Create and manage IPsec-VPN connections in single-tunnel mode - VPN Gateway

You can create IPsec-VPN connections to establish encrypted connections. This topic describes how to create and manage IPsec-VPN connections in single-tunnel mode.

Background information

When you create an IPsec-VPN connection, you can enable or disable the following features:

DPD: the dead peer detection (DPD) feature.
After you enable DPD, the initiator of the IPsec-VPN connection sends DPD packets to check the existence and availability of the peer. If no response is received from the peer within a specified period of time, the connection fails. Then, the ISAKMP Security Association (SA), IPsec SA, and IPsec tunnel are deleted.
This feature is enabled by default.
NAT Traversal: the network address translation (NAT) traversal feature.
After you enable NAT traversal, the initiator does not check the UDP ports during IKE negotiations and can automatically discover NAT gateway devices along the IPsec tunnel.
This feature is enabled by default.
BGP: the Border Gateway Protocol (BGP) dynamic routing feature.
After you enable BGP dynamic routing, the IPsec-VPN connection automatically learns and advertises routes. This facilitates network maintenance and configuration.
This feature is disabled by default.
Health Check: the health check feature.
In scenarios in which the same VPN gateway is used to create active and standby IPsec-VPN connections, you can configure health checks to check the connectivity of the active and standby connections. After you configure health checks, the system sends Internet Control Message Protocol (ICMP) packets to the destination IP address to check the connectivity of the IPsec-VPN connection. If the active connection is down, the standby connection automatically takes over. This improves the availability of your services.
Note
If the IPsec-VPN connection fails health checks, the system resets the IPsec tunnel. In scenarios in which active/standby connections are not used, we recommend that you use the DPD feature instead of the health check feature to check connectivity.
This feature is disabled by default.

The supported features vary based on the resource associated with the IPsec-VPN connection, as described in the following section:

If you associate the IPsec-VPN connection with a transit router when you create the IPsec-VPN connection, DPD, NAT traversal, BGP dynamic routing, and health checks are supported.
If you associate the IPsec-VPN connection with a VPN gateway when you create the IPsec-VPN connection:
If the VPN gateway uses the latest version, DPD, NAT traversal, BGP dynamic routing, and health checks are supported. Otherwise, you can use only the features supported by the current version of the VPN gateway.
You can check whether your VPN gateway uses the latest version based on the status of the Upgrade button. If your VPN gateway does not use the latest version, you can click upgrade to update your VPN gateway. For more information, see Upgrade a VPN gateway.

Prerequisites

Before you create an IPsec-VPN connection, learn about the procedure and make sure that the prerequisites are met. For more information, see Procedure.

Create an IPsec-VPN connection

Log on to the VPN gateway console.
In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.
In the top navigation bar, select the region where you want to create the IPsec-VPN connection.
Note
The IPsec-VPN connection and the VPN gateway or the transit router to be associated must belong to the same region.
On the IPsec Connections page, click Create IPsec-VPN Connection.

On the Create IPsec-VPN Connection page, set the parameters for the IPsec-VPN connection, and click OK.

The required parameters vary based on the resource that you want to associate with the IPsec-VPN connection. The following table lists all parameters.

