VPN Gateway: Upgrade a VPN gateway to enable the dual-tunnel mode

Last Updated: Mar 29, 2024

An IPsec-VPN connection in dual-tunnel mode has an active tunnel and a standby tunnel. If the active tunnel is down, the standby tunnel takes over to ensure service availability. This topic describes how to upgrade a VPN gateway to enable the dual-tunnel mode.

Supported regions and zones

The following table describes the regions and zones in which you can upgrade IPsec-VPN connections to the dual-tunnel mode.

Region                          Zones
China (Hangzhou)                Zone K, Zone J, Zone I, Zone H, and Zone G
China (Shanghai)                Zone K, Zone L, Zone M, Zone N, Zone B, Zone D, Zone E, Zone F, and Zone G
China (Nanjing - Local Region)  Zone A
China (Shenzhen)                Zone A, Zone E, Zone D, and Zone F
China (Heyuan)                  Zone A and Zone B
China (Guangzhou)               Zone A and Zone B
China (Qingdao)                 Zone B and Zone C
China (Beijing)                 Zone F, Zone E, Zone H, Zone G, Zone A, Zone C, Zone J, Zone I, Zone L, and Zone K
China (Zhangjiakou)             Zone A, Zone B, and Zone C
China (Hohhot)                  Zone A and Zone B
China (Ulanqab)                 Zone A, Zone B, and Zone C
China (Chengdu)                 Zone A and Zone B
China (Hong Kong)               Zone B, Zone C, and Zone D
Singapore                       Zone A, Zone B, and Zone C
Thailand (Bangkok)              Zone A
Japan (Tokyo)                   Zone A, Zone B, and Zone C
South Korea (Seoul)             Zone A
Philippines (Manila)            Zone A
Indonesia (Jakarta)             Zone A, Zone B, and Zone C
Malaysia (Kuala Lumpur)         Zone A and Zone B
India (Mumbai)                  Zone A and Zone B
UK (London)                     Zone A and Zone B
Germany (Frankfurt)             Zone A, Zone B, and Zone C
US (Silicon Valley)             Zone A and Zone B
US (Virginia)                   Zone A and Zone B

Prerequisites

Before you upgrade a VPN gateway, make sure that the following requirements are met:

  • IPsec-VPN and SSL-VPN are not enabled at the same time.

    If both IPsec-VPN and SSL-VPN are enabled, you can downgrade the VPN gateway to disable IPsec-VPN or SSL-VPN. For more information, see Downgrade.

    Before you disable IPsec-VPN or SSL-VPN, make sure that no IPsec-VPN connection or SSL server exists on the VPN gateway. For more information, see Delete an IPsec-VPN connection or Delete an SSL server.

  • Routes with the same source CIDR block and destination CIDR block in policy-based or destination-based route tables do not point to different IPsec-VPN connections.

    The following table provides some sample scenarios and solutions.

    Scenario 1: policy-based route table

      Route 1: source CIDR block 10.10.10.0/24, destination CIDR block 172.16.10.0/24, next hop IPsec-VPN Connection 1
      Route 2: source CIDR block 10.10.10.0/24, destination CIDR block 172.16.10.0/24, next hop IPsec-VPN Connection 2

      Support upgrade: No. The routes in the policy-based route table have the same source CIDR block and destination CIDR block but point to different IPsec-VPN connections.

      Solution: Delete one of the routes, or modify the source CIDR block or destination CIDR block of one of the routes. For more information, see Manage policy-based routes.

    Scenario 2: destination-based route table

      Route 1: source CIDR block N/A, destination CIDR block 192.168.10.0/24, next hop IPsec-VPN Connection 3
      Route 2: source CIDR block N/A, destination CIDR block 192.168.10.0/24, next hop IPsec-VPN Connection 4

      Support upgrade: No. The routes in the destination-based route table have the same destination CIDR block but point to different IPsec-VPN connections.

      Solution: Delete one of the routes, or modify the destination CIDR block of one of the routes. For more information, see Manage destination-based routes.

  • The route tables of the VPC associated with the VPN gateway must not contain a route whose destination CIDR block is a subnet of the client CIDR block of the SSL server (or of the IPsec server) and whose next hop is the VPN gateway.

    For example, if the client CIDR block of an SSL server is 192.168.10.0/24, the VPC route tables must not contain a route whose destination is a subnet of 192.168.10.0/24, such as 192.168.10.0/25 or 192.168.10.0/26, with the VPN gateway as the next hop.

    You can manage custom routes in VPC route tables. For more information, see Add and delete routes.

  • If multiple IPsec-VPN connections exist on a VPN gateway and all IPsec-VPN connections use BGP, the BGP tunnel CIDR block of each IPsec-VPN connection must be unique.

    You can modify the CIDR block of a BGP tunnel. For more information, see Modify an IPsec-VPN connection.

  • You need to specify two vSwitches from the VPC associated with the VPN gateway, and make sure that the vSwitches have sufficient idle IP addresses.

    • Make sure that the zones where the vSwitches are deployed support the dual-tunnel mode. For more information, see Supported regions and zones.

    • If multiple zones in the current region support the dual-tunnel mode, the two vSwitches that you specify must belong to different zones to implement zone disaster recovery for the IPsec-VPN connection. Each vSwitch must have at least two idle IP addresses.

    • If only one zone in the current region supports the dual-tunnel mode, you need to specify two vSwitches in this zone:

      • If you specify the same vSwitch, make sure that the vSwitch has at least four idle IP addresses.

      • If you specify two different vSwitches, make sure that each vSwitch has at least two idle IP addresses.
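The console's environment verification applies these prerequisites for you during the upgrade itself. The following Python script is an added example, not Alibaba Cloud code: it applies the same rules to an inventory of routes, IPsec-VPN connections and vSwitches so the checks can be run ahead of the maintenance window and reproduces the two failing route scenarios above. The dictionary layout, the IDs such as vco-1 and vsw-a, and all sample data are constructed; treating the client CIDR rule as applying to strict subnets (the /25 and /26 examples on this page) is an assumption.

```python
"""Pre-flight checks for upgrading a VPN gateway to dual-tunnel mode.
Added example, not Alibaba Cloud code: it models the Prerequisites as
functions over plain dictionaries. All sample data is constructed."""
import ipaddress
from collections import defaultdict


def conflicting_routes(routes):
    """Routes with the same (source, destination) pair but different IPsec-VPN
    next hops block the upgrade. 'source' is absent/None for destination-based
    routes. Returns {(source, destination): {next hops}} for the conflicts."""
    hops_by_key = defaultdict(set)
    for r in routes:
        hops_by_key[(r.get("source"), r["destination"])].add(r["next_hop"])
    return {k: hops for k, hops in hops_by_key.items() if len(hops) > 1}


def routes_inside_client_cidr(vpc_routes, client_cidrs, gateway_id):
    """VPC routes whose destination is a strict subnet of an SSL/IPsec server
    client CIDR block and whose next hop is the VPN gateway. Assumption: the
    page's /25 and /26 examples are strict subnets, so a route equal to the
    client CIDR block itself is not flagged."""
    blocks = [ipaddress.ip_network(c) for c in client_cidrs]
    flagged = []
    for r in vpc_routes:
        if r["next_hop"] != gateway_id:
            continue
        dst = ipaddress.ip_network(r["destination"])
        if any(dst != b and dst.subnet_of(b) for b in blocks):
            flagged.append(r)
    return flagged


def duplicate_bgp_tunnel_cidrs(connections):
    """BGP tunnel CIDR blocks must be unique across the gateway's IPsec-VPN
    connections. Returns {cidr: [connection ids]} for duplicates."""
    ids_by_cidr = defaultdict(list)
    for c in connections:
        if c.get("bgp_tunnel_cidr"):
            cidr = str(ipaddress.ip_network(c["bgp_tunnel_cidr"]))
            ids_by_cidr[cidr].append(c["id"])
    return {cidr: ids for cidr, ids in ids_by_cidr.items() if len(ids) > 1}


def vswitch_problems(vswitches, dual_tunnel_zones):
    """Zone and idle-IP rules for the two vSwitches. Returns problem strings;
    an empty list means the selection is acceptable."""
    if len(vswitches) != 2:
        return ["exactly two vSwitches must be specified"]
    a, b = vswitches
    problems = [f"{v['id']}: zone {v['zone']} lacks dual-tunnel support"
                for v in vswitches if v["zone"] not in dual_tunnel_zones]
    if len(dual_tunnel_zones) > 1 and a["zone"] == b["zone"]:
        problems.append("vSwitches must be in different zones for zone disaster recovery")
    if a["id"] == b["id"]:          # same vSwitch used twice: 4 idle IPs
        if a["idle_ips"] < 4:
            problems.append(f"{a['id']}: needs 4 idle IPs, has {a['idle_ips']}")
    else:                           # two vSwitches: 2 idle IPs each
        problems += [f"{v['id']}: needs 2 idle IPs, has {v['idle_ips']}"
                     for v in vswitches if v["idle_ips"] < 2]
    return problems


def preflight(gw):
    """Run every prerequisite check. Returns (ok, findings)."""
    findings = []
    if gw["ipsec_enabled"] and gw["ssl_enabled"]:
        findings.append("IPsec-VPN and SSL-VPN are both enabled; downgrade one first")
    routes = gw["policy_routes"] + gw["destination_routes"]
    for key, hops in conflicting_routes(routes).items():
        findings.append(f"route {key} points to several connections: {sorted(hops)}")
    for r in routes_inside_client_cidr(gw["vpc_routes"], gw["client_cidrs"], gw["id"]):
        findings.append(f"VPC route {r['destination']} lies inside a client CIDR block")
    for cidr, ids in duplicate_bgp_tunnel_cidrs(gw["connections"]).items():
        findings.append(f"BGP tunnel CIDR {cidr} reused by {ids}")
    findings += vswitch_problems(gw["vswitches"], gw["dual_tunnel_zones"])
    return not findings, findings


# Constructed inventory: the two failing route scenarios from the page plus a
# violation of the client CIDR, BGP tunnel CIDR and idle-IP rules. IDs are hypothetical.
SAMPLE_GATEWAY = {
    "id": "vpn-example", "ipsec_enabled": True, "ssl_enabled": False,
    "policy_routes": [
        {"source": "10.10.10.0/24", "destination": "172.16.10.0/24", "next_hop": "vco-1"},
        {"source": "10.10.10.0/24", "destination": "172.16.10.0/24", "next_hop": "vco-2"},
    ],
    "destination_routes": [
        {"destination": "192.168.10.0/24", "next_hop": "vco-3"},
        {"destination": "192.168.10.0/24", "next_hop": "vco-4"},
    ],
    "client_cidrs": ["192.168.20.0/24"],      # SSL/IPsec server client CIDR block
    "vpc_routes": [{"destination": "192.168.20.0/25", "next_hop": "vpn-example"}],
    "connections": [{"id": "vco-1", "bgp_tunnel_cidr": "169.254.10.0/30"},
                    {"id": "vco-2", "bgp_tunnel_cidr": "169.254.10.0/30"}],
    "vswitches": [{"id": "vsw-a", "zone": "a", "idle_ips": 2},
                  {"id": "vsw-b", "zone": "b", "idle_ips": 1}],
    "dual_tunnel_zones": {"a", "b"},
}

if __name__ == "__main__":
    ok, findings = preflight(SAMPLE_GATEWAY)
    print("ready to upgrade" if ok else "\n".join(findings))
```

Run against the sample inventory, preflight returns five findings (two route conflicts, one VPC route inside the client CIDR block, one reused BGP tunnel CIDR, and vsw-b with too few idle IP addresses); each finding maps to one bullet in the Prerequisites list, so the same function can be re-run after each fix until it reports that the gateway is ready.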

Descriptions of the upgrade

Warning

A VPN gateway is unavailable during the upgrade, and its existing connections are interrupted. We recommend that you upgrade a VPN gateway during a network maintenance window to limit the impact of the interruption.

  • The upgrade takes about 10 minutes. During this period, the VPN gateway cannot forward traffic.

  • You cannot manage the VPN gateway during the upgrade process.

Procedure

  1. Log on to the VPN gateway console.

  2. In the top navigation bar, select the region of the VPN gateway.

  3. On the VPN Gateways page, find the VPN gateway that you want to manage and click its ID.

  4. In the upper-right corner of the details page, click Enable Zone Redundancy.

  5. In the Enable Zone Redundancy dialog box, specify the vSwitches that the upgraded gateway will use and enable environment verification. Confirm that all requirements are met and click Enable.

    • If the environment verification fails, see the Prerequisites section of this topic to troubleshoot the failure.

    • After you click Enable, the system starts the upgrade.

What to do next

  • If the VPC associated with the VPN gateway is connected to Cloud Enterprise Network (CEN), and a custom route in the VPC route table that points to the VPN gateway has been advertised to CEN, that route is no longer advertised to CEN after the upgrade is complete. In this case, you must advertise the route to CEN again. For more information, see Advertise routes to a transit router.

  • If the IPsec-VPN feature remains enabled, the standby tunnel is unavailable by default. You need to configure the peer gateway device to enable the standby tunnel. For more information, see Connect a VPC to a data center in dual-tunnel mode and Connect a VPC to a data center in dual-tunnel and BGP routing mode.

    • After the upgrade is complete, the VPN gateway has two IP addresses: the IP address that the VPN gateway owned before the upgrade, and a second address allocated by the system. Both IP addresses are used to establish encrypted tunnels, so any firewall rule or IKE peer definition on the on-premises side that admits only the original address must also allow the new one before the standby tunnel can be established.

    • After the upgrade is complete, each IPsec-VPN connection has an active tunnel and a standby tunnel. The tunnels are associated with the same customer gateway by default. By default, the tunnel that already existed before the upgrade serves as the active tunnel and its configurations remain unchanged. The standby tunnel is unavailable by default.

  • If the SSL-VPN feature remains enabled, the SSL-VPN configurations remain unchanged after the upgrade is complete. You can enable the IPsec-VPN feature and create an IPsec-VPN connection in dual-tunnel mode. For more information, see Enable IPsec-VPN and Create and manage an IPsec-VPN connection in dual-tunnel mode.

    After the upgrade is complete, the IP address of the VPN gateway is used only by the SSL-VPN feature. After you enable the IPsec-VPN feature, the system allocates two IP addresses to the VPN gateway to establish an IPsec-VPN connection in dual-tunnel mode.