This topic describes how to create multiple private IPsec-VPN connections between a data center and a virtual private cloud (VPC). You can use the connections to encrypt data transmission between the data center and the VPC and implement load balancing based on equal-cost multi-path (ECMP) routing.
Background information
The preceding scenario is used as an example in this topic. An enterprise owns a data center in Shanghai and created a VPC in the China (Hangzhou) region. Applications are deployed on an Elastic Compute Service (ECS) instance in the VPC. The enterprise wants to create private connections between the data center and the VPC. The enterprise also wants to encrypt the private connections and use the connections to implement load balancing based on ECMP routing.
Network design
Network settings
The following network settings are used in this topic:
The data center is connected to Alibaba Cloud through two Express Connect circuits, and communicates with the VPC through a Cloud Enterprise Network (CEN) instance. The two Express Connect circuits ensure network redundancy and forward traffic.
After the data center and the VPC are connected through Express Connect circuits, you can create IPsec-VPN connections over the Express Connect circuits. You can create two IPsec-VPN connections over each Express Connect circuit. The connections encrypt data transmission between the data center and the VPC, and balance the load of traffic based on ECMP routing.
When you create the IPsec-VPN connections, set Gateway Type to Private.
Set the Associate Resource parameter of the IPsec-VPN connections to CEN. This way, the IPsec-VPN connections are aggregated for ECMP routing.
Note: You can associate IPsec-VPN connections only with Enterprise Edition transit routers on CEN instances.
The data center, the virtual border routers (VBRs), and the IPsec-VPN connections use Border Gateway Protocol (BGP) to automatically learn and advertise routes. This facilitates routing configuration. When one of the IPsec-VPN connections fails, traffic is redirected to another IPsec-VPN connection. This ensures service reliability.
Network planning
When you plan CIDR blocks, make sure that the CIDR blocks of the data center and the VPC do not overlap.
The values in the following table are the ones used in the steps of this topic.
| Item | CIDR block and IP address |
| --- | --- |
| VPC | Primary CIDR block: 172.16.0.0/16 |
| IPsec-VPN connections | BGP configurations: local ASN 45104 for all four connections. Tunnel CIDR blocks: 169.254.10.0/30, 169.254.11.0/30, 169.254.12.0/30, and 169.254.13.0/30 for IPsec-VPN Connection 1 to 4. Local BGP IP addresses: 169.254.10.1, 169.254.11.1, 169.254.12.1, and 169.254.13.1. |
| VBR | VBR1 configurations: VLAN ID 201; Alibaba Cloud side IPv4 address 10.0.0.2; data center side IPv4 address 10.0.0.1; subnet mask 255.255.255.252; local ASN 45104; peer ASN 65530. VBR2 configurations: VLAN ID 202; Alibaba Cloud side IPv4 address 10.0.1.2; data center side IPv4 address 10.0.1.1; subnet mask 255.255.255.252; local ASN 45104; peer ASN 65530. |
| On-premises gateway devices | VPN IP addresses of the on-premises gateway devices: 192.168.0.1 and 192.168.1.1 for On-premises Gateway Device 1; 192.168.1.2 and 192.168.2.2 for On-premises Gateway Device 2. BGP configurations of the on-premises gateway devices: ASN 65530 for both devices; BGP router ID 10.0.0.1 for On-premises Gateway Device 1 and 10.0.1.1 for On-premises Gateway Device 2. |
| Data center | CIDR blocks to be connected to the VPC: 192.168.0.0/24, 192.168.1.0/24, and 192.168.2.0/24. |
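The following added example (not part of the original topic) validates a plan like the one above before anything is created: it checks that the VPC and data center CIDR blocks do not overlap, and applies the tunnel CIDR block rules that Step 3 states for the Tunnel CIDR Block and Local BGP IP address parameters. The plan values are this topic's own; the check that rejects the network and broadcast address of a /30 is an added sanity check.

```python
import ipaddress

# Planning values from this topic (VPC, data center, and the four IPsec-VPN connections).
EXAMPLE_PLAN = {
    "vpc_cidr": "172.16.0.0/16",
    "data_center_cidrs": ["192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24"],
    "connections": [
        {"name": "IPsec-VPN Connection 1", "tunnel_cidr": "169.254.10.0/30", "local_bgp_ip": "169.254.10.1"},
        {"name": "IPsec-VPN Connection 2", "tunnel_cidr": "169.254.11.0/30", "local_bgp_ip": "169.254.11.1"},
        {"name": "IPsec-VPN Connection 3", "tunnel_cidr": "169.254.12.0/30", "local_bgp_ip": "169.254.12.1"},
        {"name": "IPsec-VPN Connection 4", "tunnel_cidr": "169.254.13.0/30", "local_bgp_ip": "169.254.13.1"},
    ],
}

# Tunnel CIDR block rules stated for the Tunnel CIDR Block parameter in Step 3.
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
RESERVED_TUNNEL_BLOCKS = {
    ipaddress.ip_network(b) for b in (
        "169.254.0.0/30", "169.254.1.0/30", "169.254.2.0/30", "169.254.3.0/30",
        "169.254.4.0/30", "169.254.5.0/30", "169.254.169.252/30",
    )
}


def overlapping_pairs(cidrs):
    """Return every pair of CIDR blocks in the list that overlap (ideally none)."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return [
        (str(a), str(b))
        for i, a in enumerate(nets)
        for b in nets[i + 1:]
        if a.overlaps(b)
    ]


def tunnel_cidr_errors(cidr):
    """Check one tunnel CIDR block against the rules the IPsec-VPN connection enforces."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)  # strict: host bits must be zero
    except ValueError as exc:
        return [f"{cidr}: not a valid CIDR block ({exc})"]
    errors = []
    if not net.subnet_of(LINK_LOCAL):
        errors.append(f"{cidr}: must fall into {LINK_LOCAL}")
    if net.prefixlen != 30:
        errors.append(f"{cidr}: subnet mask must be 30 bits, got {net.prefixlen}")
    if net in RESERVED_TUNNEL_BLOCKS:
        errors.append(f"{cidr}: reserved block that cannot be used as a tunnel CIDR block")
    return errors


def bgp_ip_errors(cidr, local_bgp_ip):
    """The local BGP IP address must fall within the tunnel CIDR block.
    Rejecting the network and broadcast address of the /30 is an added sanity
    check (not a rule stated on the page): only the two host addresses are usable."""
    net = ipaddress.ip_network(cidr, strict=False)
    ip = ipaddress.ip_address(local_bgp_ip)
    if ip not in net:
        return [f"{local_bgp_ip}: not within tunnel CIDR block {cidr}"]
    if ip in (net.network_address, net.broadcast_address):
        return [f"{local_bgp_ip}: not a usable host address in {cidr}"]
    return []


def plan_errors(plan):
    """Validate a whole plan; an empty list means every rule above is satisfied."""
    errors = []
    for a, b in overlapping_pairs([plan["vpc_cidr"]] + plan["data_center_cidrs"]):
        errors.append(f"{a} overlaps {b}: VPC and data center CIDR blocks must not overlap")
    valid_tunnels = []
    for conn in plan["connections"]:
        errs = tunnel_cidr_errors(conn["tunnel_cidr"])
        if errs:
            errors += [f"{conn['name']}: {e}" for e in errs]
            continue
        valid_tunnels.append(conn["tunnel_cidr"])
        errors += [f"{conn['name']}: {e}"
                   for e in bgp_ip_errors(conn["tunnel_cidr"], conn["local_bgp_ip"])]
    # Each connection needs its own tunnel block; two tunnels must not share one.
    for a, b in overlapping_pairs(valid_tunnels):
        errors.append(f"{a} overlaps {b}: each connection needs its own tunnel CIDR block")
    return errors


if __name__ == "__main__":
    for line in plan_errors(EXAMPLE_PLAN) or ["plan OK"]:
        print(line)
```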
Preparations
Make sure that the following prerequisites are met before you start:
A VPC is created in the China (Hangzhou) region. Applications are deployed on the ECS instance in the VPC. For more information, see Create a VPC with an IPv4 CIDR block.
A CEN instance is created. An Enterprise Edition transit router is created in the China (Hangzhou) and China (Shanghai) regions. For more information, see Create a CEN instance and Create a transit router.
Important: When you create a transit router, you must configure a CIDR block for the transit router. Otherwise, IPsec-VPN connections cannot be associated with the transit router.
If you have already created a transit router, you can configure a CIDR block for it afterwards. For more information, see Transit router CIDR blocks.
Procedure
Step 1: Deploy Express Connect circuits
You must deploy an Express Connect circuit to connect the data center to Alibaba Cloud.
Create dedicated connections over Express Connect circuits.
In this example, two dedicated connections over Express Connect circuits are created in the China (Shanghai) region. The Express Connect circuits are named Express Connect Circuit 1 and Express Connect Circuit 2. For more information, see Create and manage a dedicated connection over an Express Connect circuit.
When you apply for Express Connect Circuit 2, you may need to specify a redundant Express Connect circuit based on the access point.
If you want to connect the two Express Connect circuits to the same access point, set Redundant Physical Connection ID to the ID of Express Connect Circuit 1. This way, the two Express Connect circuits are connected to different access devices.
If the two Express Connect circuits are connected to different access points, you do not need to specify a redundant Express Connect circuit. In this case, you do not need to specify Redundant Physical Connection ID.
In this example, the Express Connect circuits are connected to different access points.
Create VBRs.
Log on to the Express Connect console.
In the left-side navigation pane, click Virtual Border Routers (VBRs).
In the top navigation bar, select the region where you want to create the VBR.
In this example, China (Shanghai) is selected.
On the Virtual Border Routers (VBRs) page, click Create VBR.
In the Create VBR panel, configure the following parameters and click OK.
Create two VBRs based on the following information. Associate the VBRs with different Express Connect circuits. The following table describes only the key parameters. The default values are used for other parameters. For more information, see Create and manage a VBR.
| Parameter | Description | VBR1 | VBR2 |
| --- | --- | --- | --- |
| Account | Specify whether to create a VBR for the current or another Alibaba Cloud account. | In this example, Current account is selected. | In this example, Current account is selected. |
| Name | Specify a name for the VBR. | In this example, VBR1 is used. | In this example, VBR2 is used. |
| Express Connect Circuit | Select the Express Connect circuit that you want to associate with the VBR. | In this example, Dedicated Physical Connection is selected, and Express Connect Circuit 1 created in Step 1 is selected. | In this example, Dedicated Physical Connection is selected, and Express Connect Circuit 2 created in Step 1 is selected. |
| VLAN ID | Specify the VLAN ID of the VBR. Note: Make sure that the VLAN ID of the VBR is the same as the VLAN ID of the interface that the on-premises gateway device uses to connect to the Express Connect circuit. | In this example, 201 is used. | In this example, 202 is used. |
| Set VBR Bandwidth Value | Specify a maximum bandwidth value for the VBR. | Select a maximum bandwidth value based on your business requirements. | Select a maximum bandwidth value based on your business requirements. |
| Alibaba Cloud Side IPv4 Address | Specify an IPv4 address for the VBR to route network traffic from the VPC to the data center. | In this example, 10.0.0.2 is used. | In this example, 10.0.1.2 is used. |
| Data Center Side IPv4 Address | Specify an IPv4 address for the gateway device in the data center to route network traffic from the data center to the VPC. | In this example, 10.0.0.1 is used. | In this example, 10.0.1.1 is used. |
| IPv4 Subnet Mask | Specify the subnet mask of the specified IPv4 addresses. | In this example, 255.255.255.252 is used. | In this example, 255.255.255.252 is used. |
Configure a BGP group for the VBR.
On the Virtual Border Routers (VBRs) page, click the ID of the VBR that you want to manage.
On the details page, click the BGP Groups tab.
On the BGP Groups tab, click Create BGP Group, set the following parameters, and then click OK.
Configure the BGP groups based on the following information. The following table describes only the key parameters. The default values are used for other parameters. For more information, see Create a BGP group.
| Parameter | Description | VBR1 | VBR2 |
| --- | --- | --- | --- |
| Name | Specify a name for the BGP group. | In this example, VBR1-BGP is used. | In this example, VBR2-BGP is used. |
| Peer ASN | Specify the ASN of the on-premises gateway device. | In this example, 65530 is used. This is the ASN of On-premises Gateway Device 1. | In this example, 65530 is used. This is the ASN of On-premises Gateway Device 2. |
| Local ASN | Specify the ASN of the VBR. | In this example, 45104 is used. This is the ASN of VBR1. | In this example, 45104 is used. This is the ASN of VBR2. |
Configure a BGP peer for each VBR.
On the VBR details page, click the BGP Peers tab.
On the BGP Peers tab, click Create BGP Peer.
In the Create BGP Peer panel, set the following parameters and click OK.
Configure the BGP peers based on the following information. The following table describes only the key parameters. The default values are used for other parameters. For more information, see Create a BGP peer.
| Parameter | Description | VBR1 | VBR2 |
| --- | --- | --- | --- |
| BGP Group | The BGP group to which you want to add the BGP peer. | In this example, VBR1-BGP is selected. | In this example, VBR2-BGP is selected. |
| BGP Peer IP Address | The IP address of the BGP peer. | In this example, the IP address 10.0.0.1 is used. This is the IP address of the interface that On-premises Gateway Device 1 uses to connect to Express Connect Circuit 1. | In this example, the IP address 10.0.1.1 is used. This is the IP address of the interface that On-premises Gateway Device 2 uses to connect to Express Connect Circuit 2. |
Configure BGP routing for the on-premises gateway devices.
After you configure BGP routing for the on-premises gateway devices, the on-premises gateway devices and the VBRs establish peering connections, and automatically learn and advertise routes.
Note: In this example, Cisco Adaptive Security Appliance (ASA) Software 9.19.1 is used to describe how to configure a Cisco firewall. The commands may vary with software versions. Consult the documentation or your vendor based on your actual environment during operations. For more information, see Configure local gateways.
The following content contains third-party product information, which is only for reference. Alibaba Cloud does not make guarantees or other forms of commitments for the performance and reliability of third-party products, or the potential impacts of operations performed by using these products.
On-premises Gateway Device 1:
interface GigabitEthernet0/3
 nameif VBR1                             # The name of the interface that is connected to VBR1.
 security-level 0
 ip address 10.0.0.1 255.255.255.252     # The data center side IPv4 address of VBR1. The subnet mask matches the IPv4 Subnet Mask configured for VBR1 (255.255.255.252).
 no shutdown                             # Enable the interface.
!
router bgp 65530                         # Enable BGP and configure the ASN of the data center. In this example, 65530 is used.
 bgp router-id 10.0.0.1                  # Enter the ID of the BGP router. In this example, 10.0.0.1 is used.
 address-family ipv4 unicast
  neighbor 10.0.0.2 remote-as 45104      # Establish a peering connection to VBR1.
  neighbor 10.0.0.2 activate             # Activate the BGP peer.
  network 192.168.0.0 mask 255.255.255.0 # Advertise the CIDR blocks of the data center.
  network 192.168.1.0 mask 255.255.255.0
  network 192.168.2.0 mask 255.255.255.0
 exit-address-family
!
On-premises Gateway Device 2:
interface GigabitEthernet0/3
 nameif VBR2                             # The name of the interface that is connected to VBR2.
 security-level 0
 ip address 10.0.1.1 255.255.255.252     # The data center side IPv4 address of VBR2. The subnet mask matches the IPv4 Subnet Mask configured for VBR2 (255.255.255.252).
 no shutdown                             # Enable the interface.
!
router bgp 65530                         # Enable BGP and configure the ASN of the data center. In this example, 65530 is used.
 bgp router-id 10.0.1.1                  # Enter the ID of the BGP router. In this example, 10.0.1.1 is used.
 address-family ipv4 unicast
  neighbor 10.0.1.2 remote-as 45104      # Establish a peering connection to VBR2.
  neighbor 10.0.1.2 activate             # Activate the BGP peer.
  network 192.168.0.0 mask 255.255.255.0 # Advertise the CIDR blocks of the data center.
  network 192.168.1.0 mask 255.255.255.0
  network 192.168.2.0 mask 255.255.255.0
 exit-address-family
!
Step 2: Configure a CEN instance
After you deploy the Express Connect circuits, the data center is connected to Alibaba Cloud through the Express Connect circuits. However, the data center and the VPC cannot communicate with each other. To enable communication between the data center and the VPC, you must connect the virtual border routers (VBRs) and the VPC to a CEN instance.
Create a VPC connection.
Log on to the CEN console.
On the Instances page, find the CEN instance that you created and click its ID.
On the tab, find the transit router that you want to manage in the China (Hangzhou) region and click Create Connection in the Actions column.
On the Connection with Peer Network Instance page, configure the following parameters and click OK.
The following table describes only the key parameters. The default values are used for other parameters. For more information, see Create a VPC connection.
| Parameter | Description | VPC connection |
| --- | --- | --- |
| Instance Type | Select the type of network instance. | In this example, Virtual Private Cloud (VPC) is selected. |
| Region | Select the region of the network instance. | In this example, China (Hangzhou) is selected. |
| Transit Router | The system automatically displays the transit router in the current region. | The transit router in the China (Hangzhou) region. |
| Resource Owner ID | Specify whether the network instance belongs to the current Alibaba Cloud account. | In this example, Your Account is selected. |
| Billing Method | Select a billing method for the VPC connection. Default value: Pay-As-You-Go. For more information about the billing rules for transit routers, see Billing rules. | In this example, the default value is used. |
| Attachment Name | Enter a name for the VPC connection. | In this example, VPC-Attachment is used. |
| Network Instance | Select a network instance. | In this example, the VPC created in the Preparations section is selected. |
| vSwitch | Select the vSwitches that are deployed in the zones of the transit router. If the transit router (TR) supports only one zone in the current region, you need to select a vSwitch in the zone. If the TR supports multiple zones in the current region, you need to select at least two vSwitches that reside in different zones. When the VPC and TR communicate, the vSwitches are used to implement zone-disaster recovery. We recommend that you select a vSwitch in each zone to reduce the network latency and improve network performance because data can be transmitted over a shorter distance. Make sure that each selected vSwitch has at least one idle IP address. If the VPC does not have a vSwitch in the zone supported by the TR or the vSwitch does not have an idle IP address, create a new vSwitch in the zone. For more information, see Create and manage a vSwitch. | In this example, vSwitch 1 is selected in Zone H and vSwitch 2 is selected in Zone I. |
| Advanced configurations | Specify whether to enable the advanced features. By default, all advanced features are enabled. | In this example, the default settings are used. |
Attach the VBR to the CEN instance.
On the tab, find the transit router in the China (Shanghai) region and click Create Connection in the Actions column.
On the Connection with Peer Network Instance page, configure the following parameters and click OK.
Create a VBR connection for VBR1 and VBR2 based on the following information. The following table describes only the key parameters. The default values are used for other parameters. For more information, see Connect a VBR to an Enterprise Edition transit router.
| Parameter | Description | VBR1 | VBR2 |
| --- | --- | --- | --- |
| Instance Type | Select the type of network instance. | In this example, Virtual Border Router (VBR) is selected. | In this example, Virtual Border Router (VBR) is selected. |
| Region | Select the region of the network instance. | In this example, China (Shanghai) is selected. | In this example, China (Shanghai) is selected. |
| Transit Router | The system automatically displays the transit router in the selected region. | The transit router in the China (Shanghai) region. | The transit router in the China (Shanghai) region. |
| Resource Owner ID | Specify whether the network instance belongs to the current Alibaba Cloud account. | In this example, Your Account is selected. | In this example, Your Account is selected. |
| Attachment Name | Specify a name for the network connection. | In this example, VBR1-Attachment is used. | In this example, VBR2-Attachment is used. |
| Network Instance | Select a network instance. | In this example, VBR1 is selected. | In this example, VBR2 is selected. |
| Advanced Settings | Specify whether to enable the advanced features. By default, all advanced features are enabled. | In this example, the default settings are used. | In this example, the default settings are used. |
Create an inter-region connection.
The transit router associated with the VBRs and the transit router associated with the VPC are deployed in different regions. By default, the VBRs cannot communicate with the VPC in this scenario. To allow the VBRs to communicate with the VPC across regions, you need to create an inter-region connection between the transit router in the China (Hangzhou) region and the transit router in the China (Shanghai) region.
On the Instances page, find the CEN instance that you want to manage and click its ID.
Navigate to the tab and click Set Region Connection. On the Connection with Peer Network Instance page, set the following parameters and click OK.
Create an inter-region connection based on the following table. Use the default values for the other parameters. For more information, see Create an inter-region connection.
| Parameter | Description |
| --- | --- |
| Instance Type | In this example, Inter-region Connection is selected. |
| Region | Select one of the regions to be connected. In this example, China (Hangzhou) is selected. |
| Transit Router | The ID of the transit router in the selected region is automatically displayed. |
| Attachment Name | Enter a name for the inter-region connection. In this example, Cross-Region-test is used. |
| Peer Region | Select the other region to be connected. In this example, China (Shanghai) is selected. |
| Transit Router | The ID of the transit router in the peer region is automatically displayed. |
| Bandwidth Allocation Mode | The following modes are supported: Allocate from Bandwidth Plan (bandwidth is allocated from a bandwidth plan) and Pay-By-Data-Transfer (you are charged for data transfer over the inter-region connection). In this example, Pay-By-Data-Transfer is selected. |
| Bandwidth | Specify a maximum bandwidth value for the inter-region connection. Unit: Mbit/s. |
| Default Line Type | Select a line type for the inter-region connection. |
| Advanced Settings | Use the default settings. All advanced features are enabled. |
Step 3: Create IPsec-VPN connections
After you complete the preceding steps, the data center can communicate with the VPC over private connections. However, data transmission between the data center and the VPC is not encrypted. To encrypt data transmission, you must create IPsec-VPN connections between the data center and Alibaba Cloud.
Log on to the VPN Gateway console.
Create a customer gateway.
Before you create an IPsec-VPN connection, you need to create a customer gateway to provide information about the on-premises gateway device to Alibaba Cloud.
In the left-side navigation pane, choose .
In the top navigation bar, select the region of the customer gateway.
VPN gateways do not support cross-border IPsec-VPN connections. Therefore, you need to follow the nearby access principle and select a region that is closest to your data center when you choose the region in which your customer gateway is deployed. In this example, China (Shanghai) is selected.
For more information about cross-border connections, see What is VPN Gateway?.
On the Customer Gateway page, click Create Customer Gateway.
In the Create Customer Gateway panel, configure the following parameters and click OK.
Create four customer gateways in the China (Shanghai) region based on the following information. The following table describes only the key parameters. The default values are used for other parameters. For more information, see Create a customer gateway.
| Parameter | Description | Customer Gateway 1 | Customer Gateway 2 | Customer Gateway 3 | Customer Gateway 4 |
| --- | --- | --- | --- | --- | --- |
| Name | Specify a name for the customer gateway. | In this example, Customer-Gateway1 is used. | In this example, Customer-Gateway2 is used. | In this example, Customer-Gateway3 is used. | In this example, Customer-Gateway4 is used. |
| IP Address | Specify the public IP address of the on-premises gateway device to be connected to Alibaba Cloud. | In this example, 192.168.0.1 is used. This is the first VPN IP address of On-premises Gateway Device 1. | In this example, 192.168.1.1 is used. This is the second VPN IP address of On-premises Gateway Device 1. | In this example, 192.168.1.2 is used. This is the first VPN IP address of On-premises Gateway Device 2. | In this example, 192.168.2.2 is used. This is the second VPN IP address of On-premises Gateway Device 2. |
| ASN | Specify the BGP ASN of the on-premises gateway device. | In this example, 65530 is used. | In this example, 65530 is used. | In this example, 65530 is used. | In this example, 65530 is used. |
Create an IPsec-VPN connection.
After you create customer gateways, you need to create IPsec-VPN connections between Alibaba Cloud and the data center.
In the left-side navigation pane, choose .
In the top navigation bar, select the region where you want to create the IPsec-VPN connection.
The IPsec-VPN connections and the customer gateways must be created in the same region. In this example, China (Shanghai) is selected.
On the IPsec-VPN connection page, click Create IPsec-VPN Connection.
On the Create IPsec-VPN Connection page, set the parameters for the IPsec-VPN connection and click OK.
Create four IPsec-VPN connections in the China (Shanghai) region based on the following information. You are charged for using IPsec-VPN connections. For more information, see Billing.
| Parameter | Description | IPsec-VPN Connection 1 | IPsec-VPN Connection 2 | IPsec-VPN Connection 3 | IPsec-VPN Connection 4 |
| --- | --- | --- | --- | --- | --- |
| Name | Specify a name for the IPsec-VPN connection. | In this example, IPsec-VPN Connection 1 is used. | In this example, IPsec-VPN Connection 2 is used. | In this example, IPsec-VPN Connection 3 is used. | In this example, IPsec-VPN Connection 4 is used. |
| Associate Resource | Select the type of network resource to be associated with the IPsec-VPN connection. | In this example, CEN is selected. | In this example, CEN is selected. | In this example, CEN is selected. | In this example, CEN is selected. |
| Gateway Type | Select the network type of the IPsec-VPN connection. | In this example, Private is selected. | In this example, Private is selected. | In this example, Private is selected. | In this example, Private is selected. |
| CEN Instance ID | Select a CEN instance. | In this example, the CEN instance created in the Preparations section is selected. | In this example, the CEN instance created in the Preparations section is selected. | In this example, the CEN instance created in the Preparations section is selected. | In this example, the CEN instance created in the Preparations section is selected. |
| Transit Router | The transit router to be associated with the IPsec-VPN connection. The system automatically selects the transit router in the region in which the IPsec-VPN connection is created. | The transit router in the China (Shanghai) region. | The transit router in the China (Shanghai) region. | The transit router in the China (Shanghai) region. | The transit router in the China (Shanghai) region. |
| Zone | Select the zone in which the IPsec-VPN connection is created. Make sure that the IPsec-VPN connection is created in a zone that supports transit routers. Note: In this scenario, we recommend that you deploy IPsec-VPN connections in different zones to implement disaster recovery. In this example, Shanghai Zone F is selected for some of the connections and Shanghai Zone G for the others. | Shanghai Zone F or Shanghai Zone G (see Description). | Shanghai Zone F or Shanghai Zone G (see Description). | Shanghai Zone F or Shanghai Zone G (see Description). | Shanghai Zone F or Shanghai Zone G (see Description). |
| Routing Mode | The routing mode. | In this example, Destination Routing Mode is selected. | In this example, Destination Routing Mode is selected. | In this example, Destination Routing Mode is selected. | In this example, Destination Routing Mode is selected. |
| Effective Immediately | Select whether to immediately apply the settings of the IPsec-VPN connection. Valid values: Yes, the negotiations immediately start after the configuration is complete; No, the negotiations start when inbound traffic is detected. | In this example, Yes is selected. | In this example, Yes is selected. | In this example, Yes is selected. | In this example, Yes is selected. |
| Customer Gateway | Select the customer gateway that you want to associate with the IPsec-VPN connection. | In this example, Customer-Gateway1 is selected. | In this example, Customer-Gateway2 is selected. | In this example, Customer-Gateway3 is selected. | In this example, Customer-Gateway4 is selected. |
| Pre-Shared Key | Specify a pre-shared key that is used to authenticate the on-premises gateway device. The key must be 1 to 100 characters in length, and can contain digits, letters, and the following special characters: ~ ` ! @ # $ % ^ & * ( ) _ - + = { } [ ] \ \| ; : ' , . < > / ? The key cannot contain spaces. If you do not specify a pre-shared key, the system randomly generates a 16-character string as the pre-shared key. After an IPsec-VPN connection is created, you can click Edit in the Actions column of the IPsec-VPN connection to view the pre-shared key that is generated for the IPsec-VPN connection. For more information, see the Modify an IPsec-VPN connection section of this topic. Important: The IPsec-VPN connection and peer gateway device must use the same pre-shared key. Otherwise, the system cannot establish an IPsec-VPN connection. | In this example, fddsFF123**** is used. | In this example, fddsFF456**** is used. | In this example, fddsFF789**** is used. | In this example, fddsFF901**** is used. |
| Enable BGP | Specify whether to enable BGP. By default, BGP is disabled. | In this example, BGP is enabled. | In this example, BGP is enabled. | In this example, BGP is enabled. | In this example, BGP is enabled. |
| Local ASN | Specify the ASN of the IPsec-VPN connection. | In this example, 45104 is used. | In this example, 45104 is used. | In this example, 45104 is used. | In this example, 45104 is used. |
| Encryption Configuration | Set encryption configurations, including IKE configurations and IPsec configurations. Use the default settings except for the following parameters: set the DH Group parameter in the IKE Configurations section to group14, and set the DH Group parameter in the IPsec Configurations section to group14. For more information, see Create and manage IPsec-VPN connections associated with transit routers. Note: You need to select encryption parameters based on the on-premises gateway device to ensure that the encryption configurations for the IPsec-VPN connection are the same as those for the on-premises gateway device. | DH Group set to group14 in both the IKE Configurations and IPsec Configurations sections; default values for the other parameters. | DH Group set to group14 in both the IKE Configurations and IPsec Configurations sections; default values for the other parameters. | DH Group set to group14 in both the IKE Configurations and IPsec Configurations sections; default values for the other parameters. | DH Group set to group14 in both the IKE Configurations and IPsec Configurations sections; default values for the other parameters. |
| BGP Configuration: Tunnel CIDR Block | Specify the CIDR block that is used for IPsec tunneling. The CIDR block must fall into 169.254.0.0/16. The subnet mask of the CIDR block must be 30 bits in length. The CIDR block cannot be 169.254.0.0/30, 169.254.1.0/30, 169.254.2.0/30, 169.254.3.0/30, 169.254.4.0/30, 169.254.5.0/30, or 169.254.169.252/30. | In this example, 169.254.10.0/30 is used. | In this example, 169.254.11.0/30 is used. | In this example, 169.254.12.0/30 is used. | In this example, 169.254.13.0/30 is used. |
| BGP Configuration: Local BGP IP Address | Specify a BGP IP address for the IPsec-VPN connection. The IP address must fall within the CIDR block of the IPsec tunnel. | In this example, 169.254.10.1 is used. | In this example, 169.254.11.1 is used. | In this example, 169.254.12.1 is used. | In this example, 169.254.13.1 is used. |
| Advanced Configuration | Specify whether to enable the advanced features, which allow the IPsec-VPN connection to automatically advertise and learn routes. By default, the advanced features are enabled. | In this example, the advanced features are enabled. | In this example, the advanced features are enabled. | In this example, the advanced features are enabled. | In this example, the advanced features are enabled. |
After the IPsec-VPN connections are created, the system assigns a private gateway IP address to each IPsec-VPN connection. The gateway IP address is an endpoint on the Alibaba Cloud side of the IPsec-VPN connection. You can view the gateway IP address of the IPsec-VPN connection on the details page, as shown in the following figure.
The following table describes the gateway IP addresses that are assigned to IPsec-VPN Connection 1, IPsec-VPN Connection 2, IPsec-VPN Connection 3, and IPsec-VPN Connection 4.
| IPsec-VPN connection | Gateway IP address |
| --- | --- |
| IPsec-VPN Connection 1 | 192.168.168.1 |
| IPsec-VPN Connection 2 | 192.168.168.2 |
| IPsec-VPN Connection 3 | 192.168.168.3 |
| IPsec-VPN Connection 4 | 192.168.168.4 |
Note: The system assigns gateway IP addresses to IPsec-VPN connections only after you associate the IPsec-VPN connections with transit routers. When you create an IPsec-VPN connection, if you set Associate Resource to Do Not Associate or VPN Gateway, the system does not assign a gateway IP address to the IPsec-VPN connection.
After a private IPsec-VPN connection is associated with a transit router, the system automatically advertises the gateway IP address of the IPsec-VPN connection to the route table of the transit router.
Download the configuration of the IPsec-VPN connection peer.
Return to the IPsec-VPN connection page, find the IPsec-VPN connection that you created, and then click Generate Peer Configuration in the Actions column.
Download the peer configurations of the four IPsec-VPN connections to your on-premises machine so that you can use the configurations when you add VPN configurations to the on-premises gateway devices.
Add VPN configurations and BGP configurations to the on-premises gateway device.
After the IPsec-VPN connections are created, perform the following steps to add the VPN and BGP configurations in the peer configurations that you downloaded to the On-premises Gateway Device 1 and On-premises Gateway Device 2. This way, the data center can communicate with Alibaba Cloud over the IPsec-VPN connections.
Note: In this example, Cisco Adaptive Security Appliance (ASA) Software 9.19.1 is used to describe how to configure a Cisco firewall. The commands may vary with software versions. Consult the documentation or your vendor based on your actual environment during operations. For more information, see Configure local gateways.
The following content contains third-party product information, which is only for reference. Alibaba Cloud does not make guarantees or other forms of commitments for the performance and reliability of third-party products, or the potential impacts of operations performed by using these products.
Configure On-premises Gateway Device 1
Log on to the CLI of the Cisco firewall and enter the configuration mode.
ciscoasa> enable
Password: ********               # Enter the password for entering the enable mode.
ciscoasa# configure terminal     # Enter the configuration mode.
ciscoasa(config)#
View the interface configurations and routing configurations for Internet access.
Verify that the interfaces are configured and enabled on the Cisco firewall. In this example, the following interface configurations are used:
ciscoasa(config)# show running-config interface
!
interface GigabitEthernet0/0
 nameif outside1                          # The name of the GigabitEthernet 0/0 interface.
 security-level 0
 ip address 192.168.0.1 255.255.255.0     # The private IP address of the GigabitEthernet 0/0 interface.
!
interface GigabitEthernet0/1
 nameif outside2                          # The name of the GigabitEthernet 0/1 interface.
 security-level 0
 ip address 192.168.1.1 255.255.255.0     # The private IP address of the GigabitEthernet 0/1 interface.
!
interface GigabitEthernet0/2              # The interface that connects to the data center.
 nameif private                           # The name of the GigabitEthernet 0/2 interface.
 security-level 100                       # The security level of the private interface that connects to the data center, which is higher than that of a public interface (0).
 ip address 192.168.2.215 255.255.255.0   # The private IP address of the GigabitEthernet 0/2 interface.
!
route private 192.168.0.0 255.255.0.0 192.168.2.216   # The route that points to the data center.
Enable IKEv2 for the public interfaces.
crypto ikev2 enable outside1
crypto ikev2 enable outside2
Create an IKEv2 policy and specify the authentication algorithm, encryption algorithm, DH group, and SA lifetime in the IKE phase on the Cisco firewall. The values must be the same as those on the Alibaba Cloud side.
Important: When you configure an IPsec-VPN connection on Alibaba Cloud, you can specify only one value for the encryption algorithm, authentication algorithm, and DH group in the IKE phase. We recommend that you specify only one value for the encryption algorithm, authentication algorithm, and DH group in the IKE phase on the Cisco firewall. The values must be the same as those on the Alibaba Cloud side.
crypto ikev2 policy 10
 encryption aes              # Specify the encryption algorithm.
 integrity sha               # Specify the authentication algorithm.
 group 14                    # Specify the DH group.
 prf sha                     # The value of the prf parameter must be the same as that of the integrity parameter. By default, these values are the same on the Alibaba Cloud side.
 lifetime seconds 86400      # Specify the SA lifetime.
Create an IPsec proposal and profile, and specify the encryption algorithm, authentication algorithm, DH group, and SA lifetime in the IPsec phase on the Cisco firewall. The values must be the same as those on the Alibaba Cloud side.
Important: When you configure an IPsec-VPN connection on Alibaba Cloud, you can specify only one value for the encryption algorithm, authentication algorithm, and DH group in the IPsec phase. We recommend that you specify only one value for the encryption algorithm, authentication algorithm, and DH group in the IPsec phase on the Cisco firewall. The values must be the same as those on the Alibaba Cloud side.
crypto ipsec ikev2 ipsec-proposal ALIYUN-PROPOSAL        # Create an IPsec proposal.
 protocol esp encryption aes                             # Specify the encryption algorithm. The Encapsulating Security Payload (ESP) protocol is used on the Alibaba Cloud side. Therefore, use the ESP protocol.
 protocol esp integrity sha-1                            # Specify the authentication algorithm. The ESP protocol is used on the Alibaba Cloud side. Therefore, use the ESP protocol.
crypto ipsec profile ALIYUN-PROFILE                      # Create an IPsec profile.
 set ikev2 ipsec-proposal ALIYUN-PROPOSAL                # Apply the proposal that is created.
 set ikev2 local-identity address                        # Set the format of the local ID to IP address, which is the same as the format of the remote ID on the Alibaba Cloud side.
 set pfs group14                                         # Specify the Perfect Forward Secrecy (PFS) DH group.
 set security-association lifetime seconds 86400         # Specify the time-based SA lifetime.
 set security-association lifetime kilobytes unlimited   # Disable the traffic-based SA lifetime.
Create tunnel groups and specify the pre-shared keys for tunnels, which must be the same as those on the Alibaba Cloud side.
tunnel-group 192.168.168.1 type ipsec-l2l                    # Create the tunnel group for Tunnel 1 with the site-to-site (ipsec-l2l) type.
tunnel-group 192.168.168.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key fddsFF123****    # Specify the peer pre-shared key for Tunnel 1, which is the pre-shared key on the Alibaba Cloud side.
 ikev2 local-authentication pre-shared-key fddsFF123****     # Specify the local pre-shared key for Tunnel 1, which must be the same as that on the Alibaba Cloud side.
!
tunnel-group 192.168.168.2 type ipsec-l2l                    # Create the tunnel group for Tunnel 2 with the site-to-site (ipsec-l2l) type.
tunnel-group 192.168.168.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key fddsFF456****    # Specify the peer pre-shared key for Tunnel 2, which is the pre-shared key on the Alibaba Cloud side.
 ikev2 local-authentication pre-shared-key fddsFF456****     # Specify the local pre-shared key for Tunnel 2, which must be the same as that on the Alibaba Cloud side.
!
Create tunnel interfaces.
interface Tunnel1                                   # Create an interface for Tunnel 1.
 nameif ALIYUN1
 ip address 169.254.10.2 255.255.255.252            # Specify the IP address of the interface.
 tunnel source interface outside1                   # Use the GigabitEthernet 0/0 interface (outside1) as the source of Tunnel 1.
 tunnel destination 192.168.168.1                   # Use the private IP address of IPsec-VPN Connection 1 on the Alibaba Cloud side as the destination of Tunnel 1.
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ALIYUN-PROFILE     # Apply the IPsec profile ALIYUN-PROFILE to Tunnel 1.
 no shutdown                                        # Enable the interface for Tunnel 1.
!
interface Tunnel2                                   # Create an interface for Tunnel 2.
 nameif ALIYUN2
 ip address 169.254.11.2 255.255.255.252            # Specify the IP address of the interface.
 tunnel source interface outside2                   # Use the GigabitEthernet 0/2 interface (outside2) as the source of Tunnel 2.
 tunnel destination 192.168.168.2                   # Use the private IP address of IPsec-VPN Connection 2 on the Alibaba Cloud side as the destination of Tunnel 2.
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ALIYUN-PROFILE     # Apply the IPsec profile ALIYUN-PROFILE to Tunnel 2.
 no shutdown                                        # Enable the interface for Tunnel 2.
!
Add BGP configurations to configure IPsec-VPN Connection 1 and IPsec-VPN Connection 2 as BGP peers for On-premises Gateway Device 1.
router bgp 65530
 address-family ipv4 unicast
  neighbor 169.254.10.1 remote-as 45104      # Specify the BGP peer, which is the IP address of Tunnel 1 on the Alibaba Cloud side.
  neighbor 169.254.10.1 ebgp-multihop 255    # Allow the eBGP session to be established across multiple hops.
  neighbor 169.254.10.1 activate             # Activate the BGP peer.
  neighbor 169.254.11.1 remote-as 45104      # Specify the BGP peer, which is the IP address of Tunnel 2 on the Alibaba Cloud side.
  neighbor 169.254.11.1 ebgp-multihop 255    # Allow the eBGP session to be established across multiple hops.
  neighbor 169.254.11.1 activate             # Activate the BGP peer.
  maximum-paths ebgp 5                       # Increase the number of ECMP route entries so that both tunnels carry traffic.
 exit-address-family
Configure On-premises Gateway Device 2
Log on to the CLI of the Cisco firewall and enter the configuration mode.
ciscoasa> enable
Password: ********               # Enter the password for entering the enable mode.
ciscoasa# configure terminal     # Enter the configuration mode.
ciscoasa(config)#
View the interface configurations and routing configurations for Internet access.
Verify that the interfaces are configured and enabled on the Cisco firewall. In this example, the following interface configurations are used:
ciscoasa(config)# show running-config interface
!
interface GigabitEthernet0/0
 nameif outside1                             # The name of the GigabitEthernet 0/0 interface.
 security-level 0
 ip address 192.168.1.2 255.255.255.0        # The private IP address of the GigabitEthernet 0/0 interface.
!
interface GigabitEthernet0/1
 nameif outside2                             # The name of the GigabitEthernet 0/1 interface.
 security-level 0
 ip address 192.168.2.2 255.255.255.0        # The private IP address of the GigabitEthernet 0/1 interface.
!
interface GigabitEthernet0/2                 # The interface that connects to the data center.
 nameif private                              # The name of the GigabitEthernet 0/2 interface.
 security-level 100                          # The security level of the private interface that connects to the data center. 100 is the highest level, so this interface is more trusted than the public interfaces at level 0.
 ip address 192.168.0.217 255.255.255.0      # The private IP address of the GigabitEthernet 0/2 interface.
!
route private 192.168.0.0 255.255.0.0 192.168.0.218   # The route that points to the data center.
Enable IKEv2 for the public interfaces.
crypto ikev2 enable outside1
crypto ikev2 enable outside2
Create an IKEv2 policy and specify the authentication algorithm, encryption algorithm, DH group, and SA lifetime in the IKE phase on the Cisco firewall. The values must be the same as those on the Alibaba Cloud side.
Important: When you configure an IPsec-VPN connection on Alibaba Cloud, you can specify only one value for the encryption algorithm, authentication algorithm, and DH group in the IKE phase. We recommend that you specify only one value for the encryption algorithm, authentication algorithm, and DH group in the IKE phase on the Cisco firewall. The values must be the same as those on the Alibaba Cloud side.
crypto ikev2 policy 10
 encryption aes            # Specify the encryption algorithm.
 integrity sha             # Specify the authentication algorithm.
 group 14                  # Specify the DH group.
 prf sha                   # The value of the prf parameter must be the same as that of the integrity parameter. By default, these values are the same on the Alibaba Cloud side.
 lifetime seconds 86400    # Specify the SA lifetime.
Create an IPsec proposal and profile, and specify the encryption algorithm, authentication algorithm, DH group, and SA lifetime in the IPsec phase on the Cisco firewall. The values must be the same as those on the Alibaba Cloud side.
Important: When you configure an IPsec-VPN connection on Alibaba Cloud, you can specify only one value for the encryption algorithm, authentication algorithm, and DH group in the IPsec phase. We recommend that you specify only one value for the encryption algorithm, authentication algorithm, and DH group in the IPsec phase on the Cisco firewall. The values must be the same as those on the Alibaba Cloud side.
crypto ipsec ikev2 ipsec-proposal ALIYUN-PROPOSAL        # Create an IPsec proposal.
 protocol esp encryption aes                             # Specify the encryption algorithm. The ESP protocol is used on the Alibaba Cloud side, so use ESP here as well.
 protocol esp integrity sha-1                            # Specify the authentication algorithm, again for ESP.
crypto ipsec profile ALIYUN-PROFILE                      # Create an IPsec profile.
 set ikev2 ipsec-proposal ALIYUN-PROPOSAL                # Apply the proposal that was created above.
 set ikev2 local-identity address                        # Set the format of the local ID to IP address, which is the same as the format of the remote ID on the Alibaba Cloud side.
 set pfs group14                                         # Enable PFS and specify the DH group.
 set security-association lifetime seconds 86400         # Specify the time-based SA lifetime.
 set security-association lifetime kilobytes unlimited   # Disable the traffic-based SA lifetime.
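The two Important notes above (for the IKE phase and the IPsec phase, on both gateway devices) come down to one rule: every algorithm, DH group and lifetime on the ASA must be a single value that equals the value on the Alibaba Cloud side. A mismatch only shows up as a phase 1 or phase 2 negotiation failure, so it is worth checking the running configuration before the tunnels are brought up. The following Python script is an added example, not part of this page or of any Alibaba Cloud or Cisco tool: it parses the `crypto ikev2 policy`, `ipsec-proposal` and `ipsec profile` blocks from a constructed ASA excerpt that mirrors the values on this page, compares them with a constructed record of the cloud-side settings, and flags missing values, mismatches, and lines that list more than one algorithm (which the ASA allows but the Alibaba Cloud side cannot match).

```python
from typing import Dict, List

# Constructed ASA excerpt that mirrors the IKEv2 policy, IPsec proposal and
# IPsec profile shown on this page (not copied from a live device).
ASA_CONFIG = """
crypto ikev2 policy 10
 encryption aes
 integrity sha
 group 14
 prf sha
 lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal ALIYUN-PROPOSAL
 protocol esp encryption aes
 protocol esp integrity sha-1
crypto ipsec profile ALIYUN-PROFILE
 set ikev2 ipsec-proposal ALIYUN-PROPOSAL
 set ikev2 local-identity address
 set pfs group14
 set security-association lifetime seconds 86400
 set security-association lifetime kilobytes unlimited
"""

# Constructed: the single values configured on the Alibaba Cloud side.
CLOUD_SIDE = {
    "ike": {"encryption": "aes", "integrity": "sha", "group": "14", "lifetime": "86400"},
    "ipsec": {"encryption": "aes", "integrity": "sha-1", "pfs": "group14", "lifetime": "86400"},
}

# Constructed negative case: a second IKE encryption algorithm is added, which
# the ASA accepts but which this page says the Alibaba Cloud side cannot express.
BAD_CONFIG = ASA_CONFIG.replace(" encryption aes\n", " encryption aes aes-256\n", 1)


def _blocks(config: str) -> Dict[str, List[str]]:
    """Group indented lines under the unindented header line that precedes them."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks[current] = []
    return blocks


def parse_asa(config: str) -> dict:
    """Extract phase 1 (ike) and phase 2 (ipsec) parameters; each value is kept as a
    list because the ASA lets one line carry several algorithms. Assumes a single
    proposal is referenced by the profile, as on this page."""
    ike: Dict[str, List[str]] = {}
    ipsec: Dict[str, List[str]] = {}
    for header, lines in _blocks(config).items():
        if header.startswith("crypto ikev2 policy"):
            for line in lines:
                words = line.split()
                if words[0] in ("encryption", "integrity", "group"):
                    ike[words[0]] = words[1:]
                elif words[0] == "lifetime":          # "lifetime seconds 86400"
                    ike["lifetime"] = words[2:]
        elif header.startswith("crypto ipsec ikev2 ipsec-proposal"):
            for line in lines:
                words = line.split()                  # "protocol esp encryption aes"
                if words[:2] == ["protocol", "esp"]:
                    ipsec[words[2]] = words[3:]
        elif header.startswith("crypto ipsec profile"):
            for line in lines:
                words = line.split()
                if words[:2] == ["set", "pfs"]:
                    ipsec["pfs"] = words[2:]
                elif words[:4] == ["set", "security-association", "lifetime", "seconds"]:
                    ipsec["lifetime"] = words[4:]
    return {"ike": ike, "ipsec": ipsec}


def find_mismatches(local: dict, cloud: dict) -> List[str]:
    """Return one message per parameter that would make IKE or IPsec negotiation fail."""
    problems = []
    for phase in ("ike", "ipsec"):
        for key, expected in cloud[phase].items():
            values = local[phase].get(key)
            if values is None:
                problems.append(f"{phase}: {key} is not set on the firewall")
            elif len(values) > 1:
                problems.append(f"{phase}: {key} has several values {values}; Alibaba Cloud accepts exactly one")
            elif values[0] != expected:
                problems.append(f"{phase}: {key} is {values[0]} on the firewall but {expected} on Alibaba Cloud")
    return problems


if __name__ == "__main__":
    for label, cfg in (("page values", ASA_CONFIG), ("two IKE ciphers", BAD_CONFIG)):
        print(label, "->", find_mismatches(parse_asa(cfg), CLOUD_SIDE) or "OK")
```

Run it against the output of `show running-config crypto` pasted into `ASA_CONFIG`; an empty result means the two phases are comparable with the console values, while the `BAD_CONFIG` case shows how a second algorithm on a single line is reported rather than silently accepted.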
Create tunnel groups and specify the pre-shared keys for tunnels, which must be the same as those on the Alibaba Cloud side.
tunnel-group 192.168.168.3 type ipsec-l2l                    # Create the tunnel group for Tunnel 3 with the site-to-site (ipsec-l2l) type.
tunnel-group 192.168.168.3 ipsec-attributes
 ikev2 remote-authentication pre-shared-key fddsFF789****    # Specify the peer pre-shared key for Tunnel 3, which is the pre-shared key on the Alibaba Cloud side.
 ikev2 local-authentication pre-shared-key fddsFF789****     # Specify the local pre-shared key for Tunnel 3, which must be the same as that on the Alibaba Cloud side.
!
tunnel-group 192.168.168.4 type ipsec-l2l                    # Create the tunnel group for Tunnel 4 with the site-to-site (ipsec-l2l) type.
tunnel-group 192.168.168.4 ipsec-attributes
 ikev2 remote-authentication pre-shared-key fddsFF901****    # Specify the peer pre-shared key for Tunnel 4, which is the pre-shared key on the Alibaba Cloud side.
 ikev2 local-authentication pre-shared-key fddsFF901****     # Specify the local pre-shared key for Tunnel 4, which must be the same as that on the Alibaba Cloud side.
!
Create tunnel interfaces.
interface Tunnel1                                   # Create an interface for Tunnel 3.
 nameif ALIYUN1
 ip address 169.254.12.2 255.255.255.252            # Specify the IP address of the interface.
 tunnel source interface outside1                   # Use the GigabitEthernet 0/0 interface (outside1) as the source of Tunnel 3.
 tunnel destination 192.168.168.3                   # Use the private IP address of IPsec-VPN Connection 3 on the Alibaba Cloud side as the destination of Tunnel 3.
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ALIYUN-PROFILE     # Apply the IPsec profile ALIYUN-PROFILE to Tunnel 3.
 no shutdown                                        # Enable the interface for Tunnel 3.
!
interface Tunnel2                                   # Create an interface for Tunnel 4.
 nameif ALIYUN2
 ip address 169.254.13.2 255.255.255.252            # Specify the IP address of the interface.
 tunnel source interface outside2                   # Use the GigabitEthernet 0/1 interface (outside2, see the interface configuration above) as the source of Tunnel 4.
 tunnel destination 192.168.168.4                   # Use the private IP address of IPsec-VPN Connection 4 on the Alibaba Cloud side as the destination of Tunnel 4.
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ALIYUN-PROFILE     # Apply the IPsec profile ALIYUN-PROFILE to Tunnel 4.
 no shutdown                                        # Enable the interface for Tunnel 4.
!
Add BGP configurations to configure IPsec-VPN Connection 3 and IPsec-VPN Connection 4 as BGP peers for On-premises Gateway Device 2.
router bgp 65530
 address-family ipv4 unicast
  neighbor 169.254.12.1 remote-as 45104      # Specify the BGP peer, which is the IP address of IPsec-VPN Connection 3 on the Alibaba Cloud side.
  neighbor 169.254.12.1 ebgp-multihop 255    # Allow the eBGP session to be established across multiple hops.
  neighbor 169.254.12.1 activate             # Activate the BGP peer.
  neighbor 169.254.13.1 remote-as 45104      # Specify the BGP peer, which is the IP address of IPsec-VPN Connection 4 on the Alibaba Cloud side.
  neighbor 169.254.13.1 ebgp-multihop 255    # Allow the eBGP session to be established across multiple hops.
  neighbor 169.254.13.1 activate             # Activate the BGP peer.
  maximum-paths ebgp 5                       # Increase the number of ECMP route entries so that both tunnels carry traffic.
 exit-address-family
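The tunnel interface and BGP steps above (for both gateway devices) only deliver ECMP and failover if every tunnel has an activated BGP neighbor at the far end of its /30, all neighbors sit in the same remote AS (the ASA installs multiple eBGP paths only when the AS paths are identical), and `maximum-paths ebgp` is at least the number of tunnels. A tunnel that is up but has no neighbor never carries routes, so the redundancy silently shrinks to one path. The following Python script is an added example, not part of this page or of any Cisco or Alibaba Cloud tool: it reads a constructed excerpt modeled on the On-premises Gateway Device 2 configuration, derives each tunnel's expected peer address from its /30, and reports the gaps.

```python
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Constructed excerpt modeled on the On-premises Gateway Device 2 configuration above.
ASA_CONFIG = """
interface Tunnel1
 nameif ALIYUN1
 ip address 169.254.12.2 255.255.255.252
 tunnel destination 192.168.168.3
interface Tunnel2
 nameif ALIYUN2
 ip address 169.254.13.2 255.255.255.252
 tunnel destination 192.168.168.4
router bgp 65530
 address-family ipv4 unicast
  neighbor 169.254.12.1 remote-as 45104
  neighbor 169.254.12.1 ebgp-multihop 255
  neighbor 169.254.12.1 activate
  neighbor 169.254.13.1 remote-as 45104
  neighbor 169.254.13.1 ebgp-multihop 255
  neighbor 169.254.13.1 activate
  maximum-paths ebgp 5
 exit-address-family
"""

# Constructed negative case: the Tunnel 4 neighbor lines were forgotten.
BROKEN_CONFIG = "\n".join(l for l in ASA_CONFIG.splitlines() if "169.254.13.1" not in l)


def parse_tunnels(config: str) -> Dict[str, ipaddress.IPv4Interface]:
    """Map each Tunnel interface to its address and mask."""
    tunnels: Dict[str, ipaddress.IPv4Interface] = {}
    name = None
    for line in config.splitlines():
        if not line.startswith(" "):                 # an unindented line starts a new block
            m = re.match(r"interface (Tunnel\d+)$", line)
            name = m.group(1) if m else None
            continue
        m = re.match(r"\s+ip address (\S+) (\S+)$", line)
        if m and name:
            tunnels[name] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
    return tunnels


def parse_bgp(config: str) -> Tuple[Dict[str, int], Set[str], int]:
    """Return (neighbor -> remote AS, activated neighbors, maximum-paths ebgp)."""
    neighbors: Dict[str, int] = {}
    activated: Set[str] = set()
    max_paths = 1                                     # ASA default: one best path
    for line in config.splitlines():
        m = re.match(r"\s+neighbor (\S+) remote-as (\d+)$", line)
        if m:
            neighbors[m.group(1)] = int(m.group(2))
        m = re.match(r"\s+neighbor (\S+) activate$", line)
        if m:
            activated.add(m.group(1))
        m = re.match(r"\s+maximum-paths ebgp (\d+)$", line)
        if m:
            max_paths = int(m.group(1))
    return neighbors, activated, max_paths


def check_ecmp(config: str) -> List[str]:
    """List everything that would stop the tunnels from forming an ECMP group."""
    problems = []
    tunnels = parse_tunnels(config)
    neighbors, activated, max_paths = parse_bgp(config)
    for name, iface in tunnels.items():
        # On a /30 the only other usable host is the Alibaba Cloud side of the tunnel.
        peer = str(next(h for h in iface.network.hosts() if h != iface.ip))
        if peer not in neighbors:
            problems.append(f"{name}: no BGP neighbor for peer {peer}; the tunnel carries no routes")
        elif peer not in activated:
            problems.append(f"{name}: neighbor {peer} is not activated in address-family ipv4")
    if len(set(neighbors.values())) > 1:
        problems.append("neighbors use different remote AS numbers; the ASA needs identical AS paths for ECMP")
    if max_paths < len(tunnels):
        problems.append(f"maximum-paths ebgp {max_paths} is below the {len(tunnels)} tunnels; only one path is installed")
    return problems


if __name__ == "__main__":
    print("page config  ->", check_ecmp(ASA_CONFIG) or "OK")
    print("broken config ->", check_ecmp(BROKEN_CONFIG))
```

Paste the output of `show running-config interface` and `show running-config router bgp` into `ASA_CONFIG` to run it against a real device; the `BROKEN_CONFIG` case shows the failure mode that a simple "both tunnels are up" check would miss.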
Add routes to the data center based on your network environment. The routes must allow network traffic to be transmitted from the data center to the VPC over On-premises Gateway Device 1 and On-premises Gateway Device 2 at the same time. If On-premises Gateway Device 1 is down, On-premises Gateway Device 2 automatically takes over. This ensures that ECMP is used to route traffic from the data center to the VPC. Contact your vendor to obtain the information about specific commands.
Step 4: Configure routes and routing policies
After you complete the preceding configurations, you must add routes and routing policies on Alibaba Cloud so that the IPsec-VPN connections can work as expected. You must also route traffic between the data center and Alibaba Cloud to encrypted tunnels.
Add custom routes to the VBRs.
Log on to the Express Connect console.
In the left-side navigation pane, click Virtual Border Routers (VBRs).
In the top navigation bar, select the region where the VBR is deployed.
In this example, China (Shanghai) is selected.
On the Virtual Border Routers (VBRs) page, click the ID of the VBR that you want to manage.
Click the Routes tab and click Add Route.
In the Add Route panel, configure the following parameters and click OK.
Add Route 1 and Route 2 to VBR1. Add Route 3 and Route 4 to VBR2.
Parameter: Next Hop Type
Description: The next hop type. Select Physical Connection Interface.
Route 1 to Route 4: Physical Connection Interface.

Parameter: Destination CIDR block
Description: Specify the VPN IP address of the on-premises gateway device.
Route 1: In this example, the first VPN IP address of On-premises Gateway Device 1 is used: 192.168.0.1/32.
Route 2: In this example, the second VPN IP address of On-premises Gateway Device 1 is used: 192.168.1.1/32.
Route 3: In this example, the first VPN IP address of On-premises Gateway Device 2 is used: 192.168.1.2/32.
Route 4: In this example, the second VPN IP address of On-premises Gateway Device 2 is used: 192.168.2.2/32.

Parameter: Next Hop
Description: Select an Express Connect circuit.
Route 1 and Route 2: Select Express Connect Circuit 1.
Route 3 and Route 4: Select Express Connect Circuit 2.
Add routing policies to the CEN instance.
Log on to the CEN console.
On the Instances page of the CEN console, click the ID of the CEN instance that you created.
On the tab, find the transit router in the China (Shanghai) region and click its ID.
On the details page of the transit router, click the Route Table tab and click Routing Policies.
On the Route Maps tab, click Add Route Map. In the Add Route Map panel, set the following parameters and click OK.
Add four routing policies to CEN based on the information in the following table. The following section describes the four routing policies:
Routing Policy 1: The data center learns CIDR blocks from the VPC through the VBRs and the IPsec-VPN connections. To ensure that traffic destined for the VPC is routed to the IPsec-VPN connections, you must create Routing Policy 1 so that the priority of the CIDR blocks advertised by the VBRs is lower than the priority of the CIDR blocks advertised by the IPsec-VPN connections.
Routing Policy 2: When the CEN instance learns the same CIDR block through the VBRs and the IPsec-VPN connections, the CIDR block advertised by the VBRs has a higher priority. You must create Routing Policy 2 to reject data center routes advertised by the VBRs. This ensures that traffic destined for the data center is routed to the IPsec-VPN connections.
The following table describes only the key parameters. For more information, see Routing policy overview.
Parameter: Policy Priority
Description: Specify a priority value for the routing policy.
Routing Policy 1: In this example, 5 is used.
Routing Policy 2: In this example, 10 is used.

Parameter: Region
Description: Select the region in which the routing policy applies.
Routing Policy 1 and Routing Policy 2: In this example, China (Shanghai) is selected.

Parameter: Associated Route Table
Description: Select a route table to associate with the routing policy.
Routing Policy 1 and Routing Policy 2: In this example, the default route table of the current transit router is selected.

Parameter: Policy Direction
Description: Select the direction in which the routing policy applies.
Routing Policy 1: In this example, Egress Regional Gateway is selected.
Routing Policy 2: In this example, Ingress Regional Gateway is selected.

Parameter: Match Conditions
Description: Configure match conditions for the routing policy.
Routing Policy 1: Configure the following match conditions:
  Source Instance IDs: Specify the ID of the VPC.
  Destination Instance IDs: Specify the IDs of VBR1 and VBR2.
  Route Prefix: Enter 172.16.10.0/24 and 172.16.20.0/24, and select Exact Match.
Routing Policy 2: Configure the following match conditions:
  Source Instance IDs: Specify the IDs of VBR1 and VBR2.
  Route Prefix: Enter 192.168.0.0/24, 192.168.10.0/24, and 192.168.20.0/24, and select Exact Match.

Parameter: Action Policy
Description: Select an action for the routing policy.
Routing Policy 1: In this example, Allow is selected.
Routing Policy 2: In this example, Deny is selected.

Parameter: Add Policy Entry
Description: Specify a priority for the routes that are permitted.
Routing Policy 1: In this example, Prepend AS Path is selected and 65525, 65526, and 65527 are specified. This reduces the priority of the VPC CIDR block that the VBRs advertise to the data center.
Routing Policy 2: N/A.
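Routing Policy 1 and Routing Policy 2 work through ordinary BGP best-path selection: a prefix reachable over several paths is installed on the shortest AS path, and paths of equal length become ECMP candidates. The following Python model is an added example, not part of this page or of the CEN product, and it simplifies the real route exchange to AS-path length only (no local preference or MED). It uses the prefixes, ASNs and prepend values from this page; the connection labels `VBR1`, `VBR2` and `IPsec1` to `IPsec4` are constructed names. It shows that, without Policy 1, the data center would see six equal-length paths for each VPC prefix and could send encrypted-bound traffic over the plain VBR paths, and that Policy 2 keeps the transit router's data center routes on the four IPsec-VPN connections.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class Route:
    prefix: str
    as_path: List[int]      # leftmost entry is the most recently prepended AS
    learned_from: str       # the connection the receiver learned the route on

# Values from this page; the connection names are constructed labels.
VPC_PREFIXES = {"172.16.10.0/24", "172.16.20.0/24"}
DC_PREFIXES = {"192.168.0.0/24", "192.168.10.0/24", "192.168.20.0/24"}
PREPEND = [65525, 65526, 65527]
CLOUD_ASN, DC_ASN = 45104, 65530
VBRS = ["VBR1", "VBR2"]
IPSEC = ["IPsec1", "IPsec2", "IPsec3", "IPsec4"]


def policy1_egress(route: Route, destination: str) -> Route:
    """Routing Policy 1 (Egress Regional Gateway, Allow + Prepend AS Path):
    VPC prefixes advertised towards VBR1/VBR2 get three extra ASNs."""
    if destination in VBRS and route.prefix in VPC_PREFIXES:
        return Route(route.prefix, PREPEND + route.as_path, route.learned_from)
    return route


def policy2_ingress(route: Route) -> bool:
    """Routing Policy 2 (Ingress Regional Gateway, Deny): data center prefixes
    arriving from VBR1/VBR2 are rejected. Returns True when the route is kept."""
    return not (route.learned_from in VBRS and route.prefix in DC_PREFIXES)


def best_paths(routes: List[Route]) -> Dict[str, List[Route]]:
    """Shortest AS path wins; equal-length winners remain as ECMP candidates."""
    best: Dict[str, List[Route]] = {}
    for r in routes:
        current = best.get(r.prefix)
        if current is None or len(r.as_path) < len(current[0].as_path):
            best[r.prefix] = [r]
        elif len(r.as_path) == len(current[0].as_path):
            current.append(r)
    return best


def data_center_view(apply_policy1: bool = True) -> Dict[str, List[Route]]:
    """Routes the data center receives for the VPC prefixes: one per VBR
    (after Policy 1, if applied) and one per IPsec-VPN connection."""
    received = []
    for prefix in sorted(VPC_PREFIXES):
        for vbr in VBRS:
            r = Route(prefix, [CLOUD_ASN], vbr)
            received.append(policy1_egress(r, vbr) if apply_policy1 else r)
        for conn in IPSEC:
            received.append(Route(prefix, [CLOUD_ASN], conn))
    return best_paths(received)


def transit_router_view(apply_policy2: bool = True) -> Dict[str, List[Route]]:
    """Routes the transit router keeps for the data center prefixes."""
    received = []
    for prefix in sorted(DC_PREFIXES):
        for vbr in VBRS:
            received.append(Route(prefix, [DC_ASN], vbr))
        for conn in IPSEC:
            received.append(Route(prefix, [DC_ASN], conn))
    if apply_policy2:
        received = [r for r in received if policy2_ingress(r)]
    return best_paths(received)


if __name__ == "__main__":
    for prefix, routes in data_center_view().items():
        print(prefix, "->", [r.learned_from for r in routes])
    for prefix, routes in transit_router_view().items():
        print(prefix, "->", [r.learned_from for r in routes])
```

Toggling `apply_policy1` and `apply_policy2` to `False` reproduces the situation before Step 4: the unencrypted VBR paths tie with, or (for the data center prefixes, where the page notes the VBR-advertised routes win inside CEN) beat, the IPsec-VPN paths.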
Step 5: Test the network connectivity
After you configure the routes, the data center can communicate with the VPC through private and encrypted connections. The traffic between the data center and VPC is load-balanced based on ECMP routing by using the four IPsec-VPN connections. This section describes how to test the network connectivity and how to check whether the four IPsec-VPN connections are used to load-balance the traffic.
Before the test, make sure that you understand the security group rules applied to the ECS instance in the VPC and the access control list (ACL) rules applied to the data center. Make sure that the rules allow mutual access between the VPC and the data center. For more information about ECS security group rules, see View security group rules and Add a security group rule.
Test the network connectivity.
Log on to an ECS instance in the connected VPC. For more information, see Connect to an ECS instance.
Run the ping command on the ECS instance to access a client in the data center.
ping <IP address of the client in the data center>
If the ECS instance receives echo reply messages, the data center can communicate with the VPC.
Check whether loads are balanced.
Send requests to the ECS instance from multiple clients in the data center or use iPerf3 to send requests to the ECS instance. If you can view traffic monitoring data on the details pages of IPsec-VPN Connection 1, IPsec-VPN Connection 2, IPsec-VPN Connection 3, and IPsec-VPN Connection 4, traffic between the data center and the VPC is load-balanced through the four IPsec-VPN connections. For more information about how to install and use iPerf3, see Test the performance of an Express Connect circuit.
Log on to the VPN Gateway console.
In the top navigation bar, select the region in which the IPsec-VPN connection is created.
In the left-side navigation pane, choose .
On the IPsec Connections page, find the IPsec-VPN connection that you want to manage and click its ID.
Go to the details page of the IPsec-VPN connection and view the traffic monitoring data on the Monitor tab.
Routing configuration
In this topic, the default routing configuration is used to create the IPsec-VPN connections, VPC connection, VBR connections, and inter-region connection. When the default routing configuration is used, CEN automatically learns and distributes routes to enable the data center to communicate with the VPC. The following sections describe the default routing configuration.
IPsec-VPN connection
If you associate an IPsec-VPN connection with a transit router when you create the IPsec-VPN connection, the system automatically applies the following routing configuration to the IPsec-VPN connection:
The IPsec-VPN connection is associated with the default route table of the transit router. The transit router forwards traffic from the IPsec-VPN connection based on the default route table.
The destination-based routes that you configure for the IPsec-VPN connection and the routes learned from the data center through the IPsec-VPN connection by using BGP dynamic routing are automatically propagated to the default route table of the transit router.
The transit router automatically propagates the routes in the default route table to the BGP route table associated with the IPsec-VPN connection.
The routes learned from the VPC through the IPsec-VPN connection by using BGP dynamic routing are automatically propagated to the data center.
VPC connection
If you use the default routing configuration (with all advanced features enabled) when you create a VPC, the system automatically applies the following routing configuration to the VPC:
Associate with Default Route Table of Transit Router
After this feature is enabled, the VPC connection is automatically associated with the default route table of the transit router. The transit router forwards the traffic of the VPC based on the default route table.
Propagate System Routes to Default Route Table of Transit Router
After this feature is enabled, the system routes of the VPC are advertised to the default route table of the transit router. This way, the VPC can communicate with other network instances that are connected to the transit router.
Automatically Create Route That Points to Transit Router and Adds to All Route Tables of Current VPC
After this feature is enabled, the system automatically adds the following three routes to all route tables of the VPC: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. The routes point to the VPC connection.
Important: If such a route is already in the route table of the VPC, the system cannot advertise this route. You must manually add a route that points to the VPC connection to the route table of the VPC. Otherwise, network communication cannot be established between the VPC and the transit router.
To check whether such routes exist, click Check Route below Advanced Settings.
VBR connection
If you use the default routing configuration (with all advanced features enabled) when you create a VBR connection, the system automatically applies the following routing configuration to the VBR:
Associate with Default Route Table of Transit Router
After this feature is enabled, the VBR connection is automatically associated with the default route table of the transit router. The transit router forwards the traffic of the VBR based on the default route table.
Propagate System Routes to Default Route Table of Transit Router
After this feature is enabled, the system routes of the VBR are advertised to the default route table of the transit router. This way, the VBR can communicate with other network instances that are connected to the transit router.
Propagate Routes to VBR
After this feature is enabled, the system automatically advertises the routes in the transit router route table that is associated with the VBR connection to the VBR.
Inter-region connection
If you use the default routing configuration (with all advanced features enabled) when you create an inter-region connection, the system automatically applies the following routing configuration to the inter-region connection:
Associate with Default Route Table of Transit Router
After this feature is enabled, the inter-region connection is automatically associated with the default route table of the transit router. The transit router uses the default route table to forward network traffic across regions.
Propagate System Routes to Default Route Table of Transit Router
After this feature is enabled, the inter-region connection is associated with the default route tables of the transit routers in the connected regions.
Automatically Advertise Routes to Peer Region
After this feature is enabled, the routes in the route table of the transit router in the current region are automatically advertised to the route table of the peer transit router for cross-region communication. The route tables of the transit routers refer to the route tables that are associated with the inter-region connection.
View routes
You can check the routes in the Alibaba Cloud Management Console.
For more information about routes of transit routers, see View routes of an Enterprise Edition transit router.
For more information about routes of VPCs, see Create and manage a route table.
For more information about routes of VBRs, perform the following steps:
Log on to the Express Connect console.
In the left-side navigation pane, click Virtual Border Routers (VBRs).
In the top navigation bar, select the region where the VBR is deployed.
On the Virtual Border Routers (VBRs) page, click the ID of the VBR that you want to manage.
On the details page of the VBR, view the custom routes, BGP routes, and CEN routes of the VBR on the Routes tab.
To view the routes of an IPsec-VPN connection, go to the details page of the IPsec-VPN connection:
Log on to the VPN Gateway console.
In the top navigation bar, select the region in which the IPsec-VPN connection is created.
In the left-side navigation pane, choose .
On the IPsec Connections page, find the IPsec-VPN connection and click its ID.
Go to the details page of the IPsec-VPN connection and view the route entries on the BGP Route Table tab.