Basic settings

Parameter	Description
Name	Specify a name for the IPsec-VPN connection.
Associate Resource	Select the type of resource to be associated with the IPsec-VPN connection. If you want to associate the IPsec-VPN connection with a transit router, select CEN or Do Not Associate. If you select CEN, the system automatically associates the IPsec-VPN connection with the specified transit router of the current Alibaba Cloud account. If you select Do Not Associate, the IPsec-VPN connection is not associated with a resource. You can manually associate the IPsec-VPN connection with a transit router of the current Alibaba Cloud account or a different Alibaba Cloud account in the Cloud Enterprise Network (CEN) console. For more information, see Attach an IPsec-VPN connection to a transit router. Note If you want to associate the IPsec-VPN connection with different transit routers, these transit routers must belong to different CEN instances. You can associate the IPsec-VPN connection with different transit routers in the CEN console. For more information, see Attach an IPsec-VPN connection to a transit router. If you want to associate the IPsec-VPN connection with a VPN gateway, select VPN Gateway.
Gateway Type	Select the network type of the IPsec-VPN connection. Public (default): The IPsec-VPN connection is established over the Internet. Private: The IPsec-VPN connection is established over private networks.
CEN Instance ID	Select the ID of the CEN instance to which the transit router belongs.
Zone	Select a zone. The system creates resources in the specified zone.
Transit Router	Select the transit router to be associated with the IPsec-VPN connection.
VPN Gateway	Select the VPN gateway to be associated with the IPsec-VPN connection.
Customer Gateway	Select the customer gateway to be associated with the IPsec-VPN connection.
Routing Mode	Select a routing mode for the IPsec-VPN connection. Destination Routing Mode (default): routes and forwards traffic based on the destination IP address. Protected Data Flows: routes and forwards traffic based on source and destination IP addresses. After you select Protected Data Flows, you must set Local Network and Remote Network. After you configure the IPsec-VPN connection: If the IPsec-VPN connection is associated with a VPN gateway, the system automatically adds policy-based routes to the route table of the VPN gateway. The policy-based routes are not advertised by default. You can determine whether to advertise the routes to the VPC route table based on your requirements. For more information, see Advertise a policy-based route. If the IPsec-VPN connection is associated with a transit router, the system automatically adds destination-based routes to the route table of the IPsec-VPN connection. The destination-based routes are automatically advertised to the route table of the associated transit router. Note If the IPsec-VPN connection is associated with a VPN gateway and the VPN gateway does not use the latest version, you do not need to specify the routing mode.
Local Network	Enter the CIDR block on the VPC side. The CIDR block is used in Phase 2 negotiations. Click the icon on the right side of the text box to add more CIDR blocks. Note If you specify multiple CIDR blocks, you must set the Internet Key Exchange (IKE) version to ikev2.
Remote Network	Enter the CIDR block on the data center side. This CIDR block is used in Phase 2 negotiations. Click the icon on the right side of the text box to add more CIDR blocks. Note If you specify multiple CIDR blocks, you must set the IKE version to ikev2.
Effective Immediately	Specify whether to immediately start IPsec negotiations. Yes: immediately starts IPsec negotiation after the settings are completed. This is the default value. No: starts IPsec negotiations when inbound traffic is detected.
Pre-Shared Key	Enter the pre-shared key that is used for authentication between the data center and the VPN gateway or transit router. The key must be 1 to 100 characters in length and can contain digits, letters, and the following characters: ~ ` ! @ # $ % ^ & * ( ) _ - + = { } [ ] \ \| ; : ' , . < > / ?. If you do not specify a pre-shared key, the system randomly generates a 16-character string as the pre-shared key. After you create an IPsec-VPN connection, you can click Edit to view the pre-shared key that is generated by the system. For more information, see Modify an IPsec-VPN connection. Important The pre-shared keys must be the same on both sides. Otherwise, the system cannot establish an IPsec-VPN connection.

Encryption settings

Parameter	Description
Advanced settings: IKE settings
Version	The version of the IKE protocol. ikev1 ikev2 (default) Compared with IKEv1, IKEv2 simplifies SA negotiations and provides better support for scenarios in which communication is established among multiple CIDR blocks. We recommend that you use IKEv2.
Negotiation Mode	Select a negotiation mode. main (default): This mode offers higher security during negotiations. aggressive: This mode supports faster negotiations and supports a higher success rate. Connections negotiated in both modes ensure the same level of security for data transmission.
Encryption Algorithm	Select the encryption algorithm that is used in Phase 1 negotiations. Supported algorithms are aes (aes128 by default), aes192, aes256, des, and 3des. Note If the bandwidth of the VPN gateway is 200 Mbit /s or higher, aes, aes192, and aes256 are recommended. 3des is not recommended. Advanced Encryption Standard (AES) is a symmetric-key encryption algorithm that provides high-level encryption and decryption. AES has little impact on network latency, throughput, and forwarding performance while ensuring data transmission security. Triple DES (3DES) offers enhanced security through its triple-layered encryption technique. Compared with AES, 3DES encryption requires a large amount of computation, takes a long time, and downgrades forwarding performance.
Authentication Algorithm	Select the authentication algorithm that is used in phase 1 negotiations. Supported algorithms are sha1 (default), md5, sha256, sha384, and sha512.
DH Group	Select the Diffie-Hellman (DH) key exchange algorithm that is used in Phase 1 negotiations. group1: DH group 1 group2 (default): DH group 2 group5: DH group 5 group14: DH group 14
SA Life Cycle (seconds)	Enter a lifetime for the SA after Phase 1 negotiations succeed. Unit: seconds. Default value: 86400. Valid values: 0 to 86400.
LocalId	The identifier of the IPsec-VPN connection on the Alibaba Cloud side. The identifier is used in Phase 1 negotiations. If the IPsec-VPN connection is associated with a transit router, the default value is the gateway IP address of the IPsec-VPN connection. If the IPsec-VPN connection is associated with a VPN gateway, the default value is the IP address of the VPN gateway. You can set LocalId to a fully qualified domain name (FQDN). In this case, we recommend that you set Negotiation Mode to aggressive.
RemoteId	Specify the identifier of the IPsec-VPN connection on the data center side. The identifier is used in Phase 1 negotiations. The default identifier is the public IP address of the customer gateway. You can set RemoteId to an FQDN. In this case, we recommend that you set Negotiation Mode to aggressive.
Advanced settings: IPsec settings
Encryption Algorithm	Select the encryption algorithm that is used in phase 2 negotiations. Supported algorithms are aes (aes128 by default), aes192, aes256, des, and 3des. Note If the bandwidth of the VPN gateway is 200 Mbit /s or higher, aes, aes192, and aes256 are recommended. 3des is not recommended. Advanced Encryption Standard (AES) is a symmetric-key encryption algorithm that provides high-level encryption and decryption. AES has little impact on network latency, throughput, and forwarding performance while ensuring data transmission security. Triple DES (3DES) offers enhanced security through its triple-layered encryption technique. Compared with AES, 3DES encryption requires a large amount of computation, takes a long time, and downgrades forwarding performance.
Authentication Algorithm	Select the authentication algorithm that is used in phase 2 negotiations. Supported algorithms are sha1 (default), md5, sha256, sha384, and sha512.
DH Group	The DH key exchange algorithm that is used in Phase 2 negotiations. disabled: does not use the DH key exchange algorithm. For clients that do not support PFS, select disabled. If you select a value other than disabled, PFS is enabled by default. In this case, the key is updated for each negotiation. Therefore, you must enable PFS for the client. group1: DH group 1 group2 (default): DH group 2 group5: DH group 5 group14: DH group 14
SA Life Cycle (seconds)	Specify the lifetime of the SA after Phase 2 negotiations succeed. Unit: seconds. Default value: 86400. Valid values: 0 to 86400.
DPD	Specify whether to enable the DPD feature. This feature is enabled by default. For VPN gateways created between April, 2019 and January, 2023: If IKEv1 is used when you create an IPsec-VPN connection, the timeout period of DPD packets is 30 seconds. If IKEv2 is used when you create an IPsec-VPN connection, the timeout period of DPD packets is 3,600 seconds. For VPN gateways created after February, 2023: If IKEv1 is used when you create an IPsec-VPN connection, the timeout period of DPD packets is 30 seconds. If IKEv2 is used when you create an IPsec-VPN connection, the timeout period of DPD packets is 130 seconds.
NAT Traversal	Specify whether to enable the NAT traversal feature. This feature is enabled by default.

BGP Configuration

Before you use BGP dynamic routing, we recommend that you learn about how it works and its limits. For more information, see VPN Gateway supports BGP dynamic routing.

By default, the BGP feature is disabled. Before you add a BGP configuration, enable the BGP feature.

