPsec-VPN connection, such as the name and CIDR blocks, and click OK.

    For more information about the parameters, see Create an IPsec-VPN connection.

Delete an IPsec-VPN connection

  1. Log on to the VPN Gateway console.

  2. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

  3. In the top navigation bar, select the region of the IPsec-VPN connection.
  4. On the IPsec Connections page, find the IPsec-VPN connection that you want to manage and click Delete in the Actions column.

  5. In the message that appears, confirm the information and click OK.