This topic describes how to establish an IPsec-VPN connection in single-tunnel mode between a virtual private cloud (VPC) and a data center by using a public VPN gateway, and how to configure Border Gateway Protocol (BGP) dynamic routing for the VPC and the data center to automatically learn routes. This way, the VPC and the data center can share resources with each other. This reduces network maintenance costs and network configuration errors.
Prerequisites
A public IP address is assigned to the gateway device in the data center before you associate an IPsec-VPN connection with a public VPN gateway.
The gateway device in the data center must support the IKEv1 or IKEv2 protocol to establish an IPsec-VPN connection with a transit router.
The CIDR block of the data center does not overlap with the CIDR block of the network to be accessed.
Regions that support BGP dynamic routing
Area | Region |
Asia Pacific | China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Shenzhen), China (Hong Kong), Japan (Tokyo), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta) |
Europe and Americas | Germany (Frankfurt), UK (London), US (Virginia), and US (Silicon Valley) |
Middle East | UAE (Dubai) |
Scenarios
The following scenario is used as an example. An enterprise has created a VPC in the Germany (Frankfurt) region. The private CIDR block of the VPC is 10.0.0.0/8 and the autonomous system number (ASN) is 65530. The enterprise has a data center in Frankfurt. The public IP address of the data center is 2.XX.XX.2, the private CIDR block is 172.17.0.0/16, and the ASN is 65531. The enterprise wants to establish a connection between the VPC and the data center for business development.
You can use IPsec-VPN to establish a connection between the VPC and the data center, and configure BGP dynamic routing. After the configuration is complete, the VPC and the data center can automatically learn routes and communicate with each other by using BGP dynamic routing. This reduces network maintenance costs and network configuration errors.
An autonomous system (AS) is a small unit that independently determines the routing protocol to be used in the system. This unit is an independent and manageable network unit. It may consist of a simple network or a network group that is controlled by one or more network administrators. Each AS has a globally unique identifier called ASN.
Preparations
A VPC is created in the Germany (Frankfurt) region and cloud services are deployed in the VPC. For more information, see Create a VPC with an IPv4 CIDR block.
Before you use VPN Gateway, you must read and understand the security group rules that apply to the ECS instances in VPCs. Make sure that the security group rules allow gateway devices in the data center to access cloud resources. For more information, see View security group rules and Add a security group rule.
Procedure
Step 1: Create a VPN gateway
- Log on to the VPN gateway console.
On the VPN Gateways page, click Create VPN Gateway.
On the buy page, configure the parameters that are described in the following table, click Buy Now, and then complete the payment.
The following table describes only the parameters that are relevant to this topic. You can use the default values of other parameters or leave them empty. For more information, see Create and manage a VPN gateway.
Parameter
Description
Region
The region in which you want to create the VPN gateway.
Make sure that the VPN gateway and the VPC reside in the same region. In this example, Germany (Frankfurt) is selected.
Gateway Type
The gateway type.
Default value: Standard.
Network Type
The network type. In this example, Public is selected.
Tunnels
The system displays the tunnel modes that are supported in this region. Valid values:
Single-tunnel
Dual-tunnel
For more information, see [Upgrade notice] IPsec-VPN connections support the dual-tunnel mode.
VPC
The VPC in which you want to create the VPN gateway. In this example, the VPC that is created in the Germany (Frankfurt) region is selected.
VSwitch
Select a vSwitch from the selected VPC.
If you select Single-tunnel, you need to specify only one vSwitch.
If you select Dual-tunnel, you need to specify two vSwitches.
After the IPsec-VPN feature is enabled, the system creates an elastic network interface (ENI) for each of the two vSwitches as an interface to communicate with the VPC over an IPsec-VPN connection. Each ENI occupies one IP address in the vSwitch.
NoteThe system selects a vSwitch by default. You can change or use the default vSwitch.
After a VPN gateway is created, you cannot modify the vSwitch associated with the VPN gateway. You can view the vSwitch associated with the VPN gateway, the zone to which the vSwitch belongs, and the ENI in the vSwitch on the details page of the VPN gateway.
vSwitch 2
Ignore this parameter if you select Single-tunnel for the Tunnels parameter.
IPsec-VPN
Specifies whether to enable IPsec-VPN. In this example, Enable is selected.
SSL-VPN
Specifies whether to enable SSL-VPN. In this example, Disable is selected.
The newly created VPN gateway is in the Preparing state and changes to the Normal state after about 1 to 5 minutes. After the state of the VPN gateway changes to Normal, the VPN gateway is ready for use. After the VPN gateway is created, a public IP address is automatically assigned to the gateway for establishing VPN connections.
If you want to use an existing VPN gateway, make sure that it is updated to the latest version. By default, if the existing VPN gateway i not of the latest version, you cannot use the BGP dynamic routing feature.
You can check whether your VPN gateway is of the latest version by viewing the Upgrade button on the details page of the VPN gateway. If your VPN gateway is not of the latest version, you can click Upgrade to upgrade the VPN gateway. For more information, see Upgrade a VPN gateway.
Step 2: Enable BGP dynamic routing
BGP is used to exchange routing information between different ASs. To use the BGP dynamic routing feature, you must enable the BGP dynamic routing feature for the VPN gateway.
In the left-side navigation pane, choose .
In the top navigation bar, select the region in which the VPN gateway resides.