Parameter	Description
Tunnel CIDR Block	Enter the CIDR block of the IPsec tunnel. The CIDR block must fall into 169.254.0.0/16. The mask of the CIDR block must be 30 bits in length.
Local BGP IP address	Enter the BGP IP address of the IPsec-VPN connection on the Alibaba Cloud side. This IP address falls within the CIDR block of the IPsec tunnel.
Local ASN	Enter the autonomous system number (ASN) of the IPsec-VPN connection on the Alibaba Cloud side. Default value: 45104. Valid values: 1 to 4294967295. You can enter the ASN in two segments and separate the first 16 bits from the following 16 bits with a period (.). Enter the number in each segment in the decimal format. For example, if you enter 123.456, the ASN is: 123 × 65536 + 456 = 8061384. Note We recommend that you use a private ASN to establish a connection to Alibaba Cloud over BGP. Refer to the relevant documentation for the valid range of a private ASN.

Health checks

By default, the health check feature is disabled. Before you add a health check configuration, enable the health check feature.

Important

After you enable health checks for the IPsec-VPN connection, add the following route to the data center: The destination CIDR block is Source IP Address, the subnet mask is 32 bits in length, and the next hop is the IPsec-VPN connection. This ensures that health checks run as expected.

Parameter	Description
Destination IP Address	Enter the IP address of the data center with which the VPC can communicate based on the IPsec-VPN connection. Note Make sure that the destination IP address supports ICMP responses.
Source IP Address	Enter the IP address of the VPC with which the data center can communicate based on the IPsec-VPN connection.
Retry Interval	Select the retry interval of the health check. Unit: seconds. Default value: 3.
Number of Retries	Specify the number of health check retries. Default value: 3.
Switch Route	Specify whether to allow the system to withdraw advertised routes after health checks fail. Default value: Yes. The system is allowed to withdraw advertised routes after health checks fail. If you clear Yes, the system is not allowed to withdraw advertised routes after health checks fail.

Advanced Configuration

When you create an IPsec-VPN connection, the system selects the following advanced features by default.

Parameter	Description
Automatic Advertising	After you enable this feature, the system automatically advertises routes of the route table of the transit router associated with the IPsec-VPN connection to the BGP route table associated with the IPsec-VPN connection. Note This feature takes effect only if BGP dynamic routing is enabled for the IPsec-VPN connection and data center. You can disable this feature by turning off Automatic Route Advertisement. For more information, see Disable route synchronization.
Associate with Default Route Table of Transit Router	After you enable this feature, the IPsec-VPN connection will be associated with the default route table of the transit router. The transit router queries the default route table to forward traffic from the IPsec-VPN connection.
Automatically Advertise System Routes to Default Route Table of Transit Router	After you enable this feature, the system advertises the routes of the destination-based route table and the BGP route table of the IPsec-VPN connection to the default route table of the transit router.

You can disable the preceding advanced features, and use the transit router to establish network communication based on business requirements. For more information, see Manage routes.

Download the configuration of an IPsec-VPN connection

After you create an IPsec-VPN connection, you can download the configuration file of an IPsec-VPN connection and load the configuration to an on-premise gateway device.

Log on to the VPN Gateway console.
In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.
In the top navigation bar, select the region of the IPsec-VPN connection.
On the IPsec Connections page, find the IPsec-VPN connection and click Download Peer Configuration in the Actions column.
In the IPsec-VPN Connection Configuration dialog box, copy the configuration and save it to your on-premises machine to configure your on-premises gateway device.
For more information about how to configure on-premises gateway devices, see Configure on-premises gateways.

Grant the permissions on the IPsec-VPN connection to a transit router of another Alibaba Cloud account

You can associate an IPsec-VPN connection with a transit router of another Alibaba Cloud account. However, you cannot associate an IPsec-VPN connection with a VPN gateway of another Alibaba Cloud account. Before you associate an IPsec-VPN connection with a transit router of another Alibaba Cloud account, you must grant the permissions on the IPsec-VPN connection to the transit router.

Before you grant the permissions, make sure that the IPsec-VPN connection is not associated with a resource.

If the IPsec-VPN connection is already associated with a VPN gateway, you cannot associate the IPsec-VPN connection with a transit router of the same or another Alibaba Cloud account.
If the IPsec-VPN connection is already associated with a transit router, you must first disassociate the IPsec-VPN connection from the transit router. For more information, see Delete a network instance connection.

