VPN Gateway:Connect a VPC to a data center in dual-tunnel mode and enable BGP dynamic routing

Last Updated:Dec 16, 2024

This topic describes how to create an IPsec-VPN connection in dual-tunnel mode between a virtual private cloud (VPC) and a data center by using a public VPN gateway. The IPsec-VPN connection can enable encrypted communication between the VPC and the data center and ensure high availability of the connection. In addition, Border Gateway Protocol (BGP) is used to enable automatic route learning, which simplifies network O&M and reduces the risk of configuration errors.

Prerequisites

  • If the IPsec-VPN connection is associated with a VPN gateway, a public IP address must be assigned to the gateway device in the data center.

    For regions that support the dual-tunnel mode, we recommend that you configure two public IP addresses for the gateway device in the data center. Alternatively, you can deploy two gateway devices in the data center and configure a public IP address for each gateway device. This way, you can create high-availability IPsec-VPN connections. For more information about the regions that support the dual-tunnel mode, see [Upgrade notice] IPsec-VPN connections support the dual-tunnel mode.

  • The gateway device in the data center must support the IKEv1 or IKEv2 protocol to establish an IPsec-VPN connection with a transit router.

  • The CIDR block of the data center does not overlap with the CIDR block of the network to be accessed.

Regions that support BGP dynamic routing

  • Asia Pacific: China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Shenzhen), China (Hong Kong), Japan (Tokyo), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta)

  • Europe and Americas: Germany (Frankfurt), UK (London), US (Virginia), and US (Silicon Valley)

  • Middle East: UAE (Dubai)

Example

In this example, the following scenario is used. An enterprise has created a VPC in the China (Hohhot) region. The primary CIDR block of the VPC is 192.168.0.0/16. The enterprise has a data center in Hohhot. Due to business development, the devices in the CIDR block 172.16.0.0/16 of the data center need to access the VPC. To meet this requirement, the enterprise can create an IPsec-VPN connection between the VPC and data center. The IPsec-VPN connection can enable encrypted communication between the VPC and data center and ensure high availability of the connection.

[Figure: Connectivity between the data center and the VPC in dual-tunnel mode]

BGP tunnel CIDR blocks

In this example, the data center and VPC use BGP to automatically learn and advertise routes. The following table describes the BGP tunnel CIDR blocks of the data center and IPsec-VPN connection.

Note

If an IPsec-VPN connection uses BGP dynamic routing, the Local ASN of the two tunnels must be the same. The peer ASNs of the two tunnels can be different, but we recommend that you use the same peer ASN.

Item                  IPsec tunnel     BGP ASN   BGP tunnel CIDR block   BGP IP address
IPsec-VPN connection  Active tunnel    65530     169.254.10.0/30         169.254.10.1
                      Standby tunnel   65530     169.254.20.0/30         169.254.20.1
Data center           Active tunnel    65500     169.254.10.0/30         169.254.10.2
                      Standby tunnel   65500     169.254.20.0/30         169.254.20.2

Preparations

  • A VPC is created in the China (Hohhot) region, and workloads are deployed on the Elastic Compute Service (ECS) instances in the VPC. For more information, see Create a VPC with an IPv4 CIDR block.

  • The security group rules that are configured on the ECS instances in the VPC and the access control rules of the data center allow the data center and VPC to communicate with each other. For more information about security group rules for ECS instances, see View security group rules and Add a security group rule.

Procedure

[Figure: Configuration process for connecting the data center and the VPC in dual-tunnel mode with BGP]

Step 1: Create a VPN gateway

  1. Log on to the VPN Gateway console.

  2. In the top navigation bar, select the region in which you want to create the VPN gateway.

    The VPN gateway and the VPC that the data center needs to access must be in the same region.

  3. On the VPN Gateway page, click Create VPN Gateway.

  4. On the buy page, configure the following parameters, click Buy Now, and then complete the payment.

    Name: Enter a name for the VPN gateway. In this example, VPNGW is used.

    Resource Group: Select the resource group to which the VPN gateway belongs. If you leave this parameter empty, the VPN gateway belongs to the default resource group. In this example, this parameter is left empty.

    Region: Select the region in which you want to create the VPN gateway. In this example, China (Hohhot) is selected.

    Gateway Type: Select a gateway type. In this example, Standard is selected.

    Network Type: Select a network type for the VPN gateway.

    • Public: The VPN gateway can be used to establish VPN connections over the Internet.

    • Private: The VPN gateway can be used to establish VPN connections over private networks.

    In this example, Public is selected.

    Tunnels: Select a tunnel mode. Valid values:

    • Dual-tunnel

    • Single-tunnel

    For more information about the single-tunnel mode and dual-tunnel mode, see [Upgrade notice] IPsec-VPN connections support the dual-tunnel mode. In this example, the default value Dual-tunnel is used.

    VPC: Select the VPC that you want to associate with the VPN gateway. In this example, the VPC deployed in the China (Hohhot) region is selected.

    VSwitch: Select a vSwitch from the selected VPC.

    • If you select Single-tunnel, you need to specify only one vSwitch.

    • If you select Dual-tunnel, you need to specify two vSwitches.

      After the IPsec-VPN feature is enabled, the system creates an elastic network interface (ENI) for each of the two vSwitches as an interface to communicate with the VPC over an IPsec-VPN connection. Each ENI occupies one IP address in the vSwitch.

    Note

    • The system selects a vSwitch by default. You can use the default vSwitch or select a different one.

    • After a VPN gateway is created, you cannot modify the vSwitch associated with the VPN gateway. You can view the vSwitch associated with the VPN gateway, the zone to which the vSwitch belongs, and the ENI in the vSwitch on the details page of the VPN gateway.

    In this example, a vSwitch in the VPC is selected.

    vSwitch 2: Select another vSwitch from the selected VPC.

    • Specify two vSwitches in different zones in the associated VPC to implement disaster recovery across zones for IPsec-VPN connections.

    • For a region that supports only one zone, disaster recovery across zones is not supported. We recommend that you specify two vSwitches in the zone to implement high availability of IPsec-VPN connections. You can also select the same vSwitch as the first one.

    Note

    If only one vSwitch is deployed in the VPC, create a vSwitch. For more information, see Create and manage a vSwitch.

    In this example, another vSwitch in the VPC is selected.

    Peak Bandwidth: Select a maximum bandwidth value for the VPN gateway. Unit: Mbit/s. In this example, the default value is used.

    Traffic: Select a metering method for the VPN gateway. Default value: Pay-by-data-transfer. For more information, see Billing. In this example, the default value is used.

    IPsec-VPN: Specify whether to enable IPsec-VPN. Default value: Enable. In this example, Enable is selected.

    SSL-VPN: Specify whether to enable SSL-VPN. Default value: Disable. In this example, Disable is selected.

    Duration: Select a billing cycle for the VPN gateway. Default value: By Hour. In this example, the default value is used.

    Service-linked Role: Click Create Service-linked Role. The system automatically creates the service-linked role AliyunServiceRoleForVpn. The VPN gateway assumes this role to access other cloud resources.

    If Created is displayed, the service-linked role is created and you do not need to create it again.

    Configure this parameter based on actual conditions.

  5. After you create the VPN gateway, view the VPN gateway on the VPN Gateway page.

    The newly created VPN gateway is in the Preparing state and changes to the Normal state after about 1 to 5 minutes. After the status changes to Normal, the VPN gateway is ready for use.

    Two public IP addresses are assigned to each public VPN gateway for establishing two encrypted tunnels. The following table describes the public IP addresses that are assigned to the VPN gateway.

    IPsec tunnel               IP address
    Tunnel 1 (active tunnel)   39.XX.XX.218
    Tunnel 2 (standby tunnel)  182.XX.XX.19

Step 2: Create a customer gateway

  1. In the left-side navigation pane, choose Interconnections > VPN > Customer Gateways.

  2. In the top navigation bar, select the region in which you want to create the customer gateway.

    Make sure that the customer gateway and the VPN gateway to be connected are deployed in the same region.

  3. On the Customer Gateways page, click Create Customer Gateway.

  4. In the Create Customer Gateway panel, configure the following parameters and click OK.

    You must create two customer gateways in order to create two encrypted tunnels. The following table describes only the parameters that are relevant to this topic. You can use the default values for other parameters or leave them empty. For more information, see Create and manage a customer gateway.

    Parameter    Description                                                                          Customer gateway 1   Customer gateway 2
    Name         The name of the customer gateway.                                                    CustomerGW1          CustomerGW2
    IP Address   The public IP address of the gateway device in the data center.                      211.XX.XX.36         211.XX.XX.71
    ASN          The BGP autonomous system number (ASN) of the gateway device in the data center.     65500                65500

Step 3: Create an IPsec-VPN connection

  1. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

  2. In the top navigation bar, select the region in which you want to create the IPsec-VPN connection.

    Make sure that the IPsec-VPN connection and the VPN gateway are in the same region.

  3. On the IPsec Connections page, click Create IPsec-VPN Connection.

  4. On the Create IPsec-VPN Connection page, configure the following parameters and click OK.

    Name: Enter a name for the IPsec-VPN connection. In this example, IPsec-Connection is used.

    Resource Group: The resource group to which the VPN gateway belongs. In this example, the default resource group is selected.

    Associate Resource: Select the type of network resource to be associated with the IPsec-VPN connection. In this example, VPN Gateway is selected.

    VPN Gateway: Select the VPN gateway that you want to associate with the IPsec-VPN connection. In this example, the VPN gateway VPNGW is selected.

    Routing Mode: Select a routing mode.

    • Destination Routing Mode: Traffic is forwarded based on the destination IP address.

    • Protected Data Flows: Traffic is forwarded based on the source and destination IP addresses.

    In this example, Destination Routing Mode is selected.

    Note

    If BGP is used, we recommend that you set the Routing Mode parameter to Destination Routing Mode.

    Effective Immediately: Specify whether to immediately start negotiations for the connection. Valid values:

    • Yes: starts negotiations after the configuration is complete.

    • No: starts negotiations when inbound traffic is detected.

    In this example, Yes is selected.

    Enable BGP: Specify whether to enable Border Gateway Protocol (BGP). If you want to use BGP routing for the IPsec-VPN connection, turn on Enable BGP. By default, Enable BGP is turned off. In this example, BGP is enabled.

    Local ASN: The ASN on the VPC side. Default value: 45104. Valid values: 1 to 4294967295. In this example, 65530 is used.

    Tunnel 1: Configure VPN parameters for the active tunnel. By default, Tunnel 1 serves as the active tunnel and Tunnel 2 serves as the standby tunnel. You cannot modify this configuration.

      Customer Gateway: Select the customer gateway that you want to associate with the active tunnel. In this example, CustomerGW1 is selected.

      Pre-Shared Key: Enter a pre-shared key for the active tunnel to verify identities.

      • The key must be 1 to 100 characters in length, and can contain digits, letters, and the following special characters: ~ ` ! @ # $ % ^ & * ( ) _ - + = { } [ ] \ | ; : ' , . < > / ?. The key cannot contain spaces.

      • If you do not specify a pre-shared key, the system randomly generates a 16-character string as the pre-shared key. After the IPsec-VPN connection is created, you can click Edit in the Actions column of a tunnel to view the pre-shared key generated by the system. For more information, see the Modify the configurations of a tunnel section of this topic.

      Important

      The IPsec-VPN connection and the peer gateway device must use the same pre-shared key. Otherwise, the system cannot establish an IPsec-VPN connection.

      In this example, fddsFF123**** is used.

      Encryption Configuration: The parameters for the Internet Key Exchange (IKE), IPsec, dead peer detection (DPD), and NAT traversal features. In this example, the default values are used for all the parameters except for the following ones. For more information, see Create and manage an IPsec-VPN connection in dual-tunnel mode.

      • Set the DH Group parameter in the IKE Configurations section to group14.

      • Set the DH Group parameter in the IPsec Configurations section to group14.

      Note

      You need to select encryption parameters based on the on-premises gateway device to ensure that the encryption configurations for the IPsec connection are the same as those for the on-premises gateway device.

      BGP Configuration: The BGP parameters.

      • Tunnel CIDR Block: the CIDR block of the active tunnel. The CIDR block must fall within 169.254.0.0/16, and its subnet mask must be 30 bits in length. The CIDR block cannot be 169.254.0.0/30, 169.254.1.0/30, 169.254.2.0/30, 169.254.3.0/30, 169.254.4.0/30, 169.254.5.0/30, 169.254.6.0/30, or 169.254.169.252/30.

        Note

        In a VPN gateway, the CIDR block of each tunnel must be unique.

      • Local BGP IP address: the BGP IP address of the tunnel. The IP address must fall within the CIDR block of the tunnel.

      In this example, the following values are used:

      • Tunnel CIDR Block: 169.254.10.0/30.

      • Local BGP IP address: 169.254.10.1.

    Tunnel 2: Configure VPN parameters for the standby tunnel.

      Customer Gateway: Select the customer gateway that you want to associate with the standby tunnel. In this example, CustomerGW2 is selected.

      Pre-Shared Key: Enter a pre-shared key for the standby tunnel to verify identities. In this example, fddsFF456**** is used.

      Encryption Configuration: The parameters for the IKE, IPsec, DPD, and NAT traversal features. In this example, the default values are used for all the parameters except for the following ones. For more information, see Create and manage an IPsec-VPN connection in dual-tunnel mode.

      • Set the DH Group parameter in the IKE Configurations section to group14.

      • Set the DH Group parameter in the IPsec Configurations section to group14.

      Note

      You need to select encryption parameters based on the on-premises gateway device to ensure that the encryption configurations for the IPsec connection are the same as those for the on-premises gateway device.

      BGP Configuration: The BGP parameters. In this example, the following values are used:

      • Tunnel CIDR Block: 169.254.20.0/30.

      • Local BGP IP address: 169.254.20.1.

    Tags: Add a tag to the IPsec-VPN connection.

    In this example, this parameter is left empty.
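    The constraints above on Local ASN, Pre-Shared Key, Tunnel CIDR Block and Local BGP IP address can be checked before the values are entered in the console. The following Python script is an added example written for this topic; it is not Alibaba Cloud code and does not call any Alibaba Cloud API. The Tunnel class and the function names are this example's own, and the sample values are the example values used in this topic. It also derives the data center's BGP IP address from the VPC side's address, which is how 169.254.10.2 and 169.254.20.2 in the BGP tunnel CIDR block table follow from 169.254.10.1 and 169.254.20.1.

```python
# Added example (not from the Alibaba Cloud page): checks the dual-tunnel BGP parameters
# against the rules stated in the topic. Class and function names are this example's own.
import ipaddress
import re
from dataclasses import dataclass

# Constraints stated on the page.
BGP_TUNNEL_SUPERNET = ipaddress.ip_network("169.254.0.0/16")
RESERVED_TUNNEL_CIDRS = {
    ipaddress.ip_network(c) for c in (
        "169.254.0.0/30", "169.254.1.0/30", "169.254.2.0/30", "169.254.3.0/30",
        "169.254.4.0/30", "169.254.5.0/30", "169.254.6.0/30", "169.254.169.252/30",
    )
}
ASN_MIN, ASN_MAX = 1, 4294967295
# Pre-shared key: 1 to 100 characters, digits, letters and the listed punctuation, no spaces.
PSK_PATTERN = re.compile(r"^[0-9A-Za-z~`!@#$%^&*()_\-+={}\[\]\\|;:',.<>/?]{1,100}$")


@dataclass
class Tunnel:
    name: str            # for example "Tunnel 1"
    cidr: str            # Tunnel CIDR Block
    local_bgp_ip: str    # Local BGP IP address (VPC side)
    pre_shared_key: str
    peer_asn: int        # ASN of the customer gateway used by this tunnel


def check_tunnel_cidr(cidr: str) -> list:
    """Return the violations of the Tunnel CIDR Block rules (empty list if valid)."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return [f"invalid CIDR block {cidr!r}: {exc}"]
    if net.version != 4:
        return [f"{cidr}: must be an IPv4 CIDR block"]
    errors = []
    if net.prefixlen != 30:
        errors.append(f"{cidr}: the subnet mask must be 30 bits in length")
    if not net.subnet_of(BGP_TUNNEL_SUPERNET):
        errors.append(f"{cidr}: must fall within 169.254.0.0/16")
    if net in RESERVED_TUNNEL_CIDRS:
        errors.append(f"{cidr}: this CIDR block is reserved and cannot be used")
    return errors


def check_psk(psk: str) -> list:
    """Return a violation of the pre-shared key rule, or an empty list."""
    if PSK_PATTERN.fullmatch(psk):
        return []
    return ["pre-shared key must be 1 to 100 characters of digits, letters and the "
            "allowed special characters, without spaces"]


def peer_bgp_ip(cidr: str, local_bgp_ip: str) -> str:
    """A /30 has two usable addresses; the data center side takes the one the VPC side does not."""
    hosts = list(ipaddress.ip_network(cidr).hosts())
    local = ipaddress.ip_address(local_bgp_ip)
    if local not in hosts:
        raise ValueError(f"{local_bgp_ip} is not a usable address in {cidr}")
    return str(hosts[1] if local == hosts[0] else hosts[0])


def validate_connection(local_asn: int, tunnels: list) -> dict:
    """Check one dual-tunnel IPsec-VPN connection; an empty error list means the values pass."""
    errors, warnings = [], []
    if not ASN_MIN <= local_asn <= ASN_MAX:
        errors.append(f"Local ASN {local_asn} is outside {ASN_MIN} to {ASN_MAX}")
    seen = set()
    for t in tunnels:
        cidr_errors = check_tunnel_cidr(t.cidr)
        errors += [f"{t.name}: {e}" for e in cidr_errors]
        errors += [f"{t.name}: {e}" for e in check_psk(t.pre_shared_key)]
        if cidr_errors:
            continue
        net = ipaddress.ip_network(t.cidr)
        if net in seen:  # within a VPN gateway each tunnel CIDR block must be unique
            errors.append(f"{t.name}: tunnel CIDR block {t.cidr} is already used by another tunnel")
        seen.add(net)
        try:
            ip = ipaddress.ip_address(t.local_bgp_ip)
        except ValueError:
            errors.append(f"{t.name}: invalid Local BGP IP address {t.local_bgp_ip!r}")
            continue
        if ip not in list(net.hosts()):
            errors.append(f"{t.name}: Local BGP IP address {t.local_bgp_ip} is not a usable address in {t.cidr}")
    if len({t.peer_asn for t in tunnels}) > 1:
        warnings.append("peer ASNs differ between the tunnels; the same peer ASN is recommended")
    return {"errors": errors, "warnings": warnings}


# The topic's example values: Local ASN 65530, peer ASN 65500, one /30 per tunnel.
EXAMPLE_TUNNELS = [
    Tunnel("Tunnel 1", "169.254.10.0/30", "169.254.10.1", "fddsFF123****", 65500),
    Tunnel("Tunnel 2", "169.254.20.0/30", "169.254.20.1", "fddsFF456****", 65500),
]

if __name__ == "__main__":
    print(validate_connection(65530, EXAMPLE_TUNNELS))
    for t in EXAMPLE_TUNNELS:
        print(f"{t.name}: data center BGP IP address = {peer_bgp_ip(t.cidr, t.local_bgp_ip)}")
```

Running the script with the example values reports no errors and prints 169.254.10.2 and 169.254.20.2 as the data center addresses, which are the values configured on the tunnel interfaces of the gateway devices later in this topic.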

  5. In the Created message, click OK.

  6. On the IPsec Connections page, find the IPsec-VPN connection that you create and click Generate Peer Configuration in the Actions column.

    The peer configuration is the VPN configuration that you need to add to the peer gateway device after you create the IPsec-VPN connection. In this example, you add it to the gateway device in the data center.

  7. In the IPsec-VPN Connection Configuration dialog box, copy and save the configurations to an on-premises machine. The configurations are required when you configure the gateway device of the data center.

Step 4: Enable BGP dynamic routing

After BGP dynamic routing is enabled for the VPN gateway, the VPN gateway can learn routes from the data center and advertise them to the VPC.

  1. In the left-side navigation pane, choose Interconnections > VPN > VPN Gateways.

  2. In the top navigation bar, select the region in which the VPN gateway resides.

  3. On the VPN Gateways page, find the VPN gateway that you created and turn on the switch in the Enable Automatic Route Advertisement column.

Step 5: Configure the gateway devices in the data center

After you create an IPsec-VPN connection on Alibaba Cloud, you need to add VPN and routing configurations to the gateway devices in the data center to allow the gateway devices to connect to the IPsec-VPN connection. Then, network traffic is transmitted from the active tunnel to the VPC by default. If the active tunnel breaks down, the system automatically switches traffic to the standby tunnel.

Note

In this example, Cisco Adaptive Security Appliance (ASA) Software 9.19.1 is used to describe how to configure a Cisco firewall. The commands may vary based on the software version. Consult the documentation or your vendor for your actual environment. For more information, see Configure local gateways.

The following content contains third-party product information, which is only for reference. Alibaba Cloud does not make guarantees or other forms of commitments for the performance and reliability of third-party products, or the potential impacts of operations performed by using these products.

  1. Log on to the CLI of the Cisco firewall and enter the configuration mode.

    ciscoasa> enable
    Password: ********             # Enter the password for entering the enable mode. 
    ciscoasa# configure terminal   # Enter the configuration mode. 
    ciscoasa(config)#     
  2. View the interface configurations.

    Verify that the interfaces are configured and enabled on the Cisco firewall. In this example, the following interface configurations are used:

    # View the interface configurations of On-premises Gateway Device 1.
    ciscoasa(config)# show running-config interface
    !
    interface GigabitEthernet0/0
     nameif outside1                            # The name of the GigabitEthernet 0/0 interface. 
     security-level 0
     ip address 211.XX.XX.36 255.255.255.255    # The public IP address of the GigabitEthernet 0/0 interface. 
    !
    interface GigabitEthernet0/1                # The interface that connects to the data center. 
     nameif private                             # The name of the GigabitEthernet 0/1 interface. 
     security-level 100                         # The security level of the private interface that connects to the data center, which is higher than that of the public interface. 
     ip address 172.16.50.217 255.255.255.0    # The IP address of the GigabitEthernet 0/1 interface. 
    !
    # View the interface configurations of On-premises Gateway Device 2.
    ciscoasa(config)# show running-config interface 
    !
    interface GigabitEthernet0/0
     nameif outside1                            # The name of the GigabitEthernet 0/0 interface. 
     security-level 0
     ip address 211.XX.XX.71 255.255.255.255    # The public IP address of the GigabitEthernet 0/0 interface. 
    !
    interface GigabitEthernet0/1                # The interface that connects to the data center. 
     nameif private                             # The name of the GigabitEthernet 0/1 interface. 
     security-level 100                         # The security level of the private interface that connects to the data center, which is higher than that of the public interface. 
     ip address 172.16.40.218 255.255.255.0    # The IP address of the GigabitEthernet 0/1 interface. 
    !
  3. Enable the IKEv2 feature for the public interfaces.

    # Add the following configurations to On-premises Gateway Devices 1 and 2:
    crypto ikev2 enable outside1 # Enable the IKEv2 feature for the interface outside1, which is a public interface.
  4. Create an IKEv2 policy and specify the authentication algorithm, encryption algorithm, Diffie-Hellman (DH) group, and security association (SA) lifetime in the IKE phase. The values must be the same as those on Alibaba Cloud.

    # Add the following configurations to On-premises Gateway Devices 1 and 2:
    crypto ikev2 policy 10     
     encryption aes             # Specify the encryption algorithm. 
     integrity sha              # Specify the authentication algorithm. 
     group 14                   # Specify the DH group. 
     prf sha                    # The value of the prf parameter must be the same as that of the integrity parameter. By default, these values are the same on Alibaba Cloud. 
     lifetime seconds 86400     # Specify the SA lifetime.
  5. Create an IPsec proposal and profile, and specify the encryption algorithm, authentication algorithm, DH group, and SA lifetime in the IPsec phase on the Cisco firewall. The values must be the same as those on Alibaba Cloud.

    # Add the following configurations to On-premises Gateway Devices 1 and 2:
    crypto ipsec ikev2 ipsec-proposal ALIYUN-PROPOSAL    # Create an IPsec proposal. 
     protocol esp encryption aes                         # Specify the encryption algorithm. The Encapsulating Security Payload (ESP) protocol is used on Alibaba Cloud. Therefore, use the ESP protocol. 
     protocol esp integrity sha-1                        # Specify the authentication algorithm, also for the ESP protocol. 
    crypto ipsec profile ALIYUN-PROFILE                  
     set ikev2 ipsec-proposal ALIYUN-PROPOSAL            # Create an IPsec profile and apply the proposal that is created.  
     set ikev2 local-identity address                    # Set the format of the local ID to IP address, which is the same as the format of the remote ID on Alibaba Cloud. 
     set pfs group14                                     # Specify the Perfect Forward Secrecy (PFS) and DH group. 
     set security-association lifetime seconds 86400     # Specify the time-based SA lifetime. 
     set security-association lifetime kilobytes unlimited # Disable the traffic-based SA lifetime.
  6. Create tunnel groups and specify the pre-shared keys for tunnels, which must be the same as those on Alibaba Cloud.

    # Add the following configurations to On-premises Gateway Device 1:
    tunnel-group 39.XX.XX.218 type ipsec-l2l                # Create a LAN-to-LAN (l2l) tunnel group for Tunnel 1, named after the public IP address of Tunnel 1 on Alibaba Cloud. 
    tunnel-group 39.XX.XX.218 ipsec-attributes             
     ikev2 remote-authentication pre-shared-key fddsFF123****  # Specify the peer pre-shared key for Tunnel 1, which is the pre-shared key on Alibaba Cloud. 
     ikev2 local-authentication pre-shared-key fddsFF123**** # Specify the local pre-shared key for Tunnel 1, which must be the same as that on Alibaba Cloud. 
    !
    # Add the following configurations to On-premises Gateway Device 2:
    tunnel-group 182.XX.XX.19 type ipsec-l2l                # Create a LAN-to-LAN (l2l) tunnel group for Tunnel 2, named after the public IP address of Tunnel 2 on Alibaba Cloud. 
    tunnel-group 182.XX.XX.19 ipsec-attributes
     ikev2 remote-authentication pre-shared-key fddsFF456****  # Specify the peer pre-shared key for Tunnel 2, which is the pre-shared key on Alibaba Cloud. 
     ikev2 local-authentication pre-shared-key fddsFF456****   # Specify the local pre-shared key for Tunnel 2, which must be the same as that on Alibaba Cloud. 
    !
  7. Create tunnel interfaces.

    # Add the following configurations to On-premises Gateway Device 1:
    interface Tunnel1                                  # Create an interface for Tunnel 1. 
     nameif ALIYUN1
     ip address 169.254.10.2 255.255.255.252           # Specify the IP address of the interface. 
     tunnel source interface outside1                  # Specify the IP address of the GigabitEthernet 0/0 interface as the source address of Tunnel 1. 
     tunnel destination 39.XX.XX.218                   # Specify the public IP address of Tunnel 1 on Alibaba Cloud as the destination address of Tunnel 1. 
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile ALIYUN-PROFILE    # Apply the IPsec profile ALIYUN-PROFILE on Tunnel 1. 
     no shutdown                                       # Enable the interface for Tunnel 1. 
    !
    # Add the following configurations to On-premises Gateway Device 2:
    interface Tunnel1                                  # Create an interface for Tunnel 2. 
     nameif ALIYUN1    
     ip address 169.254.20.2 255.255.255.252           # Specify the IP address of the interface.            
     tunnel source interface outside1                  # Specify the IP address of the GigabitEthernet 0/0 interface as the source address of Tunnel 2. 
     tunnel destination 182.XX.XX.19                   # Specify the public IP address of Tunnel 2 on Alibaba Cloud as the destination address of Tunnel 2. 
     tunnel mode ipsec ipv4                            
     tunnel protection ipsec profile ALIYUN-PROFILE # Apply the IPsec profile ALIYUN-PROFILE on Tunnel 2. 
     no shutdown                                       # Enable the interface for Tunnel 2. 
    !
  8. Configure routes.

    # Add the following configurations to Gateway Device 1 in the data center.
    route outside1 39.XX.XX.218 255.255.255.255 192.XX.XX.172   # Configure a route that points to the public IP address of Tunnel 1 on the Alibaba Cloud side. The next hop is an external IP address. 
    route private 172.16.0.0 255.255.0.0 172.16.50.216          # Configure a route that points to the data center. 
    
    router bgp 65500
     address-family ipv4 unicast
      neighbor 169.254.10.1 remote-as 65530       # Specify the BGP peer, which is the IP address of Tunnel 1 on the Alibaba Cloud side. 
      neighbor 169.254.10.1 ebgp-multihop 255
      neighbor 169.254.10.1 activate              # Activate the BGP peer. 
      network 172.16.0.0 mask 255.255.0.0        # Advertise the CIDR block of the data center. 
     exit-address-family
    
    # Add the following configurations to Gateway Device 2 in the data center.
    route outside1 182.XX.XX.19 255.255.255.255 192.XX.XX.123   # Configure a route that points to the public IP address of Tunnel 2 on the Alibaba Cloud side. The next hop is an external public IP address. 
    route private 172.16.0.0 255.255.0.0 172.16.40.219          # Configure a route that points to the data center. 
    
    router bgp 65500
     address-family ipv4 unicast
      neighbor 169.254.20.1 remote-as 65530       # Specify the BGP peer, which is the IP address of Tunnel 2 on the Alibaba Cloud side. 
      neighbor 169.254.20.1 ebgp-multihop 255
      neighbor 169.254.20.1 activate              # Activate the BGP peer. 
      network 172.16.0.0 mask 255.255.0.0        # Advertise the CIDR block of the data center. 
     exit-address-family

    After you complete the preceding configurations, an IPsec-VPN connection is established between the data center and VPN gateway. The data center and VPN gateway can learn routes from each other over BGP.

  9. Add routes to the data center based on your network environment. The routes must allow network traffic to be transmitted from the data center to the VPC preferentially over On-premises Gateway Device 1. If On-premises Gateway Device 1 is down, On-premises Gateway Device 2 automatically takes over. Contact your vendor to obtain the information about specific commands.

Step 6: Test network connectivity

  1. Test the network connectivity between the VPC and data center.

    1. Log on to an ECS instance in the VPC. For more information about how to log on to an ECS instance, see Connection method overview.

    2. Run the ping command on the ECS instance to ping a server in the data center to test the accessibility of the data center.

      If an echo reply packet is returned to the ECS instance, it indicates that the VPC can communicate with the data center.

      ping <Private IP address of a server in the data center>
  2. Test high availability of the IPsec-VPN connection.

    1. Log on to an ECS instance in the VPC. For more information about how to log on to an ECS instance, see Connection method overview.

    2. Run the following command to consecutively send packets from the ECS instance to the data center:

      ping -c 10000 <Private IP address of a server in the data center>
    3. Close the active tunnel of the IPsec-VPN connection.

      You can close the active tunnel by modifying the pre-shared key of the active tunnel. The active tunnel is closed when the two sides of the tunnel use different pre-shared keys.

    4. After the active tunnel is closed, you can check the traffic status on the ECS instance. If the traffic is interrupted and then resumed, it indicates that the standby tunnel automatically takes over after the active tunnel is down.
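To make the check in the last step repeatable rather than a visual inspection of the terminal, the following Python script is an added example (not part of this topic) that parses iputils-style ping output and reports where replies stopped and whether they resumed, which is the "interrupted and then resumed" pattern that indicates a successful switch to the standby tunnel. The ping output embedded below is constructed for the example, not captured from a real test, and the function names are the example's own.

```python
# Added example (not from the Alibaba Cloud page): summarizes a failover test from
# the output of a long-running ping. Function names are this example's own.
import re

ICMP_SEQ = re.compile(r"icmp_seq=(\d+)")


def reply_sequence_numbers(output_lines):
    """Extract icmp_seq values from ping reply lines, in arrival order."""
    seqs = []
    for line in output_lines:
        match = ICMP_SEQ.search(line)
        if match and "bytes from" in line:  # reply lines only, not timeouts or statistics
            seqs.append(int(match.group(1)))
    return seqs


def find_interruptions(seqs):
    """Return (first_missing, last_missing) ranges where consecutive replies are missing."""
    gaps = []
    for prev, cur in zip(seqs, seqs[1:]):
        if cur > prev + 1:
            gaps.append((prev + 1, cur - 1))
    return gaps


def failover_summary(output_lines, sent):
    """Summarize replies seen and lost, where traffic paused, and whether it resumed."""
    seqs = reply_sequence_numbers(output_lines)
    gaps = find_interruptions(seqs)
    return {
        "replies": len(seqs),
        "lost": sent - len(seqs),
        "interruptions": gaps,
        # Traffic resumed if at least one reply arrived after the last gap.
        "resumed_after_last_gap": bool(gaps) and seqs[-1] > gaps[-1][1],
        # Packets after the last reply: non-zero means traffic stopped and never came back.
        "trailing_loss": sent - (seqs[-1] if seqs else 0),
    }


# Constructed output of "ping -c 14 172.16.0.10" (172.16.0.10 is a made-up server in the
# data center's 172.16.0.0/16): replies 6 to 10 never arrive while the active tunnel is
# torn down, then replies continue once the standby tunnel carries the traffic.
SAMPLE_PING_OUTPUT = [
    "PING 172.16.0.10 (172.16.0.10) 56(84) bytes of data.",
    "64 bytes from 172.16.0.10: icmp_seq=1 ttl=63 time=12.1 ms",
    "64 bytes from 172.16.0.10: icmp_seq=2 ttl=63 time=12.3 ms",
    "64 bytes from 172.16.0.10: icmp_seq=3 ttl=63 time=12.0 ms",
    "64 bytes from 172.16.0.10: icmp_seq=4 ttl=63 time=12.4 ms",
    "64 bytes from 172.16.0.10: icmp_seq=5 ttl=63 time=12.2 ms",
    "64 bytes from 172.16.0.10: icmp_seq=11 ttl=63 time=14.8 ms",
    "64 bytes from 172.16.0.10: icmp_seq=12 ttl=63 time=14.1 ms",
    "64 bytes from 172.16.0.10: icmp_seq=13 ttl=63 time=14.3 ms",
    "64 bytes from 172.16.0.10: icmp_seq=14 ttl=63 time=14.0 ms",
    "--- 172.16.0.10 ping statistics ---",
    "14 packets transmitted, 9 received, 35.7142% packet loss, time 13021ms",
]

if __name__ == "__main__":
    print(failover_summary(SAMPLE_PING_OUTPUT, sent=14))
```

A summary with one interruption, resumed_after_last_gap set to True and trailing_loss equal to 0 is the expected result of the test above; a summary with no interruption but a large trailing_loss means the active tunnel went down and the standby tunnel did not take over.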