Create and manage IPsec-VPN connections in single-tunnel mode

Updated at: 2025-04-03 07:55

You can create IPsec-VPN connections to establish encrypted communication. This allows you to implement connections between your on-premises data center and a virtual private cloud (VPC) over IPsec-VPN connections. This topic describes how to create and manage IPsec-VPN connections in single-tunnel mode.

Background information

When you create an IPsec-VPN connection, you can enable or disable the following features:

  • DPD: Dead Peer Detection (DPD).

    After you enable the DPD feature, the IPsec-VPN connection sends DPD packets to check whether the peer exists and is available. If no response is received from the peer within the specified period of time, the peer is considered dead and the connection fails: the Internet Security Association and Key Management Protocol (ISAKMP) SA, the IPsec SA, and the IPsec tunnel are deleted. After a DPD timeout, the IPsec-VPN connection automatically reinitiates IPsec-VPN negotiations for the tunnel.

    This feature is enabled by default.

  • NAT Traversal: Network Address Translation (NAT) traversal.

    After you enable NAT traversal, the initiator does not check UDP ports during Internet Key Exchange (IKE) negotiations and can automatically discover NAT gateway devices along the IPsec tunnel.

    This feature is enabled by default.

  • BGP: Border Gateway Protocol (BGP) dynamic routing.

    After you enable BGP dynamic routing, the IPsec-VPN connection automatically learns and advertises routes. This facilitates network maintenance and configurations.

    BGP dynamic routing is disabled by default.

  • Health Check: the health check feature of the IPsec-VPN connection.

    In scenarios in which the same VPN gateway is used to create active and standby IPsec-VPN connections, you can configure health checks to check the connectivity of the active and standby connections. After you configure health checks, the system sends Internet Control Message Protocol (ICMP) packets to the destination IP address to check the connectivity of the IPsec-VPN connection. If the active connection is down, the standby connection automatically takes over. This improves the availability of your services.

    Note

    If the IPsec-VPN connection fails health checks, the system resets the IPsec tunnel. In scenarios in which active/standby connections are not used, we recommend that you use the DPD feature instead of the health check feature to check connectivity.

    The health check feature is disabled by default.

If the VPN gateway uses the latest version, DPD, NAT traversal, BGP dynamic routing, and health checks are supported. Otherwise, you can use only the features supported by the current version of the VPN gateway.

You can check whether the VPN gateway is the latest version by using the Upgrade button. If the VPN gateway is not the latest version, you can upgrade it by clicking the Upgrade button. For more information, see Upgrade a VPN gateway.

Prerequisites

Before you create an IPsec-VPN connection, make sure that you understand the overall procedure for using IPsec-VPN connections and have completed the steps that precede connection creation. For more information, see Procedure.

Create an IPsec-VPN connection

  1. Log on to the VPN Gateway console.
  2. In the left-side navigation pane, choose Cross-network Interconnection > VPN > IPsec Connections.

  3. On the IPsec Connections page, click Bind VPN Gateway.

  4. On the Create Ipsec Connection (VPN) page, configure the IPsec-VPN connection based on the following information, and then click OK.

    Basic configurations

    Parameter

    Description

    Name

    Enter a name for the IPsec-VPN connection.

    Region

    Select the region where the VPN gateway to be associated with the IPsec-VPN connection is deployed.

    The IPsec-VPN connection is created in the same region as the VPN gateway.

    Resource Group

    Select the resource group to which the VPN gateway belongs.

    If you leave this parameter empty, the system displays the VPN gateways in all resource groups.

    Bind VPN Gateway

    Select the VPN gateway to be associated with the IPsec-VPN connection.

    Routing Mode

    Select a routing mode for the IPsec-VPN connection.

    • Destination Routing Mode (default): routes and forwards traffic based on the destination IP address.

    • Protected Data Flows: routes and forwards traffic based on the source and destination IP addresses.

      If you select Protected Data Flows, you must configure Local Network and Remote Network. After the IPsec-VPN connection is configured, the system automatically adds policy-based routes to the policy-based route table of the VPN gateway.

      By default, the policy-based routes are not advertised. You can determine whether to advertise the routes to the route table of the VPC based on your requirements. For more information, see Advertise policy-based routes.

    Note

    If the IPsec-VPN connection is associated with a VPN gateway and the VPN gateway is of an earlier version, you do not need to select a routing mode.

    Local Network

    If Routing Mode is set to Protected Data Flows, enter the VPC CIDR block to be connected to the data center. Phase-2 negotiation is based on protected data flows on both sides. We recommend that you specify the same CIDR block for Local Network and the remote network on the data center side.

    Click the Add icon to the right of the text box to add multiple VPC CIDR blocks.

    Note

    If you configure multiple CIDR blocks, you must set ikev2 as the IKE version.

    Remote Network

    If Routing Mode is set to Protected Data Flows, enter the data center CIDR block to be connected to the VPC. Phase-2 negotiation is based on protected data flows on both sides. We recommend that you specify the same CIDR block for Remote Network and the local network on the data center side.

    Click the Add icon to the right of the text box to add multiple data center CIDR blocks.

    Note

    If you configure multiple CIDR blocks, you must set ikev2 as the IKE version.

    Effective Immediately

    Specify whether to immediately start IPsec negotiations.

    • Yes (default): starts IPsec negotiations immediately after the configuration is complete.

    • No: starts IPsec negotiations only when traffic is detected.

    Customer Gateway

    Select the customer gateway to be associated with the IPsec-VPN connection.

    Pre-shared Key

    Enter the authentication key of the IPsec-VPN connection. The key is used for identity authentication between the VPN gateway and the data center.

    • The key must be 1 to 100 characters in length and can contain digits, uppercase letters, lowercase letters, and the following special characters: ~`!@#$%^&*()_-+={}[]\|;:',.<>/?. The key cannot contain spaces.

    • If you do not specify a pre-shared key, the system randomly generates a 16-character string as the pre-shared key. After the IPsec-VPN connection is created, you can click Edit to view the pre-shared key that is generated by the system. For more information, see Modify an IPsec-VPN connection.

    Important

    The pre-shared keys configured on both sides of the IPsec-VPN connection must be the same. Otherwise, the IPsec-VPN connection cannot be established.

    Enable BGP

    If you want to use BGP routing for the IPsec-VPN connection, turn on Enable BGP. By default, Enable BGP is turned off.

    Before you use BGP dynamic routing, we recommend that you learn more about how it works and its limits. For more information, see Configure BGP dynamic routing.

    Local ASN

    Enter the autonomous system number (ASN) of the IPsec-VPN connection on the Alibaba Cloud side. Default value: 45104. Valid values: 1 to 4294967295.

    You can enter the ASN in two segments and separate the first 16 bits from the following 16 bits with a period (.). Enter the number in each segment in the decimal format.

    For example, if you enter 123.456, the ASN is 123 × 65536 + 456 = 8061384.

    Note

    We recommend that you use a private ASN to establish a connection with Alibaba Cloud over BGP. For more information about the valid range of a private ASN, see the relevant documentation.

    Encryption settings

    Parameter

    Description

    Encryption Settings: IKE Configurations

    Version

    Select an IKE version.

    • ikev1

    • ikev2 (default)

      Compared with IKEv1, IKEv2 simplifies SA negotiations and provides better support for scenarios in which multiple CIDR blocks are used. We recommend that you use IKEv2.

    Negotiation Mode

    Select a negotiation mode.

    • main (default): the main mode. This mode provides higher security during negotiations.

    • aggressive: the aggressive mode. This mode is faster and has a higher success rate during negotiations.

    The modes support the same security level for data transmission.

    Encryption Algorithm

    Select the encryption algorithm that is used in Phase 1 negotiations.

    The encryption algorithm can be aes (aes128, default), aes192, aes256, des, or 3des.

    Note

    If the bandwidth of the VPN gateway is 200 Mbps or higher, we recommend that you use the aes, aes192, or aes256 encryption algorithm. We do not recommend that you use the 3des encryption algorithm.

    • Advanced Encryption Standard (AES) is a symmetric-key encryption algorithm that provides high-level encryption and decryption. AES has little impact on network latency, throughput, and forwarding performance while ensuring data transmission security.

    • 3des is the Triple Data Encryption Algorithm (3DES). Encryption takes longer, and the algorithm is more complex and computationally expensive than AES, so 3DES reduces forwarding performance.

    Authentication Algorithm

    Select the authentication algorithm that is used in Phase 1 negotiations.

    The authentication algorithm can be sha1 (default), md5, sha256, sha384, or sha512.

    Note

    When you add VPN configurations to your on-premises gateway device, you may need to specify the pseudorandom function (PRF) algorithm. Make sure that the PRF algorithm is the same as the authentication algorithm that is used in IKE negotiations.

    DH Group

    Select the Diffie-Hellman (DH) key exchange algorithm that is used in Phase 1 negotiations.

    • group1: DH group 1.

    • group2 (default): DH group 2.

    • group5: DH group 5.

    • group14: DH group 14.

    Lifecycle (seconds)

    Specify the lifecycle of the SA after Phase 1 negotiations succeed. Unit: seconds. Default value: 86400. Valid values: 0 to 86400.

    LocalId

    Enter the identifier of the IPsec-VPN connection on the Alibaba Cloud side. The default value is the IP address of the VPN gateway.

    This parameter is used only to identify Alibaba Cloud in IPsec-VPN negotiations. You can use an IP address or a fully qualified domain name (FQDN) as the ID. The value cannot contain spaces. We recommend that you use a private IP address as the identifier of the IPsec-VPN connection on the Alibaba Cloud side.

    If you use an FQDN as LocalId, for example, example.aliyun.com, the peer ID of the IPsec-VPN connection on the data center side must be the same as the value of LocalId. We recommend that you select aggressive (the aggressive mode) as the negotiation mode.

    RemoteId

    Enter the identifier of the IPsec-VPN connection on the data center side. The default value is the IP address of the customer gateway.

    This parameter is used only to identify the data center in IPsec-VPN negotiations. You can use an IP address or an FQDN as the ID. The value cannot contain spaces. We recommend that you use a private IP address as the identifier of the IPsec-VPN connection on the data center side.

    If you use an FQDN as RemoteId, for example, example.aliyun.com, the local ID of the IPsec-VPN connection on the data center side must be the same as the value of RemoteId. We recommend that you select aggressive (the aggressive mode) as the negotiation mode.

    Encryption Settings: Ipsec Configurations

    Encryption Algorithm

    Select the encryption algorithm that is used in Phase 2 negotiations.

    The encryption algorithm can be aes (aes128, default), aes192, aes256, des, or 3des.

    Note

    If the bandwidth of the VPN gateway is 200 Mbps or higher, we recommend that you use the aes, aes192, or aes256 encryption algorithm. We do not recommend that you use the 3des encryption algorithm.

    • Advanced Encryption Standard (AES) is a symmetric-key encryption algorithm that provides high-level encryption and decryption. AES has little impact on network latency, throughput, and forwarding performance while ensuring data transmission security.

    • 3des is the Triple Data Encryption Algorithm (3DES). Encryption takes longer, and the algorithm is more complex and computationally expensive than AES, so 3DES reduces forwarding performance.

    Authentication Algorithm

    Select the authentication algorithm that is used in Phase 2 negotiations.

    The authentication algorithm can be sha1 (default), md5, sha256, sha384, or sha512.

    DH Group

    Select the DH key exchange algorithm that is used in Phase 2 negotiations.

    • disabled: does not use the DH key exchange algorithm.

      • If the client does not support Perfect Forward Secrecy (PFS), select disabled.

      • If you select a group other than disabled, the PFS feature is enabled by default. This way, a new key is required for each renegotiation. The client must also enable the PFS feature.

    • group1: DH group 1.

    • group2 (default): DH group 2.

    • group5: DH group 5.

    • group14: DH group 14.

    Lifecycle (seconds)

    Specify the lifecycle of the SA after Phase 2 negotiations succeed. Unit: seconds. Default value: 86400. Valid values: 0 to 86400.

    DPD

    Specify whether to enable the DPD feature. By default, the DPD feature is enabled. The timeout period of DPD packets is 30 seconds.

    Note

    In scenarios where IPsec-VPN connections use IKEv2, the DPD timeout period of some existing VPN gateways may be 130 seconds or 3,600 seconds. You can upgrade your VPN gateway to the latest version.

    NAT Traversal

    Specify whether to enable the NAT traversal feature. By default, the NAT traversal feature is enabled.

    BGP Configuration

    If you enable BGP for the IPsec-VPN connection, you must specify the CIDR block of the BGP tunnel and the BGP IP address on the Alibaba Cloud side.

    Parameter

    Description

    Tunnel CIDR Block

    Enter the CIDR block of the IPsec tunnel.

    The CIDR block must be a subnet with a subnet mask of /30 in the 169.254.0.0/16 CIDR block. The CIDR block cannot be 169.254.0.0/30, 169.254.1.0/30, 169.254.2.0/30, 169.254.3.0/30, 169.254.4.0/30, 169.254.5.0/30, or 169.254.169.252/30.

    Local BGP IP address

    Enter the BGP IP address of the IPsec-VPN connection on the Alibaba Cloud side.

    This IP address must fall within the CIDR block of the IPsec tunnel.

    Health check

    By default, the health check feature is disabled. Before you add a health check configuration, enable the health check feature.

    Important

    After you configure health checks for the IPsec-VPN connection, add a route on the data center side: set the destination CIDR block to the health check Source IP Address with a 32-bit subnet mask (a host route), and set the next hop to the IPsec-VPN connection. This ensures that the health check probes sent over the IPsec-VPN connection are answered and the feature works as expected.

    Parameter

    Description

    Destination IP Address

    Enter the IP address of the data center with which the VPC can communicate based on the IPsec-VPN connection.

    Note

    Make sure that the destination IP address supports ICMP responses.

    Source IP Address

    Enter the IP address of the VPC with which the data center can communicate based on the IPsec-VPN connection.

    Retry Interval

    Specify the retry interval of the health check. Unit: seconds. Default value: 3.

    Number of Retries

    Enter the number of health check retries. Default value: 3.

    Tags

    When you create an IPsec-VPN connection, you can add tags to the IPsec-VPN connection to facilitate resource aggregation and search. For more information, see Tags.

    Parameter

    Description

    Tag Key

    The tag key of the IPsec-VPN connection. You can select or enter a tag key.

    Tag Value

    Select or enter a tag value. You can leave the tag value empty.

  5. To configure VPN gateway routes later, click Cancel in the dialog box that appears.

  6. On the IPsec Connections page, find the IPsec-VPN connection that you want to manage, and click Download Configuration in the Actions column.

  7. In the IPsec-VPN Connection Configuration dialog box, copy the configuration and save it to a local path. You can use the configuration to configure your on-premises gateway device.
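The parameter constraints described in step 4 (the pre-shared key character rule, the two-segment Local ASN notation, and the BGP Tunnel CIDR Block and Local BGP IP address rules) can be checked before a configuration is submitted in the console or through the API. The following Python is an added example, not code from Alibaba Cloud or its SDK; the function and constant names, and the configuration dictionary it checks, are the example's own.

```python
import ipaddress
import re

# Special characters the page allows in a pre-shared key; spaces are not allowed.
PSK_SPECIALS = "~`!@#$%^&*()_-+={}[]\\|;:',.<>/?"
_PSK_RE = re.compile(r"^[0-9A-Za-z" + re.escape(PSK_SPECIALS) + r"]{1,100}$")

# Range the BGP tunnel CIDR block must come from, and the blocks the page excludes.
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
RESERVED_TUNNEL_BLOCKS = {ipaddress.ip_network(c) for c in (
    "169.254.0.0/30", "169.254.1.0/30", "169.254.2.0/30", "169.254.3.0/30",
    "169.254.4.0/30", "169.254.5.0/30", "169.254.169.252/30")}


def psk_is_valid(psk: str) -> bool:
    """1 to 100 characters: digits, letters and the listed special characters only."""
    return _PSK_RE.match(psk) is not None


def asn_to_plain(asn: str) -> int:
    """Plain ASN, or 'high.low' with two 16-bit decimal halves: '123.456' -> 8061384."""
    high, _, low = asn.partition(".")
    if low and not (0 <= int(high) <= 0xFFFF and 0 <= int(low) <= 0xFFFF):
        raise ValueError("each ASN segment must be 0-65535")
    value = int(high) * 65536 + int(low) if low else int(high)
    if not 1 <= value <= 4294967295:
        raise ValueError("ASN must be 1-4294967295")
    return value


def tunnel_cidr_is_valid(cidr: str) -> bool:
    """A /30 inside 169.254.0.0/16 with no host bits set, not a reserved block."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError:  # malformed, or host bits set in the prefix
        return False
    return net.prefixlen == 30 and net.subnet_of(LINK_LOCAL) and net not in RESERVED_TUNNEL_BLOCKS


def local_bgp_ip_is_valid(ip: str, tunnel_cidr: str) -> bool:
    """The page only requires the address to fall within the tunnel CIDR block."""
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(tunnel_cidr)
    except ValueError:
        return False


def check_connection(cfg: dict) -> list:
    """Problems found in a constructed configuration dict (empty list when it is fine)."""
    problems = []
    if not psk_is_valid(cfg.get("psk", "")):
        problems.append("pre-shared key violates the length or character rule")
    try:
        asn_to_plain(str(cfg.get("local_asn", "45104")))  # 45104 is the page's default
    except ValueError as exc:
        problems.append(f"local ASN: {exc}")
    if cfg.get("enable_bgp"):
        if not tunnel_cidr_is_valid(cfg.get("tunnel_cidr", "")):
            problems.append("tunnel CIDR block is not an allowed /30 in 169.254.0.0/16")
        elif not local_bgp_ip_is_valid(cfg.get("local_bgp_ip", ""), cfg["tunnel_cidr"]):
            problems.append("local BGP IP address is outside the tunnel CIDR block")
    return problems
```

Run `check_connection` on the dictionary you are about to send; an empty list means every rule on this page that can be checked locally passed, so a rejected request points at a server-side condition instead.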

What to do next

  1. Configure VPN gateway routes.

  2. Configure your on-premises gateway device based on the IPsec-VPN connection configuration that you downloaded.

Manage IPsec-VPN connections

Modify an IPsec-VPN connection

You cannot modify the VPN gateway and customer gateway that are associated with an IPsec-VPN connection. However, you can modify the routing mode, pre-shared key, and encryption settings of the IPsec-VPN connection.

  1. Log on to the VPN Gateway console.

  2. In the left-side navigation pane, choose Cross-network Interconnection > VPN > IPsec Connections.

  3. In the top navigation bar, select the region of the IPsec-VPN connection.
  4. On the Ipsec Connections page, find the IPsec-VPN connection that you want to modify and click Edit in the Actions column.

  5. On the Edit Ipsec Connection page, modify the name, encryption settings, and CIDR blocks of the IPsec-VPN connection, and then click OK.

    For more information about the parameters, see Create an IPsec-VPN connection.

Delete an IPsec-VPN connection

  1. Log on to the VPN Gateway console.

  2. In the left-side navigation pane, choose Cross-network Interconnection > VPN > IPsec Connections.

  3. In the top navigation bar, select the region of the IPsec-VPN connection.
  4. On the Ipsec Connections page, find the IPsec-VPN connection that you want to delete and click Delete in the Actions column.

  5. In the dialog box that appears, confirm the information and click OK.

Create and manage IPsec-VPN connections by calling the API

You can call the API to create and manage IPsec-VPN connections by using Alibaba Cloud SDK (recommended), Alibaba Cloud CLI, Terraform, or Resource Orchestration Service. The following API operations are available:
