
Cloud Enterprise Network:Create a VPN connection

Last Updated:Dec 04, 2024

To allow a data center to communicate with other networks, such as virtual private clouds (VPCs) in the same region, VPCs in a different region, and other data centers, you can establish an IPsec-VPN connection between the data center and a transit router. This topic describes how to attach an IPsec-VPN connection to a transit router.

Limits

  • Only Enterprise Edition transit routers support VPN connections.

  • Only IPsec-VPN connections in certain regions can be attached to transit routers. For more information, see Regions that support IPsec-VPN.

  • The dual-tunnel mode for VPN connections is in beta testing. VPN connections have been upgraded to dual-tunnel in Thailand (Bangkok), Philippines (Manila), Germany (Frankfurt), UK (London), and China (Ulanqab), while connections in other regions remain in single-tunnel mode. If you need to enable dual-tunnel mode, please contact your account manager. For more information on dual-tunnel mode, see Introduction to IPsec-VPN connections that are associated with transit routers in dual-tunnel mode.

  • After you create a VPN connection, the system automatically adds a routing policy to all route tables of the transit router. The policy has the direction Egress Regional Gateway, a Policy Priority of 5000, and a Policy Action of Reject. It rejects communication between the VPN connection, virtual border router (VBR) connections, and Cloud Connect Network (CCN) connections.

  • Assume that your data center is already connected to a transit router through an IPsec-VPN connection. If you create an additional VPN connection to the same transit router, traffic between the VPC and the VPN connections is not load-balanced across the connections.

  • The resource quotas are listed in the following table:

    Item: The maximum number of IPsec-VPN connections that can be attached to a transit router
    Default value: 50
    Adjustable: You can use one of the following methods to increase the quota:

    Item: The maximum number of VPC connections supported by a transit router for equal-cost multi-path (ECMP) routing
    Default value: 16
    Adjustable: No

    Item: The maximum number of transit routers to which an IPsec-VPN connection can be attached
    Default value: 1
    Adjustable: No

Billing

When you use a VPN connection, the billable items include transit router connections, transit router data forwarding, IPsec-VPN connection instance fees, data transfer, and outbound data transfer. The billable items vary based on the network type of the IPsec-VPN connection. The following table describes the billing rules for VPN connections.

Billing rules for Internet VPN connections

Figure: billing example for an Internet VPN connection

Item: Transit router connection
Description: The attachment between the transit router and the IPsec-VPN connection

Item: Transit router data forwarding
Description: Data forwarding from the IPsec-VPN connection to the transit router

Item: IPsec-VPN connection instance
Description: The IPsec-VPN connection

Item: Data transfer
Description: Data transfer from the IPsec-VPN connection to the data center

Billing rules for private VPN connections

Figure: billing example for a private VPN connection

Item: Transit router connection
Description: The connections between the VBR and the IPsec-VPN connection

Item: Transit router data forwarding
Description: Data forwarding from the VBR to the transit router

Item: IPsec-VPN connection
Description: The IPsec-VPN connection

Item: Outbound data transfer
Description: Data transfer from the VBR to the data center

Procedure

Before you can attach an IPsec-VPN connection to a transit router, you must create an IPsec-VPN connection. You can attach the IPsec-VPN connection to the transit router to allow your data center to access Alibaba Cloud. The data center is also connected to the transit router over the IPsec-VPN connection and can communicate with other networks that are attached to the transit router.

You can create IPsec-VPN connections in the Cloud Enterprise Network (CEN) or VPN Gateway console. You can create IPsec-VPN connections that belong to a different Alibaba Cloud account. The following figure shows how to attach an IPsec-VPN connection that belongs to your Alibaba Cloud account or a different Alibaba Cloud account to a transit router in the CEN or VPN Gateway console.

Note
  • When you create an IPsec-VPN connection, you must specify a customer gateway. Make sure a customer gateway is created before you create an IPsec-VPN connection.

  • When you create an IPsec-VPN connection in the VPN Gateway console, set Associate Resource to Do Not Associate.

Figure: procedure for creating a VPN connection

Prerequisites

Before you create a VPN connection, select an appropriate mode that suits your situation. Ensure that all the prerequisites have been met before creating a VPN connection. For more information, see the following topics:

Single-tunnel mode

Dual-tunnel mode

Create a VPN connection

  1. Log on to the CEN console.

  2. On the Instances page, click the ID of the CEN instance that you want to manage.

  3. On the Basic Information > Transit Router tab, find the transit router instance in the target region. In the Actions column, click Create Network Instance Connection.

  4. On the Connect Network Instance page, configure the VPN connection information based on the following information, and then click Confirm Creation.

    The configuration items differ depending on how the IPsec-VPN connection is created (single-tunnel mode or dual-tunnel mode). All configuration items are listed below for reference.

    Note
    • When you perform this operation for the first time, the system automatically creates a service-linked role named AliyunServiceRoleForVpn. This role allows VPN gateways to manage resources such as ENIs and security groups. If the service-linked role AliyunServiceRoleForVpn already exists, the system does not create it again. For more information about AliyunServiceRoleForVpn, see AliyunServiceRoleForVpn.

    Single-tunnel mode

    Basic information

    Parameter

    Description

    Instance Type

    Select VPN.

    Region

    Select the region where the transit router is deployed.

    Transit Router

    The transit router in the selected region is displayed.

    Resource Owner ID

    Select the Alibaba Cloud accounts to which the transit router and the IPsec-VPN connection belong.

    You can attach IPsec-VPN connections that belong to the current or a different Alibaba Cloud account to transit routers.

    • If the IPsec-VPN connection and the transit router belong to the same Alibaba Cloud account, select Current Account.

    • If the IPsec-VPN connection and the transit router belong to different Alibaba Cloud accounts, select Different Account, and enter the ID of the Alibaba Cloud account to which the IPsec-VPN connection belongs.

    Individual Resource

    Create an IPsec-VPN connection or select an existing IPsec-VPN connection. Valid values:

    • Create Resource: Create an IPsec-VPN connection.

      The system creates an IPsec-VPN connection and attaches it to the transit router. You can find the IPsec-VPN connection in the VPN Gateway console and click Edit to view the information about the IPsec-VPN connection. For more information, see Modify an IPsec-VPN connection.

    • Select Resource: Select an existing IPsec-VPN connection.

    Attachment Name

    Enter a name for the VPN connection.

    Tag

    Add tags to the VPN connection.

    • Tag Key: The tag key can be up to 64 characters in length. It cannot be an empty string or start with acs: or aliyun or contain http:// or https://.

    • Tag Value: The tag value can be an empty string with a maximum length of 128 characters. It cannot start with acs: or aliyun or contain http:// or https://.

    You can add one or more tags to a VPN connection. For more information about tags, see Manage tags.

    Gateway Type

    Select a network type for the IPsec-VPN connection. Valid values:

    • Public: an encrypted connection over the Internet. This is the default value.

    • Private: an encrypted private connection.

    Zone

    Select a zone.

    Resources are deployed in the selected zone.

    Customer Gateway

    Select the customer gateway to which you want to attach the IPsec-VPN connection.

    Routing Mode

    Select a routing mode for the IPsec-VPN connection. Valid values:

    • Destination Routing: Traffic is forwarded based on the destination IP address. This is the default value.

    • Flow Protection: Traffic is forwarded based on the source and destination IP addresses.

      If you select Flow Protection, you must set the Local CIDR Block and Peer CIDR Block parameters. After the settings of the VPN connection are completed, the system automatically adds a destination-based route to the route table associated with the IPsec-VPN connection. By default, the destination-based route is advertised to the route tables of the transit router.

    Apply Immediately

    Specify whether to immediately start IPsec negotiations after the configuration takes effect. Valid values:

    • Yes: Immediately start IPsec negotiations after the settings are completed.

    • No: Start IPsec negotiations only when traffic is received. This is the default value.

    Pre-shared Key

    Enter a pre-shared key that is used for identity authentication between Alibaba Cloud and the data center.

    The key must be 1 to 100 characters in length. If you do not specify a pre-shared key, the system randomly generates a 16-character string as the pre-shared key.

    To view the pre-shared key of the IPsec-VPN connection, find the IPsec-VPN connection in the VPN Gateway console and click Edit. For more information, see Modify an IPsec-VPN connection.

    Important

    The pre-shared key specified for the IPsec-VPN connection and in the data center must be the same. Otherwise, the IPsec-VPN connection fails.

    Encryption settings

    Parameter

    Description

    IKE Settings

    Edition

    Select the version of the IKE protocol. Valid values:

    • ikev1

    • ikev2 (default)

    IKEv1 and IKEv2 are supported. Compared with IKEv1, IKEv2 simplifies the security association (SA) negotiation process and provides better support for scenarios in which multiple CIDR blocks are used. We recommend that you select IKEv2.

    Negotiation Mode

    Select a negotiation mode. Valid values:

    • main (default): This mode offers higher security during negotiations.

    • aggressive: This mode supports faster negotiations and a higher success rate.

    The modes support the same security level for data transmission.

    Encryption Algorithm

    Select an encryption algorithm for phase 1 negotiation.

    The following algorithms are supported: aes (aes128 by default), aes192, aes256, des, and 3des.

    Authentication Algorithm

    Select an authentication algorithm for phase 1 negotiation.

    The following algorithms are supported: sha1 (default), md5, sha256, sha384, and sha512.

    DH Group

    Select a Diffie-Hellman (DH) key exchange algorithm for phase 1 negotiation. Valid values:

    • group1: DH group 1

    • group2 (default): DH group 2

    • group5: DH group 5

    • group14: DH group 14

    SA Lifetime (Seconds)

    Enter a lifetime for the SA after phase 1 negotiation succeeds. Unit: seconds. Default value: 86400. Valid values: 0 to 86400.

    LocalId

    Enter the IPsec identifier on Alibaba Cloud. The IPsec identifier is used for phase 1 negotiation. The default identifier is the gateway IP address of the IPsec-VPN connection.

    LocalId supports fully qualified domain names (FQDNs). If you use an FQDN, we recommend that you set the negotiation mode to aggressive.

    RemoteId

    Enter the IPsec identifier in the data center. The IPsec identifier is used for phase 1 negotiation. The default identifier is the public IP address of the customer gateway.

    RemoteId supports FQDNs. If you use an FQDN, we recommend that you set the negotiation mode to aggressive.

    IPsec Settings

    Encryption Algorithm

    Select an encryption algorithm for phase 2 negotiation.

    The following algorithms are supported: aes (aes128 by default), aes192, aes256, des, and 3des.

    Authentication Algorithm

    Select an authentication algorithm for phase 2 negotiation.

    The following algorithms are supported: sha1 (default), md5, sha256, sha384, and sha512.

    DH Group

    Select a DH key exchange algorithm for phase 2 negotiation. Valid values:

    • disabled: does not use the DH key exchange algorithm.

      • For clients that do not support perfect forward secrecy (PFS), select disabled.

      • If you select a value other than disabled, the PFS feature is enabled by default, which requires a key update for every renegotiation. Therefore, PFS must be enabled on the client.

    • group1: DH group 1

    • group2 (default): DH group 2

    • group5: DH group 5

    • group14: DH group 14

    SA Lifetime (Seconds)

    Enter a lifetime for the SA after phase 2 negotiation succeeds. Unit: seconds. Default value: 86400. Valid values: 0 to 86400.

    DPD

    Specify whether to enable the dead peer detection (DPD) feature.

    After you enable DPD, the initiator of the IPsec-VPN connection sends DPD packets to check the existence and availability of the peer. If no response is received from the peer within the specified period of time, the connection fails. The ISAKMP SA, IPsec SA, and IPsec tunnel are deleted. This feature is enabled by default.

    NAT Traversal

    Specify whether to enable the network address translation (NAT) traversal feature.

    After you enable NAT traversal, the initiator does not check the UDP ports during IKE negotiations and can automatically discover NAT gateway devices along the IPsec tunnel. This feature is enabled by default.

    BGP settings

    After you enable BGP, IPsec-VPN connections can use Border Gateway Protocol (BGP) dynamic routing to automatically learn and advertise routes. This reduces IT maintenance costs and minimizes network configuration errors.

    BGP is disabled by default. You must enable BGP before you can configure it.

    Parameter

    Description

    Tunnel CIDR Block

    Enter the tunnel CIDR block of the IPsec tunnel.

    The tunnel CIDR block must fall into 169.254.0.0/16. The subnet mask of the tunnel CIDR block must be 30 bits in length. The tunnel CIDR block cannot be 169.254.0.0/30, 169.254.1.0/30, 169.254.2.0/30, 169.254.3.0/30, 169.254.4.0/30, 169.254.5.0/30, or 169.254.169.252/30.

    Local BGP IP

    Enter the IP address on Alibaba Cloud that the IPsec-VPN connection can access over BGP.

    This IP address falls within the CIDR block of the IPsec tunnel.

    Local ASN

    Enter the autonomous system number (ASN) that the IPsec-VPN connection uses on Alibaba Cloud. Default value: 45104. Valid values: 1 to 4294967295.

    You can enter the ASN in two segments and separate the first 16 bits from the last 16 bits with a period (.). Enter the number in each segment in the decimal format.

    For example, if you enter 123.456, the ASN is calculated based on the following formula: 123 × 65536 + 456 = 8061384.

    Note

    To establish a connection to Alibaba Cloud over BGP, we recommend that you use a private ASN. For more information about the valid range of a private ASN, see the relevant documentation.

    Health checks

    After you enable the health check feature, the system automatically checks the connectivity of the IPsec-VPN connection between the data center and Alibaba Cloud. Routes are selected based on the health check result to ensure high network availability.

    The health check feature is disabled by default. You must enable the health check feature before you can configure it.

    Important

    After you complete the health check settings, add a route whose destination is the Source IP address with a 32-bit subnet mask (a /32 route) and whose next hop is the IPsec-VPN connection. This ensures that health check packets are sent through the IPsec-VPN connection and that health checks run as expected.

    Parameter

    Description

    Destination IP

    Enter the IP address of the data center that Alibaba Cloud can access over the IPsec-VPN connection.

    Source IP

    Enter the IP address on Alibaba Cloud that the data center can access over the IPsec-VPN connection.

    Retry Interval

    Enter the interval between two consecutive health checks. Unit: seconds. Default value: 3.

    Retries

    Enter the number of health check retries. Default value: 3.

    Switch Route

    Specify whether to allow the system to withdraw routes if they fail health checks. Default value: Yes. If a route fails health checks, the route is withdrawn.

    If you clear Yes, routes are not withdrawn if they fail health checks.

    Advanced settings

    When you attach the IPsec-VPN connection to the transit router, the following advanced features are selected by default.

    Parameter

    Description

    Automatically Advertise Routes to VPN

    If you enable this feature, the system automatically advertises the routes in the route table of the transit router to the BGP route table that is used by the IPsec-VPN connection.

    Note
    • This feature takes effect only if BGP dynamic routing is enabled for the IPsec-VPN connection and data center.

    • You can disable this feature by turning off Automatic Route Advertisement. For more information, see Disable route synchronization.

    Associate with Default Route Table of Transit Router

    If you enable this feature, the attachment between the transit router and IPsec-VPN connection is associated with the default route table of the transit router. The transit router queries the default route table to forward traffic from the IPsec-VPN connection.

    Advertise System Routes to Default Route Table of Transit Router

    If you enable this feature, the attachment between the transit router and IPsec-VPN connection advertises the routes in the destination route table used by the IPsec-VPN connection and the routes in the BGP route table to the default route table of the transit router.

    You can disable the preceding advanced features, and configure custom routing features such as associated forwarding and routing learning for the transit router to establish network communication based on your business requirements. For more information, see Manage routes.

    Dual-tunnel mode

    Basic information

    Parameter

    Description

    Instance Type

    Select VPN.

    Region

    Select the region where the transit router is deployed.

    Transit Router

    Transit routers in the selected region are displayed.

    Resource Owner ID

    Select the Alibaba Cloud accounts to which the transit router and the IPsec-VPN connection belong.

    You can attach IPsec-VPN connections that belong to the current or a different Alibaba Cloud account to transit routers.

    • If the IPsec-VPN connection and the transit router belong to the same Alibaba Cloud account, select Current Account.

    • If the IPsec-VPN connection and the transit router belong to different Alibaba Cloud accounts, select Different Account, and enter the ID of the Alibaba Cloud account to which the IPsec-VPN connection belongs.

    Individual Resource

    Create an IPsec-VPN connection or select an existing IPsec-VPN connection. Valid values:

    • Create Resource: Create an IPsec-VPN connection.

      The system creates an IPsec-VPN connection and attaches it to the transit router. You can find the IPsec-VPN connection in the VPN Gateway console and click Edit to view the information about the IPsec-VPN connection. For more information, see Modify an IPsec-VPN connection.

    • Select Resource: Select an existing IPsec-VPN connection.

    Attachment Name

    Enter a name for the VPN connection.

    Gateway Type

    Select a network type for the IPsec-VPN connection. Valid values:

    • Public: an encrypted connection over the Internet. This is the default value.

    • Private: an encrypted private connection.

    Routing Mode

    Select a routing mode for the IPsec-VPN connection. Valid values:

    • Destination Routing: Traffic is forwarded based on the destination IP address. This is the default value.

    • Flow Protection: Traffic is forwarded based on the source and destination IP addresses.

      If you select Flow Protection, you must set the Local CIDR Block and Peer CIDR Block parameters. After the settings of the VPN connection are completed, the system automatically adds a destination-based route to the route table associated with the IPsec-VPN connection. By default, the destination-based route is advertised to the route tables of the transit router.

    Apply Immediately

    Specify whether to immediately start IPsec negotiations after the configuration takes effect. Valid values:

    • Yes: Immediately start IPsec negotiations after the settings are completed.

    • No: Start IPsec negotiations only when traffic is received. This is the default value.

    Enable BGP

    • Off: Static routes must be configured manually. This is the default value.

    • On: Routes are dynamically learned and advertised through the IPsec-VPN connection using the BGP dynamic routing.

    Local ASN

    Configure this item only if you set Enable BGP to On. It is not required if BGP is disabled.

    Enter the autonomous system number (ASN) of the IPsec-VPN connection. The default value is 45104, with a valid range from 1 to 4294967295.

    You can enter the ASN in two segments and separate the first 16 bits from the last 16 bits with a period (.). Enter the number in each segment in the decimal format.

    For example, if you enter 123.456, the ASN is calculated based on the following formula: 123 × 65536 + 456 = 8061384.

    Note

    We recommend that you use a private ASN for the BGP connection with Alibaba Cloud. For more information about the valid range of a private ASN, see the relevant documentation.
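The Local ASN rows above (in both the single-tunnel and dual-tunnel tables) accept the ASN either as a plain decimal number or in the two-segment dotted form, using the formula high × 65536 + low. The following added example (not part of the original page) parses both forms, enforces the 1 to 4294967295 range from the page, converts back to the dotted form, and checks whether the value lies in a private ASN range; the private ranges come from RFC 6996, not from this page.

```python
import re

# Valid range quoted on the page for the Local ASN parameter.
ASN_MIN, ASN_MAX = 1, 4294967295
# Private ASN ranges as defined in RFC 6996 (assumption: this is what the page's
# "private ASN" refers to; the page itself does not list the ranges).
PRIVATE_RANGES = ((64512, 65534), (4200000000, 4294967294))


def parse_asn(text: str) -> int:
    """Parse an ASN given as plain decimal ("8061384") or in the two-segment
    dotted form the console accepts ("123.456": high 16 bits . low 16 bits)."""
    value = text.strip()
    if re.fullmatch(r"\d+", value):
        asn = int(value)
    elif re.fullmatch(r"\d+\.\d+", value):
        high, low = (int(part) for part in value.split("."))
        if high > 0xFFFF or low > 0xFFFF:
            raise ValueError(f"each dotted segment must be 0-65535: {text!r}")
        asn = high * 65536 + low  # the formula quoted on the page
    else:
        raise ValueError(f"not a decimal or dotted ASN: {text!r}")
    if not ASN_MIN <= asn <= ASN_MAX:
        raise ValueError(f"ASN {asn} is outside {ASN_MIN}-{ASN_MAX}")
    return asn


def to_dotted(asn: int) -> str:
    """Render an ASN in the dotted two-segment form (inverse of the page's formula)."""
    return f"{asn >> 16}.{asn & 0xFFFF}"


def is_private_asn(asn: int) -> bool:
    """True if the ASN falls in one of the RFC 6996 private ranges."""
    return any(low <= asn <= high for low, high in PRIVATE_RANGES)


if __name__ == "__main__":
    for text in ("123.456", "45104", "64086.59904"):
        asn = parse_asn(text)
        print(f"{text:>12} -> {asn:>10} ({to_dotted(asn)}) private={is_private_asn(asn)}")
```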

    Tunnel settings

    In dual-tunnel mode, you need to configure both Tunnel 1 and Tunnel 2 to ensure their availability. Configuring or using a single tunnel will not provide the redundancy of the active/standby tunnels and the cross-zone disaster recovery capability.

    Parameter

    Description

    Customer Gateway

    The customer gateway to be associated with the tunnels.

    Pre-shared Key

    The pre-shared key that is used to verify identities between the tunnels and peers.

    • The key must be 1 to 100 characters in length, and can contain digits, letters, and the following special characters: ~ ` ! @ # $ % ^ & * ( ) _ - + = { } [ ] \ | ; : ' , . < > / ?. The key cannot contain spaces.

    • If you do not specify a pre-shared key, the system randomly generates a 16-character string as the pre-shared key. After the IPsec-VPN connection is created, you can click Edit in the Actions column of a tunnel to view the pre-shared key generated by the system. For more information, see the Modify the configurations of a tunnel section of this topic.

    Important

    Make sure that the tunnels and peers use the same pre-shared key. Otherwise, tunnel communication cannot be established.
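The pre-shared key constraints in the table above are precise enough to check before submitting the form. The following added example (not part of the original page) validates a key against the page's length rule, character set, and no-space rule, and generates a key from that character set with a cryptographically secure RNG instead of relying on the system-generated 16-character default; the 32-character default length is this example's assumption.

```python
import secrets
import string

# Special characters permitted by the page for a pre-shared key (double quotes and
# spaces are not in the list).
ALLOWED_SPECIAL = "~`!@#$%^&*()_-+={}[]\\|;:',.<>/?"
ALPHABET = string.ascii_letters + string.digits + ALLOWED_SPECIAL
MIN_LEN, MAX_LEN = 1, 100


def psk_problems(key: str) -> list:
    """Return the rules the key violates; an empty list means it is acceptable."""
    problems = []
    if not MIN_LEN <= len(key) <= MAX_LEN:
        problems.append(f"length {len(key)} outside {MIN_LEN}-{MAX_LEN}")
    if " " in key:
        problems.append("contains a space")
    disallowed = sorted({c for c in key if c not in ALPHABET and c != " "})
    if disallowed:
        problems.append("disallowed characters: " + " ".join(disallowed))
    return problems


def generate_psk(length: int = 32) -> str:
    """Generate a key of the given length from the permitted alphabet (assumed
    default of 32 characters; the page's own default is 16)."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be {MIN_LEN}-{MAX_LEN}")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    for candidate in ("Abc123!~", "has space", 'bad"quote', generate_psk()):
        print(repr(candidate), psk_problems(candidate) or "ok")
```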

    Encryption Settings

    Parameter

    Description

    Encryption Configuration: IKE Configurations

    Version

    The IKE version. Valid values:

    • ikev1

    • ikev2 (default)

      Compared with IKEv1, IKEv2 simplifies SA negotiations and provides better support for scenarios in which communication is established among multiple CIDR blocks. We recommend that you use IKEv2.

    Negotiation Mode

    The negotiation mode. Default value: main. Valid values:

    • main: This mode offers higher security during negotiations.

    • aggressive: This mode supports faster negotiations and supports a higher success rate.

    Connections negotiated in both modes ensure the same level of security for data transmission.

    Encryption Algorithm

    Select the encryption algorithm that is used in Phase 1 negotiations.

    Valid values: aes, aes192, aes256, des, and 3des. Default value: aes, which specifies AES-128.

    Note

    Recommended: aes, aes192, and aes256. Not recommended: des and 3des.

    • Advanced Encryption Standard (AES) is a symmetric-key encryption algorithm that provides high-level encryption and decryption. AES ensures secure data transmission and has little impact on network latency, throughput, and forwarding performance.

    • Triple DES (3DES) offers enhanced security through its triple-layered encryption technique. Compared with AES, 3DES encryption requires a large amount of computation, takes a long time, and downgrades forwarding performance.

    Authentication Algorithm

    Select the authentication algorithm that is used in Phase 1 negotiations.

    Supported algorithms are sha1 (default), md5, sha256, sha384, and sha512.

    Note

    When you add VPN configurations on your on-premises gateway device, you may need to specify the pseudorandom function (PRF) algorithm. The PRF algorithm can be set to match the authentication algorithm in the IKE configurations.

    DH Group

    The Diffie-Hellman (DH) key exchange algorithm that is used in Phase 1 negotiations. Default value: group2. Valid values:

    • group1: DH group 1.

    • group2: DH group 2.

    • group5: DH group 5.

    • group14: DH group 14.

    SA Life Cycle (seconds)

    The lifetime of the SA after Phase 1 negotiations succeed. Unit: seconds. Default value: 86400. Valid values: 0 to 86400.

    LocalId

    Enter an identifier of the tunnel for Phase 1 negotiations. The default value is the gateway IP address of the tunnel.

    This parameter is used only to identify Alibaba Cloud in IPsec-VPN negotiations. You can use an IP address or a fully qualified domain name (FQDN) as the ID. The value cannot contain spaces. We recommend that you use a private IP address.

    If you set the LocalId parameter to an FQDN, such as example.aliyun.com, the peer ID of the IPsec-VPN connection on an on-premises gateway device must be the same as the value of the LocalId parameter. In this case, we recommend that you set the negotiation mode to aggressive.

    RemoteId

    Enter an identifier of the peer for Phase 1 negotiations. The default value is the IP address of the customer gateway.

    This parameter is used only to identify on-premises gateway devices in IPsec-VPN negotiations. You can use an IP address or an FQDN as the ID. The value cannot contain spaces. We recommend that you use a private IP address.

    If you set the RemoteId parameter to an FQDN, such as example.aliyun.com, the local ID of the on-premises gateway device must be the same as the value of the RemoteId parameter. In this case, we recommend that you set the negotiation mode to aggressive.

    Encryption Configuration: IPsec Configurations

    Encryption Algorithm

    Select the encryption algorithm that is used in Phase 2 negotiations.

    Valid values: aes, aes192, aes256, des, and 3des. Default value: aes, which specifies AES-128.

    Note

    Recommended: aes, aes192, and aes256. Not recommended: des and 3des.

    • Advanced Encryption Standard (AES) is a symmetric-key encryption algorithm that provides high-level encryption and decryption. AES ensures secure data transmission and has little impact on network latency, throughput, and forwarding performance.

    • Triple DES (3DES) offers enhanced security through its triple-layered encryption technique. Compared with AES, 3DES encryption requires a large amount of computation, takes a long time, and downgrades forwarding performance.

    Authentication Algorithm

    Select the authentication algorithm that is used in Phase 2 negotiations.

    Supported algorithms are sha1 (default), md5, sha256, sha384, and sha512.

    DH Group

    The DH key exchange algorithm that is used in Phase 2 negotiations. Default value: group2. Valid values:

    • disabled: does not use a DH key exchange algorithm.

      • If the local gateway device of the peer does not support PFS, select disabled.

      • If you select a value other than disabled, PFS is enabled by default. In this case, the key is updated for each negotiation. Therefore, you must enable PFS for the local gateway device of the peer.

    • group1: DH group 1.

    • group2: DH group 2.

    • group5: DH group 5.

    • group14: DH group 14.

    SA Life Cycle (seconds)

    Enter a lifetime for the SA after Phase 2 negotiations succeed. Unit: seconds. Default value: 86400. Valid values: 0 to 86400.
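The IKE and IPsec settings above (the same parameters appear in the single-tunnel Encryption settings table) leave several choices to the operator. The following added example (not part of the original page) reviews one phase's settings: it rejects values outside the page's valid sets and lifetime range, and flags the page's own recommendations (IKEv2 over IKEv1, main mode, AES over des/3des, PFS disabled only for peers that cannot do PFS). The additional warnings for md5 and for DH groups 1 and 2 reflect current IKE guidance rather than anything stated on this page.

```python
# Valid values as listed in the IKE and IPsec settings tables.
VALID = {
    "version": {"ikev1", "ikev2"},
    "mode": {"main", "aggressive"},
    "encryption": {"aes", "aes192", "aes256", "des", "3des"},
    "authentication": {"sha1", "md5", "sha256", "sha384", "sha512"},
    "dh_group": {"group1", "group2", "group5", "group14"},
}
LIFETIME_MIN, LIFETIME_MAX = 0, 86400  # SA lifetime range quoted on the page
MODP_BITS = {"group1": 768, "group2": 1024, "group5": 1536, "group14": 2048}


def review_settings(phase: int, encryption: str, authentication: str, dh_group: str,
                    sa_lifetime: int = 86400, version: str = "ikev2",
                    mode: str = "main") -> list:
    """Return (level, message) findings for one phase of a tunnel's settings.
    phase 1 = IKE settings (version and mode apply); phase 2 = IPsec settings
    (dh_group may additionally be 'disabled')."""
    findings = []
    allowed_dh = VALID["dh_group"] | ({"disabled"} if phase == 2 else set())
    for name, value, allowed in (("encryption", encryption, VALID["encryption"]),
                                 ("authentication", authentication, VALID["authentication"]),
                                 ("dh_group", dh_group, allowed_dh)):
        if value not in allowed:
            findings.append(("error", f"phase {phase} {name} {value!r} is not a valid value"))
    if not LIFETIME_MIN <= sa_lifetime <= LIFETIME_MAX:
        findings.append(("error", f"phase {phase} SA lifetime {sa_lifetime} is outside "
                                  f"{LIFETIME_MIN}-{LIFETIME_MAX}"))
    if phase == 1:
        if version not in VALID["version"] or mode not in VALID["mode"]:
            findings.append(("error", "IKE version must be ikev1/ikev2 and mode main/aggressive"))
        if version == "ikev1":
            findings.append(("warn", "ikev1 selected; the page recommends ikev2"))
        if mode == "aggressive":
            findings.append(("warn", "aggressive mode selected; main mode offers higher security "
                                     "during negotiation, use aggressive only when FQDN IDs require it"))
    # Page-stated recommendation: aes/aes192/aes256, not des/3des.
    if encryption in {"des", "3des"}:
        findings.append(("warn", f"phase {phase} encryption {encryption} is not recommended; "
                                 "use aes, aes192 or aes256"))
    # Guidance beyond the page: MD5-based integrity is deprecated; sha1 is only the default.
    if authentication == "md5":
        findings.append(("warn", f"phase {phase} authentication md5 is deprecated; use sha256 or stronger"))
    elif authentication == "sha1":
        findings.append(("info", f"phase {phase} authentication sha1 is the default; prefer sha256 or stronger"))
    # Guidance beyond the page: 768/1024-bit MODP groups are below current IKE guidance.
    if dh_group in {"group1", "group2"}:
        findings.append(("warn", f"phase {phase} {dh_group} ({MODP_BITS[dh_group]}-bit MODP) is below "
                                 "current guidance; group14 (2048-bit) is the strongest option offered"))
    elif dh_group == "disabled":
        findings.append(("warn", "phase 2 DH disabled: PFS is off; select this only for peers that cannot do PFS"))
    return findings


if __name__ == "__main__":
    print("defaults:", review_settings(1, "aes", "sha1", "group2"))
    print("hardened:", review_settings(1, "aes256", "sha256", "group14"))
```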

    DPD

    Specifies whether to enable the dead peer detection (DPD) feature. By default, the DPD feature is enabled.

    After you enable the DPD feature, the IPsec-VPN connection sends DPD packets to check the existence and availability of the peer. If no response is received from the peer within the specified period of time, the connection fails. Then, the Internet Security Association and Key Management Protocol (ISAKMP) SA, IPsec SA, and IPsec tunnel are deleted. If a DPD packet timeout occurs, the IPsec-VPN connection automatically reinitiates IPsec-VPN negotiations with the tunnel.

    • If IKEv1 is used, the timeout period of DPD packets is 30 seconds.

    • If IKEv2 is used, the timeout period of DPD packets is 130 seconds.

    NAT Traversal

    Specifies whether to enable the NAT traversal feature. By default, the NAT traversal feature is enabled.

    After you enable NAT traversal, the initiator does not check UDP ports during IKE negotiations and can automatically discover NAT gateway devices along the IPsec tunnel.

    BGP Settings

    If BGP is enabled for the IPsec-VPN connection, you can configure the CIDR block of the BGP tunnel and the IP address of the BGP tunnel on the Alibaba Cloud side. If you disable BGP dynamic routing for the IPsec-VPN connection, you can enable this feature for the tunnels after the IPsec-VPN connection is created. For more information, see the Enable BGP dynamic routing for the tunnels after an IPsec-VPN connection is created section of this topic.

    Parameter

    Description

    Tunnel CIDR Block

    Enter the CIDR block of the tunnel.

    The CIDR block must fall into 169.254.0.0/16. The mask of the CIDR block must be 30 bits in length. The CIDR block cannot be 169.254.0.0/30, 169.254.1.0/30, 169.254.2.0/30, 169.254.3.0/30, 169.254.4.0/30, 169.254.5.0/30, 169.254.6.0/30, or 169.254.169.252/30.

    Note

    The two tunnels of an IPsec-VPN connection must use different CIDR blocks.

    Local BGP IP address

    The BGP IP address of the tunnel.

    This IP address must fall within the CIDR block of the tunnel.
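The Tunnel CIDR Block and Local BGP IP rules above (and the matching rows in the single-tunnel BGP settings table) are easy to get wrong by hand. The following added example (not part of the original page) checks a tunnel's CIDR block against the 169.254.0.0/16 requirement, the 30-bit mask, and the reserved-block list quoted in this section, checks that the BGP IP address falls within the block, and for dual-tunnel mode enforces that the two tunnels use different blocks. The reserved list is the dual-tunnel one; the single-tunnel table lists the same blocks except 169.254.6.0/30. The rule that a /30's network and broadcast addresses are unusable is standard IPv4, not stated on the page.

```python
import ipaddress

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
# Reserved /30 blocks quoted in the dual-tunnel Tunnel CIDR Block row.
RESERVED = {ipaddress.ip_network(c) for c in (
    "169.254.0.0/30", "169.254.1.0/30", "169.254.2.0/30", "169.254.3.0/30",
    "169.254.4.0/30", "169.254.5.0/30", "169.254.6.0/30", "169.254.169.252/30")}


def check_tunnel(cidr: str, local_bgp_ip: str) -> list:
    """Return the problems with one tunnel's BGP settings; an empty list means they pass."""
    problems = []
    try:
        net = ipaddress.ip_network(cidr, strict=True)  # strict: host bits must be zero
    except ValueError as exc:
        return [f"tunnel CIDR {cidr!r}: {exc}"]
    if net.version != 4:
        return [f"tunnel CIDR {net}: must be an IPv4 block"]
    if not net.subnet_of(LINK_LOCAL):
        problems.append(f"tunnel CIDR {net}: must fall within {LINK_LOCAL}")
    if net.prefixlen != 30:
        problems.append(f"tunnel CIDR {net}: mask must be 30 bits, not {net.prefixlen}")
    if net in RESERVED:
        problems.append(f"tunnel CIDR {net}: reserved, pick another /30")
    try:
        ip = ipaddress.ip_address(local_bgp_ip)
    except ValueError as exc:
        problems.append(f"local BGP IP {local_bgp_ip!r}: {exc}")
        return problems
    if ip not in net:
        problems.append(f"local BGP IP {ip}: must fall within tunnel CIDR {net}")
    elif ip in (net.network_address, net.broadcast_address):
        # Standard IPv4 fact (not on the page): a /30 has exactly two usable host addresses.
        problems.append(f"local BGP IP {ip}: network/broadcast address of {net}, "
                        "use one of the two host addresses")
    return problems


def check_dual_tunnel(tunnel1: tuple, tunnel2: tuple) -> list:
    """Check both (cidr, local_bgp_ip) tunnels and the page's rule that they use different blocks."""
    problems = [f"tunnel 1: {p}" for p in check_tunnel(*tunnel1)]
    problems += [f"tunnel 2: {p}" for p in check_tunnel(*tunnel2)]
    try:
        same = (ipaddress.ip_network(tunnel1[0], strict=False)
                == ipaddress.ip_network(tunnel2[0], strict=False))
    except ValueError:
        same = False  # an unparsable CIDR was already reported above
    if same:
        problems.append("tunnels 1 and 2 must use different CIDR blocks")
    return problems


if __name__ == "__main__":
    # Constructed sample settings.
    print(check_dual_tunnel(("169.254.10.0/30", "169.254.10.1"),
                            ("169.254.6.0/30", "169.254.6.1")))
```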

    Advanced settings

    When you attach the IPsec-VPN connection to the transit router, the following advanced features are selected by default:

    Parameter

    Description

    Automatic Advertising

    After this feature is enabled, the system automatically advertises routes in the route table of the transit router that is associated with the IPsec-VPN connection to the BGP route table of the IPsec-VPN connection.

    Note
    • This feature takes effect only if the BGP dynamic routing feature is enabled for the IPsec-VPN connection and data center.

    • You can disable this feature by turning off Route Synchronization. For more information, see the Disable route synchronization section of the Route Synchronization topic.

    Associate with Default Route Table of Transit Router

    After this feature is enabled, the IPsec-VPN connection is associated with the default route table of the transit router. The transit router queries the default route table to forward traffic from the IPsec-VPN connection.

    Advertise System Routes to Default Route Table of Transit Router

    After this feature is enabled, the system advertises the routes in the destination-based route table and the BGP route table of the IPsec-VPN connection to the default route table of the transit router.

    You can also disable the preceding advanced features and use the transit router to establish network communication based on your business requirements. For more information, see Manage routes.

    Tags

    When you create an IPsec-VPN connection, you can add tags to the IPsec-VPN connection to facilitate resource aggregation and search. For more information, see Overview.

    Parameter

    Description

    Tag Key

    The tag key of the IPsec-VPN connection. You can select or enter a tag key.

    Tag Value

    The tag value of the IPsec-VPN connection. You can select or enter a tag value. You can leave the Tag Value parameter empty.

Associate the VPN connection with another transit router route table

After you attach an IPsec-VPN connection to a transit router, you can change the transit router route table associated with the VPN connection.

Warning

If route synchronization is enabled for the VPN connection, the routes advertised to the IPsec-VPN connection are automatically withdrawn after the route table is changed. Then, routes in the new route table are synchronized to the BGP route table used by the IPsec-VPN connection. For more information, see Route synchronization.

  1. Log on to the CEN console.

  2. On the Instances page, click the ID of the CEN instance that you want to manage.

  3. Go to the Basic Information > Transit Router tab and click the ID of the transit router in the target region.

  4. On the Intra-region Connections tab, click the ID of the connection that you want to manage.

  5. In the Attachment Details panel, find the Basic Information section, click Modify next to Associated Route Table.

  6. In the Modify Route Table dialog box, select a router route table and click OK.

Create a VPN connection by calling an API

To create or modify a VPN connection, you can utilize tools such as Alibaba Cloud SDK (recommended), Alibaba Cloud CLI, Terraform, and Resource Orchestration Service. For more information, see the following API references: