VPN Gateway:Create and manage IPsec-VPN connections in single-tunnel mode

Last Updated:Aug 14, 2023

You can create IPsec-VPN connections to establish encrypted connections. This topic describes how to create and manage IPsec-VPN connections in single-tunnel mode.

Background information

When you create an IPsec-VPN connection, you can enable or disable the following features:

  • DPD: the dead peer detection (DPD) feature.

    After you enable DPD, the initiator of the IPsec-VPN connection sends DPD packets to check the existence and availability of the peer. If no response is received from the peer within a specified period of time, the connection fails. The ISAKMP Security Association (SA), IPsec SA, and IPsec tunnel are deleted.

    This feature is enabled by default.

  • NAT Traversal: the NAT traversal feature.

    After you enable NAT traversal, the initiator does not check the UDP ports during IKE negotiations and can automatically discover NAT gateway devices along the IPsec tunnel.

    This feature is enabled by default.

  • BGP: the Border Gateway Protocol (BGP) dynamic routing feature.

    After you enable BGP dynamic routing, the IPsec-VPN connection automatically learns and advertises routes. This facilitates network maintenance and configuration.

    This feature is disabled by default.

  • Health Check: the health check feature.

    In scenarios in which the same VPN gateway is used to create active and standby IPsec-VPN connections, you can configure health checks to check the connectivity of the active and standby connections. After you configure health checks, the system sends Internet Control Message Protocol (ICMP) packets to the destination IP address to check the connectivity of the IPsec-VPN connection. If the active connection is down, the standby connection automatically takes over. This improves the availability of your services.

    Note If the IPsec-VPN connection fails health checks, the system resets the IPsec tunnel. In scenarios in which active/standby connections are not used, we recommend that you use the DPD feature instead of the health check feature to check connectivity.

    This feature is disabled by default.

The supported features depend on the resource that you associate with the IPsec-VPN connection:

  • If you associate the IPsec-VPN connection with a transit router when you create the IPsec-VPN connection, DPD, NAT traversal, BGP dynamic routing, and health checks are supported.
  • If you associate the IPsec-VPN connection with a VPN gateway when you create the IPsec-VPN connection:

    If the VPN gateway uses the latest version, DPD, NAT traversal, BGP dynamic routing, and health checks are supported. Otherwise, you can use only the features supported by the current version of the VPN gateway.

    You can check whether your VPN gateway uses the latest version based on the status of the Upgrade button. If your VPN gateway does not use the latest version, you can click Upgrade to update your VPN gateway. For more information, see Upgrade a VPN gateway.

Prerequisites

Before you create an IPsec-VPN connection, learn about the procedure and make sure that the prerequisites are met. For more information, see Procedure.

Create an IPsec-VPN connection

  1. Log on to the VPN gateway console.
  2. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.
  3. In the top navigation bar, select the region where you want to create the IPsec-VPN connection.
    Note The IPsec-VPN connection and the VPN gateway or the transit router to be associated must belong to the same region.
  4. On the IPsec Connections page, click Create IPsec Connection.
  5. On the Create IPsec Connection page, set the parameters for the IPsec-VPN connection, and click OK.
    The required parameters vary based on the resource that you want to associate with the IPsec-VPN connection. The following table lists all parameters.

    Basic settings

    Name: Enter a name for the IPsec-VPN connection.

    Associate Resource: Select the type of resource to be associated with the IPsec-VPN connection.
    • If you want to associate the IPsec-VPN connection with a transit router, select CEN or Do Not Associate.
      • If you select CEN, the system automatically associates the IPsec-VPN connection with the specified transit router of the current Alibaba Cloud account.
      • If you select Do Not Associate, the IPsec-VPN connection is not associated with a resource. You can manually associate the IPsec-VPN connection with a transit router of the current Alibaba Cloud account or a different Alibaba Cloud account in the Cloud Enterprise Network (CEN) console. For more information, see Attach an IPsec-VPN connection to a transit router.
      Note If you want to associate the IPsec-VPN connection with different transit routers, these transit routers must belong to different CEN instances. You can associate the IPsec-VPN connection with different transit routers in the CEN console. For more information, see Attach an IPsec-VPN connection to a transit router.
    • If you want to associate the IPsec-VPN connection with a VPN gateway, select VPN Gateway.

    Gateway Type: Select the network type of the IPsec-VPN connection.
    • Public (default): The IPsec-VPN connection is established over the Internet.
    • Private: The IPsec-VPN connection is established over private networks.

    CEN Instance ID: Select the ID of the CEN instance to which the transit router belongs.

    Zone: Select a zone. The system creates resources in the specified zone.

    Transit Router: Select the transit router to be associated with the IPsec-VPN connection.

    VPN Gateway: Select the VPN gateway to be associated with the IPsec-VPN connection.

    Customer Gateway: Select the customer gateway to be associated with the IPsec-VPN connection.

    Routing Mode: Select a routing mode for the IPsec-VPN connection.
    • Destination Routing Mode (default): routes and forwards traffic based on the destination IP address.
    • Protected Data Flows: routes and forwards traffic based on source and destination IP addresses.
      After you select Protected Data Flows, you must set Local Network and Remote Network. After you configure the IPsec-VPN connection:
      • If the IPsec-VPN connection is associated with a VPN gateway, the system automatically adds policy-based routes to the route table of the VPN gateway. The policy-based routes are not advertised by default. You can determine whether to advertise the routes to the VPC route table based on your requirements. For more information, see Advertise a policy-based route.
      • If the IPsec-VPN connection is associated with a transit router, the system automatically adds destination-based routes to the route table of the IPsec-VPN connection. The destination-based routes are automatically advertised to the route table of the associated transit router.
    Note If the IPsec-VPN connection is associated with a VPN gateway and the VPN gateway does not use the latest version, you do not need to specify the routing mode.

    Local Network: Enter the CIDR block on the VPC side. The CIDR block is used in Phase 2 negotiations. Click Add next to the field to add multiple CIDR blocks on the VPC side.
    Note If you specify multiple CIDR blocks, you must set the Internet Key Exchange (IKE) version to ikev2.

    Remote Network: Enter the CIDR block on the data center side. This CIDR block is used in Phase 2 negotiations. Click Add next to the field to add multiple CIDR blocks on the data center side.
    Note If you specify multiple CIDR blocks, you must set the IKE version to ikev2.

    Effective Immediately: Specify whether to immediately start IPsec negotiations.
    • Yes: starts IPsec negotiations immediately after the configuration is complete.
    • No (default): starts IPsec negotiations when inbound traffic is received.

    Pre-Shared Key: Enter the pre-shared key that is used for authentication between the data center and the VPN gateway or transit router.
    • The key must be 1 to 100 characters in length and can contain digits, letters, and the following characters: ~ ` ! @ # $ % ^ & * ( ) _ - + = { } [ ] \ | ; : ' , . < > / ?.
    • If you do not specify a pre-shared key, the system generates a random 16-bit string as the pre-shared key. After you create an IPsec-VPN connection, you can click Edit to view the pre-shared key that is generated by the system. For more information, see Modify an IPsec-VPN connection.
    Important The pre-shared keys must be the same on both sides. Otherwise, the system cannot establish an IPsec-VPN connection.

    Advanced Settings

    IKE Configurations

    Version: Select an IKE version.
    • ikev1 (default)
    • ikev2
      Compared with IKEv1, IKEv2 simplifies the SA negotiations and provides better support for scenarios in which multiple CIDR blocks are used. We recommend that you use IKEv2.

    Negotiation Mode: Select a negotiation mode.
    • main (default): This mode offers higher security during negotiations.
    • aggressive: This mode supports faster negotiations and has a higher success rate.
    Connections negotiated in both modes ensure the same level of security for data transmission.

    Encryption Algorithm: Select the encryption algorithm that is used in Phase 1 negotiations. Supported algorithms are aes (default), aes192, aes256, des, and 3des.

    Authentication Algorithm: Select the authentication algorithm that is used in Phase 1 negotiations. Supported algorithms are sha1 (default), md5, sha256, sha384, and sha512.

    DH Group: Select the Diffie-Hellman (DH) key exchange algorithm that is used in Phase 1 negotiations.
    • group1: DH group 1
    • group2 (default): DH group 2
    • group5: DH group 5
    • group14: DH group 14

    SA Life Cycle (seconds): Specify the lifetime of the SA after Phase 1 negotiations succeed. Unit: seconds. Default value: 86400. Valid values: 0 to 86400.

    LocalId: The identifier of the IPsec-VPN connection on the Alibaba Cloud side. The identifier is used in Phase 1 negotiations.
    • If the IPsec-VPN connection is associated with a transit router, the default value is the gateway IP address of the IPsec-VPN connection.
    • If the IPsec-VPN connection is associated with a VPN gateway, the default value is the IP address of the VPN gateway.
    You can set LocalId to a fully qualified domain name (FQDN). In this case, we recommend that you set Negotiation Mode to aggressive.

    RemoteId: Specify the identifier of the IPsec-VPN connection on the data center side. The identifier is used in Phase 1 negotiations. The default value is the IP address of the customer gateway. You can set RemoteId to an FQDN. In this case, we recommend that you set Negotiation Mode to aggressive.

    IPsec Settings

    Encryption Algorithm: Select the encryption algorithm that is used in Phase 2 negotiations. Supported algorithms are aes (default), aes192, aes256, des, and 3des.

    Authentication Algorithm: Select the authentication algorithm that is used in Phase 2 negotiations. Supported algorithms are sha1 (default), md5, sha256, sha384, and sha512.

    DH Group: Select the DH key exchange algorithm that is used in Phase 2 negotiations.
    • disabled: does not use the DH key exchange algorithm.
      • For clients that do not support Perfect Forward Secrecy (PFS), select disabled.
      • If you select a value other than disabled, PFS is enabled by default. In this case, the key is updated for each negotiation. Therefore, you must enable PFS on the client.
    • group1: DH group 1
    • group2 (default): DH group 2
    • group5: DH group 5
    • group14: DH group 14

    SA Lifetime (seconds): Specify the lifetime of the SA after Phase 2 negotiations succeed. Unit: seconds. Default value: 86400. Valid values: 0 to 86400.

    DPD: Specify whether to enable the DPD feature. This feature is enabled by default.
    • For VPN gateways created between April 2019 and January 2023:
      • If IKEv1 is used when you create an IPsec-VPN connection, the timeout period of DPD packets is 30 seconds.
      • If IKEv2 is used when you create an IPsec-VPN connection, the timeout period of DPD packets is 3,600 seconds.
    • For VPN gateways created after February 2023:
      • If IKEv1 is used when you create an IPsec-VPN connection, the timeout period of DPD packets is 30 seconds.
      • If IKEv2 is used when you create an IPsec-VPN connection, the timeout period of DPD packets is 130 seconds.

    NAT Traversal: Specify whether to enable the NAT traversal feature. This feature is enabled by default.

    BGP Configuration

    Before you use BGP dynamic routing, we recommend that you learn about how it works and the limits. For more information, see VPN Gateway supports BGP dynamic routing.

    By default, the BGP feature is disabled. Before you add a BGP configuration, enable the BGP feature.

    Tunnel CIDR Block: Enter the CIDR block of the IPsec tunnel. The CIDR block must fall within 169.254.0.0/16, and its subnet mask must be 30 bits in length.

    Local BGP IP address: Enter the BGP IP address of the IPsec-VPN connection on the Alibaba Cloud side. This IP address must fall within the CIDR block of the IPsec tunnel.

    Local ASN: Enter the autonomous system number (ASN) of the IPsec-VPN connection on the Alibaba Cloud side. Default value: 45104. Valid values: 1 to 4294967295.
    Note We recommend that you use a private ASN to establish a connection with Alibaba Cloud over BGP. Refer to the relevant documentation for the valid range of a private ASN.

    Health checks

    By default, the health check feature is disabled. Before you add a health check configuration, enable the health check feature.

    Important After you enable health checks for the IPsec-VPN connection, add the following route to the data center so that health checks run as expected: the destination is the Source IP address with a 32-bit subnet mask (a /32 host route), and the next hop is the IPsec-VPN connection. Without this route, the ICMP replies to the health-check probes do not return through the tunnel.

    Destination IP: Enter the IP address on the data center side that the VPC can communicate with through the IPsec-VPN connection.
    Note Make sure that the destination IP address responds to ICMP requests.

    Source IP: Enter the IP address on the VPC side that the data center can communicate with through the IPsec-VPN connection.

    Retry Interval: Select the retry interval of the health check. Unit: seconds. Default value: 3.

    Number of Retries: Specify the number of health check retries. Default value: 3.

    Switch Route: Specify whether the system is allowed to withdraw advertised routes after health checks fail. Default value: Yes, which means that the system withdraws advertised routes after health checks fail. If you clear Yes, the system does not withdraw advertised routes after health checks fail.
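    As an added illustration (not Alibaba Cloud code), the following Python script checks a connection definition against the constraints the tables above state: pre-shared key format, ikev2 when multiple CIDR blocks are used, SA lifetimes, the BGP tunnel CIDR and local BGP IP, the ASN range and PFS, and flags des, md5 and group1 as weak choices. It also derives the /32 route the data center needs for health checks. Field names are assumed to mirror the console parameters, and all values are constructed samples.

```python
"""Review a single-tunnel IPsec-VPN connection definition against the
constraints on this page. Added example, not Alibaba Cloud code; field names
mirror the console parameters and all sample values are constructed."""
import ipaddress
import re
from dataclasses import dataclass, field

# Allowed pre-shared key characters, as listed under Pre-Shared Key.
PSK_RE = re.compile(r"^[0-9A-Za-z~`!@#$%^&*()_\-+={}\[\]\\|;:',.<>/?]{1,100}$")
TUNNEL_RANGE = ipaddress.ip_network("169.254.0.0/16")
# Algorithms the console offers that a reviewer should not accept.
WEAK = {"des": "56-bit key", "md5": "collision-prone", "group1": "768-bit modulus"}


@dataclass
class IpsecConnection:
    ike_version: str = "ikev1"
    local_networks: list = field(default_factory=list)
    remote_networks: list = field(default_factory=list)
    pre_shared_key: str = ""
    ike_enc: str = "aes"
    ike_auth: str = "sha1"
    ike_dh: str = "group2"
    ike_lifetime: int = 86400
    ipsec_enc: str = "aes"
    ipsec_auth: str = "sha1"
    ipsec_dh: str = "group2"      # "disabled" turns PFS off
    ipsec_lifetime: int = 86400
    tunnel_cidr: str = ""         # BGP configuration only
    local_bgp_ip: str = ""
    local_asn: int = 45104
    health_source_ip: str = ""    # health check configuration only


def validate(c: IpsecConnection) -> list:
    """Return a list of findings; an empty list means the definition passes."""
    findings = []
    if not PSK_RE.match(c.pre_shared_key):
        findings.append("pre-shared key must be 1-100 chars from the allowed set")
    if (len(c.local_networks) > 1 or len(c.remote_networks) > 1) and c.ike_version != "ikev2":
        findings.append("multiple CIDR blocks require ikev2")
    for name, secs in (("IKE SA", c.ike_lifetime), ("IPsec SA", c.ipsec_lifetime)):
        if not 0 <= secs <= 86400:
            findings.append(f"{name} lifetime {secs} outside 0-86400")
    for alg in (c.ike_enc, c.ike_auth, c.ike_dh, c.ipsec_enc, c.ipsec_auth, c.ipsec_dh):
        if alg in WEAK:
            findings.append(f"weak algorithm {alg} ({WEAK[alg]})")
    if c.ipsec_dh == "disabled":
        findings.append("PFS disabled: Phase 2 keys are not refreshed per negotiation")
    if c.tunnel_cidr:  # BGP rules: /30 inside 169.254.0.0/16, BGP IP inside it
        net = ipaddress.ip_network(c.tunnel_cidr, strict=False)
        if not net.subnet_of(TUNNEL_RANGE) or net.prefixlen != 30:
            findings.append("tunnel CIDR must be a /30 inside 169.254.0.0/16")
        elif not c.local_bgp_ip or ipaddress.ip_address(c.local_bgp_ip) not in net:
            findings.append("local BGP IP must fall within the tunnel CIDR")
        if not 1 <= c.local_asn <= 4294967295:
            findings.append("ASN outside 1-4294967295")
    return findings


def health_check_route(c: IpsecConnection) -> str:
    """Host route the data center must carry so ICMP replies return via the tunnel."""
    return f"{ipaddress.ip_address(c.health_source_ip)}/32 via ipsec-connection"
```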

Download the configuration of an IPsec-VPN connection

After you create an IPsec-VPN connection, you can download its configuration file and load the configuration onto an on-premises gateway device.

  1. Log on to the VPN Gateway console.
  2. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.
  3. In the top navigation bar, select the region of the IPsec-VPN connection.
  4. On the IPsec Connections page, find the IPsec-VPN connection that you created. In the Actions column, choose More > Download Configuration.
  5. In the IPsec Connection Configuration dialog box, copy the configuration and save it to your on-premises machine to configure your on-premises gateway device.
    For more information about how to configure an on-premises gateway device, see Configure an on-premises device.

Grant the permissions on the IPsec-VPN connection to a transit router of another Alibaba Cloud account

You can associate an IPsec-VPN connection with a transit router of another Alibaba Cloud account. However, you cannot associate an IPsec-VPN connection with a VPN gateway of another Alibaba Cloud account. Before you associate an IPsec-VPN connection with a transit router of another Alibaba Cloud account, you must grant the permissions on the IPsec-VPN connection to the transit router.

Before you grant the permissions, make sure that the IPsec-VPN connection is not associated with a resource.
  • If the IPsec-VPN connection is already associated with a VPN gateway, you cannot associate the IPsec-VPN connection with a transit router of the same or another Alibaba Cloud account.
  • If the IPsec-VPN connection is already associated with a transit router, you must first disassociate the IPsec-VPN connection from the transit router. For more information, see Delete a network instance connection.
  1. Log on to the VPN Gateway console.
  2. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.
  3. In the top navigation bar, select the region of the IPsec-VPN connection.
  4. On the IPsec Connections page, find the IPsec-VPN connection and click its ID.
  5. On the details page, click the CEN Cross Account Authorization tab, and then click Authorize Cross Account Attach CEN.
  6. In the Attach to CEN dialog box, set the following parameters and click OK.
    Peer Account UID: Enter the ID of the Alibaba Cloud account to which the transit router belongs.

    Peer Account CEN ID: Enter the ID of the CEN instance to which the transit router belongs.

    Payer: Select the payer.
    • CEN Instance Owner (default): After the IPsec-VPN connection is associated with a transit router, the owner of the transit router pays the connection fee and data processing fee of the transit router.
    • VPN Owner: After the IPsec-VPN connection is associated with a transit router, the owner of the IPsec-VPN connection pays the connection fee and data processing fee of the transit router.
    Important
    • Proceed with caution. Your services may be interrupted if you change the payer. For more information, see Change the account that pays the bills.
    • After the IPsec-VPN connection is associated with a transit router, the owner of the IPsec-VPN connection pays the instance fee and data transfer fee of the IPsec-VPN connection.
  7. We recommend that you record the ID of the IPsec-VPN connection and the ID of the Alibaba Cloud account to which the IPsec-VPN connection belongs. You need both IDs when you attach the IPsec-VPN connection to the transit router. For more information, see Attach an IPsec-VPN connection to a transit router.
    You can view the account ID on the Account Center page.

Modify an IPsec-VPN connection

  • If the IPsec-VPN connection is already associated with a transit router, you cannot modify the following information about the IPsec-VPN connection: the associated transit router, zone, or gateway type. However, you can modify the following information: the customer gateway, routing mode, pre-shared key, and advanced configurations.
  • If the IPsec-VPN connection is already associated with a VPN gateway, you cannot modify the associated VPN gateway or customer gateway. However, you can modify the following information: the routing mode, pre-shared key, and advanced configurations.
  • If the IPsec-VPN connection is not associated with a resource, you cannot modify the associated customer gateway or gateway type. However, you can modify the following information: the routing mode, pre-shared key, and advanced configurations.
  1. Log on to the VPN Gateway console.
  2. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.
  3. In the top navigation bar, select the region of the IPsec-VPN connection.
  4. On the IPsec Connections page, find the IPsec-VPN connection that you want to manage, and click Edit in the Actions column.
  5. On the Modify IPsec Connections page, modify the name, the advanced configurations, and the CIDR blocks, and then click OK.
    For more information about the parameters, see Create an IPsec-VPN connection.

Revoke the permissions on the IPsec-VPN connection granted to a transit router of another Alibaba Cloud account

If you no longer need to associate an IPsec-VPN connection with a transit router of another Alibaba Cloud account, you can revoke the permissions on the IPsec-VPN connection granted to the transit router.

If the IPsec-VPN connection is already associated with a transit router, you must first disassociate the IPsec-VPN connection from the transit router before you revoke the permissions. For more information, see Delete a network instance connection.

  1. Log on to the VPN Gateway console.
  2. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.
  3. In the top navigation bar, select the region of the IPsec-VPN connection.
  4. On the IPsec Connections page, find the IPsec-VPN connection and click its ID.
  5. On the CEN Cross Account Authorization tab, find the authorization record and click Unauthorize in the Actions column.
  6. In the Unauthorize message, confirm the information and click OK.

Delete an IPsec-VPN connection

  • If the IPsec-VPN connection is associated with a transit router, disassociate the IPsec-VPN connection from the transit router before you delete the IPsec-VPN connection. For more information, see Delete a network instance connection.
  • If the IPsec-VPN connection is associated with a VPN gateway, you can directly delete the IPsec-VPN connection.
  1. Log on to the VPN Gateway console.
  2. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.
  3. In the top navigation bar, select the region of the IPsec-VPN connection.
  4. On the IPsec Connections page, find the IPsec-VPN connection that you want to delete, and click Delete in the Actions column.
  5. In the message that appears, confirm the information and click OK.