All Products
Search
Document Center

Cloud Enterprise Network:Create a VPN connection

最終更新日:May 08, 2024

This topic describes how to attach an IPsec-VPN connection to a transit router. To allow a data center to communicate with other networks, such as virtual private clouds (VPCs) in the same region, VPCs in a different region, and other data centers, establish an IPsec-VPN connection between the data center and a transit router.

Prerequisites

  • IPsec-VPN connections to transit routers are supported only in some regions.

  • IPsec-VPN connections only in some regions can be attached to transit routers. For more information about the regions that support IPsec-VPN connections, see Regions that support different features of VPN Gateway.

  • After you attach an IPsec-VPN connection to an Enterprise Edition transit router, the transit router automatically adds a routing policy whose direction is Egress Regional Gateway, priority is 5000, and action is Reject to all the route tables of the transit router. This routing policy disables network communication among the IPsec-VPN connection, virtual border routers (VBRs), and Cloud Connect Network (CCN) instances.

  • If you directly connect your data center to a transit router by using an IPsec-VPN connection when the data center is already connected to the transit router over an IPsec-VPN connection and a VPC connection, the VPC connection and the IPsec-VPN connections do not support load balancing.

  • The following table describes the resource quotas.

    Item

    Default value

    Adjustable

    The maximum number of IPsec-VPN connections that can be attached to a transit router

    50

    You can use one of the following methods to increase the quota:

    The maximum number of VPC connections supported by a transit router for equal-cost multi-path (ECMP) routing

    16

    No

    The maximum number of transit routers to which an IPsec-VPN connection can be attached

    1

    No

Billing

After you attach an IPsec-VPN connection to a transit router, the billable items include the connection to the transit router, transit router data forwarding, the IPsec-VPN connection, data transfer, and outbound data transfer. The billable items vary based on the network type of the IPsec-VPN connection. The following table describes the billing rules for VPN connections.

Billing rules for Internet VPN connections

VPN连接计费示例图-公网

No.

Billable item

Description

References

Transit router connection

The attachment between the transit router and the IPsec-VPN connection

Transit router data forwarding

Data forwarding from the IPsec-VPN connection to the transit router

IPsec-VPN connection

The IPsec-VPN connection

Data transfer

Data transfer from the IPsec-VPN connection to the data center

Billing rules for private VPN connections

VPN连接计费示例图-私网

No.

Billable item

Description

References

Transit router connection

The connections between the VBR and IPsec-VPN connection

Transit router data forwarding

Data forwarding from the VBR to the transit router

IPsec-VPN connection

The IPsec-VPN connection

Outbound data transfer

Data transfer from the VBR to the data center

Procedure

Before you can attach an IPsec-VPN connection to a transit router, you must create an IPsec-VPN connection. You can attach the IPsec-VPN connection to the transit router to allow your data center to access Alibaba Cloud. The data center is also connected to the transit router over the IPsec-VPN connection and can communicate with other networks that are attached to the transit router.

You can create IPsec-VPN connections in the Cloud Enterprise Network (CEN) or VPN Gateway console. You can create IPsec-VPN connections that belong to a different Alibaba Cloud account. The following figure shows how to attach an IPsec-VPN connection that belongs to your Alibaba Cloud account or a different Alibaba Cloud account to a transit router in the CEN or VPN Gateway console.

Note
  • When you create an IPsec-VPN connection, you must specify a customer gateway. Make sure that a customer gateway is deployed before you create an IPsec-VPN connection.

  • If you create an IPsec-VPN connection in the VPN Gateway console, set Associate Resource to Do Not Associate.

创建VPN连接-操作流程

Prerequisites

A suitable method is selected to create an IPsec-VPN connection. Make sure that all prerequisites are met. For more information, see the following topics:

Attach an IPsec-VPN connection to a transit router

  1. Log on to the CEN console.

  2. On the Instances page, click the ID of the CEN instance that you want to manage.

  3. On the Basic Settings > Transfer Router tab, find the transit router that you want to manage and click Create Connection in the Actions column.

  4. On the Connection with Peer Network Instance page, set the parameters and click OK.

    The parameters vary based on the method that you use. The following table describes the parameters.

