This topic describes how to create an IPsec-VPN connection in dual-tunnel mode between a virtual private cloud (VPC) and a data center by using a public VPN gateway. The IPsec-VPN connection enables encrypted communication between the VPC and the data center and ensures high availability in communication.
Prerequisites
If the IPsec-VPN connection is associated with a VPN gateway, a public IP address must be assigned to the gateway device in the data center.
For regions that support the dual-tunnel mode, we recommend that you configure two public IP addresses for the gateway device in the data center. Alternatively, you can deploy two gateway devices in the data center and configure a public IP address for each gateway device. This way, you can create high-availability IPsec-VPN connections. For more information about the regions that support the dual-tunnel mode, see [Upgrade notice] IPsec-VPN connections support the dual-tunnel mode.
The gateway device in the data center must support the IKEv1 or IKEv2 protocol to establish an IPsec-VPN connection with the VPN gateway.
The CIDR block of the data center does not overlap with the CIDR block of the network to be accessed.
Example
In this example, the following scenario is used. An enterprise has created a VPC in the China (Hohhot) region. The primary CIDR block of the VPC is 192.168.0.0/16. The enterprise has a data center in Hohhot. Due to business development, the devices in the CIDR block 172.16.0.0/16 of the data center need to access the VPC. To meet this requirement, the enterprise can establish an IPsec-VPN connection between the VPC and the data center. The IPsec-VPN connection enables encrypted communication between the VPC and the data center and ensures high availability in communication.
Preparations
A VPC is created in the China (Hohhot) region, and workloads are deployed on the Elastic Compute Service (ECS) instances in the VPC. For more information, see Create a VPC with an IPv4 CIDR block.
The security group rules that are configured on the ECS instances in the VPC and the access control rules of the data center allow the data center and VPC to communicate with each other. For more information about security group rules for ECS instances, see View security group rules and Add a security group rule.
Procedure
Step 1: Create a VPN gateway
Log on to the VPN Gateway console.
In the top navigation bar, select the region in which you want to create the VPN gateway.
The VPN gateway and the VPC that the data center needs to access must be in the same region.
On the VPN Gateway page, click Create VPN Gateway.
On the buy page, configure the following parameters, click Buy Now, and then complete the payment.
Name: Enter a name for the VPN gateway. In this example, VPNGW is used.
Resource Group: Select the resource group to which the VPN gateway belongs. If you leave this parameter empty, the VPN gateway belongs to the default resource group. In this example, this parameter is left empty.
Region: Select the region in which you want to create the VPN gateway. In this example, China (Hohhot) is selected.
Gateway Type: Select a gateway type. In this example, Standard is selected.
Network Type: Select a network type for the VPN gateway. Public: the VPN gateway establishes VPN connections over the Internet. Private: the VPN gateway establishes VPN connections over private networks. In this example, Public is selected.
Tunnels: Select a tunnel mode. Valid values: Dual-tunnel and Single-tunnel. For more information about the single-tunnel mode and dual-tunnel mode, see [Upgrade notice] IPsec-VPN connections support the dual-tunnel mode. In this example, the default value Dual-tunnel is used.
VPC: Select the VPC that you want to associate with the VPN gateway. In this example, the VPC deployed in the China (Hohhot) region is selected.
VSwitch: Select a vSwitch from the selected VPC. If you select Single-tunnel, you need to specify only one vSwitch. If you select Dual-tunnel, you need to specify two vSwitches. After the IPsec-VPN feature is enabled, the system creates an elastic network interface (ENI) in each of the two vSwitches as the interface through which the VPN gateway communicates with the VPC over the IPsec-VPN connection. Each ENI occupies one IP address in its vSwitch. Note: the system selects a vSwitch by default; you can keep the default vSwitch or change it. After a VPN gateway is created, you cannot modify the vSwitch associated with it. You can view the associated vSwitch, the zone to which it belongs, and the ENI in the vSwitch on the details page of the VPN gateway. In this example, a vSwitch in the VPC is selected.
vSwitch 2: Select another vSwitch from the selected VPC. Specify two vSwitches in different zones of the associated VPC so that the IPsec-VPN connection survives the failure of a single zone. In a region that has only one zone, cross-zone disaster recovery is not available; we recommend that you still specify two vSwitches in that zone to implement high availability of the IPsec-VPN connection. You can also select the same vSwitch as the first one. Note: if the VPC contains only one vSwitch, create another one first. For more information, see Create and manage a vSwitch. In this example, another vSwitch in the VPC is selected.
Peak Bandwidth: Select the maximum bandwidth of the VPN gateway. Unit: Mbit/s. In this example, the default value is used.
Traffic: Select a metering method for the VPN gateway. Default value: Pay-by-data-transfer. For more information, see Billing. In this example, the default value is used.
IPsec-VPN: Specify whether to enable IPsec-VPN. Default value: Enable. In this example, Enable is selected.
SSL-VPN: Specify whether to enable SSL-VPN. Default value: Disable. In this example, Disable is selected.
Duration: Select a billing cycle for the VPN gateway. Default value: By Hour. In this example, the default value is used.
Service-linked Role: Click Create Service-linked Role. The system automatically creates the service-linked role AliyunServiceRoleForVpn, which the VPN gateway assumes to access other cloud resources. If Created is displayed, the role already exists and you do not need to create it again. Configure this parameter based on actual conditions.
After you create the VPN gateway, view the VPN gateway on the VPN Gateway page.
The newly created VPN gateway is in the Preparing state and changes to the Normal state after about 1 to 5 minutes. After the status changes to Normal, the VPN gateway is ready for use.
Two public IP addresses are assigned to each public VPN gateway, one for each encrypted tunnel. In this example, the VPN gateway is assigned the following public IP addresses:
Tunnel 1 (active tunnel): 39.XX.XX.218
Tunnel 2 (standby tunnel): 182.XX.XX.19
Step 2: Create a customer gateway
In the left-side navigation pane, open the Customer Gateways page.
In the top navigation bar, select the region in which you want to create the customer gateway.
Make sure that the customer gateway and the VPN gateway to be connected are deployed in the same region.
On the Customer Gateways page, click Create Customer Gateway.
In the Create Customer Gateway panel, configure the following parameters and click OK.
You must create two customer gateways, one for each encrypted tunnel, each representing one public IP address of the data center. The following list describes only the parameters that are relevant to this topic; keep the default values for the other parameters or leave them empty. For more information, see Create and manage a customer gateway.
Name: Enter a name for the customer gateway. In this example, CustomerGW1 is used for Customer Gateway 1 and CustomerGW2 for Customer Gateway 2.
IP Address: Enter the public IP address of the gateway device in the data center. In this example, 211.XX.XX.36 is used for Customer Gateway 1 and 211.XX.XX.71 for Customer Gateway 2.
Step 3: Create an IPsec-VPN connection
In the left-side navigation pane, open the IPsec Connections page.
In the top navigation bar, select the region in which you want to create the IPsec-VPN connection.
Make sure that the IPsec-VPN connection and the VPN gateway are in the same region.
On the IPsec Connections page, click Create IPsec-VPN Connection.
On the Create IPsec-VPN Connection page, configure the following parameters and click OK.
Name: Enter a name for the IPsec-VPN connection. In this example, IPsec-Connection is used.
Resource Group: Select the resource group to which the IPsec-VPN connection belongs. In this example, the default resource group is selected.
Associate Resource: Select the type of network resource to be associated with the IPsec-VPN connection. In this example, VPN Gateway is selected.
VPN Gateway: Select the VPN gateway that you want to associate with the IPsec-VPN connection. In this example, the VPN gateway VPNGW is selected.
Routing Mode: Select a routing mode. Destination Routing Mode: traffic is forwarded based on the destination IP address. Protected Data Flows: traffic is forwarded based on the source and destination IP addresses. In this example, Destination Routing Mode is selected.
Effective Immediately: Specify whether to start IKE negotiation as soon as the connection is created. Yes: negotiation starts after the configuration is complete. No: negotiation starts when inbound traffic is detected. In this example, Yes is selected.
Enable BGP: Specify whether to enable Border Gateway Protocol (BGP). If you want to use BGP routing for the IPsec-VPN connection, turn on Enable BGP. By default, Enable BGP is turned off. In this example, Enable BGP is turned off.
Tunnel 1: Configure the VPN parameters of the active tunnel. By default, Tunnel 1 is the active tunnel and Tunnel 2 is the standby tunnel; this assignment cannot be changed.
  Customer Gateway: Select the customer gateway to associate with the active tunnel. In this example, CustomerGW1 is selected.
  Pre-Shared Key: Enter the pre-shared key that the two ends of the active tunnel use to authenticate each other. The key must be 1 to 100 characters in length and can contain digits, letters, and the following special characters: ~ ` ! @ # $ % ^ & * ( ) _ - + = { } [ ] \ | ; : ' , . < > / ? The key cannot contain spaces. If you do not specify a pre-shared key, the system generates a random 16-character string. After the IPsec-VPN connection is created, you can click Edit in the Actions column of the tunnel to view the key that the system generated. For more information, see Create and manage IPsec-VPN connections in dual-tunnel mode. Because the pre-shared key is what authenticates the two gateways to each other, use a long random value and handle it as a secret. Important: the IPsec-VPN connection and the peer gateway device must use the same pre-shared key; otherwise, the tunnel cannot be established. In this example, fddsFF123**** is used.
  Encryption Configuration: Configure the IKE, IPsec, dead peer detection (DPD), and NAT traversal parameters. In this example, the default values are used for all parameters except DH Group, which is set to group14 for both IKE Configurations and IPsec Configurations. For more information, see Create and manage IPsec-VPN connections in dual-tunnel mode. Note: choose parameters that the on-premises gateway device supports, and make sure that the IKE and IPsec settings of the tunnel are identical to those configured on the device; otherwise, negotiation fails.
Tunnel 2: Configure the VPN parameters of the standby tunnel.
  Customer Gateway: Select the customer gateway to associate with the standby tunnel. In this example, CustomerGW2 is selected.
  Pre-Shared Key: Enter the pre-shared key that the two ends of the standby tunnel use to authenticate each other. The same rules as for Tunnel 1 apply. In this example, fddsFF456**** is used.
  Encryption Configuration: Configure the IKE, IPsec, DPD, and NAT traversal parameters. In this example, the default values are used for all parameters except DH Group, which is set to group14 for both IKE Configurations and IPsec Configurations. For more information, see Create and manage IPsec-VPN connections in dual-tunnel mode. Note: as for Tunnel 1, the settings must be identical to those configured on the on-premises gateway device.
Tags: Add a tag to the IPsec-VPN connection. In this example, this parameter is left empty.
In the Created message, click OK.
On the IPsec Connections page, find the IPsec-VPN connection that you create and click Generate Peer Configuration in the Actions column.
The peer configuration is the set of VPN parameters (tunnel addresses, pre-shared keys, and IKE and IPsec settings) that must be configured on the peer gateway device so that it matches the IPsec-VPN connection you just created. In this example, these are the settings that you add to the gateway devices in the data center.
In the IPsec-VPN Connection Configuration dialog box, copy and save the configurations to an on-premises machine. The configurations are required when you configure the gateway device of the data center.
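The prerequisites and the tunnel parameters above impose three conditions that are easy to get wrong and that only surface later as a failed negotiation: the data center CIDR block must not overlap the VPC, each pre-shared key must follow the documented character rules, and the IKE and IPsec settings of each tunnel must be identical on both ends even though the Cisco CLI spells some of them differently (sha versus sha1, group 14 versus group14). The following Python script is an added example written for this page; it is not part of the Alibaba Cloud documentation, the console, or any vendor tool. The parameter names (ike_enc, ipsec_pfs, and so on), the alias table, and the sample values, which mirror the example in this topic, are assumptions made for illustration.

```python
"""Pre-flight checks for a dual-tunnel IPsec-VPN connection (added example).

Verifies the conditions this topic states must hold before negotiation can
succeed: non-overlapping CIDR blocks, well-formed pre-shared keys, and
identical IKE/IPsec parameters on both ends of each tunnel.
"""
import ipaddress
import re

# Characters and length the VPN console accepts for a pre-shared key (see Step 3).
_PSK_RE = re.compile(r"[0-9A-Za-z~`!@#$%^&*()_\-+={}\[\]\\|;:',.<>/?]{1,100}")

# Cisco ASA spells some algorithm names differently from the console (assumed mapping).
_ASA_ALIASES = {
    "sha": "sha1", "sha-1": "sha1", "sha-256": "sha256",
    "sha-384": "sha384", "sha-512": "sha512",
    "aes": "aes", "aes-192": "aes192", "aes-256": "aes256",
}


def psk_is_valid(psk: str) -> bool:
    """1 to 100 characters from the documented set; spaces are never allowed."""
    return _PSK_RE.fullmatch(psk) is not None


def cidrs_overlap(a: str, b: str) -> bool:
    """True when the two blocks share any address (the prerequisite forbids this)."""
    return ipaddress.ip_network(a, strict=False).overlaps(ipaddress.ip_network(b, strict=False))


def normalize(name: str) -> str:
    """Map vendor spellings such as 'sha-1' or 'group 14' onto the console's spelling."""
    key = name.strip().lower().replace(" ", "")
    return _ASA_ALIASES.get(key, key)


def tunnel_mismatches(cloud: dict, onprem: dict) -> list:
    """Names of parameters whose values differ after normalization, e.g. ['ike_pfs']."""
    return sorted(k for k in cloud
                  if normalize(str(cloud[k])) != normalize(str(onprem.get(k, ""))))


def preflight(vpc_cidr: str, dc_cidr: str, psks: dict, tunnels: dict) -> list:
    """Collect every problem found; an empty list means the connection can be created.

    psks maps tunnel name -> pre-shared key; tunnels maps tunnel name ->
    (cloud-side parameters, on-premises device parameters).
    """
    problems = []
    if cidrs_overlap(vpc_cidr, dc_cidr):
        problems.append(f"CIDR overlap: {vpc_cidr} and {dc_cidr}")
    for name, psk in psks.items():
        if not psk_is_valid(psk):
            problems.append(f"{name}: pre-shared key violates the length or character rules")
    for name, (cloud, onprem) in tunnels.items():
        for param in tunnel_mismatches(cloud, onprem):
            problems.append(f"{name}: {param} is {cloud[param]!r} on the cloud side "
                            f"but {onprem.get(param)!r} on the device")
    return problems


# Constructed inputs mirroring the example in this topic (parameter names are assumed).
VPC_CIDR = "192.168.0.0/16"
DC_CIDR = "172.16.0.0/16"
CLOUD_TUNNEL_1 = {
    "ike_version": "ikev2", "ike_enc": "aes", "ike_auth": "sha1",
    "ike_pfs": "group14", "ike_lifetime": 86400,
    "ipsec_enc": "aes", "ipsec_auth": "sha1",
    "ipsec_pfs": "group14", "ipsec_lifetime": 86400,
}
# Values as they appear in the ASA commands of Step 4 (ikev2 policy, ipsec proposal, profile).
ASA_DEVICE_1 = {
    "ike_version": "ikev2", "ike_enc": "aes", "ike_auth": "sha",
    "ike_pfs": "group 14", "ike_lifetime": 86400,
    "ipsec_enc": "aes", "ipsec_auth": "sha-1",
    "ipsec_pfs": "group14", "ipsec_lifetime": 86400,
}

if __name__ == "__main__":
    found = preflight(VPC_CIDR, DC_CIDR, {"tunnel1": "fddsFF123****"},
                      {"tunnel1": (CLOUD_TUNNEL_1, ASA_DEVICE_1)})
    print("\n".join(found) if found else "all checks passed")
```

Run it with the real values from Generate Peer Configuration before touching the firewall; a non-empty list tells you which tunnel and which parameter to fix, which is far quicker than reading IKE debug output on the ASA after the fact.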
Step 4: Configure the gateway devices in the data center
After you create an IPsec-VPN connection on Alibaba Cloud, you need to add VPN and routing configurations to the gateway devices in the data center to allow the gateway devices to connect to the IPsec-VPN connection. Then, network traffic is transmitted from the active tunnel to the VPC by default. If the active tunnel is down, the standby tunnel automatically takes over.
In this example, the software Adaptive Security Appliance (ASA) 9.19.1 is used to describe how to configure a Cisco firewall. The commands may vary with software versions. Consult the documentation or your vendor based on your actual environment during operations. For more information, see Configure local gateways.
The following content contains third-party product information, which is only for reference. Alibaba Cloud does not make guarantees or other forms of commitments for the performance and reliability of third-party products, or the potential impacts of operations performed by using these products.
Log on to the CLI of the Cisco firewall and enter the configuration mode.
ciscoasa> enable
Password: ********               # Enter the password for the enable mode.
ciscoasa# configure terminal     # Enter the configuration mode.
ciscoasa(config)#
View the interface configurations.
Verify that the interfaces are configured and enabled on the Cisco firewall. In this example, the following interface configurations are used:
# View the interface configurations of On-premises Gateway Device 1.
ciscoasa(config)# show running-config interface
!
interface GigabitEthernet0/0
 nameif outside1                              # The name of the GigabitEthernet 0/0 interface (public side).
 security-level 0
 ip address 211.XX.XX.36 255.255.255.255      # The public IP address of the GigabitEthernet 0/0 interface.
!
interface GigabitEthernet0/1                  # The interface that connects to the data center.
 nameif private                               # The name of the GigabitEthernet 0/1 interface.
 security-level 100                           # Higher than the security level 0 of the public interface: by default the ASA allows traffic from the higher to the lower level and drops the reverse unless an ACL permits it.
 ip address 172.16.50.217 255.255.255.0       # The IP address of the GigabitEthernet 0/1 interface.
!
# View the interface configurations of On-premises Gateway Device 2.
ciscoasa(config)# show running-config interface
!
interface GigabitEthernet0/0
 nameif outside1                              # The name of the GigabitEthernet 0/0 interface (public side).
 security-level 0
 ip address 211.XX.XX.71 255.255.255.255      # The public IP address of the GigabitEthernet 0/0 interface.
!
interface GigabitEthernet0/1                  # The interface that connects to the data center.
 nameif private                               # The name of the GigabitEthernet 0/1 interface.
 security-level 100                           # Higher than the security level of the public interface, as on Device 1.
 ip address 172.16.40.218 255.255.255.0       # The IP address of the GigabitEthernet 0/1 interface.
!
Enable the IKEv2 feature for the public interfaces.
# Add the following configuration to On-premises Gateway Devices 1 and 2:
crypto ikev2 enable outside1     # Enable IKEv2 on the public interface outside1.
Create an IKEv2 policy and specify the authentication algorithm, encryption algorithm, Diffie-Hellman (DH) group, and security association (SA) lifetime in the IKE phase. The values must be the same as those on Alibaba Cloud.
# Add the following configurations to On-premises Gateway Devices 1 and 2:
crypto ikev2 policy 10
 encryption aes                  # Encryption algorithm (aes = AES with a 128-bit key), same as on Alibaba Cloud.
 integrity sha                   # Integrity (authentication) algorithm, SHA-1 on the ASA.
 group 14                        # DH group, same as the IKE DH group on Alibaba Cloud.
 prf sha                         # The PRF must match the integrity algorithm; by default the two are the same on Alibaba Cloud.
 lifetime seconds 86400          # IKE SA lifetime.
Create an IPsec proposal and profile, and specify the encryption algorithm, authentication algorithm, DH group, and SA lifetime in the IPsec phase on the Cisco firewall. The values must be the same as those on Alibaba Cloud.
# Add the following configurations to On-premises Gateway Devices 1 and 2:
crypto ipsec ikev2 ipsec-proposal ALIYUN-PROPOSAL        # Create an IPsec proposal.
 protocol esp encryption aes                             # Encryption algorithm. Alibaba Cloud uses the Encapsulating Security Payload (ESP) protocol, so the proposal must use ESP.
 protocol esp integrity sha-1                            # Integrity (authentication) algorithm, also carried in ESP.
crypto ipsec profile ALIYUN-PROFILE                      # Create an IPsec profile ...
 set ikev2 ipsec-proposal ALIYUN-PROPOSAL                # ... and apply the proposal created above.
 set ikev2 local-identity address                        # Send the local ID as an IP address, which is the format of the remote ID on Alibaba Cloud.
 set pfs group14                                         # Enable Perfect Forward Secrecy (PFS) with DH group14, same as the IPsec DH group on Alibaba Cloud.
 set security-association lifetime seconds 86400         # Time-based IPsec SA lifetime.
 set security-association lifetime kilobytes unlimited   # Disable the traffic-based SA lifetime.
Create tunnel groups and specify the pre-shared keys for tunnels, which must be the same as those on Alibaba Cloud.
# Add the following configurations to On-premises Gateway Device 1:
tunnel-group 39.XX.XX.218 type ipsec-l2l                     # Create a LAN-to-LAN (ipsec-l2l) tunnel group for Tunnel 1, keyed on the public IP address of Tunnel 1 on Alibaba Cloud.
tunnel-group 39.XX.XX.218 ipsec-attributes
 ikev2 remote-authentication pre-shared-key fddsFF123****    # Key used to authenticate the peer; must be the pre-shared key of Tunnel 1 on Alibaba Cloud.
 ikev2 local-authentication pre-shared-key fddsFF123****     # Key used to authenticate this device; must be the same value.
!
# Add the following configurations to On-premises Gateway Device 2:
tunnel-group 182.XX.XX.19 type ipsec-l2l                     # Create a LAN-to-LAN (ipsec-l2l) tunnel group for Tunnel 2, keyed on the public IP address of Tunnel 2 on Alibaba Cloud.
tunnel-group 182.XX.XX.19 ipsec-attributes
 ikev2 remote-authentication pre-shared-key fddsFF456****    # Key used to authenticate the peer; must be the pre-shared key of Tunnel 2 on Alibaba Cloud.
 ikev2 local-authentication pre-shared-key fddsFF456****     # Key used to authenticate this device; must be the same value.
!
Create tunnel interfaces.
# Add the following configurations to On-premises Gateway Device 1:
interface Tunnel1                                 # Create a virtual tunnel interface for Tunnel 1.
 nameif ALIYUN1
 ip address 169.254.10.2 255.255.255.252          # The IP address of the tunnel interface.
 tunnel source interface outside1                 # Use the address of GigabitEthernet 0/0 as the source address of Tunnel 1.
 tunnel destination 39.XX.XX.218                  # The public IP address of Tunnel 1 on Alibaba Cloud is the destination of Tunnel 1.
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ALIYUN-PROFILE   # Apply the IPsec profile ALIYUN-PROFILE to Tunnel 1.
 no shutdown                                      # Enable the interface.
!
# Add the following configurations to On-premises Gateway Device 2:
interface Tunnel1                                 # Create a virtual tunnel interface for Tunnel 2.
 nameif ALIYUN1
 ip address 169.254.20.2 255.255.255.252          # The IP address of the tunnel interface.
 tunnel source interface outside1                 # Use the address of GigabitEthernet 0/0 as the source address of Tunnel 2.
 tunnel destination 182.XX.XX.19                  # The public IP address of Tunnel 2 on Alibaba Cloud is the destination of Tunnel 2.
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ALIYUN-PROFILE   # Apply the IPsec profile ALIYUN-PROFILE to Tunnel 2.
 no shutdown                                      # Enable the interface.
!
Configure static routes.
# Add the following configurations to On-premises Gateway Device 1:
route ALIYUN1 192.168.0.0 255.255.0.0 39.XX.XX.218          # Static route to the Alibaba Cloud VPC (192.168.0.0/16) through the tunnel interface.
route outside1 39.XX.XX.218 255.255.255.255 192.XX.XX.172   # Route to the public IP address of Tunnel 1 on Alibaba Cloud; the next hop is the upstream public gateway.
route private 172.16.0.0 255.255.0.0 172.16.50.216          # Route to the data center network.
# Add the following configurations to On-premises Gateway Device 2:
route ALIYUN1 192.168.0.0 255.255.0.0 182.XX.XX.19          # Static route to the Alibaba Cloud VPC (192.168.0.0/16) through the tunnel interface.
route outside1 182.XX.XX.19 255.255.255.255 192.XX.XX.123   # Route to the public IP address of Tunnel 2 on Alibaba Cloud; the next hop is the upstream public gateway.
route private 172.16.0.0 255.255.0.0 172.16.40.219          # Route to the data center network.
Add routes to the data center based on your network environment. The routes must allow network traffic to be transmitted from the data center to the VPC preferentially over On-premises Gateway Device 1. If On-premises Gateway Device 1 is down, On-premises Gateway Device 2 automatically takes over. Contact your vendor to obtain the information about specific commands.
Step 5: Add routes to the VPN gateway
In the left-side navigation pane, open the VPN Gateway page.
In the top navigation bar, select the region of the VPN gateway.
On the VPN Gateway page, click the ID of the VPN gateway that you want to manage.
Click the Destination-based Route Table tab and click Add Route Entry.
In the Add Route Entry panel, configure the following parameters and click OK.
Destination CIDR Block: Enter the private CIDR block of the data center. In this example, 172.16.0.0/16 is entered.
Next Hop Type: Select a next hop type. In this example, IPsec-VPN connection is selected.
Next Hop: Select the next hop. In this example, the IPsec-VPN connection IPsec-Connection is selected.
Advertise to VPC: Specify whether to advertise the route to the VPC that is associated with the VPN gateway. In this example, Yes is selected, so that the VPC learns the route to the data center.
Step 6: Test the network connectivity
Test the network connectivity between the VPC and data center.
Log on to an ECS instance in the VPC. For more information about how to log on to an ECS instance, see Connection method overview.
Run the ping command on the ECS instance to ping a server in the data center. If echo replies are returned to the ECS instance, the VPC can communicate with the data center.
ping <Private IP address of a server in the data center>
Test high availability of the IPsec-VPN connection.
Log on to an ECS instance in the VPC. For more information about how to log on to an ECS instance, see Connection method overview.
Run the following command to consecutively send packets from the ECS instance to the data center:
ping -c 10000 <Private IP address of a server in the data center>
Close the active tunnel of the IPsec-VPN connection.
You can close the active tunnel by modifying the pre-shared key of the active tunnel on Alibaba Cloud: once the two sides of the tunnel use different pre-shared keys, authentication fails and the tunnel goes down. Restore the original pre-shared key after the test so that the active tunnel can be re-established.
After the active tunnel is closed, you can check the traffic status on the ECS instance. If the traffic is interrupted and then resumed, it indicates that the standby tunnel automatically takes over after the active tunnel is down.
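The failover test above only asks whether traffic resumed; a practitioner usually also wants to know how long the interruption lasted. The following Python script is an added example, not part of this page or of any Alibaba Cloud tool. It parses the output of the ping command used in the test, finds the icmp_seq numbers that received no reply, and reports the longest gap as seconds of outage, assuming the default 1-second probe interval of Linux ping. The sample output embedded in the script, including the address 172.16.50.10, is constructed for the example.

```python
"""Quantify the failover gap from ping output (added example, not part of the page)."""
import re
import sys

# Only reply lines contain "bytes from"; the "no answer yet for icmp_seq=N" lines
# that ping -O prints carry no reply and are deliberately not matched.
_REPLY_RE = re.compile(r"bytes from .*?icmp_seq=(\d+)")

# Constructed sample output of `ping -c 10000 <server>` captured across a tunnel failover.
SAMPLE = """\
PING 172.16.50.10 (172.16.50.10) 56(84) bytes of data.
64 bytes from 172.16.50.10: icmp_seq=1 ttl=62 time=3.21 ms
64 bytes from 172.16.50.10: icmp_seq=2 ttl=62 time=3.18 ms
64 bytes from 172.16.50.10: icmp_seq=3 ttl=62 time=3.25 ms
no answer yet for icmp_seq=4
no answer yet for icmp_seq=5
64 bytes from 172.16.50.10: icmp_seq=9 ttl=62 time=3.40 ms
64 bytes from 172.16.50.10: icmp_seq=10 ttl=62 time=3.33 ms
"""


def missing_sequences(ping_output: str) -> list:
    """Return (first, last) ranges of icmp_seq numbers that got no reply, in order."""
    seqs = [int(m.group(1)) for m in _REPLY_RE.finditer(ping_output)]
    gaps = []
    for prev, cur in zip(seqs, seqs[1:]):
        if cur > prev + 1:
            gaps.append((prev + 1, cur - 1))
    return gaps


def failover_seconds(ping_output: str, interval: float = 1.0) -> float:
    """Longest run of unanswered probes multiplied by the probe interval (1 s by default)."""
    gaps = missing_sequences(ping_output)
    if not gaps:
        return 0.0
    return max(hi - lo + 1 for lo, hi in gaps) * interval


if __name__ == "__main__":
    # Pipe a saved ping log into the script, or run it without input to use the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    print(f"unanswered probe ranges: {missing_sequences(data)}")
    print(f"longest outage: {failover_seconds(data):.1f} s")
```

Save the ping output with `ping -c 10000 <server> | tee ping.log` on the ECS instance, change the pre-shared key as described above, and feed the log to the script afterwards; if you ran ping with `-i` set to another interval, pass that value as `interval`.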