
VPN Gateway: Connect a VPC to a data center in single-tunnel mode

Last Updated: Apr 11, 2024

This topic describes how to create an IPsec-VPN connection in single-tunnel mode between a virtual private cloud (VPC) and a data center by using a public VPN gateway. The IPsec-VPN connection can enable private communication between the VPC and the data center.

Prerequisites

  • Before you associate an IPsec-VPN connection with a public VPN gateway, make sure that a static public IP address is assigned to the gateway device in the data center. The customer gateway that you create in the console points at this address.

  • The on-premises gateway device must support IKEv1 or IKEv2 to establish IPsec-VPN connections with a VPN gateway.

  • The CIDR block of the data center must not overlap with the CIDR block of the VPC. Overlapping blocks cannot be routed across the tunnel.

Example

In this example, the following scenario is used. An enterprise has created a VPC on Alibaba Cloud. The CIDR block of the VPC is 192.168.0.0/16. The CIDR block of the data center is 172.16.0.0/12. The static public IP address of the gateway device in the data center is 211.XX.XX.68. To meet business requirements, the enterprise needs to connect the data center to the VPC. You can create an IPsec-VPN connection to enable encrypted communication between the VPC and the data center.

[Figure: IPsec quick start]

Preparations

  • A VPC is created and applications are deployed on Elastic Compute Service (ECS) instances in the VPC. For more information, see Create a VPC with an IPv4 CIDR block.

  • You have read and understood the security group rules that apply to the ECS instances in the VPC, and the rules allow inbound traffic from the CIDR block of the data center (172.16.0.0/12 in this example) to the cloud resources that the data center must reach. For more information, see View security group rules and Add a security group rule.

Step 1: Create a VPN gateway

  1. Log on to the VPN gateway console.
  2. In the top navigation bar, select the region in which you want to create the VPN gateway.

    The VPN gateway and the VPC to be associated must belong to the same region.

  3. On the VPN Gateways page, click Create VPN Gateway.

  4. On the buy page, configure the following parameters, click Buy Now, and then complete the payment.

    • Name: Enter a name for the VPN gateway.

      In this example, VPN Gateway 1 is used.

    • Resource Group: Select the resource group to which the VPN gateway belongs. If you leave this parameter empty, the VPN gateway is placed in the default resource group.

      In this example, this parameter is left empty.

    • Region: Select the region in which you want to create the VPN gateway.

      Note

      The VPN gateway must belong to the same region as the VPC.

    • Gateway Type: Select a gateway type. Standard is selected by default.

    • Network Type: Select a network type for the VPN gateway.

      In this example, Public is selected.

    • Tunnels: The system displays the tunnel modes that are supported in the selected region. Valid values: Single-tunnel and Dual-tunnel. For more information, see [Upgrade notice] IPsec-VPN connections support the dual-tunnel mode.

      In this example, Single-tunnel is selected.

    • VPC: Select the VPC with which you want to associate the VPN gateway.

    • vSwitch: Select a vSwitch from the selected VPC. If you select Single-tunnel, specify one vSwitch. If you select Dual-tunnel, specify two vSwitches.

      Note

      • The system selects a vSwitch by default. You can keep the default vSwitch or select a different one.
      • After the VPN gateway is created, you cannot change its associated vSwitch. You can view the associated vSwitch and the zone of the vSwitch on the details page of the VPN gateway.

    • vSwitch 2: Ignore this parameter if you select Single-tunnel for the Tunnels parameter.

    • Maximum Bandwidth: Specify the maximum bandwidth of the VPN gateway. Unit: Mbit/s.

    • Traffic: Select a metering method for the VPN gateway. Default value: Pay-by-data-transfer. For more information, see Billing rules.

    • IPsec-VPN: Specify whether to enable IPsec-VPN.

      In this example, Enable is selected.

    • SSL-VPN: Specify whether to enable SSL-VPN.

      In this example, Disable is selected.

    • Duration: Select a billing cycle for the VPN gateway. By Hour is selected by default.

    • Service-linked Role: Click Create Service-linked Role. The system automatically creates the service-linked role AliyunServiceRoleForVpn, which the VPN gateway assumes to access other cloud resources. For more information, see AliyunServiceRoleForVpn. If Created is displayed, the role already exists and you do not need to create it again.

    For more information about the parameters, see the Create a VPN gateway section of the "Create and manage a VPN gateway" topic.

  5. Return to the VPN Gateways page to view the VPN gateway that you created.

    A newly created VPN gateway is in the Preparing state and changes to the Normal state in about 1 to 5 minutes. After the status changes to Normal, the VPN gateway is ready for use.

Step 2: Create a customer gateway

  1. In the left-side navigation pane, choose Interconnections > VPN > Customer Gateways.

  2. In the top navigation bar, select the region in which you want to create the customer gateway.

    Note

    Make sure that the customer gateway and the VPN gateway to be connected are deployed in the same region.

  3. On the Customer Gateway page, click Create Customer Gateway.

  4. In the Create Customer Gateway panel, configure the following parameters and click OK.

    This topic describes only the following required parameters. You can use the default values for other parameters or leave them empty. For more information, see Create and manage a customer gateway.

    • Name: Enter a name for the customer gateway.

      In this example, Customer Gateway 1 is used.

    • IP Address: Enter the public IP address of the gateway device in the data center that you want to connect to the VPC.

      In this example, 211.XX.XX.68 is used.

Step 3: Create an IPsec-VPN connection

  1. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

  2. In the top navigation bar, select the region in which you want to create the IPsec-VPN connection.

    Note

    Make sure that the IPsec-VPN connection and the VPN gateway to be connected are deployed in the same region.

  3. On the IPsec Connections page, click Create IPsec-VPN Connection.

  4. On the Create IPsec-VPN Connection page, configure the parameters that are described in the following table and click OK.

    • Name: Enter a name for the IPsec-VPN connection.

      In this example, IPsec-VPN Connection 1 is used.

    • Resource Group: Select the resource group to which the IPsec-VPN connection belongs.

      In this example, the default resource group is selected.

    • Associate Resource: Select the type of network resource to associate with the IPsec-VPN connection.

      In this example, VPN Gateway is selected.

    • VPN Gateway: Select the VPN gateway that you created.

      In this example, VPN Gateway 1 is selected.

    • Routing Mode: Select a routing mode.

      In this example, Destination Routing Mode is selected.

    • Effective Immediately: Specify when IKE negotiation starts.

      • Yes: negotiation starts as soon as the configuration is complete.
      • No: negotiation starts only when the connection receives traffic.

      In this example, Yes is selected.

    • Customer Gateway: Select the customer gateway that you created.

      In this example, Customer Gateway 1 is selected.

    • Enable BGP: If you want to use Border Gateway Protocol (BGP) routing for the IPsec-VPN connection, turn on Enable BGP. By default, Enable BGP is turned off.

      In this example, BGP is disabled.

    • Pre-Shared Key: Enter a pre-shared key.

      • The pre-shared key must be 1 to 100 characters in length and can contain digits, letters, and the following characters: ~`!@#$%^&*()_-+={}[]\|;:',.<>/?.
      • If you do not specify a pre-shared key, the system generates a random 16-character string as the pre-shared key. After the IPsec-VPN connection is created, you can click Edit to view the generated key. For more information, see Modify an IPsec-VPN connection.
      • The pre-shared key is the only credential that authenticates the peer in this setup. Use a long, randomly generated value, store it as you would any other secret, and do not reuse it across connections.

      Important

      The IPsec-VPN connection and the peer gateway device must use the same pre-shared key. Otherwise, the IPsec-VPN connection cannot be established.

    • Encryption Configuration: In this example, the Version parameter is set to ikev1 and the other parameters use the default values. If the gateway device in the data center supports IKEv2, prefer ikev2. Whichever version you choose, the IKE version, encryption algorithm, authentication algorithm, DH group, and SA lifetime must be identical on the IPsec-VPN connection and on the gateway device, or negotiation fails. For more information, see Create and manage IPsec-VPN connections in single-tunnel mode.

    • Health Check: In this example, the default value is used and no health check is configured for the IPsec-VPN connection.

    • Tags: Add tags (key-value pairs) to the IPsec-VPN connection.

      In this example, this parameter is left empty.

  5. In the Created message, click OK.
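Two of the inputs above are easy to get wrong and are only reported once negotiation fails: the data-center and VPC CIDR blocks from the Prerequisites, and the pre-shared key. The following is an added example, not code from the page or from Alibaba Cloud, that checks both before you click OK. It uses the CIDR blocks of this topic and the pre-shared key alphabet copied from the parameter description; it generalizes the prerequisite to a data center with several CIDR blocks (one destination route each in Step 5). The 32-character minimum is our own recommendation, not a console rule.

```python
import ipaddress
import secrets
import string

# Characters the console accepts in a pre-shared key, copied from the
# Pre-Shared Key parameter description in Step 3.
PSK_SPECIALS = "~`!@#$%^&*()_-+={}[]\\|;:',.<>/?"
PSK_ALPHABET = string.ascii_letters + string.digits + PSK_SPECIALS
PSK_MAX_LEN = 100
# Our own threshold, not a console rule: 32 characters drawn from this
# 94-symbol alphabet carry about 210 bits of entropy.
RECOMMENDED_PSK_LEN = 32


def check_cidrs(vpc_cidr: str, dc_cidrs: list[str]) -> list[str]:
    """Return the list of address-plan problems; an empty list means it is usable.

    Generalizes the prerequisite: the data center may consist of several CIDR
    blocks (one destination route each in Step 5), so each block is checked
    against the VPC and against the other blocks.
    """
    try:
        vpc = ipaddress.ip_network(vpc_cidr, strict=True)
        dcs = [ipaddress.ip_network(c, strict=True) for c in dc_cidrs]
    except ValueError as exc:  # bad prefix length or host bits set
        return [f"invalid CIDR: {exc}"]
    problems = []
    for net in dcs:
        if net.overlaps(vpc):
            problems.append(f"{net} overlaps VPC {vpc}")
    for i, a in enumerate(dcs):
        for b in dcs[i + 1:]:
            if a.overlaps(b):
                problems.append(f"data-center blocks {a} and {b} overlap")
    return problems


def check_psk(psk: str) -> list[str]:
    """Return the list of problems with a candidate pre-shared key."""
    problems = []
    if not 1 <= len(psk) <= PSK_MAX_LEN:
        problems.append(f"PSK must be 1 to {PSK_MAX_LEN} characters long")
    rejected = sorted({c for c in psk if c not in PSK_ALPHABET})
    if rejected:
        problems.append(f"PSK contains characters the console rejects: {rejected!r}")
    if len(psk) < RECOMMENDED_PSK_LEN:
        problems.append(f"PSK is shorter than {RECOMMENDED_PSK_LEN} characters; use a longer random value")
    return problems


def generate_psk(length: int = RECOMMENDED_PSK_LEN) -> str:
    """Generate a random PSK from the allowed alphabet using the OS CSPRNG."""
    if not RECOMMENDED_PSK_LEN <= length <= PSK_MAX_LEN:
        raise ValueError(f"length must be between {RECOMMENDED_PSK_LEN} and {PSK_MAX_LEN}")
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


if __name__ == "__main__":
    # The address plan used in this topic: no overlap, so the list is empty.
    print(check_cidrs("192.168.0.0/16", ["172.16.0.0/12"]))
    # A second site that collides with the VPC is reported.
    print(check_cidrs("192.168.0.0/16", ["172.16.0.0/12", "192.168.10.0/24"]))
    print(check_psk("alibaba"))
    print(generate_psk())
```

Paste the value returned by generate_psk into the Pre-Shared Key field and into the gateway device in the data center; the console's 16-character default is acceptable only if you have no way to set your own.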

Step 4: Load the configuration of the IPsec-VPN connection to the gateway device in the data center

  1. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

  2. On the IPsec Connections page, find the IPsec-VPN connection that you want to manage and click Generate Peer Configuration in the Actions column.

  3. Load the configuration of the IPsec-VPN connection to the gateway device in the data center. For more information, see Configure local gateways.
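The console's peer configuration must be transcribed into whatever syntax the gateway device in the data center uses. The following is an added example, not the file the console generates and not Alibaba Cloud code, that renders the equivalent swanctl.conf for a data-center gateway running strongSwan from the parameters of this topic, so you can see which console parameter maps to which on-premises setting. Assumed and not taken from the page: the VPN gateway public IP 203.0.113.10, the pre-shared key placeholder, the proposal strings, the SA lifetimes, and the connection names; copy the real values from the IPsec-VPN connection's Encryption Configuration and the VPN gateway details page.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class PeerConfig:
    name: str              # connection name on the on-premises device
    local_ip: str          # public IP of the customer gateway (Step 2)
    remote_ip: str         # public IP of the VPN gateway (VPN gateway details page)
    local_cidr: str        # data-center CIDR, the destination route added in Step 5
    remote_cidr: str       # VPC CIDR
    psk: str               # must equal the Pre-Shared Key of the IPsec-VPN connection
    ike_version: int       # 1 for the ikev1 setting used in this topic, 2 for ikev2
    ike_proposal: str      # strongSwan proposal matching the console's IKE settings
    esp_proposal: str      # strongSwan proposal matching the console's IPsec settings
    ike_lifetime_s: int    # IKE SA lifetime from the console's IKE configuration
    ipsec_lifetime_s: int  # IPsec SA lifetime from the console's IPsec configuration


def render_swanctl(cfg: PeerConfig) -> str:
    """Return swanctl.conf text for the data-center side of the tunnel."""
    if cfg.ike_version not in (1, 2):
        raise ValueError("IKE version must be 1 or 2")
    if not cfg.psk:
        raise ValueError("a pre-shared key is required and must equal the console value")
    local = ipaddress.ip_network(cfg.local_cidr, strict=True)
    remote = ipaddress.ip_network(cfg.remote_cidr, strict=True)
    if local.overlaps(remote):
        raise ValueError(f"{local} overlaps {remote}; the two sides cannot overlap")
    # Quoted strings in swanctl.conf use C-style escapes, and backslash is one of
    # the characters the console allows in a PSK.
    psk = cfg.psk.replace("\\", "\\\\")
    return f"""connections {{
    {cfg.name} {{
        version = {cfg.ike_version}
        local_addrs = {cfg.local_ip}
        remote_addrs = {cfg.remote_ip}
        proposals = {cfg.ike_proposal}
        rekey_time = {cfg.ike_lifetime_s}s
        dpd_delay = 30s
        # IKEv1 main mode with a PSK identifies each peer by IP address, so both
        # IDs are pinned to the public addresses instead of strongSwan's default.
        local {{
            auth = psk
            id = {cfg.local_ip}
        }}
        remote {{
            auth = psk
            id = {cfg.remote_ip}
        }}
        children {{
            {cfg.name}-net {{
                local_ts = {local}
                remote_ts = {remote}
                esp_proposals = {cfg.esp_proposal}
                rekey_time = {cfg.ipsec_lifetime_s}s
                # start_action = start mirrors Effective Immediately = Yes on the
                # cloud side; use trap to negotiate only when traffic arrives.
                start_action = start
                dpd_action = restart
            }}
        }}
    }}
}}
secrets {{
    ike-{cfg.name} {{
        id-local = {cfg.local_ip}
        id-remote = {cfg.remote_ip}
        secret = "{psk}"
    }}
}}
"""


# The values of this topic. The VPN gateway address, PSK, proposals and lifetimes
# are placeholders (assumptions, not taken from the page).
EXAMPLE = PeerConfig(
    name="alicloud-vpc",
    local_ip="211.XX.XX.68",                # as masked on the page
    remote_ip="203.0.113.10",               # placeholder documentation address
    local_cidr="172.16.0.0/12",
    remote_cidr="192.168.0.0/16",
    psk="REPLACE-WITH-THE-CONSOLE-PSK",     # placeholder
    ike_version=1,
    ike_proposal="aes256-sha256-modp2048",  # placeholder; must match both ends
    esp_proposal="aes256-sha256-modp2048",  # placeholder; must match both ends
    ike_lifetime_s=86400,                   # placeholder; match the console's SA lifetime
    ipsec_lifetime_s=86400,                 # placeholder; match the console's SA lifetime
)

if __name__ == "__main__":
    print(render_swanctl(EXAMPLE))
```

The renderer refuses overlapping traffic selectors and an empty key for the same reason the console does: neither can produce a working tunnel. Everything else is a straight mapping, and a mismatch in any one field (version, proposal, lifetime, selector, key) shows up only as a failed negotiation in Step 6.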

Step 5: Configure routes for the VPN gateway

  1. In the left-side navigation pane, choose Interconnections > VPN > VPN Gateways.

  2. On the VPN Gateway page, find the VPN gateway that you want to manage and click the ID of the VPN gateway.

  3. On the Destination-based Route Table tab, click Add Route Entry.

  4. In the Add Route Entry panel, configure the following parameters and click OK.

    • Destination CIDR Block: Enter the destination CIDR block of the route. This is the CIDR block of the data center.

      In this example, 172.16.0.0/12 is used.

    • Next Hop Type: Select the type of next hop.

      In this example, IPsec-VPN Connection is selected.

    • Next Hop: Select the IPsec-VPN connection that you created.

      In this example, IPsec-VPN Connection 1 is selected.

    • Advertise to VPC: Specify whether to advertise the route to the VPC that is associated with the VPN gateway. Select Yes so that the ECS instances in the VPC learn a route to the data center through the VPN gateway.

      In this example, Yes is selected.

    • Weight: Select a weight for the route. Valid values:

      • 100: the route has a high priority.
      • 0: the route has a low priority.

      In this example, the default value 100 is used.

Step 6: Test the network connectivity

  1. Log on to an ECS instance that is not assigned a public IP address in the VPC. For more information, see Connection method overview.

  2. Run the ping command against a server in the data center to test the network connectivity.

    If you receive echo reply packets, the connection is established. If you do not, check that the security group of the ECS instance and the firewall in the data center allow ICMP traffic between 192.168.0.0/16 and 172.16.0.0/12, and check the status of the IPsec-VPN connection on the IPsec Connections page.