
VPN Gateway:Overview

Last Updated:May 14, 2024

After an IPsec connection is associated with a transit router, an IPsec-VPN connection can be established between a data center and the transit router. This way, the data center can access other networks by using the transit router.

Prerequisites

Before you establish an IPsec-VPN connection between a data center and a transit router, make sure that the following prerequisites are met:

  • If you associate a public IPsec connection with a transit router, a public IP address must be assigned to the gateway device in the data center.

  • The gateway device in the data center must support the IKEv1 or IKEv2 protocol to establish an IPsec-VPN connection with a transit router.

  • The CIDR block of the data center does not overlap with the CIDR block of the network to be accessed.

  • If security policies such as an access control list (ACL) are configured for the network to be accessed, the security policies must allow access from the data center.

Limits

  • You can associate an IPsec connection with a transit router only in specific regions. For more information about the supported regions, see Regions that support IPsec-VPN features.

  • In scenarios in which an IPsec connection is associated with a transit router, the IPsec connection can be associated only with an Enterprise Edition transit router.

Procedure

[Figure: overview of the procedure for associating an IPsec connection with a transit router (image not included)]

The following steps list the reference topic for each step and a description.

Step 1: Create a CEN instance

Transit routers are deployed on Cloud Enterprise Network (CEN) instances. Before you create a transit router, you must create a CEN instance.

Step 2: Create a transit router

A transit router is a key network element in a region that is used to forward network traffic. Before you can use a transit router, you must create a transit router in the region in which the data center is deployed or in a region that is close to the data center.

Important

When you create a transit router, you must configure a CIDR block for the transit router. Otherwise, IPsec connections cannot be associated with the transit router.

If you have already created a transit router, you can configure a CIDR block for it afterwards. For more information, see Transit router CIDR blocks.

Step 3: Create and manage a customer gateway

You must create a customer gateway on Alibaba Cloud and add the information about the gateway device in the data center, such as its IP address and Border Gateway Protocol (BGP) autonomous system number (ASN), to the customer gateway.

Step 4: Create and manage IPsec-VPN connections associated with transit routers

An IPsec-VPN connection is an encrypted data transmission tunnel between a data center and a transit router.

When you create an IPsec-VPN connection, set the Associate Resource parameter to CEN or Do Not Associate.

Step 5: Configure the gateway device in the data center

You must add VPN configurations to the gateway device in the data center so that it can negotiate with the IPsec connection to establish an IPsec-VPN connection.

Step 6: Configure a route for the IPsec-VPN connection

You must configure a route that points to the data center for the IPsec-VPN connection and advertise the route to the route table of the transit router. This way, the data center can be connected to the transit router.

Step 7: Test network connectivity

Log on to a server in the data center and run the ping command to ping the private IP address of a server in the network to be accessed.
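The prerequisites above (non-overlapping CIDR blocks, a public address on the data center gateway for a public IPsec connection) and the transit router CIDR block required in step 2 are easy to get wrong before the tunnel is even negotiated. The following pre-flight check, added here as an example and not code from Alibaba Cloud, validates those inputs offline with the Python standard library; the function names and the sample addresses are constructed for this example.

```python
import ipaddress
from typing import List, Optional, Tuple


def find_overlaps(left: List[str], right: List[str]) -> List[Tuple[str, str]]:
    """Return every (l, r) pair of CIDR blocks that overlap (same IP version only)."""
    pairs = []
    for l in left:
        lnet = ipaddress.ip_network(l, strict=False)
        for r in right:
            rnet = ipaddress.ip_network(r, strict=False)
            if lnet.version == rnet.version and lnet.overlaps(rnet):
                pairs.append((l, r))
    return pairs


def check_prerequisites(dc_cidrs: List[str], target_cidrs: List[str],
                        transit_router_cidr: Optional[str],
                        gateway_ip: Optional[str],
                        public_connection: bool = True) -> List[str]:
    """Return a list of prerequisite violations; an empty list means all checks passed."""
    problems = []
    # Prerequisite: the data center CIDR block must not overlap the network to be accessed.
    for dc, tgt in find_overlaps(dc_cidrs, target_cidrs):
        problems.append(f"data center block {dc} overlaps target network {tgt}")
    # Step 2: without a CIDR block on the transit router, IPsec connections cannot be associated.
    if not transit_router_cidr:
        problems.append("transit router has no CIDR block configured")
    else:
        try:
            # strict=True rejects blocks with host bits set, e.g. 172.16.0.1/24
            ipaddress.ip_network(transit_router_cidr, strict=True)
        except ValueError:
            problems.append(f"transit router CIDR block {transit_router_cidr!r} is not a valid network")
    # Prerequisite: a public IPsec connection needs a public IP address on the data center gateway.
    if public_connection:
        if not gateway_ip:
            problems.append("public IPsec connection requested but no gateway IP address given")
        else:
            try:
                if ipaddress.ip_address(gateway_ip).is_private:
                    problems.append(f"gateway address {gateway_ip} is not a public IP address")
            except ValueError:
                problems.append(f"gateway address {gateway_ip!r} is not a valid IP address")
    return problems


if __name__ == "__main__":
    # Constructed sample input: a private 10.0.0.0/16 data center, a VPC in 192.168.0.0/24,
    # a transit router block and a placeholder gateway address.
    for p in check_prerequisites(["10.0.0.0/16"], ["192.168.0.0/24"], "172.16.0.0/24", "45.67.89.10"):
        print("FAIL:", p)
```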
