
VPN Gateway:Enable communication among a data center and VPCs in multiple regions through dual-tunnel IPsec-VPN connections

Last Updated:Nov 29, 2024

This topic describes how to use transit routers to enable communication among a data center and multiple virtual private clouds (VPCs) through IPsec-VPN connections. The VPCs can be deployed in different regions or in the same region.

Prerequisites

  • If a public IPsec-VPN connection is associated with a transit router, you must configure a public IP address for the on-premises gateway device.

    For regions that support the dual-tunnel mode, we recommend that you configure two public IP addresses for the gateway device in the data center. Alternatively, you can deploy two gateway devices in the data center and configure a public IP address for each gateway device. This way, you can create high-availability IPsec-VPN connections.

  • The gateway device in the data center must support the IKEv1 or IKEv2 protocol to establish an IPsec-VPN connection with a transit router.

  • The CIDR block of the data center must not overlap with the CIDR blocks of the VPCs.

Scenario

The following scenario is used as an example. You created VPC1 in the Thailand (Bangkok) region and VPC2 in the Philippines (Manila) region. Applications are deployed on Elastic Compute Service (ECS) instances in VPC1 and VPC2. The following example describes how to use transit routers to enable communication among the data center, VPC1, and VPC2 through public IPsec-VPN connections.

Important

In this example, dual-tunnel IPsec-VPN connections are used. A dual-tunnel IPsec-VPN connection has two tunnels. The two tunnels are deployed in different zones and form equal-cost multi-path (ECMP) routing, which supports cross-zone disaster recovery. The feature to use the dual-tunnel mode is in public preview. To use this feature, you need to apply for the permission from your account manager. For more information, see Introduction to IPsec-VPN connections that are associated with transit routers in dual-tunnel mode.

For more information about how to establish a high-availability IPsec-VPN connection in a region that supports only single-tunnel IPsec-VPN connections, see Create multiple IPsec-VPN connections over the Internet for load balancing.


CIDR block planning

Important
  • When you allocate CIDR blocks, make sure that the CIDR blocks of the data center, VPC1, and VPC2 do not overlap.

  • We recommend that you use BGP dynamic routing when you create an IPsec-VPN connection. If you want to use static routing, make sure that the on-premises gateway device supports static ECMP routing. In this example, BGP dynamic routing is used.

CIDR block planning for the data center and VPCs

  • Data center

    CIDR block to be connected to the VPCs: 192.168.55.0/24

    Server IP address: 192.168.55.65

  • On-premises gateway device

    CIDR block: N/A

    The physical interfaces of the gateway device:

    • GigabitEthernet 0/0: This interface connects to the Internet and is configured with a public IP address. In this example, 120.XX.XX.104 is used.

    • GigabitEthernet 0/2: This interface connects to the Internet and is configured with a public IP address. In this example, 121.XX.XX.3 is used.

    • GigabitEthernet 0/1: This interface connects to the data center and is configured with the IP address 192.168.55.217.

  • VPC1

    Primary CIDR block: 192.168.0.0/16

    vSwitch1: 192.168.66.0/24

    vSwitch2: 192.168.20.0/24

    ECS1 IP address: 192.168.66.193

  • VPC2

    Primary CIDR block: 10.0.0.0/16

    vSwitch1: 10.0.10.0/24

    vSwitch2: 10.0.20.0/24

    ECS2 IP address: 10.0.20.61

CIDR block plan for BGP dynamic routing

The CIDR block of the BGP tunnel must fall within 169.254.0.0/16. The mask of the CIDR block must be 30 bits in length. The CIDR block cannot be 169.254.0.0/30, 169.254.1.0/30, 169.254.2.0/30, 169.254.3.0/30, 169.254.4.0/30, 169.254.5.0/30, 169.254.6.0/30, or 169.254.169.252/30. The two tunnels of an IPsec-VPN connection must use different CIDR blocks.

  • IPsec-VPN connection (BGP local ASN: 65535)

    • Tunnel 1: BGP tunnel CIDR block 169.254.10.0/30, BGP IP address 169.254.10.1

    • Tunnel 2: BGP tunnel CIDR block 169.254.20.0/30, BGP IP address 169.254.20.1

  • On-premises gateway device (BGP local ASN: 65530)

    • Tunnel 1: BGP tunnel CIDR block 169.254.10.0/30, BGP IP address 169.254.10.2

    • Tunnel 2: BGP tunnel CIDR block 169.254.20.0/30, BGP IP address 169.254.20.2
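The two planning rules above (no overlap among the data center, VPC, and transit router CIDR blocks; BGP tunnel blocks are /30s inside 169.254.0.0/16, outside the reserved blocks, and distinct per tunnel) are easy to get wrong when a plan is edited by hand. The following script is an added example written for this topic, not tooling from Alibaba Cloud; it encodes both rules with the standard library and runs them against the address plan from the tables above (copied into the script as a dict). The Bangkok transit router block 10.10.10.0/24 is included because Step 1 requires it not to overlap with the other blocks.

```python
"""Validate the address plan for a dual-tunnel IPsec-VPN design.

Added example for this topic; it is not tooling from Alibaba Cloud. It checks
the two planning rules the topic states: the data center, VPC and transit
router CIDR blocks must not overlap, and each BGP tunnel CIDR block must be a
/30 inside 169.254.0.0/16, outside the reserved blocks, and unique per tunnel.
"""
import ipaddress

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

# /30 blocks that may not be used for BGP tunnels (the list given in the topic).
RESERVED_TUNNEL_BLOCKS = {
    ipaddress.ip_network(b) for b in (
        "169.254.0.0/30", "169.254.1.0/30", "169.254.2.0/30", "169.254.3.0/30",
        "169.254.4.0/30", "169.254.5.0/30", "169.254.6.0/30", "169.254.169.252/30",
    )
}

# The topic's own address plan, constructed here as input for the checks.
PAGE_PLAN = {
    "Data center": "192.168.55.0/24",
    "VPC1": "192.168.0.0/16",
    "VPC2": "10.0.0.0/16",
    "Transit router (Bangkok)": "10.10.10.0/24",
}
PAGE_TUNNELS = {"Tunnel 1": "169.254.10.0/30", "Tunnel 2": "169.254.20.0/30"}


def overlapping_pairs(named_blocks):
    """Return every pair of names whose CIDR blocks overlap (empty list = no conflict)."""
    nets = [(name, ipaddress.ip_network(cidr)) for name, cidr in named_blocks.items()]
    clashes = []
    for i, (name_a, net_a) in enumerate(nets):
        for name_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                clashes.append((name_a, name_b))
    return clashes


def tunnel_block_errors(tunnel_blocks):
    """Return rule violations for the BGP tunnel CIDR blocks (empty list = valid)."""
    errors = []
    seen = set()
    for name, cidr in tunnel_blocks.items():
        net = ipaddress.ip_network(cidr)  # strict: rejects blocks with host bits set
        if net.prefixlen != 30:
            errors.append(f"{name}: mask must be 30 bits, got /{net.prefixlen}")
        if not net.subnet_of(LINK_LOCAL):
            errors.append(f"{name}: {cidr} is not within 169.254.0.0/16")
        if net in RESERVED_TUNNEL_BLOCKS:
            errors.append(f"{name}: {cidr} is a reserved block")
        if net in seen:
            errors.append(f"{name}: {cidr} is already used by another tunnel")
        seen.add(net)
    return errors


if __name__ == "__main__":
    print("overlaps:", overlapping_pairs(PAGE_PLAN))
    print("tunnel errors:", tunnel_block_errors(PAGE_TUNNELS))
```

Run against the topic's numbers, the tunnel blocks pass, and the overlap check reports the data center block 192.168.55.0/24 against VPC1's primary CIDR 192.168.0.0/16 (the vSwitch blocks 192.168.66.0/24 and 192.168.20.0/24 do not overlap with it). That is exactly the kind of finding to resolve before any tunnel is built, because the later static route for VPC1 only covers 192.168.66.0/24.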

Procedure

Step 1: Create a CEN instance and transit routers

Before you create an IPsec-VPN connection, you must create a CEN instance and create transit routers for the CEN instance.

  1. Create a CEN instance. Use the default configurations when you create a CEN instance.

  2. Create a transit router in each of the Philippines (Manila) and Thailand (Bangkok) regions. For more information, see Create a transit router.

    • The transit router in the Philippines (Manila) region is used to connect VPC2 to the data center. You can use the default configurations for this transit router.

    • The transit router in the Thailand (Bangkok) region is used to connect VPC1 to the data center. When you create this transit router, you need to configure the transit router CIDR block. Use the default settings for the other parameters.

      Note

      We recommend that you create a transit router in a region that is nearest to the data center.

      In this example, the transit router CIDR block is 10.10.10.0/24. The transit router CIDR block must not overlap with the CIDR blocks of the data center, VPC1, and VPC2.

Step 2: Create an IPsec-VPN connection

After the transit routers are created, you can create an IPsec-VPN connection to connect the data center to Alibaba Cloud.

  1. Create a customer gateway

    You need to create a customer gateway to register the public IP address of the on-premises gateway device with Alibaba Cloud. The data center can use only registered public IP addresses to establish an IPsec-VPN connection to Alibaba Cloud.

    1. Log on to the VPN gateway console.
    2. In the left-side navigation pane, choose Interconnections > VPN > Customer Gateways.

    3. In the top navigation bar, select the region in which you want to create customer gateways.

      Note

      The customer gateway and the transit router must belong to the same region.

    4. On the Customer Gateway page, click Create Customer Gateway.

    5. In the Create Customer Gateway panel, configure the following parameters and click OK.

      Create two customer gateways based on the following information and register two public IP addresses of the on-premises gateway device. The following table describes only some of the parameters. Other parameters use the default values. For more information, see Create and manage a customer gateway.

      • Customer Gateway 1

        IP Address: Enter a public IP address of the on-premises gateway device. In this example, 120.XX.XX.104 is used.

        ASN: Enter the autonomous system number (ASN) of the on-premises gateway device. In this example, 65530 is used.

        Note

        If BGP dynamic routing is used, you must configure this parameter.

      • Customer Gateway 2

        IP Address: Enter the other public IP address of the on-premises gateway device. In this example, 121.XX.XX.3 is used.

        ASN: The same value as for Customer Gateway 1. In this example, 65530 is used.

  2. Create an IPsec-VPN connection

    After the customer gateways are created, create an IPsec-VPN connection on the Alibaba Cloud side. When you create an IPsec-VPN connection, you must specify the encryption algorithm, authentication algorithm, and pre-shared key used by the VPN tunnel.

    1. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

    2. In the top navigation bar, select the region in which you want to create an IPsec-VPN connection.

      The IPsec-VPN connection must be created in the same region as the transit router to be associated with the IPsec-VPN connection.

    3. On the IPsec Connections page, click Create IPsec-VPN Connection.

    4. On the Create IPsec-VPN Connection page, configure the parameters and click OK.

      Only the key parameters are described below. Other parameters use the default values. For more information, see Create and manage IPsec-VPN connections in dual-tunnel mode.

      • Name: IPsec1 is used in this example.

      • Associate Resource: Select the resource with which you want to associate the IPsec-VPN connection. Select CEN.

      • Gateway Type: Select the network type of the IPsec-VPN connection. Select Public.

      • CEN Instance ID: Select the CEN instance created in Step 1.

      • Transit Router: The system automatically displays the transit router of the CEN instance in the current region.

      • Routing Mode: The routing mode of the IPsec-VPN connection. If you want to use BGP dynamic routing for the IPsec-VPN connection, we recommend that you select Destination Routing Mode. In this example, Destination Routing Mode is used.

      • Effective Immediately: In this example, the default value Yes is selected. IPsec negotiations start immediately after the IPsec-VPN connection is created.

      • Tunnel 1

        • Customer Gateway: Select Customer Gateway 1.

        • Pre-Shared Key: fddsFF111**** is used in this example.

          Important

          The IPsec-VPN connection and the peer gateway device must use the same pre-shared key. Otherwise, the system cannot establish the IPsec-VPN connection.

        • Encryption Configuration: Use the default values of the parameters except for the following ones.

          • Set the DH Group parameter in the IKE Configurations section to group14.

          • Set the DH Group parameter in the IPsec Configurations section to group14.

          Note

          Select the encryption parameters based on the on-premises gateway device so that the encryption configuration of the IPsec-VPN connection is the same as that of the on-premises gateway device.

      • Tunnel 2

        • Customer Gateway: Select Customer Gateway 2.

        • Pre-Shared Key: fddsFF222**** is used in this example.

        • Encryption Configuration: Use the default values of the parameters except for the following ones.

          • Set the DH Group parameter in the IKE Configurations section to group14.

          • Set the DH Group parameter in the IPsec Configurations section to group14.

          Note

          Select the encryption parameters based on the on-premises gateway device so that the encryption configuration of the IPsec-VPN connection is the same as that of the on-premises gateway device.

      • Advanced Configuration: In this example, the default settings are used. All advanced features are enabled.

    5. In the Created message, click OK.

    6. On the IPsec Connections page, find the IPsec-VPN connection that you created and click Generate Peer Configuration in the Actions column.

      The peer configuration contains the VPN parameters that the other end of the IPsec-VPN connection must use. In this example, you add these parameters to the gateway device of the data center.

    7. In the IPsec Connection Configuration dialog box, copy and save the configurations to an on-premises machine. The configurations are required when you configure the gateway device of the data center.

  3. Configure the on-premises gateway device

    After you create an IPsec-VPN connection, you need to add VPN configurations on the on-premises gateway device so that the IPsec-VPN connection can be established between Alibaba Cloud and the on-premises gateway device.

    Note

    In this example, a Cisco firewall that runs Adaptive Security Appliance (ASA) Software 9.19.1 is used to describe the configuration. The commands may vary with software versions. Consult the documentation of your device or your vendor for your actual environment. For more information, see Configure local gateways.

    The following content contains third-party product information, which is only for reference. Alibaba Cloud does not make guarantees or other forms of commitments for the performance and reliability of third-party products, or the potential impacts of operations performed by using these products.

    1. Log on to the CLI of the Cisco firewall and enter the configuration mode.

      ciscoasa> enable
      Password: ********             # Enter the password for entering the enable mode. 
      ciscoasa# configure terminal   # Enter the configuration mode. 
      ciscoasa(config)#     
    2. View the interface configurations and route configurations for Internet access.

      Verify that the interfaces are configured and enabled on the Cisco firewall. In this example, the following interface configurations are used:

      ciscoasa(config)# show running-config interface
      !
      interface GigabitEthernet0/0
       nameif outside1                            # The name of the GigabitEthernet 0/0 interface.
       security-level 0
       ip address 120.XX.XX.104 255.255.255.255    # The public IP address of the GigabitEthernet 0/0 interface.
      !
      interface GigabitEthernet0/1                # The interface that connects to the data center.
       nameif private                             # The name of the GigabitEthernet 0/1 interface.
       security-level 100                         # The security level of the private interface that connects to the data center, which is higher than that of a public interface (0).
       ip address 192.168.55.217 255.255.255.0    # The IP address of the GigabitEthernet 0/1 interface.
      !
      interface GigabitEthernet0/2
       nameif outside2                            # The name of the GigabitEthernet 0/2 interface.
       security-level 0
       ip address 121.XX.XX.3 255.255.255.255     # The public IP address of the GigabitEthernet 0/2 interface.
      !

      route outside1 121.XX.XX.170 255.255.255.255 192.XX.XX.172   # The route for accessing the public IP address of Tunnel 1 on Alibaba Cloud. The next hop is a public IP address.
      route outside2 121.XX.XX.232 255.255.255.255 192.XX.XX.158   # The route for accessing the public IP address of Tunnel 2 on Alibaba Cloud. The next hop is a public IP address.
      route private 192.168.55.0 255.255.255.0 192.168.55.216      # The route that points to the data center.

    3. Enable the IKEv2 feature for the public interfaces.

      crypto ikev2 enable outside1
      crypto ikev2 enable outside2
    4. Create an IKEv2 policy and specify the authentication algorithm, encryption algorithm, DH group, and SA lifetime in the IKE phase on the Cisco firewall. The values must be the same as those on Alibaba Cloud.

      Important

      When you configure an IPsec-VPN connection on Alibaba Cloud, you can specify only one value for the encryption algorithm, authentication algorithm, and DH group in the IKE phase. We recommend that you specify only one value for the encryption algorithm, authentication algorithm, and DH group in the IKE phase on the Cisco firewall. The values must be the same as those on Alibaba Cloud.

      crypto ikev2 policy 10     
       encryption aes             # Specify the encryption algorithm. 
       integrity sha              # Specify the authentication algorithm. 
       group 14                   # Specify the DH group. 
       prf sha                    # The value of the prf parameter must be the same as that of the integrity parameter. By default, these values are the same on Alibaba Cloud. 
       lifetime seconds 86400     # Specify the SA lifetime.

    5. Create an IPsec proposal and profile, and specify the encryption algorithm, authentication algorithm, DH group, and SA lifetime in the IPsec phase on the Cisco firewall. The values must be the same as those on Alibaba Cloud.

      Important

      When you configure an IPsec-VPN connection on Alibaba Cloud, you can specify only one value for the encryption algorithm, authentication algorithm, and DH group in the IPsec phase. We recommend that you specify only one value for the encryption algorithm, authentication algorithm, and DH group in the IPsec phase on the Cisco firewall. The values must be the same as those on Alibaba Cloud.

      crypto ipsec ikev2 ipsec-proposal ALIYUN-PROPOSAL    # Create an IPsec proposal.
       protocol esp encryption aes                         # Specify the encryption algorithm. Alibaba Cloud uses the Encapsulating Security Payload (ESP) protocol, so ESP is used here as well.
       protocol esp integrity sha-1                        # Specify the authentication algorithm for ESP.
      crypto ipsec profile ALIYUN-PROFILE                  # Create an IPsec profile.
       set ikev2 ipsec-proposal ALIYUN-PROPOSAL            # Apply the proposal that was just created.
       set ikev2 local-identity address                    # Set the format of the local ID to IP address, which is the same as the format of the remote ID on Alibaba Cloud.
       set pfs group14                                     # Enable Perfect Forward Secrecy (PFS) and specify the DH group.
       set security-association lifetime seconds 86400     # Specify the time-based SA lifetime.
       set security-association lifetime kilobytes unlimited # Disable the traffic-based SA lifetime.

    6. Create tunnel groups and specify the pre-shared keys for tunnels, which must be the same as those on the Alibaba Cloud side.

      tunnel-group 121.XX.XX.170 type ipsec-l2l                   # Specify the encapsulation mode l2l for Tunnel 1. 
      tunnel-group 121.XX.XX.170 ipsec-attributes             
       ikev2 remote-authentication pre-shared-key fddsFF111****  # Specify the peer pre-shared key for Tunnel 1, which is the pre-shared key on the Alibaba Cloud side. 
       ikev2 local-authentication pre-shared-key fddsFF111**** # Specify the local pre-shared key for Tunnel 1, which must be the same as that on Alibaba Cloud. 
      !
      tunnel-group 121.XX.XX.232 type ipsec-l2l                  # Specify the encapsulation mode l2l for Tunnel 2. 
      tunnel-group 121.XX.XX.232 ipsec-attributes
       ikev2 remote-authentication pre-shared-key fddsFF222****  # Specify the peer pre-shared key for Tunnel 2, which is the pre-shared key on the Alibaba Cloud side. 
       ikev2 local-authentication pre-shared-key fddsFF222****   # Specify the local pre-shared key for Tunnel 2, which must be the same as that on Alibaba Cloud. 
      !
    7. Create tunnel interfaces.

      interface Tunnel1                                  # Create an interface for Tunnel 1. 
       nameif ALIYUN1
       ip address 169.254.10.2 255.255.255.252           # Specify the IP address of the interface. 
       tunnel source interface outside1                  # Specify the IP address of the GigabitEthernet 0/0 interface as the source address of Tunnel 1. 
       tunnel destination 121.XX.XX.170                   # Specify the public IP address of Tunnel 1 on Alibaba Cloud as the destination address of Tunnel 1. 
       tunnel mode ipsec ipv4
       tunnel protection ipsec profile ALIYUN-PROFILE    # Apply the IPsec profile ALIYUN-PROFILE on Tunnel 1. 
       no shutdown                                       # Enable the interface for Tunnel 1. 
      !
      interface Tunnel2                                  # Create an interface for Tunnel 2. 
       nameif ALIYUN2                
       ip address 169.254.20.2 255.255.255.252           # Specify the IP address of the interface. 
       tunnel source interface outside2                  # Specify the IP address of the GigabitEthernet 0/2 interface as the source address of Tunnel 2. 
       tunnel destination 121.XX.XX.232                   # Specify the public IP address of Tunnel 2 on Alibaba Cloud as the destination address of Tunnel 2. 
       tunnel mode ipsec ipv4                            
       tunnel protection ipsec profile ALIYUN-PROFILE # Apply the IPsec profile ALIYUN-PROFILE on Tunnel 2. 
       no shutdown                                       # Enable the interface for Tunnel 2. 
      !

      After you complete the preceding steps, an IPsec-VPN connection can be established between the data center and Alibaba Cloud. You can check the connection status on the details page of the IPsec-VPN connection. If the IPsec-VPN connection is not established, see Self-service diagnostics for IPsec-VPN connections to troubleshoot the problem.
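Steps 4 and 5 both end with the same requirement: the IKE and IPsec algorithms, DH groups, and SA lifetimes on the firewall must match the Alibaba Cloud side, and the ASA `prf` value must equal `integrity`. A mismatch in any one of them shows up only as a failed negotiation, so it is worth checking the running configuration mechanically before troubleshooting. The script below is an added example written for this topic (not a Cisco or Alibaba Cloud tool): it parses the `crypto ikev2 policy`, `ipsec-proposal`, and `ipsec profile` sections of an ASA configuration and compares them with the cloud-side values the configuration above mirrors (aes, sha1, group14, 86400 seconds, PFS group14). `CLOUD_SIDE` is constructed from this topic, not fetched from any API, and the sample configuration is a comment-free copy of the commands above; the parser strips trailing `#` comments so annotated snippets can be fed in unchanged.

```python
"""Check an ASA IKEv2/IPsec configuration against the cloud-side IPsec-VPN
parameters. Added example for this topic; not tooling from Cisco or Alibaba Cloud.
"""

# Cloud-side values that the topic's ASA configuration is required to mirror.
# Constructed from the topic's text (not queried from any API).
CLOUD_SIDE = {
    "ike": {"encryption": "aes", "integrity": "sha1", "group": "14", "lifetime": "86400"},
    "ipsec": {"encryption": "aes", "integrity": "sha1", "pfs": "14", "lifetime": "86400"},
}

# Comment-free copy of the topic's ASA commands, used here as sample input.
SAMPLE_ASA_CONFIG = """\
crypto ikev2 policy 10
 encryption aes
 integrity sha
 group 14
 prf sha
 lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal ALIYUN-PROPOSAL
 protocol esp encryption aes
 protocol esp integrity sha-1
crypto ipsec profile ALIYUN-PROFILE
 set ikev2 ipsec-proposal ALIYUN-PROPOSAL
 set ikev2 local-identity address
 set pfs group14
 set security-association lifetime seconds 86400
 set security-association lifetime kilobytes unlimited
"""


def _norm(value):
    """Normalise vendor spellings: 'sha' and 'sha-1' -> 'sha1', 'group14' -> '14'."""
    v = value.lower().replace("-", "")
    if v == "sha":
        v = "sha1"
    if v.startswith("group"):
        v = v[len("group"):]
    return v


def parse_asa_crypto(config_text):
    """Extract IKEv2 policy and IPsec proposal/profile parameters from ASA config lines."""
    found = {"ike": {}, "ipsec": {}}
    section = None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop trailing explanatory comments
        if not line.strip():
            continue
        if not line.startswith(" "):  # an unindented command starts a new section
            if line.startswith("crypto ikev2 policy"):
                section = "ike"
            elif line.startswith(("crypto ipsec ikev2 ipsec-proposal", "crypto ipsec profile")):
                section = "ipsec"
            else:
                section = None
            continue
        words = line.split()
        if section == "ike":
            if words[0] in ("encryption", "integrity", "group", "prf"):
                found["ike"][words[0]] = _norm(words[1])
            elif words[:2] == ["lifetime", "seconds"]:
                found["ike"]["lifetime"] = words[2]
        elif section == "ipsec":
            if words[:2] == ["protocol", "esp"]:
                found["ipsec"][words[2]] = _norm(words[3])
            elif words[:2] == ["set", "pfs"]:
                found["ipsec"]["pfs"] = _norm(words[2])
            elif words[:4] == ["set", "security-association", "lifetime", "seconds"]:
                found["ipsec"]["lifetime"] = words[4]
    return found


def mismatches(config_text, expected=CLOUD_SIDE):
    """Return human-readable differences between the ASA config and the cloud side."""
    found = parse_asa_crypto(config_text)
    problems = []
    for phase, params in expected.items():
        for key, want in params.items():
            got = found[phase].get(key)
            if got != want:
                problems.append(f"{phase} {key}: ASA has {got!r}, cloud side has {want!r}")
    # The topic requires prf to equal integrity in the IKEv2 policy.
    prf, integ = found["ike"].get("prf"), found["ike"].get("integrity")
    if prf is not None and prf != integ:
        problems.append(f"ike prf {prf!r} differs from integrity {integ!r}")
    return problems


if __name__ == "__main__":
    print(mismatches(SAMPLE_ASA_CONFIG) or "ASA configuration matches the cloud side")
```

Paste the output of `show running-config crypto` into `mismatches()` after any change on either side; an empty list means the two phases agree with the values you set in the console.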

  4. Configure routes

    After the IPsec-VPN connection is established, the data center still cannot communicate with the cloud until routes exist on both sides. Configure routes, using BGP dynamic routing or static routing, on the on-premises gateway device and on the IPsec-VPN connection.

    Note

    We recommend that you use BGP dynamic routing, which is used in this example. If you use static routing, make sure that the on-premises gateway supports static ECMP routing. Otherwise, data from the data center to the cloud cannot be transferred through the ECMP path, whereas data from the cloud to the data center can. As a result, the traffic paths may not meet your requirements.

    BGP dynamic routing

    1. Configure BGP routes on the on-premises gateway device.

      router bgp 65530
       address-family ipv4 unicast
        neighbor 169.254.10.1 remote-as 65535       # Specify the BGP peer, which is the IP address of Tunnel 1 on the Alibaba Cloud side. 
        neighbor 169.254.10.1 ebgp-multihop 255
        neighbor 169.254.10.1 activate              # Activate the BGP peer. 
        neighbor 169.254.20.1 remote-as 65535       # Specify the BGP peer, which is the IP address of Tunnel 2 on the Alibaba Cloud side. 
        neighbor 169.254.20.1 ebgp-multihop 255
        neighbor 169.254.20.1 activate              # Activate the BGP peer. 
        network 192.168.55.0 mask 255.255.255.0        # Advertise the CIDR block of the data center. 
        maximum-paths 5                        # Increase the number of ECMP route entries. 
       exit-address-family

      Configure routes on the data center so that the clients in the data center can access the cloud.

    2. Configure BGP routes for the IPsec-VPN connection.

      1. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

      2. On the IPsec Connections page, find the IPsec-VPN connection and click its ID.

      3. In the IPsec Connections section, click Edit next to Enable BGP. In the BGP Configuration dialog box, configure the following parameters and click OK.

        For more information about the parameters, see BGP configuration.

        IPsec1 configurations:

        • Local ASN: 65535 is used in this example.

        • Tunnel 1

          • Tunnel CIDR Block: In this example, 169.254.10.0/30 is used.

          • Local BGP IP address: In this example, 169.254.10.1 is used.

        • Tunnel 2

          • Tunnel CIDR Block: In this example, 169.254.20.0/30 is used.

          • Local BGP IP address: In this example, 169.254.20.1 is used.

        After BGP is configured, you can check the negotiation status on the details page of the IPsec-VPN connection. After the BGP status becomes normal, routes are automatically advertised between the data center and the IPsec-VPN connection: the IPsec-VPN connection advertises the cloud routes to the data center and the data center routes to the transit router.

    Static routing

    Note

    This topic describes only which static routes to configure. For the specific commands, see the manual provided by the gateway vendor.

    1. Add a static route that points to the VPC to the on-premises gateway device.

      • Add two routes that point to VPC2. The destination CIDR block of both routes is 10.0.0.0/16 and the next hops are Tunnel 1 and Tunnel 2. The two routes form an ECMP path.

      • Add two routes that point to VPC1. The destination CIDR block of both routes is 192.168.66.0/24 and the next hops are Tunnel 1 and Tunnel 2. The two routes form an ECMP path.

      • Configure routes on the data center so that clients in the data center can access the cloud.

    2. Add a destination-based route that points to the data center to the IPsec-VPN connection. The destination CIDR block of the IPsec-VPN connection is 192.168.55.0/24 and the next hop is IPsec1. For more information, see Configure destination-based routes.

Step 3: Connect the data center to the VPCs

After the data center is connected to Alibaba Cloud, you need to associate VPC1 and VPC2 with transit routers so that communication can be enabled among the data center, VPC1, and VPC2.

  1. Create a VPC connection.

    Associate VPC1 with the transit router in the Thailand (Bangkok) region and VPC2 with the transit router in the Philippines (Manila) region.

    1. Log on to the CEN console.

    2. On the CEN details page, click the Basic Information > Transit Router tab. Find the transit router in the Philippines (Manila) region and click Create Connection in the Actions column.

    3. On the Connection with Peer Network Instance page, set the following parameters and click OK.

      The following table describes only the key parameters. Use the default values for other parameters. For more information, see Use an Enterprise Edition transit router to create a VPC connection.

      • Instance Type: Select Virtual Private Cloud (VPC).

      • Region: Select Thailand (Bangkok) for VPC1. For VPC2, Philippines (Manila) is selected in this example.

      • Resource Owner ID: Select Current Account.

      • Attachment Name: In this example, VPC1_Connection is used for VPC1 and VPC2_Connection is used for VPC2.

      • Network Instance: Select VPC1 or VPC2.

      • vSwitch: Make sure that each selected vSwitch has at least one idle IP address. If the VPC does not have a vSwitch in a zone supported by the transit router, or the vSwitch has no idle IP address, create a vSwitch in that zone. For more information, see Create and manage a vSwitch.

      • Advanced Settings: In this example, the default settings are used. All advanced features are enabled.

      The data center and VPC1 belong to the same region and can communicate with each other. However, VPC2 is deployed in another region and cannot communicate with VPC1 or the data center. To enable communication, you need to create an inter-region connection.

  2. Create an inter-region connection

    Create an inter-region connection between Thailand (Bangkok) and Philippines (Manila) to enable resource communication.

    1. On the details page of the CEN instance, choose Basic Information > Bandwidth Plans and click Allocate Bandwidth for Inter-region Communication.

    2. On the Connection with Peer Network Instance page, set the following parameters and click OK.

      • Instance Type: In this example, Inter-region Connection is selected.

      • Region: Select Thailand (Bangkok).

      • Peer Region: Select Philippines (Manila).

      • Bandwidth Allocation Mode: Select Pay-By-Data-Transfer. You are charged based on the data transfer, and bills are issued by Cloud Data Transfer (CDT).

      • Bandwidth: Specify the maximum bandwidth of the inter-region connection. Unit: Mbit/s.

      • Default Line Type: Default value: Gold. Use the default encryption settings.

      • Advanced Configuration: In this example, the default settings are used. All advanced features are enabled.

  3. View routes.

    After you complete the preceding steps, the transit routers automatically learn and advertise routes based on the Advanced Configuration. You can view the learned routes on the transit router, IPsec-VPN connection, or data center.

    • Route table of the transit router in Thailand (Bangkok) (figure)

    • BGP route table of the IPsec-VPN connection (figure)

    • Data center routes on the Cisco firewall (figure)

Step 4: Test the network connectivity

After you complete the preceding steps, communication is enabled among the data center, VPC1, and VPC2. This section describes how to test the network connectivity and high availability of the IPsec-VPN connection.

Note

Before the test, make sure that you understand the security group rules applied to the ECS instance in the VPC and the access control list (ACL) rules applied to the data center. Make sure that the rules allow mutual access between the VPC and the data center. For more information about ECS security group rules, see View security group rules and Add a security group rule.

  1. Test the network connectivity among the data center, VPC1, and VPC2.

    Test the network connectivity between the data center and VPC1, and between the data center and VPC2.

    1. Open the CLI on a client in the data center.

    2. Run the ping command on the client to access ECS1 in VPC1 and ECS2 in VPC2.

      ping <ECS IP address>

      If echo reply packets are received from both ECS1 and ECS2, the data center can communicate with VPC1 and VPC2.

    Test the network connectivity between VPC1 and VPC2.

    1. Log on to ECS1 in VPC1. For more information, see Connection method overview.

    2. Run the ping command on ECS1 to access ECS2 in VPC2.

      ping <IP address of ECS2>

      If ECS1 receives echo reply packets, VPC1 can communicate with VPC2.

  2. Test the high availability of the IPsec-VPN connection.

    1. Log on to ECS1 in VPC1.

    2. Run the following command to consecutively send packets from ECS1 to the data center:

      ping <IP address of a server in the data center> -c 10000
    3. Close one tunnel of the IPsec-VPN connection.

      You can close one tunnel by modifying the pre-shared key of the tunnel. The tunnel is closed when the two ends of the tunnel use different pre-shared keys.

    4. If the connection from ECS1 is temporarily interrupted and resumed after the tunnel is closed, it indicates that the other tunnel takes over.

      You can view the traffic monitoring data of each tunnel on the Monitoring tab. For more information, see Monitor an IPsec-VPN connection.

      Tunnel 1 traffic monitoring (figure)

      Tunnel 2 traffic monitoring (figure)
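The high-availability test above judges failover by eye: the long-running `ping -c 10000` stalls for a moment when one tunnel is closed and then resumes. The script below is an added example written for this topic (not part of it) that turns the saved ping output into numbers: it reads the `icmp_seq` values of the echo replies, reports every gap in the sequence, and estimates the outage from the number of lost replies and the ping interval (1 second by default on Linux `ping`). The sample output embedded in the script is constructed to look like a Linux `ping` run from ECS1 to the data center server 192.168.55.65 with one interruption; replace it with the real capture.

```python
"""Quantify the tunnel failover observed in the IPsec-VPN high-availability test.

Added example for this topic; not tooling from Alibaba Cloud. Input is the
text of a Linux ping run (e.g. redirected with `ping <server> -c 10000 > ping.log`).
"""
import re

SEQ_RE = re.compile(r"icmp_seq=(\d+)")

# Constructed sample: Linux ping format, replies 6-8 missing while a tunnel is closed.
SAMPLE_PING_OUTPUT = """\
PING 192.168.55.65 (192.168.55.65) 56(84) bytes of data.
64 bytes from 192.168.55.65: icmp_seq=1 ttl=62 time=35.2 ms
64 bytes from 192.168.55.65: icmp_seq=2 ttl=62 time=34.9 ms
64 bytes from 192.168.55.65: icmp_seq=3 ttl=62 time=35.0 ms
64 bytes from 192.168.55.65: icmp_seq=4 ttl=62 time=35.4 ms
64 bytes from 192.168.55.65: icmp_seq=5 ttl=62 time=35.1 ms
64 bytes from 192.168.55.65: icmp_seq=9 ttl=62 time=36.0 ms
64 bytes from 192.168.55.65: icmp_seq=10 ttl=62 time=35.8 ms
64 bytes from 192.168.55.65: icmp_seq=11 ttl=62 time=35.7 ms
64 bytes from 192.168.55.65: icmp_seq=12 ttl=62 time=35.6 ms

--- 192.168.55.65 ping statistics ---
12 packets transmitted, 9 received, 25% packet loss, time 11020ms
"""


def reply_sequence_numbers(ping_output):
    """Return the icmp_seq values of echo-reply lines, in the order they were printed."""
    seqs = []
    for line in ping_output.splitlines():
        if "bytes from" not in line:
            continue  # header, 'Destination Host Unreachable', and summary lines carry no reply
        match = SEQ_RE.search(line)
        if match:
            seqs.append(int(match.group(1)))
    return seqs


def failover_gaps(ping_output):
    """Return [(last_seq_before, first_seq_after, lost)] for each run of missing replies."""
    seqs = reply_sequence_numbers(ping_output)
    gaps = []
    for prev, cur in zip(seqs, seqs[1:]):
        if cur > prev + 1:  # duplicates or reordered replies never satisfy this
            gaps.append((prev, cur, cur - prev - 1))
    return gaps


def summarize(ping_output, interval_s=1.0):
    """Describe the interruptions; the estimate assumes one request per interval_s seconds."""
    gaps = failover_gaps(ping_output)
    if not gaps:
        return "no interruption observed"
    worst = max(lost for _, _, lost in gaps)
    return (f"{len(gaps)} interruption(s); longest lost {worst} replies "
            f"(about {worst * interval_s:.0f} s at a {interval_s} s interval)")


if __name__ == "__main__":
    print(failover_gaps(SAMPLE_PING_OUTPUT))
    print(summarize(SAMPLE_PING_OUTPUT))
```

A single short gap that ends before the ping finishes is the expected result of closing one tunnel; a gap that never closes means the remaining tunnel did not take over, and the per-tunnel traffic on the Monitoring tab shows which side stopped forwarding.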