An IPsec-VPN connection in dual-tunnel mode has an active tunnel and a standby tunnel. If the active tunnel is down, the standby tunnel takes over to ensure service availability. This topic describes how to upgrade a VPN gateway to enable the dual-tunnel mode.
Supported regions and zones
Only IPsec-VPN connections in the following regions and zones can be upgraded to the dual-tunnel mode.
Before you upgrade a VPN gateway, make sure that the following requirements are met:
IPsec-VPN and SSL-VPN cannot both be enabled on the VPN gateway.
If both IPsec-VPN and SSL-VPN are enabled, you can downgrade the VPN gateway to disable IPsec-VPN or SSL-VPN. For more information, see Downgrade.
Before you disable IPsec-VPN or SSL-VPN, make sure that no IPsec-VPN connection or SSL server exists on the VPN gateway. For more information, see Delete an IPsec-VPN connection or Delete an SSL server.
In the policy-based route table, routes with the same source CIDR block and the same destination CIDR block cannot point to different IPsec-VPN connections. In the destination-based route table, routes with the same destination CIDR block cannot point to different IPsec-VPN connections.
The following table provides some sample scenarios and solutions.

| Route table | Conflicting routes | Problem | Solution |
| --- | --- | --- | --- |
| Policy-based route table | Two routes with the same source CIDR block and the same destination CIDR block, one pointing to IPsec-VPN Connection 1 and the other to IPsec-VPN Connection 2 | You cannot upgrade the VPN gateway because the routes in the policy-based route table have the same source CIDR block and destination CIDR block but point to different IPsec-VPN connections. | Delete one of the routes, or modify the source CIDR block or destination CIDR block for one of the routes. For more information, see Manage policy-based routes. |
| Destination-based route table | Two routes with the same destination CIDR block, one pointing to IPsec-VPN Connection 3 and the other to IPsec-VPN Connection 4 | You cannot upgrade the VPN gateway because the routes in the destination-based route table have the same destination CIDR block but point to different IPsec-VPN connections. | Delete one of the routes, or modify the destination CIDR block for one of the routes. For more information, see Work with destination-based routes. |
Route tables in the VPC associated with the VPN gateway cannot contain routes whose destination CIDR block is a subnet of the Client Subnet of the SSL server or of the Client Subnet of the IPsec server and whose next hop is the VPN gateway.
For example, if the Client Subnet of an SSL server is 192.168.10.0/24, the route tables in the VPC associated with the VPN gateway cannot contain routes whose destination CIDR block is a subnet of 192.168.10.0/24, such as 192.168.10.0/25 or 192.168.10.0/26, and whose next hop is the VPN gateway.
You can manage custom routes in VPC route tables. For more information, see Add and delete routes.
If multiple IPsec-VPN connections exist on a VPN gateway and all IPsec-VPN connections use BGP, the BGP tunnel CIDR block of each IPsec-VPN connection must be unique.
You can modify the CIDR block of a BGP tunnel. For more information, see Modify an IPsec-VPN connection.
You need to specify two vSwitches from the VPC associated with the VPN gateway, and make sure that the vSwitches have sufficient idle IP addresses.
Make sure that the zones where the vSwitches are deployed support the dual-tunnel mode. For more information, see Supported regions and zones.
If multiple zones in the current region support the dual-tunnel mode, the two vSwitches that you specify must belong to different zones to implement zone disaster recovery for the IPsec-VPN connection. Each vSwitch must have at least two idle IP addresses.
If only one zone in the current region supports the dual-tunnel mode, you need to specify two vSwitches in this zone:
- If you specify the same vSwitch twice, make sure that the vSwitch has at least four idle IP addresses.
- If you specify two different vSwitches, make sure that each vSwitch has at least two idle IP addresses.
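As an added example (not Alibaba Cloud's own environment verification), the following Python script checks a constructed description of a gateway's features, routes, Client Subnets, BGP tunnel CIDR blocks and vSwitches against the prerequisites above; the data model, IDs, zone names and CIDR blocks are assumptions.

```python
import ipaddress
from collections import defaultdict

def check_upgrade_prerequisites(env):
    """Return the violated dual-tunnel prerequisites (empty list = ready to upgrade)."""
    problems = []
    if env["ipsec_enabled"] and env["ssl_enabled"]:
        problems.append("IPsec-VPN and SSL-VPN cannot both be enabled")
    # Routes with the same key (src+dst, or dst only) must not point to different connections.
    for name, routes, key in (("policy", env["policy_routes"], lambda r: (r["src"], r["dst"])),
                              ("destination", env["dest_routes"], lambda r: r["dst"])):
        conns = defaultdict(set)
        for r in routes:
            conns[key(r)].add(r["conn"])
        problems += [f"{name} routes {k} point to {sorted(c)}" for k, c in conns.items() if len(c) > 1]
    # VPC routes whose destination lies inside a Client Subnet must not use the VPN gateway.
    subnets = [ipaddress.ip_network(c) for c in env["client_subnets"]]
    for r in env["vpc_routes"]:
        dst = ipaddress.ip_network(r["dst"])
        if r["next_hop"] == "vpn_gateway" and any(dst.subnet_of(s) for s in subnets):
            problems.append(f"VPC route {dst} via the VPN gateway overlaps a Client Subnet")
    # With several connections all using BGP, every BGP tunnel CIDR block must be unique.
    bgp = [c["bgp_tunnel_cidr"] for c in env["connections"]]
    if len(bgp) > 1 and all(bgp) and len(set(bgp)) < len(bgp):
        problems.append("BGP tunnel CIDR blocks are not unique")
    # Two vSwitches in supported zones, zone-redundant where the region allows it, with idle IPs.
    a, b = env["vswitches"]
    zones = env["supported_zones"]
    problems += [f"{v['id']} is in unsupported zone {v['zone']}" for v in (a, b) if v["zone"] not in zones]
    if len(zones) > 1 and a["zone"] == b["zone"]:
        problems.append("vSwitches must be in different zones for zone disaster recovery")
    if a["id"] == b["id"]:
        if a["idle_ips"] < 4:
            problems.append(f"{a['id']} needs at least 4 idle IP addresses")
    else:
        problems += [f"{v['id']} needs at least 2 idle IP addresses" for v in (a, b) if v["idle_ips"] < 2]
    return problems

# Constructed sample environment with hypothetical IDs and CIDR blocks; it violates five checks.
SAMPLE_ENV = {"ipsec_enabled": True, "ssl_enabled": False,
    "policy_routes": [{"src": "10.0.0.0/16", "dst": "172.16.0.0/16", "conn": "vco-1"},
                      {"src": "10.0.0.0/16", "dst": "172.16.0.0/16", "conn": "vco-2"}],
    "dest_routes": [{"dst": "172.17.0.0/16", "conn": "vco-3"}], "client_subnets": ["192.168.10.0/24"],
    "vpc_routes": [{"dst": "192.168.10.0/25", "next_hop": "vpn_gateway"}],
    "connections": [{"bgp_tunnel_cidr": "169.254.10.0/30"}, {"bgp_tunnel_cidr": "169.254.10.0/30"}],
    "supported_zones": ["zone-a", "zone-b"],
    "vswitches": [{"id": "vsw-a", "zone": "zone-a", "idle_ips": 2},
                  {"id": "vsw-b", "zone": "zone-a", "idle_ips": 1}],
}
```

Running `check_upgrade_prerequisites(SAMPLE_ENV)` lists the five violations; an empty list means every prerequisite on this page is satisfied.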
Descriptions of the upgrade
A VPN gateway is unavailable during the upgrade and existing connections are interrupted. We recommend that you upgrade a VPN gateway during a network maintenance window to avoid service interruptions.
The upgrade takes about 10 minutes. During this period, the VPN gateway cannot forward traffic.
You cannot manage the VPN gateway during the upgrade process.
- Log on to the VPN gateway console.
- In the top navigation bar, select the region of the VPN gateway.
- On the VPN Gateways page, find the VPN gateway that you want to manage and click its ID.
- In the upper-right corner of the details page, click Enable Zone Redundancy.
- In the Enable Zone Redundancy dialog box, specify the vSwitches and enable environment verification. Make sure that the requirements are met and click Enable.
  If the environment verification fails, refer to the prerequisites above for troubleshooting.
  After you click Enable, the system starts the upgrade.
What to do next
- If the IPsec-VPN feature remains enabled:
  - The standby tunnel is unavailable by default. You need to configure the peer gateway device to enable the standby tunnel. For more information, see Connect a VPC to a data center in dual-tunnel mode and Connect a VPC to a data center in dual-tunnel mode and enable BGP.
  - After the upgrade is complete, the VPN gateway has two IP addresses: one is the IP address that the VPN gateway owned before the upgrade, and the other is allocated by the system. The two IP addresses are used to establish the encrypted tunnels.
  - After the upgrade is complete, each IPsec-VPN connection has an active tunnel and a standby tunnel. The tunnels are associated with the same customer gateway by default. By default, the tunnel that existed before the upgrade serves as the active tunnel and its configurations remain unchanged. The standby tunnel is unavailable by default.
- If the SSL-VPN feature remains enabled:
  - The SSL-VPN configurations remain unchanged after the upgrade is complete. You can enable the IPsec-VPN feature and create an IPsec-VPN connection in dual-tunnel mode. For more information, see Enable the IPsec-VPN feature and Create and manage an IPsec-VPN connection in dual-tunnel mode.
  - After the upgrade is complete, the IP address of the VPN gateway is used only by the SSL-VPN feature. After you enable the IPsec-VPN feature, the system allocates two new IP addresses to the VPN gateway to establish an IPsec-VPN connection in dual-tunnel mode.