This topic describes how to create an IPsec-VPN connection. After you create a VPN gateway and a customer gateway, you can create an IPsec-VPN connection between the two gateways for encrypted data transmission.

Background information

When you create an IPsec-VPN connection, you can enable or disable the following features:
  • DPD: the dead peer detection (DPD) feature.

    After you enable DPD, the initiator of the IPsec-VPN connection periodically sends DPD packets to check whether the peer is still reachable. If no response is received from the peer within the configured period of time, the peer is considered dead and the connection is torn down: the ISAKMP SA, the IPsec SA, and the IPsec tunnel are deleted, so that a new negotiation can start from a clean state instead of traffic being sent into a dead tunnel. This feature is enabled by default.

  • NAT Traversal: the network address translation (NAT) traversal feature.

    After you enable NAT traversal, the initiator detects NAT devices between the two gateways during IKE negotiations, no longer requires the negotiation packets to arrive from UDP port 500, and encapsulates the IPsec traffic in UDP so that it can pass through the NAT devices. Enable it whenever either gateway sits behind a NAT device. This feature is enabled by default.

  • BGP: the Border Gateway Protocol (BGP) dynamic routing feature.

    After you enable BGP routing, the VPN gateway can automatically learn routes by using BGP. This reduces network maintenance costs and network configuration errors. This feature is disabled by default.

  • Health Check: the health check feature.

    You can configure health checks to check the connectivity of IPsec-VPN connections and detect issues at the earliest opportunity. This feature is disabled by default.

Note
  • DPD, NAT traversal, BGP dynamic routing, and health checks are available only to users in a whitelist. If you are not included in the whitelist but want to use these features, submit a ticket.
  • You cannot disable BGP after you enable BGP.

Procedure

  1. Log on to the VPN gateway console.
  2. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.
  3. In the top navigation bar, select the region where you want to create the IPsec-VPN connection.
  4. On the IPsec Connections page, click Create IPsec Connection.
  5. On the Create IPsec Connection page, configure the IPsec-VPN connection based on the following information and click OK.
    Parameter Description
    Name

    Enter a name for the IPsec-VPN connection.

    The name must be 2 to 128 characters in length, and can contain letters, digits, underscores (_), and hyphens (-). It must start with a letter.

    VPN Gateway Select the VPN gateway to be connected through the IPsec-VPN connection.
    Customer Gateway Select the customer gateway to be connected through the IPsec-VPN connection.
    Routing Mode Select a routing mode. The default value is Destination Routing Mode.
    • Destination Routing Mode: forwards traffic to specified destination IP addresses.

      After you create an IPsec-VPN connection, you must add destination-based routes to the destination route table of the VPN gateway. For more information, see Manage destination-based routes.

    • Protected Data Flows: forwards traffic based on source and destination IP addresses.

      If you select Protected Data Flows when you create an IPsec-VPN connection, you must configure Local Network and Remote Network. After you complete the configurations, the system automatically adds policy-based routes to the route table of the VPN gateway.

      After the system adds policy-based routes to the route table of the VPN gateway, the routes are not advertised by default. You must manually advertise the routes to the VPC.

    Note If you use an earlier version of VPN Gateway, you do not need to select a routing mode. After you create an IPsec-VPN connection, you must manually add destination-based routes or policy-based routes to the VPN gateway. For more information, see Route overview.
    Local Network Enter the CIDR block of the VPC to be connected to the data center. The CIDR block is used in Phase 2 negotiations.
    Click Add next to the field to add multiple CIDR blocks of the VPC.
    Note You can add multiple CIDR blocks only if IKEv2 is used.
    Remote Network Enter the CIDR block of the data center to be connected to the VPC. This CIDR block is used in Phase 2 negotiations.
    Click Add next to the field to add multiple CIDR blocks of the data center.
    Note You can add multiple CIDR blocks only if IKEv2 is used.
    Effective Immediately Specify whether to start connection negotiations immediately.
    • Yes: starts connection negotiations after the configuration is completed.
    • No: starts negotiations when traffic is detected.
    Advanced Configuration: IKE Configurations
    Pre-Shared Key Enter the pre-shared key used for authentication between the VPN gateway and the customer gateway. You can specify a key, or use the default key that is randomly generated by the system. The same key must be configured on the customer gateway. The key is the only credential that authenticates the peer, so use a long random value and do not reuse it across connections.
    Version Select an IKE version.
    • ikev1
    • ikev2

    IKEv1 and IKEv2 are supported. Compared with IKEv1, IKEv2 simplifies the Security Association (SA) negotiation process and provides better support for scenarios where multiple CIDR blocks are used. We recommend that you select IKEv2.

    Negotiation Mode Select a negotiation mode. This setting applies only to IKEv1; IKEv2 has a single negotiation procedure.
    • main: The peer identities are exchanged only after the channel is encrypted, so this mode offers higher security during negotiations.
    • aggressive: Fewer messages are exchanged, so this mode is faster and has a higher success rate. However, the identities and the hash derived from the pre-shared key are sent before encryption starts, which exposes a weak pre-shared key to offline dictionary attacks.

    Connections negotiated in either mode protect the transmitted data with the same IPsec SAs. The modes differ only in what is exposed during the negotiation itself.

    Encryption Algorithm Select the encryption algorithm to be used in Phase 1 negotiations. Supported algorithms are aes, aes192, aes256, des, and 3des. des and 3des are supported only for compatibility with legacy devices; for new connections, use aes256.
    Authentication Algorithm Select the authentication algorithm to be used in Phase 1 negotiations. Supported algorithms are sha1, md5, sha256, sha384, and sha512. md5 and sha1 are supported only for compatibility with legacy devices; for new connections, use sha256 or stronger.
    DH Group Select the Diffie-Hellman (DH) group to be used in Phase 1 negotiations. Larger groups provide a stronger key exchange; the customer gateway must support the same group.
    SA Life Cycle (seconds) Specify the lifecycle of the SA after Phase 1 negotiations succeed. Default value: 86400. Unit: seconds.
    LocalId Specify the identity of the VPN gateway that is used in Phase 1 negotiations. The default value is the public IP address of the VPN gateway. If you set LocalId to an FQDN, we recommend that you set Negotiation Mode to aggressive, because in IKEv1 main mode with a pre-shared key the peer can identify the VPN gateway only by its IP address.
    RemoteId Specify the identity of the customer gateway that is used in Phase 1 negotiations. The default value is the public IP address of the customer gateway. If you set RemoteId to an FQDN, we recommend that you set Negotiation Mode to aggressive for the same reason.
    Advanced Configuration: IPsec Configurations
    Encryption Algorithm Select the encryption algorithm to be used in Phase 2 negotiations. Supported algorithms are aes, aes192, aes256, des, and 3des. The same recommendation as for Phase 1 applies: avoid des and 3des.
    Authentication Algorithm Select the authentication algorithm to be used in Phase 2 negotiations. Supported algorithms are sha1, md5, sha256, sha384, and sha512. The same recommendation as for Phase 1 applies: avoid md5 and sha1.
    DH Group Select the Diffie-Hellman (DH) group to be used in Phase 2 negotiations.
    • If you select a value other than disabled, perfect forward secrecy (PFS) is enabled: every Phase 2 renegotiation performs a fresh Diffie-Hellman exchange and derives new keys, so a compromised session key does not expose traffic protected by earlier or later keys. You must then also enable PFS with the same DH group on the customer gateway, or Phase 2 negotiation fails.
    • For customer gateways that do not support PFS, select disabled.
    SA Life Cycle (seconds) Specify the lifecycle of the SA after Phase 2 negotiations succeed. Default value: 86400. Unit: seconds.
    DPD Specify whether to enable the DPD feature. This feature is enabled by default.
    NAT Traversal Specify whether to enable the NAT traversal feature. This feature is enabled by default.
    BGP Configuration
    Tunnel CIDR Block Enter the CIDR block of the IPsec tunnel.

    The CIDR block must fall within 169.254.0.0/16. The mask of the CIDR block must be 30 bits in length.

    Local BGP IP address Enter the BGP IP address of the VPC.

    This IP address falls within the CIDR block of the IPsec tunnel.

    Note Make sure that the BGP IP addresses of the VPC and the data center do not conflict with each other.
    Local ASN Enter the autonomous system number (ASN) of the VPC.
    Health Check
    Destination IP The IP address of the data center that the VPC can communicate with through the IPsec-VPN connection.
    Source IP The IP address of the VPC that the data center can communicate with through the IPsec-VPN connection.
    Retry Interval The interval between two consecutive health checks. Unit: seconds.
    Number of Retries The maximum number of health check retries.
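Several of the constraints in the table above surface only after you click OK, and a proposal that the customer gateway does not match shows up only as a failed negotiation. The following pre-flight check is an added example written for this page; it is not part of the product or its documentation. It encodes the rules the table states (name format, IKEv2 for multiple CIDR blocks, the supported algorithm lists, PFS when a Phase 2 DH group is set, a /30 tunnel CIDR inside 169.254.0.0/16 with non-conflicting BGP addresses) and additionally flags the weak choices a reviewer would reject (des, 3des, md5, sha1, aggressive mode, a short pre-shared key). The dictionary layout, the DH group names (group2, group14), the remote_bgp_ip field and the pre-shared key length threshold are this example's own assumptions, not console fields.

```python
import ipaddress
import re

# Constraints from the parameter table. The dict layout, group names and the
# PSK-length threshold are this example's own, not console fields.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_-]{1,127}$")
ENC_ALGS = {"aes", "aes192", "aes256", "des", "3des"}
AUTH_ALGS = {"sha1", "md5", "sha256", "sha384", "sha512"}
WEAK_ALGS = {"des", "3des", "md5", "sha1"}   # accepted by the console, but deprecated
TUNNEL_SUPERNET = ipaddress.ip_network("169.254.0.0/16")
MIN_PSK_LEN = 16


def check_bgp(bgp):
    """Tunnel CIDR must be a /30 in 169.254.0.0/16; both BGP IPs distinct hosts in it."""
    errors = []
    try:
        tunnel = ipaddress.ip_network(bgp["tunnel_cidr"])   # strict: host bits set -> ValueError
    except ValueError:
        return [f"bgp.tunnel_cidr {bgp['tunnel_cidr']} is not a valid network address"]
    if tunnel.version != 4 or tunnel.prefixlen != 30 or not tunnel.subnet_of(TUNNEL_SUPERNET):
        errors.append("bgp.tunnel_cidr must be a /30 within 169.254.0.0/16")
    hosts = set(tunnel.hosts())                  # the two usable addresses of a /30
    local = ipaddress.ip_address(bgp["local_bgp_ip"])
    if local not in hosts:
        errors.append("bgp.local_bgp_ip must be a host address inside tunnel_cidr")
    remote = bgp.get("remote_bgp_ip")            # data-center side, kept for the conflict check
    if remote is not None and ipaddress.ip_address(remote) not in hosts - {local}:
        errors.append("bgp.remote_bgp_ip must be the other host address in tunnel_cidr")
    if not 1 <= bgp["local_asn"] <= 4294967295:
        errors.append("bgp.local_asn must be a 2- or 4-byte ASN")
    return errors


def check_connection(cfg):
    """Return (errors, warnings): errors break creation or negotiation, warnings flag weak choices."""
    errors, warnings = [], []
    if not NAME_RE.match(cfg["name"]):
        errors.append("name: 2-128 letters, digits, _ or -, starting with a letter")
    ike, ipsec = cfg["ike"], cfg["ipsec"]

    # More than one CIDR block on either side (several Phase 2 selectors) needs IKEv2.
    for side in ("local_network", "remote_network"):
        if len(cfg[side]) > 1 and ike["version"] != "ikev2":
            errors.append(f"{side}: multiple CIDR blocks require ikev2")

    # Negotiation mode exists only in IKEv1. Aggressive mode sends identities and the
    # PSK-derived hash before encryption starts; FQDN identities need it regardless.
    if ike["version"] == "ikev1":
        if ike["mode"] == "aggressive":
            warnings.append("ike.mode aggressive exposes the PSK hash to offline guessing; use a long random PSK")
        for key in ("local_id", "remote_id"):
            try:
                ipaddress.ip_address(ike[key])
            except ValueError:                   # not an IP literal, so an FQDN
                if ike["mode"] != "aggressive":
                    warnings.append(f"ike.{key} is an FQDN; set the negotiation mode to aggressive")
    if len(ike["psk"]) < MIN_PSK_LEN:
        warnings.append("ike.psk is short; the PSK is the only authenticator, use a long random value")

    for phase, p in (("ike", ike), ("ipsec", ipsec)):
        for field, allowed in (("enc", ENC_ALGS), ("auth", AUTH_ALGS)):
            if p[field] not in allowed:
                errors.append(f"{phase}.{field} {p[field]} is not supported")
            elif p[field] in WEAK_ALGS:
                warnings.append(f"{phase}.{field} {p[field]} is deprecated; prefer aes256 with sha256 or stronger")

    # A Phase 2 DH group other than "disabled" enables PFS; the peer must use the same group.
    if ipsec["dh_group"] != "disabled":
        warnings.append(f"ipsec.dh_group {ipsec['dh_group']} enables PFS; enable PFS with the same group on the customer gateway")

    if cfg.get("bgp"):
        errors.extend(check_bgp(cfg["bgp"]))
    return errors, warnings


# Constructed samples using documentation address ranges. GOOD follows the table's
# recommendations; BAD collects the mistakes this check is meant to catch.
GOOD = {
    "name": "vpc-to-dc-01",
    "local_network": ["192.168.0.0/16", "172.16.0.0/12"], "remote_network": ["10.0.0.0/8"],
    "ike": {"version": "ikev2", "mode": "main", "psk": "Xq7pT2vL9sB4mR8wZ1kJ", "enc": "aes256",
            "auth": "sha256", "dh_group": "group14", "local_id": "198.51.100.1", "remote_id": "203.0.113.10"},
    "ipsec": {"enc": "aes256", "auth": "sha256", "dh_group": "group14"},
    "bgp": {"tunnel_cidr": "169.254.10.0/30", "local_bgp_ip": "169.254.10.1",
            "remote_bgp_ip": "169.254.10.2", "local_asn": 65530},
}
BAD = {
    "name": "1dc",                                           # must start with a letter
    "local_network": ["192.168.0.0/16", "172.16.0.0/12"],    # two blocks, but IKEv1 below
    "remote_network": ["10.0.0.0/8"],
    "ike": {"version": "ikev1", "mode": "main", "psk": "secret", "enc": "3des", "auth": "md5",
            "dh_group": "group2", "local_id": "vpn.example.com", "remote_id": "198.51.100.2"},
    "ipsec": {"enc": "aes", "auth": "sha1", "dh_group": "disabled"},
    "bgp": {"tunnel_cidr": "169.254.10.0/29", "local_bgp_ip": "169.254.10.1",
            "remote_bgp_ip": "169.254.10.1", "local_asn": 65530},  # not a /30; same IP both ways
}
```

Run check_connection on the connection you are about to create, and on the matching definition you intend to load on the customer gateway: the check only reports mismatches against the table, so the proposals, PFS group, pre-shared key and identities still have to be compared against the peer configuration by hand. For GOOD the check returns no errors and a single PFS reminder; for BAD it returns four errors (name, multiple CIDR blocks under IKEv1, a /29 tunnel block, and the same BGP IP on both ends) and five warnings (an FQDN ID in main mode, a short key, and three deprecated algorithms).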