After you associate an IPsec-VPN connection with a transit router, you must configure routes destined for a data center for the IPsec-VPN connection. After the traffic from the transit router is transferred to the IPsec-VPN connection, the IPsec-VPN connection forwards the traffic to the data center by querying the route information. This enables data transmission between the data center and the transit router.
Background Information
If you connect a data center to a transit router by using an IPsec-VPN connection, you must add routes on the transit router, IPsec-VPN connection side, and data center side to enable data transmission between the data center and the transit router.
When you configure routes, you can configure static routes or enable automatic route learning by using Border Gateway Protocol (BGP) dynamic routing. The following table lists the routing configurations in different scenarios.
Routing method | Traffic direction | Transit router | IPsec-VPN connection | Data center |
Static route | Destined for the data center | You must create a route learning correlation for the IPsec-VPN connection. After a route learning correlation is created between the route table of the transit router and the IPsec-VPN connection, the system automatically advertises the routes in the destination-based route table of the IPsec-VPN connection to the route table of the transit router. For more information, see Route learning. | You must add routes destined for the data center for the IPsec-VPN connection. For more information, see the Manage destination-based routes section of this topic. | N/A |
Static route | Destined for the transit router | You must create an associated forwarding correlation for the IPsec-VPN connection. After an associated forwarding correlation is created between the route table of the transit router and the IPsec-VPN connection, the system forwards the traffic from the IPsec-VPN connection by querying route information in the route table of the transit router. For more information, see Associated forwarding. | N/A. By default, the IPsec-VPN connection forwards the traffic from the data center to the transit router. | You must add routes whose next hop points to the IPsec-VPN connection on the transit router in the data center. |
BGP dynamic routing | Destined for the data center or the transit router | You must create a route learning correlation for the IPsec-VPN connection. After a route learning correlation is created between the route table of the transit router and the IPsec-VPN connection, the system automatically advertises the routes in the BGP route table of the IPsec-VPN connection to the route table of the transit router. For more information, see Route learning. | You must configure BGP dynamic routing. After BGP dynamic routing is configured, the IPsec-VPN connection automatically learns the routes destined for the data center and advertises the routes from the transit router to the data center. For more information, see the Configure BGP dynamic routing section of this topic. | You must configure BGP dynamic routing. After BGP dynamic routing is configured, the data center can advertise the routes in the data center to the IPsec-VPN connection and automatically learn the routes destined for the transit router. |
How to select a routing method
Check whether the region in which the IPsec-VPN connection is established supports BGP dynamic routing. If not, you must select static routing.
Note: If a region does not support BGP dynamic routing but supports dual-tunnel IPsec-VPN connections, dual-tunnel IPsec-VPN connections in this region support BGP dynamic routing. Single-tunnel IPsec-VPN connections created in this region still do not support BGP dynamic routing.
Check whether the gateway devices in the data center support BGP dynamic routing. If so, you can select BGP dynamic routing. If not, you must select static routing.
If both static routing and BGP dynamic routing are supported in your scenario, you can select a routing method based on the information in the following table.
Routing method | Supported scenario | Configuration difficulty | Route maintenance cost |
Static route | The number of routes in the data center is small, and route changes are infrequent. | Low | Medium. If routes in the data center are changed, you must manually change the routing configurations for the VPN gateway. |
BGP dynamic routing | The number of routes in the data center is large, and route changes are frequent. | Low | Low. If routes in the data center are changed, no operation is required on the VPN gateway. Routes are advertised and learned automatically based on the advertising principles of BGP dynamic routing. |
Recommendations on routing configurations
We recommend that you use one routing method for an IPsec-VPN connection. The use of destination-based routing and BGP dynamic routing at the same time is not recommended.
We recommend that you use BGP dynamic routing for dual-tunnel IPsec-VPN connections. If you need to use static routing, make sure that the on-premises gateway supports ECMP routing. Otherwise, data from the cloud to the data center can be transferred through the ECMP path, but data from the data center to the cloud cannot. As a result, the traffic paths may not meet your requirements.
We recommend that you configure routes for dual-tunnel IPsec-VPN connections based on the following suggestions:
We recommend that you configure the same routing protocol (static or BGP) for the two tunnels of an IPsec-VPN connection.
If an IPsec-VPN connection uses Border Gateway Protocol (BGP) dynamic routing, the Local ASN of the two tunnels must be the same. The peer ASNs of the two tunnels can be different, but we recommend that you use the same peer ASN.
Route priorities
The following table describes the route priorities if route conflicts occur in the route table of the IPsec-VPN connection.
Route priorities in descending order: P0 > P1 > P2 > P3.
Route type | Route priority for the IPsec-VPN connection |
Specific route | P0 |
System route | P1 |
Dynamic routing (BGP routes) | P2 |
Static routing (destination-based routes) | P3 |
Configure routes
Manage destination-based routes
When you configure a destination-based route, you must specify the destination CIDR block and the next hop. The IPsec-VPN connection finds a destination-based route that matches the destination IP address of traffic, and then forwards the traffic based on the next hop of the matching destination-based route.
Prerequisites
The IPsec-VPN connection is associated with a transit router. You can use one of the following methods for association:
You can associate an IPsec-VPN connection with a transit router when you create the IPsec-VPN connection. For more information, see Create and manage IPsec-VPN connections in single-tunnel mode.
If you have created an IPsec-VPN connection that is associated with no resources, you can associate the IPsec-VPN connection with the transit router in the Cloud Enterprise Network (CEN) console. For more information, see Attach an IPsec-VPN connection to a transit router.
Note: If the IPsec-VPN connection is associated with a VPN gateway, you cannot associate the IPsec-VPN connection with a transit router.
Limits
Do not set the destination CIDR block of a destination-based route to 0.0.0.0/0.
Do not set the destination CIDR block of a destination-based route to 100.64.0.0/10, a subnet of 100.64.0.0/10, or a CIDR block that contains 100.64.0.0/10. If such a route is added, the status of the IPsec-VPN connection cannot be displayed in the console, or IPsec negotiations fail.
After you create a dual-tunnel IPsec-VPN connection and add a destination-based route, the system advertises the route to the route table of the transit router only when Phase 2 negotiations succeed.
Matching rules for destination-based routes
By default, the IPsec-VPN connection finds the matching destination-based route based on the longest prefix match rule.
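The route selection described in this topic (longest prefix match, with the P0 > P1 > P2 > P3 priorities from the Route priorities section deciding between routes that share the same prefix) as an added Python example. This is not code from this page or from Alibaba Cloud: the Route class, the sample route table and the next-hop names are constructed for illustration, and applying the priority only after the prefix-length comparison is an assumption about how a route conflict is resolved.

```python
import ipaddress
from typing import Iterable, List, Optional

# Route priorities as listed on the page: P0 (specific) > P1 (system) > P2 (BGP) > P3 (static).
ROUTE_PRIORITY = {
    "specific": 0,
    "system": 1,
    "bgp": 2,
    "static": 3,
}


class Route:
    """One entry in the route table of an IPsec-VPN connection (constructed model)."""

    def __init__(self, cidr: str, route_type: str, next_hop: str):
        if route_type not in ROUTE_PRIORITY:
            raise ValueError(f"unknown route type: {route_type}")
        # strict=True rejects entries such as 10.1.0.1/16 whose host bits are set
        self.network = ipaddress.ip_network(cidr, strict=True)
        self.route_type = route_type
        self.next_hop = next_hop

    @property
    def priority(self) -> int:
        return ROUTE_PRIORITY[self.route_type]

    def __repr__(self) -> str:
        return f"Route({self.network}, {self.route_type}, P{self.priority}, {self.next_hop})"


def lookup(routes: Iterable[Route], dst_ip: str) -> Optional[Route]:
    """Pick the route for dst_ip: the longest matching prefix wins; if several
    routes carry that same prefix (a route conflict), the lowest P number wins."""
    addr = ipaddress.ip_address(dst_ip)
    candidates: List[Route] = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    # prefix length descending, then priority ascending (P0 is best)
    candidates.sort(key=lambda r: (-r.network.prefixlen, r.priority))
    return candidates[0]


# Constructed sample table: the two 10.1.0.0/16 entries conflict, so the BGP
# route (P2) must beat the destination-based static route (P3) for that prefix.
SAMPLE_ROUTES = [
    Route("10.0.0.0/8", "static", "ipsec-conn-tunnel-1"),
    Route("10.1.0.0/16", "bgp", "ipsec-conn-tunnel-2"),
    Route("10.1.0.0/16", "static", "ipsec-conn-tunnel-1"),
    Route("10.1.2.0/24", "system", "ipsec-conn-tunnel-1"),
]

if __name__ == "__main__":
    for ip in ("10.1.2.5", "10.1.9.9", "10.200.0.1", "192.168.1.1"):
        print(ip, "->", lookup(SAMPLE_ROUTES, ip))
```

The sort key shows the two rules in order: a /24 system route always beats a /16 of any type for an address it covers, and the priority table only comes into play when two entries have an identical prefix.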
Procedure
Add a destination-based route
1. Log on to the VPN Gateway console.
2. In the top navigation bar, select the region of the IPsec-VPN connection.
3. On the IPsec Connections page, find the IPsec-VPN connection that you want to manage and click its ID.
4. On the Destination-based Route Table tab, click Add Route Entry.
5. In the Add Route Entry panel, configure the following parameters and click OK.
Parameter | Description |
Destination CIDR Block | Enter the CIDR block of the data center. |
Next Hop Type | Select IPsec-VPN Connection. |
Next Hop | Select an IPsec-VPN connection. |
Delete a destination-based route
1. Log on to the VPN Gateway console.
2. In the top navigation bar, select the region of the IPsec-VPN connection.
3. On the IPsec Connections page, find the IPsec-VPN connection that you want to manage and click its ID.
4. On the Destination-based Route Table tab, find the destination-based route that you want to delete and click Delete in the Actions column.
5. In the Delete Route Entry message, click OK.
Configure BGP dynamic routing
BGP is a dynamic routing protocol that runs over Transmission Control Protocol (TCP). BGP is used to exchange routing and network reachability information between autonomous systems (ASs). You need to add BGP configurations to the IPsec-VPN connection and the data center to make them BGP peers. This way, they learn routes from each other, which reduces network maintenance costs and network configuration errors.
Advertising principles of BGP dynamic routing
After BGP dynamic routing is configured for the IPsec-VPN connection and data center, BGP routes are advertised in the following ways:
To Alibaba Cloud
After the data center advertises its routes in BGP routing configurations, these routes are automatically advertised to the IPsec-VPN connection on Alibaba Cloud by using BGP dynamic routing. After a route learning correlation is created between the route table of the transit router and the IPsec-VPN connection, the system automatically advertises the routes in the BGP route table of the IPsec-VPN connection to the route table of the transit router.
To the data center
After you enable route synchronization for the IPsec-VPN connection on the transit router, the system advertises the routes in the route table of the transit router to the BGP route table of the IPsec-VPN connection. The IPsec-VPN connection automatically advertises the routes in the BGP route table to the data center.
Limits on BGP dynamic routing
By default, the BGP route table of an IPsec-VPN connection contains up to 50 routes. To request a quota increase, submit a ticket.
Do not advertise a route whose destination CIDR block is 100.64.0.0/10, a subset of 100.64.0.0/10, or a CIDR block that contains 100.64.0.0/10 to the IPsec-VPN connection by using BGP dynamic routing. If such a route is advertised, the status of the IPsec-VPN connection cannot be displayed in the VPN Gateway console or IPsec-VPN negotiations fail.
After an IPsec-VPN connection is associated with a transit router, the routes whose destination CIDR block is 0.0.0.0/0 can be advertised by using BGP dynamic routing between your on-premises gateway device and the transit router.
If you connect the data center to the transit router by using both an Express Connect circuit and an IPsec-VPN connection for connection resilience, make sure that the same autonomous system number (ASN) of the data center is specified for the virtual border router (VBR) and the IPsec-VPN connection. This prevents route flapping in the data center.
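The two CIDR-block rules in this topic (the Limits under Manage destination-based routes and the Limits on BGP dynamic routing above) share one check, so this added Python example covers both: it rejects destination-based routes for 0.0.0.0/0 and for anything that equals, lies within or contains 100.64.0.0/10, applies the same 100.64.0.0/10 rule to routes the data center advertises over BGP, and flags a set larger than the default BGP route quota of 50. This is not code from this page or from Alibaba Cloud. Treating a BGP-advertised 0.0.0.0/0 as allowed even though it technically contains 100.64.0.0/10 follows the statement above that a default route can be advertised once the connection is on a transit router; that reading is an assumption, as are the sample CIDR blocks.

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple

CGNAT = ipaddress.ip_network("100.64.0.0/10")      # the block the page says must never be routed
DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")
BGP_ROUTE_QUOTA = 50                                # default BGP route table size from the page


def _parse(cidr: str) -> Tuple[Optional[ipaddress.IPv4Network], Optional[str]]:
    """Parse a CIDR block; strict=True refuses entries with host bits set."""
    try:
        return ipaddress.ip_network(cidr, strict=True), None
    except ValueError as exc:
        return None, f"{cidr}: not a valid CIDR block ({exc})"


def overlaps_cgnat(net: ipaddress.IPv4Network) -> bool:
    """True if net equals, is a subnet of, or contains 100.64.0.0/10."""
    return net.overlaps(CGNAT)


def check_destination_route(cidr: str) -> List[str]:
    """Problems with one destination-based route entry, per the Limits section."""
    net, err = _parse(cidr)
    if err:
        return [err]
    problems = []
    if net == DEFAULT_ROUTE:
        problems.append(f"{cidr}: destination CIDR block must not be 0.0.0.0/0")
    elif overlaps_cgnat(net):
        problems.append(f"{cidr}: must not be, lie within, or contain 100.64.0.0/10")
    return problems


def check_bgp_advertisement(cidrs: Iterable[str]) -> List[str]:
    """Problems with the set of routes the data center intends to advertise over BGP."""
    cidrs = list(cidrs)
    problems = []
    if len(cidrs) > BGP_ROUTE_QUOTA:
        problems.append(
            f"{len(cidrs)} routes exceed the default BGP route quota of {BGP_ROUTE_QUOTA}; "
            "submit a ticket for a quota increase"
        )
    for cidr in cidrs:
        net, err = _parse(cidr)
        if err:
            problems.append(err)
            continue
        if net == DEFAULT_ROUTE:
            continue  # assumption: the default route is allowed over BGP (see lead-in)
        if overlaps_cgnat(net):
            problems.append(f"{cidr}: must not be, lie within, or contain 100.64.0.0/10")
    return problems


if __name__ == "__main__":
    # constructed sample entries: one good, one default route, one inside 100.64.0.0/10,
    # one that contains it, and one with host bits set
    for entry in ("10.10.0.0/16", "0.0.0.0/0", "100.100.0.0/16", "100.0.0.0/8", "10.0.0.1/8"):
        print("destination-based", entry, check_destination_route(entry) or "ok")
    print("bgp", check_bgp_advertisement(["0.0.0.0/0", "10.0.0.0/8"]) or "ok")
```

Running such a check before entries are submitted is cheaper than diagnosing the symptom the page describes (connection status not displayed, or IPsec negotiation failing) after the fact.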
Procedure
1. Specify the ASN of the data center in a customer gateway. For more information, see Create and manage a customer gateway.
   If you do not specify the ASN of the data center when you create a customer gateway, you must delete the current customer gateway and create another one.
   After the customer gateway is created, you cannot edit it. If you want to change the ASN, delete the current customer gateway and create another one.
2. Enable BGP for the IPsec-VPN connection and add BGP dynamic routing configurations. For more information, see Create and manage IPsec-VPN connections in single-tunnel mode.
   The following table lists only the parameters that are strongly correlated to BGP dynamic routing.
   Important: We recommend that you set the Routing Mode parameter to Destination Routing Mode for IPsec-VPN connections.
Parameter | Description |
Customer Gateway | Select the customer gateway that uses the ASN of the data center. |
Enable BGP | Turn on the switch to enable BGP. |
Local ASN | Enter the ASN of the tunnel. Default value: 45104. Valid values: 1 to 4294967295. You can enter the ASN in two segments and separate the first 16 bits from the following 16 bits with a period (.). Enter the number in each segment in decimal format. For example, if you enter 123.456, the ASN is 123 × 65536 + 456 = 8061384. |
Tunnel CIDR Block | Enter the CIDR block of the tunnel. The CIDR block must fall within 169.254.0.0/16. The mask of the CIDR block must be 30 bits in length. The CIDR block cannot be 169.254.0.0/30, 169.254.1.0/30, 169.254.2.0/30, 169.254.3.0/30, 169.254.4.0/30, 169.254.5.0/30, 169.254.6.0/30, or 169.254.169.252/30. Note: The two tunnels of an IPsec-VPN connection must use different CIDR blocks. |
Local BGP IP address | Enter the BGP IP address of the tunnel. This IP address must fall within the CIDR block of the tunnel. |
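The BGP tunnel parameter rules in the table above (Local ASN range and dotted notation, Tunnel CIDR Block inside 169.254.0.0/16 with a 30-bit mask and outside the reserved blocks, Local BGP IP address inside the tunnel block, plus the dual-tunnel rules from the Recommendations section: same Local ASN on both tunnels, different tunnel CIDR blocks) as an added Python pre-flight check. This is not code from this page or from Alibaba Cloud; the function names, the dictionary shape used for a tunnel and the sample values are constructed, and the check goes slightly beyond the table by also validating the dotted ASN segments against the 16-bit range that the notation implies.

```python
import ipaddress
from typing import Dict, List

ASN_MIN, ASN_MAX = 1, 4294967295                      # valid Local ASN range from the page
DEFAULT_LOCAL_ASN = 45104
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")   # tunnel blocks must sit inside this
RESERVED_TUNNEL_BLOCKS = {
    ipaddress.ip_network(c) for c in (
        "169.254.0.0/30", "169.254.1.0/30", "169.254.2.0/30", "169.254.3.0/30",
        "169.254.4.0/30", "169.254.5.0/30", "169.254.6.0/30", "169.254.169.252/30",
    )
}


def parse_asn(text: str) -> int:
    """Accept an ASN as plain decimal ("8061384") or as two dotted decimal
    segments ("123.456"); the dotted form is high16 * 65536 + low16."""
    text = text.strip()
    if "." in text:
        high, low = text.split(".", 1)
        high_i, low_i = int(high), int(low)
        if not (0 <= high_i <= 65535 and 0 <= low_i <= 65535):
            raise ValueError("each dotted ASN segment must be between 0 and 65535")
        asn = high_i * 65536 + low_i
    else:
        asn = int(text)
    if not ASN_MIN <= asn <= ASN_MAX:
        raise ValueError(f"ASN must be between {ASN_MIN} and {ASN_MAX}")
    return asn


def check_tunnel(local_asn: str, tunnel_cidr: str, local_bgp_ip: str) -> List[str]:
    """Problems with one tunnel's BGP parameters; an empty list means it passes."""
    problems = []
    try:
        parse_asn(local_asn)
    except ValueError as exc:
        problems.append(f"Local ASN: {exc}")
    try:
        net = ipaddress.ip_network(tunnel_cidr, strict=True)
    except ValueError as exc:
        problems.append(f"Tunnel CIDR Block: {exc}")
        return problems  # the remaining checks need a parsed block
    if net.version != 4 or not net.subnet_of(LINK_LOCAL):
        problems.append("Tunnel CIDR Block: must fall within 169.254.0.0/16")
    if net.prefixlen != 30:
        problems.append("Tunnel CIDR Block: mask must be 30 bits in length")
    if net in RESERVED_TUNNEL_BLOCKS:
        problems.append(f"Tunnel CIDR Block: {net} is reserved and cannot be used")
    try:
        ip = ipaddress.ip_address(local_bgp_ip)
        if ip not in net:
            problems.append("Local BGP IP address: must fall within the tunnel CIDR block")
    except ValueError as exc:
        problems.append(f"Local BGP IP address: {exc}")
    return problems


def check_dual_tunnel(tunnel_1: Dict[str, str], tunnel_2: Dict[str, str]) -> List[str]:
    """Per-tunnel checks plus the cross-tunnel rules: same Local ASN, different CIDR blocks."""
    problems = [f"tunnel 1, {p}" for p in check_tunnel(**tunnel_1)]
    problems += [f"tunnel 2, {p}" for p in check_tunnel(**tunnel_2)]
    if problems:
        return problems
    if parse_asn(tunnel_1["local_asn"]) != parse_asn(tunnel_2["local_asn"]):
        problems.append("the Local ASN of the two tunnels must be the same")
    if ipaddress.ip_network(tunnel_1["tunnel_cidr"]) == ipaddress.ip_network(tunnel_2["tunnel_cidr"]):
        problems.append("the two tunnels must use different tunnel CIDR blocks")
    return problems


if __name__ == "__main__":
    # constructed sample: two tunnels that satisfy every rule in the table
    t1 = {"local_asn": "123.456", "tunnel_cidr": "169.254.10.0/30", "local_bgp_ip": "169.254.10.1"}
    t2 = {"local_asn": "8061384", "tunnel_cidr": "169.254.11.0/30", "local_bgp_ip": "169.254.11.1"}
    print(check_dual_tunnel(t1, t2) or "both tunnels pass")
```

The two sample tunnels deliberately give the same ASN in the two notations the table allows, which is why the cross-tunnel comparison works on the parsed integer rather than on the raw strings.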