IPsec-VPN configuration overview - VPN Gateway - Alibaba Cloud Documentation Center

This topic describes how to use IPsec-VPN to establish a private network connection between a data center and a virtual private cloud (VPC).

Select the resource with which you want to associate the IPsec-VPN connection

You can associate a VPN gateway or a transit router with an IPsec-VPN connection. Both a VPN gateway and a transit router can be used to connect a data center to a VPC. However, the features supported are different, as described in the following table. You can select a VPN gateway or a transit router based on your business requirements.

Item	Associated with a VPN gateway	Associated with a transit router
Associated resource	You must purchase a VPN gateway and associate the VPN gateway with a VPC to create an IPsec VPN connection. Your data center or office network can communicate with the associated VPC or with other networks through the associated VPC.	You do not need to purchase a VPN gateway or associate the VPN gateway with a VPC to create an IPsec VPN connection. You must create a Cloud Enterprise Network (CEN) instance and create a transit router on the CEN instance. Your data center or office network can communicate with all VPCs connected to the transit router or with other networks through the transit router.
Supported encryption algorithm	Commercial cryptographic algorithms that comply with international standards	Commercial cryptographic algorithms that comply with international standards
Tunnel mode supported by IPsec-VPN connections	Dual-tunnel mode Single-tunnel mode	Single-tunnel mode
Maximum bandwidth supported by each IPsec-VPN connection	1,000 Mbit/s. Note The maximum bandwidth supported by VPN gateways in some regions is 200 Mbit/s. For more information about the regions, see Limits on VPN gateways.	1 Gbit/s by default. The maximum bandwidth can be modified based on business requirements.
Maximum number of packets that can be transmitted through each IPsec-VPN connection per second	120,000 (256 bytes per packet)	120,000 (256 bytes per packet)
Supported network type	Public Indicates an encrypted connection over the Internet. Private Indicates an encrypted connection over an Express Connect circuit. Note Private VPN gateways are in invitational preview. You can submit a ticket or contact your account manager to apply for the permissions.	Public Indicates an encrypted connection over the Internet. Private Indicates an encrypted connection over an Express Connect circuit.
Method used to implement high availability	High availability implemented by using active/standby connections: Dual-tunnel mode, as shown in the Dual-tunnel mode figure Single-tunnel mode, as shown in the Single-tunnel mode figure	Equal-cost multi-path (ECMP) routing, as shown in the ECMP routing figure

Descriptions of tunnel modes

In scenarios where an IPsec-VPN connection is associated with a VPN gateway, the original single-tunnel mode is upgraded to the dual-tunnel mode. The dual-tunnel mode improves the availability of IPsec-VPN connections, as shown in the following figure. Compared with the single-tunnel mode, the dual-tunnel mode creates two encrypted tunnels for each IPsec-VPN connection. By default, data is transferred through the active tunnel specified by the system. If the active tunnel is down, the standby tunnel takes over.

For more information about the dual-tunnel mode, see [Upgrade notice] IPsec-VPN connections support the dual-tunnel mode.

Limits

You can associate an IPsec-VPN connection with a transit router in specific regions. For more information about the supported regions, see Regions that support different features of VPN Gateway.
In scenarios where an IPsec-VPN connection is associated with a transit router, the IPsec-VPN connection can be associated only with an Enterprise Edition transit router and supports only the single-tunnel mode.
If you purchase new VPN gateways in regions that support the dual-tunnel mode, IPsec-VPN connections of the new VPN gateways support only the dual-tunnel mode and do not support the single-tunnel mode.
However, IPsec-VPN connections of the existing VPN gateways in the supported regions support only the single-tunnel mode. You can upgrade a VPN gateway to support the dual-tunnel mode. After a VPN gateway is upgraded, you can no longer create IPsec-VPN connections in single-tunnel mode on the VPN gateway. For more information, see Upgrade a VPN gateway to enable the dual-tunnel mode.
IPsec-VPN connections in regions that do not support the dual-tunnel mode support only the single-tunnel mode.

Only the following regions and zones support the dual-tunnel mode.

Region	Zone
Thailand (Bangkok)	A
Germany (Frankfurt)	Zone A, Zone B, and Zone C
South Korea (Seoul)	A
Philippines (Manila)	A
Indonesia (Jakarta)	Zone A, Zone B, and Zone C
China (Hohhot)	Zone A and Zone B
Malaysia (Kuala Lumpur)	Zone A and Zone B
India (Mumbai)	Zone A and Zone B
UK (London)	Zone A and Zone B
Japan (Tokyo)	Zone A, Zone B, and Zone C

Prerequisites

Before you create an IPsec-VPN connection to connect a data center to a VPC, make sure that the following requirements are met:

If you want to associate the IPsec-VPN connection with a public VPN gateway or create a public IPsec-VPN connection that is associated with a transit router, you need to assign a public IP address to the on-premises gateway device in the data center.
If you want to associate the IPsec-VPN connection with a public VPN gateway and the region of the public VPN gateway supports the dual-tunnel mode, we recommend that you create two IPsec-VPN connections for high availability. To do this, you need to assign two public IP addresses to the on-premises gateway device, or deploy another on-premises gateway device and then assign a public IP address to each on-premises gateway device.
The on-premises gateway device must support IKEv1 or IKEv2 to establish IPsec-VPN connections with a VPN gateway.
The CIDR block of the data center does not overlap with the CIDR block of the VPC.
The security group rules that are applied to the Elastic Compute Service (ECS) instances in the VPC allow gateway devices in the data center to access cloud resources. For more information, see View security group rules and Add a security group rule.

Procedure

The procedure for configuring IPsec-VPN varies based on the instance that is associated with the IPsec-VPN connection. The following section describes the procedures for different scenarios.

Procedure for scenarios in which a VPN gateway is used

Step	References	Description
1	Create a VPN gateway	Create a VPN gateway and enable IPsec-VPN.
2	Create a customer gateway	Create a customer gateway and add the configuration of the gateway device in the data center to the customer gateway on Alibaba Cloud.
3	Create and manage an IPsec-VPN connection in dual-tunnel mode Create and manage an IPsec-VPN connection in single-tunnel mode	An IPsec-VPN connection is an encrypted VPN tunnel between a VPN gateway and a gateway device in the data center. Note When you create an IPsec-VPN connection, set Associate Resource to VPN Gateway.
4	Configure on-premises gateways	To connect the data center to the VPN gateway, you must add the configuration of IPsec-VPN to the gateway device in the data center.
5	Configure a route for the VPN gateway	You must configure a route that points to the data center for the VPN gateway and advertise the route to the VPC route table. This way, the data center can be connected to the VPC.
6	Test the network connectivity	Log on to an ECS instance that is not assigned a public IP address in the VPC. Then, run the ping command to ping the private IP address of a server in the data center.

Procedure for scenarios in which a transit router is used

Step	References	Description
1	Create a CEN instance	Before you create a transit router, you must first create a CEN instance.
2	Create a transit router	A transit router is used to forward data. You must create a transit router in the region where the data center is deployed or in a region near the data center. Important When you create a transit router, you must configure a CIDR block for the transit router. Otherwise, IPsec-VPN connections cannot be associated with the transit router. If you have already created a transit router, you can configure a CIDR block for the transit router. For more information, see Transit router CIDR blocks.
3	Create a customer gateway	Create a customer gateway and load the configuration of the gateway device in the data center to the customer gateway on Alibaba Cloud.
4	Create and manage an IPsec-VPN connection in single-tunnel mode	An IPsec-VPN connection is an encrypted VPN tunnel between Alibaba Cloud and a gateway device in the data center. After you associate a transit router with the IPsec-VPN connection, traffic from the data center can be forwarded to the transit router over the IPsec-VPN connection. Note When you create an IPsec-VPN connection, set Associate Resource to CEN or Do Not Associate.
5	Configure on-premises gateways	To connect the data center to Alibaba Cloud, you must add the configuration of IPsec-VPN to the gateway device in the data center.
6	Configure a route for an IPsec-VPN connection	You must configure a route that points to the data center for the IPsec-VPN connection and advertise the route to the route table of the transit router. This way, the data center can be connected to the VPC.
7	Test the network connectivity	Log on to an ECS instance that is not assigned a public IP address in the VPC. Then, run the ping command to ping the private IP address of a server in the data center.