Log on to the VPN Gateway console.
In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.
In the top navigation bar, select the region of the IPsec-VPN connection.
On the IPsec Connections page, find the IPsec-VPN connection and click its ID.
On the details page, click the CEN Cross Account Authorization tab, and then click Authorize Cross Account Attach CEN.

In the Attach to CEN dialog box, set the following parameters and click OK.

Parameter	Description
Peer Account UID	Enter the ID of the Alibaba Cloud account to which the transit router belongs.
Peer Account CEN ID	Enter the ID of the CEN instance to which the transit router belongs.
Payer	Select the payer. CEN Instance Owner (default): After the IPsec-VPN connection is associated with a transit router, the owner of the transit router pays the connection fee and data processing fee of the transit router. VPN Owner: After the IPsec-VPN connection is associated with a transit router, the owner of the IPsec-VPN connection pays the connection fee and data processing fee of the transit router. Important Proceed with caution. Your services may be interrupted if you change the payer. For more information, see Change the account that pays the bills. After the IPsec-VPN connection is associated with a transit router, the owner of the IPsec-VPN connection pays the instance fee and data transfer fee of the IPsec-VPN connection.

We recommend that you record the ID of the IPsec-VPN connection and the ID of the Alibaba Cloud account to which the IPsec-VPN connection belongs. This facilitates creating VPN connections. For more information, see Attach an IPsec-VPN connection to a transit router.
You can view the account ID on the Account Center page.

Modify an IPsec-VPN connection

If the IPsec-VPN connection is already associated with a transit router, you cannot modify the following information about the IPsec-VPN connection: the associated transit router, zone, or gateway type. However, you can modify the following information: the customer gateway, routing mode, pre-shared key, and advanced configurations.
If the IPsec-VPN connection is already associated with a VPN gateway, you cannot modify the associated VPN gateway or customer gateway. However, you can modify the following information: the routing mode, pre-shared key, and advanced configurations.
If the IPsec-VPN connection is not associated with a resource, you cannot modify the associated customer gateway or gateway type. However, you can modify the following information: the routing mode, pre-shared key, and advanced configurations.

Log on to the VPN Gateway console.
In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.
In the top navigation bar, select the region of the IPsec-VPN connection.
On the IPsec Connections page, find the IPsec-VPN connection that you want to manage, and click Edit in the Actions column.
On the Modify IPsec-VPN Connection page, modify the name, advanced settings, and CIDR blocks as needed, and then click OK.
For more information about the parameters, see Create an IPsec-VPN connection.

Revoke the permissions on the IPsec-VPN connection granted to a transit router of another Alibaba Cloud account

If you no longer need to associate an IPsec-VPN connection with a transit router of another Alibaba Cloud account, you can revoke the permissions on the IPsec-VPN connection granted to the transit router.

If the IPsec-VPN connection is already associated with a transit router, you must first disassociate the IPsec-VPN connection from the transit router before you revoke the permissions. For more information, see Delete a network instance connection.

Log on to the VPN Gateway console.
In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.
In the top navigation bar, select the region of the IPsec-VPN connection.
On the IPsec Connections page, find the IPsec-VPN connection and click its ID.
On the CEN Cross Account Authorization tab, find the authorization record and click Unauthorize in the Actions column.
In the Unauthorize message, confirm the information and click OK.

Delete an IPsec-VPN connection

If the IPsec-VPN connection is associated with a transit router, disassociate the IPsec-VPN connection from the transit router before you delete the IPsec-VPN connection. For more information, see Delete a network instance connection.
If the IPsec-VPN connection is associated with a VPN gateway, you can directly delete the IPsec-VPN connection.

Log on to the VPN Gateway console.
In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.
In the top navigation bar, select the region of the IPsec-VPN connection.
On the IPsec Connections page, find the IPsec-VPN connection that you want to delete, and click Delete in the Actions column.
In the message that appears, confirm the information and click OK.

Parameter	Description
Tag Key	Select or enter a tag key.
Tag Value	Select or enter a tag value. You can leave the tag value empty.

VPN Gateway:Create and manage IPsec-VPN connections in single-tunnel mode