This topic describes how to create an IPsec-VPN connection in single-tunnel mode between a virtual private cloud (VPC) and a data center by using a public VPN gateway. The IPsec-VPN connection can enable private communication between the VPC and the data center.
Prerequisites
Before you associate an IPsec-VPN connection with a public VPN gateway, make sure that a public IP address is assigned to the gateway device in the data center.
The on-premises gateway device must support IKEv1 or IKEv2 to establish IPsec-VPN connections with a VPN gateway.
The CIDR block of the data center must not overlap with the CIDR block of the VPC.
Example
In this example, the following scenario is used. An enterprise has created a VPC on Alibaba Cloud. The CIDR block of the VPC is 192.168.0.0/16. The CIDR block of the data center is 172.16.0.0/12. The static public IP address of the gateway device in the data center is 211.XX.XX.68. To meet business requirements, the enterprise needs to connect the data center to the VPC. You can create an IPsec-VPN connection to enable encrypted communication between the VPC and the data center.
Preparations
A VPC is created and applications are deployed on Elastic Compute Service (ECS) instances in the VPC. For more information, see Create a VPC with an IPv4 CIDR block.
You have read and understood the security group rules that apply to the ECS instances in VPCs, and the security group rules allow gateway devices in the data center to access cloud resources. For more information, see View security group rules and Add a security group rule.
Step 1: Create a VPN gateway
Log on to the VPN gateway console.
In the top navigation bar, select the region in which you want to create the VPN gateway.
The VPN gateway and the VPC to be associated must belong to the same region.
On the VPN Gateways page, click Create VPN Gateway.
On the buy page, configure the following parameters, click Buy Now, and then complete the payment.
Name: Enter a name for the VPN gateway.
In this example, VPN Gateway 1 is used.
Resource Group: Select the resource group to which the VPN gateway belongs. If you leave this parameter empty, the VPN gateway belongs to the default resource group.
In this example, this parameter is left empty.
Region: Select the region in which you want to create the VPN gateway.
Note: The VPN gateway must belong to the same region as the VPC.
Gateway Type: Select a gateway type. Standard is selected by default.
Network Type: Select a network type for the VPN gateway.
In this example, Public is selected.
Tunnels: The system displays the tunnel modes that are supported in this region. Valid values:
- Single-tunnel
- Dual-tunnel
For more information, see [Upgrade notice] IPsec-VPN connections support the dual-tunnel mode.
VPC: Select the VPC with which you want to associate the VPN gateway.
vSwitch: Select a vSwitch from the selected VPC.
- If you select Single-tunnel, you need to specify one vSwitch.
- If you select Dual-tunnel, you need to specify two vSwitches.
Note:
- The system selects a vSwitch by default. You can keep the default vSwitch or select a different one.
- After you create a VPN gateway, you cannot change the vSwitch associated with the VPN gateway. You can view the associated vSwitch and the zone of the vSwitch on the details page of the VPN gateway.
vSwitch 2: Ignore this parameter if you select Single-tunnel for the Tunnels parameter.
Maximum Bandwidth: Specify a maximum bandwidth value for the VPN gateway. Unit: Mbit/s.
Traffic: Select a metering method for the VPN gateway. Default value: Pay-by-data-transfer.
For more information, see Billing rules.
IPsec-VPN: Specify whether to enable IPsec-VPN.
In this example, Enable is selected.
SSL-VPN: Specify whether to enable SSL-VPN.
In this example, Disable is selected.
Duration: Select a billing cycle for the VPN gateway. By Hour is selected by default.
Service-linked Role: Click Create Service-linked Role. The system automatically creates the service-linked role AliyunServiceRoleForVpn.
The VPN gateway assumes this role to access other cloud resources. For more information, see AliyunServiceRoleForVpn.
If Created is displayed, the service-linked role already exists and you do not need to create it again.
For more information about the parameters, see the Create a VPN gateway section of the "Create and manage a VPN gateway" topic.
Return to the VPN Gateways page to view the VPN gateway that you created.
A newly created VPN gateway is in the Preparing state and changes to the Normal state in about 1 to 5 minutes. After the status changes to Normal, the VPN gateway is ready for use.
Step 2: Create a customer gateway
In the left-side navigation pane, choose .
In the top navigation bar, select the region in which you want to create the customer gateway.
Note: Make sure that the customer gateway and the VPN gateway to be connected are deployed in the same region.
On the Customer Gateway page, click Create Customer Gateway.
In the Create Customer Gateway panel, configure the following parameters and click OK.
This topic describes only the following required parameters. You can use the default values for other parameters or leave them empty. For more information, see Create and manage a customer gateway.
Name: Enter a name for the customer gateway.
In this example, Customer Gateway 1 is used.
IP Address: Enter the public IP address of the gateway device in the data center that you want to connect to the VPC.
In this example, 211.XX.XX.68 is used.
Step 3: Create an IPsec-VPN connection
In the left-side navigation pane, choose .
In the top navigation bar, select the region in which you want to create the IPsec-VPN connection.
Note: Make sure that the IPsec-VPN connection and the VPN gateway to be connected are deployed in the same region.
On the IPsec Connections page, click Create IPsec-VPN Connection.
On the Create IPsec-VPN Connection page, configure the parameters that are described in the following table and click OK.
Name: Enter a name for the IPsec-VPN connection.
In this example, IPsec-VPN Connection 1 is used.
Resource Group: Select the resource group to which the VPN gateway belongs.
In this example, the default resource group is selected.
Associate Resource: Select the type of network resource to be associated with the IPsec-VPN connection.
In this example, VPN Gateway is selected.
VPN Gateway: Select the VPN gateway that you created.
In this example, VPN Gateway 1 is selected.
Routing Mode: Select a routing mode.
In this example, Destination Routing Mode is selected.
Effective Immediately: Specify whether the configuration immediately takes effect.
- Yes: starts negotiations as soon as the configuration is complete.
- No: starts negotiations only when traffic is received.
In this example, Yes is selected.
Customer Gateway: Select the customer gateway that you created.
In this example, Customer Gateway 1 is selected.
Enable BGP: If you want to use Border Gateway Protocol (BGP) routing for the IPsec-VPN connection, turn on Enable BGP. By default, Enable BGP is turned off.
In this example, BGP is disabled.
Pre-Shared Key: Enter a pre-shared key.
The pre-shared key must be 1 to 100 characters in length, and can contain digits, letters, and the following characters: ~`!@#$%^&*()_-+={}[]\|;:',.<>/?
If you do not specify a pre-shared key, the system generates a random 16-bit string as the pre-shared key. After you create the IPsec-VPN connection, you can click Edit to view the pre-shared key that the system generated. For more information, see Modify an IPsec-VPN connection.
Important: The IPsec-VPN connection and the peer gateway device must use the same pre-shared key. Otherwise, the system cannot establish the IPsec-VPN connection.
Encryption Configuration: In this example, the Version parameter is set to ikev1 and the other parameters use the default values. For more information, see Create and manage IPsec-VPN connections in single-tunnel mode.
Health Check: In this example, the default value is used and no health check is configured for the IPsec-VPN connection.
Tags: Add tags, as key-value pairs, to the IPsec-VPN connection.
In this example, this parameter is left empty.
In the Created message, click OK.
Step 4: Load the configuration of the IPsec-VPN connection to the gateway device in the data center
In the left-side navigation pane, choose .
On the IPsec Connections page, find the IPsec-VPN connection that you want to manage and click Generate Peer Configuration in the Actions column.
Load the configuration of the IPsec-VPN connection to the gateway device in the data center. For more information, see Configure local gateways.
Step 5: Configure routes for the VPN gateway
In the left-side navigation pane, choose .
On the VPN Gateways page, find the VPN gateway that you want to manage and click the ID of the VPN gateway.
On the Destination-based Route Table tab, click Add Route Entry.
In the Add Route Entry panel, configure the following parameters and click OK.
Destination CIDR Block: Enter a destination CIDR block for the route.
In this example, 172.16.0.0/12 is used.
Next Hop Type: Select the type of next hop.
In this example, IPsec-VPN connection is selected.
Next Hop: Select the IPsec-VPN connection that you created.
Advertise to VPC: Specify whether to advertise the route to the VPC that is associated with the VPN gateway.
In this example, Yes is selected.
Weight: Select a weight for the route. Valid values:
- 100: specifies a high priority for the route.
- 0: specifies a low priority for the route.
In this example, the default value 100 is used.
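The checks that this procedure relies on, as an added Python example written for this page and not code from Alibaba Cloud: the non-overlapping CIDR prerequisite, the pre-shared key character rule from Step 3, and the destination route entry from Step 5. The key length of 32 and the CSPRNG-based generator are our own assumptions; the page only states the character rules.

```python
import ipaddress
import secrets
import string

# Special characters that the console accepts in a pre-shared key (from Step 3).
PSK_SPECIALS = "~`!@#$%^&*()_-+={}[]\\|;:',.<>/?"
PSK_ALPHABET = string.ascii_letters + string.digits + PSK_SPECIALS

# Values from this page's example scenario.
VPC_CIDR = "192.168.0.0/16"
DC_CIDR = "172.16.0.0/12"


def psk_is_valid(psk: str) -> bool:
    """Pre-shared key rule from Step 3: 1 to 100 characters, each a letter,
    a digit or one of the listed special characters."""
    return 1 <= len(psk) <= 100 and all(c in PSK_ALPHABET for c in psk)


def generate_psk(length: int = 32) -> str:
    """Build a key from the allowed alphabet with a CSPRNG so the same value
    can be entered on the connection and on the peer device.
    The length of 32 is our own choice (assumption), not a value from the page."""
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


def cidrs_overlap(vpc_cidr: str, dc_cidr: str) -> bool:
    """Prerequisite: the data-center CIDR block must not overlap the VPC's."""
    return ipaddress.ip_network(vpc_cidr).overlaps(ipaddress.ip_network(dc_cidr))


def route_covers_remote(route_dst: str, dc_cidr: str, vpc_cidr: str) -> bool:
    """Step 5 sanity check: the destination route that points at the IPsec-VPN
    connection must contain the whole data-center CIDR block and must not
    overlap the VPC's own address space (a 0.0.0.0/0 route fails this check)."""
    dst = ipaddress.ip_network(route_dst)
    dc = ipaddress.ip_network(dc_cidr)
    vpc = ipaddress.ip_network(vpc_cidr)
    return dc.subnet_of(dst) and not dst.overlaps(vpc)


def preflight(psk: str, route_dst: str = DC_CIDR) -> dict:
    """Run all three checks for the page's scenario and report each result."""
    return {
        "psk_ok": psk_is_valid(psk),
        "cidrs_disjoint": not cidrs_overlap(VPC_CIDR, DC_CIDR),
        "route_ok": route_covers_remote(route_dst, DC_CIDR, VPC_CIDR),
    }
```

Run preflight(generate_psk()) before clicking OK in Step 3; every value in the returned dict should be True for the page's scenario.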
Step 6: Test the network connectivity
Log on to an ECS instance that is not assigned a public IP address in the VPC. For more information, see Connection method overview.
Run the ping command against a server in the data center to test network connectivity.
If you receive echo reply packets, the connection is established.