IPsec-VPN is a route-based network connection technology that provides flexible traffic routing methods and allows you to configure and maintain VPN policies. It also uses Internet Key Exchange (IKE) and Internet Protocol Security (IPsec) to encrypt data transmission. You can use IPsec-VPN to establish secure and reliable network connections between Alibaba Cloud and the data centers or office networks of your enterprise.
Alibaba Cloud VPN Gateway provides services in compliance with the policies and regulations of the Chinese mainland. You can use VPN Gateway to establish only intra-border connections. For more information, see the "Intra-border connections" section of the What is VPN Gateway? topic.
Network connection scenarios
You can associate an IPsec-VPN connection with the following types of resources: VPN gateways and transit routers. Network connection scenarios vary with the types of associated resources.
Associate an IPsec-VPN connection with a VPN gateway
You can use IPsec-VPN to establish connections between the data centers or office networks of your enterprise and virtual private clouds (VPCs). This way, you can access resources in VPCs from your data centers or office networks.
Associate an IPsec-VPN connection with a transit router
You can use IPsec-VPN to establish connections between the data centers or office networks of your enterprise and transit routers on Alibaba Cloud. This way, your data centers or office networks can communicate with other networks connected to transit routers and access resources in those networks, such as other data centers or VPCs in different regions. For more information about transit routers, see What is CEN?
IPsec-VPN components
Associate an IPsec-VPN connection with a VPN gateway
| Component | Description |
| --- | --- |
| VPN Gateway | Before you use IPsec-VPN, you must purchase a VPN gateway and enable IPsec-VPN for the VPN gateway. After you purchase a VPN gateway, Alibaba Cloud deploys VPN resources for you. |
| Customer Gateway | A customer gateway is a resource created on Alibaba Cloud. It is used to register information about an on-premises gateway device, such as the IP address and BGP ASN, with Alibaba Cloud. |
| IPsec-VPN Connection | An IPsec-VPN connection is an encrypted communication channel between a data center and a VPC. You can use the IPsec-VPN connection to control which networks the data center accesses. An IPsec-VPN connection contains one or two tunnels, which are used to encrypt and transmit data. |
| On-premises Gateway Device | An on-premises gateway device refers to a physical device (a gateway device in most cases) or an application in a data center. The on-premises gateway device must support the VPN feature so that it can negotiate with the peer to establish an IPsec-VPN connection. Note: For ease of illustration, the term "data center" is used in the following sections to refer to any data center or office network that needs to establish an IPsec-VPN connection with Alibaba Cloud. |
Associate an IPsec-VPN connection with a transit router
| Component | Description |
| --- | --- |
| Transit Router | A transit router is a component of Cloud Enterprise Network (CEN). It is used to connect networks in the same region and across regions on Alibaba Cloud. |
| Customer Gateway | A customer gateway is a resource created on Alibaba Cloud. It is used to register information about an on-premises gateway device, such as the IP address and BGP ASN, with Alibaba Cloud. |
| IPsec-VPN Connection | An IPsec-VPN connection is an encrypted communication channel between a data center and a transit router. You can use the IPsec-VPN connection to control which networks the data center accesses. An IPsec-VPN connection contains one tunnel, which is used to encrypt and transmit data. |
| On-premises Gateway Device | An on-premises gateway device refers to a physical device (a gateway device in most cases) or an application in a data center. The on-premises gateway device must support the VPN feature so that it can negotiate with the peer to establish an IPsec-VPN connection. Note: For ease of illustration, the term "data center" is used in the following sections to refer to any data center or office network that needs to establish an IPsec-VPN connection with Alibaba Cloud. |
Tunnel modes
IPsec-VPN supports the following tunnel modes. Select a tunnel mode based on your network connection scenario.
Dual-tunnel mode
In this mode, an IPsec-VPN connection has two encrypted tunnels. Both tunnels are used to transmit data. This improves the availability of the IPsec-VPN connection.
Important: When you create a dual-tunnel IPsec-VPN connection, you must configure two tunnels and ensure that they are available. If you configure or use only one of the tunnels, IPsec-VPN connection redundancy based on active/standby tunnels and zone-disaster recovery are not supported. In addition, the SLA of VPN Gateway is not guaranteed.
Single-tunnel mode
In this mode, an IPsec-VPN connection has only one encrypted tunnel, and the traffic on and off the cloud is transferred only through this tunnel.
Associate a dual-tunnel IPsec-VPN connection with a VPN gateway
IPsec-VPN connections now support the dual-tunnel mode. In this mode, an IPsec-VPN connection has two encrypted tunnels that work in active/standby mode. By default, traffic is transferred only through the active tunnel. If the active tunnel fails, the standby tunnel takes over. The two tunnels are deployed in different zones to implement zone-disaster recovery. If a region has only one zone that supports the dual-tunnel mode, such as China (Nanjing - Local Region), zone-disaster recovery is not supported. For more information, see [Upgrade notice] IPsec-VPN connections support the dual-tunnel mode.
Some IPsec-VPN connections associated with existing VPN gateways support only the single-tunnel mode. A single-tunnel IPsec-VPN connection may be interrupted when the tunnel fails. We recommend that you upgrade existing VPN gateways to use the dual-tunnel mode at the earliest opportunity. If the active tunnel of a dual-tunnel IPsec-VPN connection fails, the standby tunnel takes over. For more information about how to upgrade to use the dual-tunnel mode, see Upgrade a VPN gateway to enable the dual-tunnel mode.
Associate a single-tunnel or dual-tunnel IPsec-VPN connection with a transit router
IPsec-VPN connections associated with transit routers will support the dual-tunnel mode after they are upgraded. Some regions already support dual-tunnel IPsec-VPN connections. In this mode, an IPsec-VPN connection has two tunnels for Equal-Cost Multipath (ECMP) routing. Both tunnels are used to transmit data. When one tunnel is down, traffic is switched to the other tunnel. For more information, see Introduction to IPsec-VPN connections that are associated with transit routers in dual-tunnel mode.
In a region that contains multiple zones, the two tunnels of an IPsec-VPN connection are automatically spread in different zones to implement zone-disaster recovery.
If a region has only one zone, such as China (Nanjing - Local Region), the two tunnels are deployed in the same zone. In this case, cross-zone disaster recovery is not supported. However, the other tunnel can still take over if one tunnel is down.
For regions that do not support the dual-tunnel mode, you can create only single-tunnel IPsec-VPN connections. When the tunnel is down, the entire network is interrupted. You can create multiple IPsec-VPN connections to improve the availability of your network.
Feature comparison
The following table compares the features of IPsec-VPN connections in the preceding two scenarios.
| Item | Associate an IPsec-VPN connection with a VPN gateway | Associate an IPsec-VPN connection with a transit router |
| --- | --- | --- |
| Network connectivity | Data centers can communicate only with the VPCs that are associated with VPN gateways. | Data centers can communicate with VPCs by using transit routers or with other networks that are connected to transit routers. |
| Supported encryption algorithm | Commercial cryptographic algorithms that comply with international standards | Commercial cryptographic algorithms that comply with international standards |
| Tunnel modes supported by IPsec-VPN connections | Dual-tunnel mode. Note: IPsec-VPN connections on some existing VPN gateways support only the single-tunnel mode. We recommend that you upgrade single-tunnel IPsec-VPN connections to dual-tunnel IPsec-VPN connections. For more information, see Upgrade a VPN gateway to enable the dual-tunnel mode. | |
| Maximum bandwidth supported by each IPsec-VPN connection | 1,000 Mbit/s. Note: The maximum bandwidth supported by VPN gateways in some regions is 500 Mbit/s. For more information about the regions, see the Limits section of the "Create and manage a VPN gateway" topic. | You can increase the bandwidth of an IPsec-VPN connection by using other methods. For more information, see the How do I increase the maximum bandwidth of IPsec-VPN connections? section of the "FAQ about VPN gateways" topic. |
| Number of packets transmitted per second | The total number of inbound and outbound packets that can be transmitted per second through a VPN gateway is 120,000. Each packet is 256 bytes in size. Note: If a VPN gateway has multiple IPsec-VPN connections, the sum of inbound and outbound packets transmitted through these connections per second must not exceed 120,000. Each packet is 256 bytes in size. | |
| Method used to implement high availability | Active/standby connections. | ECMP routing. |
| Scenarios | For more information, see Associate IPsec-VPN connections with VPN gateways. | For more information, see Associate IPsec-VPN connections with transit routers. |
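As an added check (example code, not Alibaba Cloud's own tooling or API), the script below encodes the tunnel-mode rules from the "Tunnel modes" section and the packet-rate limit from the table above: it reports whether a connection actually provides tunnel failover and zone-disaster recovery, and how far the 120,000 packets-per-second limit caps throughput for a given packet size. The `Tunnel` record, its `status` vocabulary and the zone names are constructed assumptions, not fields of the VPN Gateway API.

```python
from dataclasses import dataclass

@dataclass
class Tunnel:
    zone: str    # zone the tunnel is deployed in (constructed placeholder)
    status: str  # "up" or "down" (constructed status vocabulary)

def audit_connection(tunnels: list) -> dict:
    """Report which guarantees an IPsec-VPN connection currently provides.

    Rules taken from the tunnel-mode description: failover needs two
    configured and available tunnels; zone-disaster recovery additionally
    needs those tunnels to sit in different zones.
    """
    up = [t for t in tunnels if t.status == "up"]
    findings, failover, zone_dr = [], False, False
    if len(tunnels) < 2:
        findings.append("single-tunnel connection: traffic stops if the tunnel fails")
    elif len(up) < 2:
        findings.append("dual-tunnel connection with one tunnel unavailable: "
                        "no active/standby redundancy, SLA not guaranteed")
    else:
        failover = True
        if len({t.zone for t in up}) >= 2:
            zone_dr = True
        else:
            findings.append("both tunnels in one zone: tunnel failover only, "
                            "no zone-disaster recovery")
    return {"tunnel_failover": failover,
            "zone_disaster_recovery": zone_dr,
            "findings": findings}

def pps_limited_mbps(packet_bytes: int, pps: int = 120_000) -> float:
    """Throughput reachable under the per-gateway packet-rate limit.

    With 120,000 inbound plus outbound packets per second, small packets
    cap a connection well below the 1,000 Mbit/s bandwidth figure.
    """
    return pps * packet_bytes * 8 / 1_000_000

# Constructed sample connections; zone names are placeholders, not real IDs.
DUAL_TWO_ZONES = [Tunnel("zone-a", "up"), Tunnel("zone-b", "up")]
DUAL_ONE_DOWN = [Tunnel("zone-a", "up"), Tunnel("zone-b", "down")]
DUAL_SAME_ZONE = [Tunnel("zone-a", "up"), Tunnel("zone-a", "up")]
SINGLE = [Tunnel("zone-a", "up")]
```

Running `audit_connection` on the four constructed connections shows only `DUAL_TWO_ZONES` earning both guarantees, and `pps_limited_mbps(256)` gives 245.76 Mbit/s for the 256-byte packets the table assumes.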