On the VPN Gateways page, find the created VPN Gateway and turn on the switch in the Enable Automatic Route Advertisement column.
After the BGP dynamic routing feature is enabled, the VPN Gateway automatically advertises BGP routes to the VPC.
Step 3: Create a customer gateway
You can create a customer gateway to register the public IP address and BGP AS of the data center to Alibaba Cloud.
In the left-side navigation pane, choose .
In the top navigation bar, select the region in which you want to create the customer gateway.
NoteThe customer gateway and the VPN gateway to be connected must be deployed in the same region.
On the Customer Gateway page, click Create Customer Gateway.
In the Create Customer Gateway panel, configure the parameters that are described in the following table and click OK.
The following table describes only the parameters that are relevant to this topic. You can use the default values of other parameters or leave them empty. For more information, see Create and manage a customer gateway.
Parameter
Description
IP Address
The public IP address of the gateway device in the data center. In this example, 2.XX.XX.2 is used.
ASN
The ASN of the gateway device in the data center. In this example, 65531 is used.
Step 4: Create an IPsec-VPN connection
In the left-side navigation pane, choose .
In the top navigation bar, select the region in which you want to create the IPsec-VPN connection.
NoteThe IPsec-VPN connections must be created in the same region as the VPN gateway created in Step 1.
On the IPsec Connections page, click Create IPsec-VPN Connection.
On the Create IPsec-VPN Connection page, configure the parameters that are described in the following table and click OK.
The following table describes only the parameters that are relevant to this topic. You can use the default values of other parameters or leave them empty. For more information, see Create and manage IPsec-VPN connections in single-tunnel mode.
Parameter
Description
Associate Resource
Select the type of network resource to be associated with the IPsec-VPN connection.
In this example, VPN Gateway is selected.
VPN Gateway
The VPN gateway to be associated with the IPsec-VPN connection.
In this example, the VPN gateway that is created in Step 1 is selected.
Routing Mode
Select a routing mode.
Valid values: Destination Routing Mode or Protected Data Flows. If the IPsec-VPN connection uses BGP dynamic routing, we recommend that you select Destination Routing Mode. In this example, Destination Routing Mode is selected.
Effective Immediately
Specify whether to immediately start negotiations for the connection.
Yes: immediately starts negotiations after the configuration is complete.
No: starts negotiations when inbound traffic is detected.
In this example, Yes is selected.
Customer Gateway
The customer gateway to be associated with the IPsec-VPN connection.
In this example, the customer gateway that is created in Step 3 is selected.
Pre-shared Key
The pre-shared key that is used for authentication.
The pre-shared keys must be the same on both the VPN gateway associated with the IPsec-VPN connection and the gateway device in the data center. In this example, 123456**** is used.
Enable BGP
Specify whether to enable Border Gateway Protocol (BGP). If you want to use BGP routing for the IPsec-VPN connection, turn on Enable BGP. By default, Enable BGP is turned off.
In this example, Enable BGP is turned on.
Local ASN
The local ASN of the tunnel. Default value: 45104.
In this example, 65530 is used.
Encryption Configuration
Use the default values of parameters except for the following parameters.
Set the DH Group parameter in the IKE Configurations section to group14.
Set the DH Group parameter in the IPsec Configurations section to group14.
NoteYou must configure parameters in the Encryption Configuration section based on the gateway device in the data center to ensure that the encryption configurations of the IPsec-VPN connection are consistent with those of the gateway device in the data center.
BGP Configuration
Tunnel CIDR Block
The CIDR block of the IPsec tunnel. In this example, 169.254.10.0/30 is used.
Local BGP IP address
The BGP IP address on the VPC side. The IP address must fall within the CIDR block of the IPsec tunnel. In this example, 169.254.10.1 is used.
In the Created message, click OK.
Step 5: Add VPN configurations to the gateway device in the data center
After you create an IPsec-VPN connection, you need to add the VPN configurations to the gateway device in the data center to establish a VPN connection between the VPC and the data center.
Download the VPN configurations to be added to the gateway device in the data center. For more information, see the "Download the configurations of an IPsec-VPN connection" section of the Create and manage IPsec-VPN connections in single tunnel mode topic.
Add the VPN configurations to the gateway device in the data center. For more information, see the Configure an IPsec-VPN configuration in single-tunnel mode section
of the Load the IPsec-VPN configuration to a Cisco firewall device topic.
After the IPsec-VPN connection is created, routes are automatically advertised based on BGP dynamic routing.
After you advertise the CIDR block of the data center by using BGP dynamic routing on the gateway device in the data center, the VPN gateway on Alibaba Cloud automatically advertises the routes that are learned from the data center to the system route table of the VPC. You can view route information about the system route table on the Dynamic Route tab.
The VPN Gateway on Alibaba Cloud automatically learns the system routes from the system route table of the VPC and automatically advertises the routes to the gateway device in the data center.
Step 6: Test the connectivity
Log on to an Elastic Compute Service (ECS) instance in the VPC. For more information about how to log on to an ECS instance, see Connection method overview.
Run the
ping
command to access a client in the data center and check the connectivity.The result shows that the ECS instance in the VPC can access the client in the data center.
Log on to the client in the data center.
Run the
ping
command to access the ECS instance in the VPC and check the connectivity.The result shows that the client in the data center can access the ECS instance in the VPC.