After an IPsec connection is associated with a transit router, an encrypted IPsec-VPN tunnel can be established between a data center and the transit router. The data center can then reach the other networks that are attached to the transit router.
Prerequisites
Before you establish an IPsec-VPN connection between a data center and a transit router, make sure that the following prerequisites are met:
If you associate a public IPsec connection with a transit router, the gateway device in the data center must have a public IP address, because the transit router initiates and accepts IKE negotiation over the Internet.
For regions that support the dual-tunnel mode, we recommend that you configure two public IP addresses on the gateway device in the data center, or deploy two gateway devices with one public IP address each. Each tunnel then terminates on a different address, which gives you a high-availability IPsec-VPN connection that survives the loss of one tunnel. For more information about the regions that support the dual-tunnel mode, see [Upgrade notice] IPsec-VPN connections support the dual-tunnel mode.
The gateway device in the data center must support IKEv1 or IKEv2 to establish an IPsec-VPN connection with a transit router. Use IKEv2 where the device supports it; IKEv1 is kept only for older equipment.
The CIDR block of the data center must not overlap with the CIDR block of the network to be accessed. Overlapping CIDR blocks cannot be routed unambiguously through the transit router.
If security policies such as an access control list (ACL) are configured for the network to be accessed, the security policies must allow traffic from the CIDR block of the data center.
Limits
You can associate an IPsec connection with a transit router only in specific regions. For more information about the supported regions, see Regions that support IPsec-VPN features.
An IPsec connection can be associated only with an Enterprise Edition transit router.
Procedure
Step | Description |
1 | Transit routers are deployed on Cloud Enterprise Network (CEN) instances. Before you create a transit router, you must create a CEN instance. |
2 | A transit router is the network element that forwards traffic within a region. Create a transit router in the region in which the data center is deployed, or in a region close to the data center. Important: when you create the transit router, configure a CIDR block for it; otherwise, IPsec connections cannot be associated with it. If the transit router already exists, you can add a CIDR block to it afterwards. For more information, see Transit router CIDR blocks. |
3 | Create a customer gateway on Alibaba Cloud and record in it the information about the gateway device in the data center, such as its public IP address and, if BGP is used, its Border Gateway Protocol (BGP) autonomous system number (ASN). |
4 | An IPsec-VPN connection is an encrypted tunnel between the data center and the transit router. When you create the IPsec-VPN connection, set the Associate Resource parameter to CEN or Do Not Associate. |
5 | Add the VPN configuration to the gateway device in the data center so that it can negotiate with the IPsec connection and bring up the IPsec-VPN tunnel. The IKE and IPsec settings (protocol version, pre-shared key, encryption and authentication algorithms, DH group, lifetimes) on the device must match those of the IPsec connection, or negotiation fails. |
6 | Configure a route that points to the data center for the IPsec-VPN connection and advertise it to the route table of the transit router. This connects the data center to the transit router. |
7 | Test network connectivity: log on to a server in the data center and run the ping command against the private IP address of a server in the network to be accessed. |
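As an added example (not code from the original page or from Alibaba Cloud), the following Python script turns the prerequisites above and steps 2 and 6 of the procedure into a pre-flight check that can be run before anything is created in the console: the customer gateway addresses must be public, dual-tunnel regions want two distinct addresses, the transit router needs a CIDR block, the data center CIDR blocks must not overlap the networks to be accessed, and the routes planned for the transit router route table must cover the data center without also covering a target network. The VpnPlan class, the 198.100.10.x placeholder addresses and every CIDR block below are constructed sample values, not values from the page; the check against the transit router's own CIDR block goes slightly beyond the page's wording and is marked as an assumption in the code.

```python
"""Pre-flight check for attaching a data-center IPsec-VPN connection to a transit router.

Added example for this page, not Alibaba Cloud tooling. All addresses and CIDR
blocks are constructed placeholders; fill in your own plan before running it.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class VpnPlan:
    # Public IP address(es) of the gateway device(s) in the data center.
    # Dual-tunnel mode wants two distinct addresses: one device with two IPs, or two devices.
    customer_gateway_ips: List[str]
    # CIDR blocks of the data center. They are the local subnets of the IPsec connection and
    # the destinations of the routes added for it to the transit router route table (step 6).
    data_center_cidrs: List[str]
    # CIDR block configured on the transit router (None if not configured yet, see step 2).
    transit_router_cidr: Optional[str]
    # CIDR blocks of the networks the data center will reach through the transit router.
    target_cidrs: List[str]
    # Routes that point to the data center, as planned for the transit router route table.
    route_destinations: List[str] = field(default_factory=list)
    # Whether the region supports dual-tunnel mode.
    dual_tunnel: bool = False


def check_plan(plan: VpnPlan) -> List[str]:
    """Return the list of problems found; an empty list means the plan passes every check."""
    problems: List[str] = []

    # Prerequisite: the customer gateway must be reachable on a public IP address.
    # Note that ipaddress treats the RFC 5737 documentation ranges as non-global.
    for ip in plan.customer_gateway_ips:
        if not ip_address(ip).is_global:
            problems.append(f"customer gateway address {ip} is not a public IP address")

    # Recommendation for dual-tunnel regions: two distinct public IP addresses for HA.
    if plan.dual_tunnel and len(set(plan.customer_gateway_ips)) < 2:
        problems.append("dual-tunnel mode: configure two distinct public IP addresses")

    # Step 2: a transit router without a CIDR block cannot have an IPsec connection associated.
    if not plan.transit_router_cidr:
        problems.append("transit router has no CIDR block; the IPsec connection cannot be associated")

    # ip_network() is strict, so a CIDR with host bits set (10.1.2.3/16) raises ValueError
    # instead of being silently accepted.
    dc_nets = [ip_network(c) for c in plan.data_center_cidrs]
    remote_nets = [ip_network(c) for c in plan.target_cidrs]
    if plan.transit_router_cidr:
        # Assumption beyond the page's wording: the transit router's own CIDR block is treated
        # as a network to be accessed as well, so an overlap with it is reported too.
        remote_nets.append(ip_network(plan.transit_router_cidr))

    # Prerequisite: data center CIDR blocks must not overlap any network to be accessed.
    # overlaps() returns False for mixed IPv4/IPv6 pairs, so no version guard is needed here.
    for dc in dc_nets:
        for remote in remote_nets:
            if dc.overlaps(remote):
                problems.append(f"data center CIDR {dc} overlaps {remote}")

    # Step 6: every data center CIDR needs a route in the transit router route table that
    # covers it, and no such route may also cover a network to be accessed, because the
    # transit router would then forward traffic for that network into the tunnel instead.
    routes = [ip_network(c) for c in plan.route_destinations]
    for dc in dc_nets:
        if not any(dc.version == r.version and dc.subnet_of(r) for r in routes):
            problems.append(f"no route to the data center covers {dc}")
    for r in routes:
        for remote in remote_nets:
            if r.overlaps(remote):
                problems.append(f"route {r} to the data center also covers {remote}")

    return problems


if __name__ == "__main__":
    # Constructed sample plan: two public addresses on the on-premises gateway, one
    # data center CIDR, a transit router CIDR, and two VPC CIDRs to be reached.
    sample = VpnPlan(
        customer_gateway_ips=["198.100.10.1", "198.100.10.2"],
        data_center_cidrs=["192.168.0.0/16"],
        transit_router_cidr="10.255.0.0/24",
        target_cidrs=["10.0.0.0/16", "10.1.0.0/16"],
        route_destinations=["192.168.0.0/16"],
        dual_tunnel=True,
    )
    for problem in check_plan(sample) or ["plan passes all checks"]:
        print(problem)
```

Run it once with the plan you intend to configure; an empty result means the prerequisites and the step 2 and step 6 constraints hold, and each reported line names the exact address or CIDR block to fix before you create the customer gateway and the IPsec connection.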