    Note

    When you perform this operation, the system automatically creates a service-linked role named AliyunServiceRoleForVpn. This role allows VPN gateways to manage resources such as ENIs and security groups. If the service-linked role AliyunServiceRoleForVpn already exists, the system does not create it again. For more information, see AliyunServiceRoleForVpn.

    Basic settings

    Parameter

    Description

    Network Type

    Select VPN.

    Region

    Select the region where the transit router is deployed.

    Transit Router

    The transit router in the selected region is displayed.

    Resource Owner ID

    Select the Alibaba Cloud accounts to which the transit router and the IPsec-VPN connection belong.

    You can attach IPsec-VPN connections that belong to the current or a different Alibaba Cloud account to transit routers.

    • If the IPsec-VPN connection and the transit router belong to the same Alibaba Cloud account, select Current Account.

    • If the IPsec-VPN connection and the transit router belong to different Alibaba Cloud accounts, select Different Account, and enter the ID of the Alibaba Cloud account to which the IPsec-VPN connection belongs.

    Individual Resource

    Create an IPsec-VPN connection or select an existing IPsec-VPN connection. Valid values:

    • Create Resource: Create an IPsec-VPN connection.

      The system creates an IPsec-VPN connection and attaches it to the transit router. You can find the IPsec-VPN connection in the VPN Gateway console and click Edit to view the information about the IPsec-VPN connection. For more information, see Modify an IPsec-VPN connection.

    • Select Resource: Select an existing IPsec-VPN connection.

    Attachment Name

    Enter a name for the VPN connection.

    Tag

    Add tags to the VPN connection.

    • Tag Key: The tag key cannot be an empty string. The tag key can be up to 64 characters in length. The key cannot start with acs: or aliyun or contain http:// or https://.

    • Tag Value: The tag value can be an empty string. The tag value can be up to 128 characters in length. The tag value cannot start with acs: or aliyun or contain http:// or https://.

    You can add one or more tags to a VPN connection. For more information about tags, see Manage tags.

    Gateway Type

    Select a network type for the IPsec-VPN connection. Valid values:

    • Public: an encrypted connection over the Internet. This is the default value.

    • Private: an encrypted private connection.

    Zone

    Select a zone.

    Resources are deployed in the selected zone.

    Customer Gateway

    Select the customer gateway to which you want to attach the IPsec-VPN connection.

    Routing Mode

    Select a routing mode for the IPsec-VPN connection. Valid values:

    • Destination Routing: Traffic is forwarded based on the destination IP address. This is the default value.

    • Flow Protection: Traffic is forwarded based on the source and destination IP addresses.

      If you select Flow Protection, you must set the Local CIDR Block and Peer CIDR Block parameters. After the settings of the VPN connection are completed, the system automatically adds a destination-based route to the route table associated with the IPsec-VPN connection. By default, the destination-based route is advertised to the route tables of the transit router.

    Apply Immediately

    Specify whether to immediately start IPsec negotiations after the configuration takes effect. Valid values:

    • Yes: Immediately start IPsec negotiations after the settings are completed.

    • No: Start IPsec negotiations only when traffic is received. This is the default value.

    Pre-shared Key

    Enter a pre-shared key that is used for identity authentication between Alibaba Cloud and the data center.

    The key must be 1 to 100 characters in length. If you do not specify a pre-shared key, the system randomly generates a 16-bit string as the pre-shared key.

    To view the pre-shared key of the IPsec-VPN connection, find the IPsec-VPN connection in the VPN Gateway console and click Edit. For more information, see Modify an IPsec-VPN connection.

    Important

    The pre-shared key specified for the IPsec-VPN connection and in the data center must be the same. Otherwise, the IPsec-VPN connection fails.

    Encryption settings

    Parameter

    Description

    IKE Settings

    Edition

    Select an IKE version. Valid values:

    • ikev1

    • ikev2

    IKEv1 and IKEv2 are supported. Compared with IKEv1, IKEv2 simplifies the security association (SA) negotiation process and provides better support for scenarios in which multiple CIDR blocks are used. We recommend that you select IKEv2.

    Negotiation Mode

    Select a negotiation mode. Valid values:

    • main (default): This mode offers higher security during negotiations.

    • aggressive: This mode supports faster negotiations and a higher success rate.

    The modes support the same security level for data transmission.

    Encryption Algorithm

    Select an encryption algorithm for phase 1 negotiation.

    The following algorithms are supported: aes (aes128 by default), aes192, aes256, des, and 3des.

    Authentication Algorithm

    Select an authentication algorithm for phase 1 negotiation.

    The following algorithms are supported: sha1 (default), md5, sha256, sha384, and sha512.

    DH Group

    Select a Diffie-Hellman (DH) key exchange algorithm for phase 1 negotiation. Valid values:

    • group1: DH group 1

    • group2 (default): DH group 2

    • group5: DH group 5

    • group14: DH group 14

    SA Lifetime (Seconds)

    Enter a lifetime for the SA after phase 1 negotiation succeeds. Unit: seconds. Default value: 86400. Valid values: 0 to 86400.

    LocalId

    Enter the IPsec identifier on Alibaba Cloud. The IPsec identifier is used for phase 1 negotiation. The default identifier is the gateway IP address of the IPsec-VPN connection.

    LocalId supports fully qualified domain names (FQDNs). If you use an FQDN, we recommend that you set the negotiation mode to aggressive.

    RemoteId

    Enter the IPsec identifier in the data center. The IPsec identifier is used for phase 1 negotiation. The default identifier is the public IP address of the customer gateway.

    RemoteId supports FQDNs. If you use an FQDN, we recommend that you set the negotiation mode to aggressive.

    IPsec Settings

    Encryption Algorithm

    Select an encryption algorithm for phase 2 negotiation.

    The following algorithms are supported: aes (aes128 by default), aes192, aes256, des, and 3des.

    Authentication Algorithm

    Select an authentication algorithm for phase 2 negotiation.

    The following algorithms are supported: sha1 (default), md5, sha256, sha384, and sha512.

    DH Group

    Select a DH key exchange algorithm for phase 2 negotiation. Valid values:

    • disabled: does not use the DH key exchange algorithm.

      • For clients that do not support perfect forward secrecy (PFS), select disabled.

      • If you select a value other than disabled, the PFS feature is enabled by default, which requires a key update for every renegotiation. Therefore, PFS must be enabled on the client.

    • group1: DH group 1

    • group2 (default): DH group 2

    • group5: DH group 5

    • group14: DH group 14

    SA Lifetime (Seconds)

    Enter a lifetime for the SA after phase 2 negotiation succeeds. Unit: seconds. Default value: 86400. Valid values: 0 to 86400.

    DPD

    Specify whether to enable the dead peer detection (DPD) feature.

    After you enable DPD, the initiator of the IPsec-VPN connection sends DPD packets to check the existence and availability of the peer. If no response is received from the peer within the specified period of time, the connection fails. The ISAKMP SA, IPsec SA, and IPsec tunnel are deleted. This feature is enabled by default.

    NAT Traversal

    Specify whether to enable the network address translation (NAT) traversal feature.

    After you enable NAT traversal, the initiator does not check the UDP ports during IKE negotiations and can automatically discover NAT gateway devices along the IPsec tunnel. This feature is enabled by default.

    BGP settings

    After you enable BGP, IPsec-VPN connections can use BGP dynamic routing to automatically learn and advertise routes. This reduces IT maintenance costs and minimizes network configuration errors.

    BGP is disabled by default. You must enable BGP before you can configure it.

    Parameter

    Description

    Tunnel CIDR Block

    Enter the CIDR block of the IPsec tunnel.

    The CIDR block must fall into 169.254.0.0/16. The subnet mask of the CIDR block must be 30 bits in length. The CIDR block cannot be 169.254.0.0/30, 169.254.1.0/30, 169.254.2.0/30, 169.254.3.0/30, 169.254.4.0/30, 169.254.5.0/30, or 169.254.169.252/30.

    Local BGP IP

    Enter the IP address on Alibaba Cloud that the IPsec-VPN connection can access over BGP.

    This IP address falls within the CIDR block of the IPsec tunnel.

    Local ASN

    Enter the autonomous system number (ASN) that the IPsec-VPN connection uses on Alibaba Cloud. Default value: 45104. Valid values: 1 to 4294967295.

    You can enter the ASN in two segments and separate the first 16 bits from the last 16 bits with a period (.). Enter the number in each segment in the decimal format.

    For example, if you enter 123.456, the ASN is calculated based on the following formula:123 × 65536 + 456 = 8061384.

    Note

    To establish a connection to Alibaba Cloud over BGP, we recommend that you use a private ASN. For more information about the valid range of a private ASN, see the relevant documentation.

    Health checks

    After you enable the health check feature, the system automatically checks the connectivity of the IPsec-VPN connection between the data center and Alibaba Cloud. Routes are selected based on the health check result to ensure high network availability.

    The health check feature is disabled by default. You must enable the health check feature before you can configure it.

    Important

    After you complete the health check settings, add a route whose destination CIDR block is Source IP Address, subnet mask is 32 bits in length, and next hop is the IPsec-VPN connection. This ensures that health checks can run as expected.

    Parameter

    Description

    Destination IP

    Enter the IP address of the data center that Alibaba Cloud can access over the IPsec-VPN connection.

    Source IP

    Enter the IP address on Alibaba Cloud that the data center can access over the IPsec-VPN connection.

    Retry Interval

    Enter the interval between two consecutive health checks. Unit: seconds. Default value: 3.

    Retries

    Enter the number of health check retries. Default value: 3.

    Switch Route

    Specify whether to allow the system to withdraw routes if they fail health checks. Default value: Yes. If a route fails health checks, the route is withdrawn.

    If you clear Yes, routes are not withdrawn if they fail health checks.

    Advanced settings

    When you attach the IPsec-VPN connection to the transit router, the following advanced features are selected by default.

    Parameter

    Description

    Automatically Advertise Routes to VPN

    If you enable this feature, the system automatically advertises the routes in the route table of the transit router to the BGP route table that is used by the IPsec-VPN connection.

    Note
    • This feature takes effect only if BGP dynamic routing is enabled for the IPsec-VPN connection and data center.

    • You can disable this feature by turning off Automatic Route Advertisement. For more information, see Disable route synchronization.

    Automatically associate with the default route table of the transit router

    If you enable this feature, the attachment between the transit router and IPsec-VPN connection is associated with the default route table of the transit router. The transit router queries the default route table to forward traffic from the IPsec-VPN connection.

    Automatically advertise system routes to the default route table of the transit router

    If you enable this feature, the attachment between the transit router and IPsec-VPN connection advertises the routes in the destination route table used by the IPsec-VPN connection and the routes in the BGP route table to the default route table of the transit router.

    You can disable the preceding advanced features, and configure custom routing features such as associated forwarding and routing learning for the transit router to establish network communication based on your business requirements. For more information, see Manage routes.

Associate the VPN connection with another transit router route table

After you attach an IPsec-VPN connection to a transit router, you can change the transit router route table associated with the VPN connection.

Warning

If route synchronization is enabled for the VPN connection, the routes advertised to the IPsec-VPN connection are automatically withdrawn after the route table is changed. Then, routes in the new route table are synchronized to the BGP route table used by the IPsec-VPN connection. For more information, see Route synchronization.

  1. Log on to the CEN console.

  2. On the Instances page, click the ID of the CEN instance that you want to manage.

  3. On the Basic Settings > Transit Router tab, click the ID of the transit router that you want to manage.

  4. On the Intra-region Connections tab, click the ID of the connection that you want to manage.

  5. In the Attachment Details panel, find the Basic Information section and click Modify next to Associated Route Table.

  6. In the Modify Route Table dialog box, select a route table and click OK.

Attach an IPsec-VPN connection to a transit router by calling API operations

Alibaba Cloud provides various tools that allow you to attach IPsec-VPN connections to transit routers by calling API operations, such as Alibaba Cloud SDKs (recommended), Alibaba Cloud CLI, Terraform, and Resource Orchestration Service (ROS). For more information, see the following API references: