IPsec-VPN is a route-based network connection technology that provides flexible traffic routing methods and allows you to configure and maintain VPN policies. It also uses Internet Key Exchange (IKE) and Internet Protocol Security (IPsec) to encrypt data transmission. You can use IPsec-VPN to establish secure and reliable network connections between Alibaba Cloud and the data centers or office networks of your enterprise.
Alibaba Cloud VPN Gateway provides services in compliance with the policies and regulations of the Chinese mainland. You can use VPN Gateway to establish only intra-border connections. For more information, see the "Intra-border connections" section of the What is VPN Gateway? topic.
Network connection scenarios
You can associate an IPsec-VPN connection with the following types of resources: VPN gateways and transit routers. Network connection scenarios vary with the types of associated resources.
Associate an IPsec-VPN connection with a VPN gateway
You can use IPsec-VPN to establish connections between the data centers or office networks of your enterprise and virtual private clouds (VPCs). This way, you can access resources in VPCs from your data centers or office networks.
Associate an IPsec-VPN connection with a transit router
You can use IPsec-VPN to establish connections between the data centers or office networks of your enterprise and transit routers on Alibaba Cloud. This way, your data centers or office networks can communicate with other networks connected to transit routers and access resources in those networks. For more information about transit routers, see What is CEN?
IPsec-VPN components
Associate an IPsec-VPN connection with a VPN gateway
| Component | Description |
|---|---|
| VPN gateway | Before you use IPsec-VPN, you must purchase a VPN gateway and enable IPsec-VPN for the VPN gateway. After you purchase a VPN gateway, Alibaba Cloud deploys VPN resources for you. |
| Customer gateway | A customer gateway is a resource created on Alibaba Cloud. It is used to register information about an on-premises gateway device, such as the IP address and BGP ASN, with Alibaba Cloud. |
| IPsec-VPN connection | An IPsec-VPN connection is an encrypted communication channel between a data center and a VPC. You can use the IPsec-VPN connection to control which networks the data center accesses. An IPsec-VPN connection contains one or two tunnels, which are used to encrypt and transmit data. |
| On-premises gateway device | An on-premises gateway device refers to a physical device (a gateway device in most cases) or an application in a data center. The on-premises gateway device must support the VPN feature so that it can negotiate with the peer to establish an IPsec-VPN connection. Note: For ease of illustration, the term "data center" is used in the following sections to refer to any data center or office network that needs to establish an IPsec-VPN connection with Alibaba Cloud. |
Associate an IPsec-VPN connection with a transit router
| Component | Description |
|---|---|
| Transit router | A transit router is a component of Cloud Enterprise Network (CEN). It is used to connect networks in the same region and across regions on Alibaba Cloud. |
| Customer gateway | A customer gateway is a resource created on Alibaba Cloud. It is used to register information about an on-premises gateway device, such as the IP address and BGP ASN, with Alibaba Cloud. |
| IPsec-VPN connection | An IPsec-VPN connection is an encrypted communication channel between a data center and a transit router. You can use the IPsec-VPN connection to control which networks the data center accesses. An IPsec-VPN connection contains one tunnel, which is used to encrypt and transmit data. |
| On-premises gateway device | An on-premises gateway device refers to a physical device (a gateway device in most cases) or an application in a data center. The on-premises gateway device must support the VPN feature so that it can negotiate with the peer to establish an IPsec-VPN connection. Note: For ease of illustration, the term "data center" is used in the following sections to refer to any data center or office network that needs to establish an IPsec-VPN connection with Alibaba Cloud. |
Tunnel modes
IPsec-VPN supports the following tunnel modes. Select a tunnel mode based on your network connection scenario.
Dual-tunnel mode
In this mode, an IPsec-VPN connection has two encrypted tunnels that work in active/standby mode. By default, traffic is transferred only through the active tunnel. If the active tunnel fails, the standby tunnel takes over. The two tunnels are deployed in different zones to implement zone-disaster recovery.
If a region has only one zone that supports the dual-tunnel mode, such as China (Nanjing - Local Region), zone-disaster recovery is not supported.
When you create a dual-tunnel IPsec-VPN connection, you must configure two tunnels and ensure that they are available. If you configure or use only one of the tunnels, IPsec-VPN connection redundancy based on active/standby tunnels and zone-disaster recovery are not supported. In addition, the SLA of VPN Gateway is not guaranteed.
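The following added example (written for this page, not Alibaba Cloud's own code or API) models the dual-tunnel rules just described as a configuration check: which tunnel carries traffic, whether active/standby failover is currently available, and whether the two tunnels sit in different zones so that zone-disaster recovery applies. Tunnel names, zone names and the simplified "up"/"down" state are constructed placeholders, not values from the page.

```python
"""Added example: check an IPsec-VPN connection against the dual-tunnel rules.

Assumptions (not from the page): tunnel and zone names are constructed, and
the tunnel state is reduced to "up"/"down" in place of the real IKE/IPsec
negotiation status.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Tunnel:
    name: str   # constructed identifier, e.g. "tunnel-1"
    zone: str   # zone the tunnel is deployed in (constructed, e.g. "zone-a")
    state: str  # "up" or "down" (simplified tunnel status)


@dataclass(frozen=True)
class Connection:
    # Tunnel order expresses the active/standby preference: the first
    # tunnel is the active one, the second is the standby.
    tunnels: Tuple[Tunnel, ...]


def active_tunnel(conn: Connection) -> Optional[Tunnel]:
    """Return the tunnel that carries traffic right now.

    By default traffic uses the active (first) tunnel; the standby only
    takes over when the active tunnel is down. None means no tunnel is up.
    """
    for tunnel in conn.tunnels:
        if tunnel.state == "up":
            return tunnel
    return None


def redundancy_report(conn: Connection) -> dict:
    """Report which guarantees the connection actually gets.

    Rules mirrored from the text: both tunnels must be configured and
    available for active/standby failover; the tunnels must be in two
    different zones for zone-disaster recovery. A connection with only one
    configured or one usable tunnel gets neither guarantee.
    """
    dual = len(conn.tunnels) == 2
    usable = [t for t in conn.tunnels if t.state == "up"]
    zones = {t.zone for t in conn.tunnels}
    failover = dual and len(usable) == 2
    zone_dr = failover and len(zones) == 2

    findings = []
    if not dual:
        findings.append("single-tunnel connection: no active/standby redundancy")
    elif len(usable) < 2:
        down = ", ".join(t.name for t in conn.tunnels if t.state != "up")
        findings.append(f"tunnel(s) {down} down: redundancy and SLA not guaranteed")
    if dual and len(zones) < 2:
        findings.append("both tunnels in one zone: no zone-disaster recovery")

    active = active_tunnel(conn)
    return {
        "active": active.name if active else None,
        "active_standby_failover": failover,
        "zone_disaster_recovery": zone_dr,
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed sample: a healthy dual-tunnel connection across two zones.
    healthy = Connection((Tunnel("tunnel-1", "zone-a", "up"),
                          Tunnel("tunnel-2", "zone-b", "up")))
    print(redundancy_report(healthy))
    # Same connection after the active tunnel fails: standby takes over.
    degraded = Connection((Tunnel("tunnel-1", "zone-a", "down"),
                           Tunnel("tunnel-2", "zone-b", "up")))
    print(redundancy_report(degraded))
```

The "findings" list is what an operator would alert on: a dual-tunnel connection that has drifted to one usable tunnel is, in practice, a single-tunnel connection until the second tunnel is restored.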
Single-tunnel mode
In this mode, an IPsec-VPN connection has only one encrypted tunnel, and all traffic to and from the cloud is transferred through this tunnel.
Associate a dual-tunnel IPsec-VPN connection with a VPN gateway
IPsec-VPN connections now support the dual-tunnel mode. IPsec-VPN connections on some existing VPN gateways support only the single-tunnel mode. A single-tunnel IPsec-VPN connection may be interrupted when the tunnel fails. We recommend that you upgrade existing VPN gateways to use the dual-tunnel mode at the earliest opportunity. If the active tunnel of a dual-tunnel IPsec-VPN connection fails, the standby tunnel takes over. For more information about the dual-tunnel mode, see [Upgrade notice] IPsec-VPN connections support the dual-tunnel mode.
Associate a single-tunnel IPsec-VPN connection with a VPN gateway
In this scenario, IPsec-VPN connections support only the single-tunnel mode. You can create multiple IPsec-VPN connections to ensure high availability.
Feature comparison
The following table compares the features of IPsec-VPN connections in the preceding two scenarios.
| Item | Associate an IPsec-VPN connection with a VPN gateway | Associate an IPsec-VPN connection with a transit router |
|---|---|---|
| Network connectivity | Data centers can communicate only with the VPCs that are associated with VPN gateways. | Data centers can communicate with VPCs by using transit routers or with other networks that are connected to transit routers. |
| Supported encryption algorithm | Commercial cryptographic algorithms that comply with international standards | Commercial cryptographic algorithms that comply with international standards |
| Tunnel modes supported by IPsec-VPN connections | Dual-tunnel mode. Note: IPsec-VPN connections on some existing VPN gateways support only the single-tunnel mode. We recommend that you upgrade single-tunnel IPsec-VPN connections to dual-tunnel IPsec-VPN connections. For more information, see Upgrade a VPN gateway to enable the dual-tunnel mode. | Single-tunnel mode |
| Maximum bandwidth supported by each IPsec-VPN connection | 1,000 Mbit/s. Note: The maximum bandwidth supported by VPN gateways in some regions is 500 Mbit/s. For more information about the regions, see the Limits section of the "Create and manage a VPN gateway" topic. | Default value: 1,000 Mbit/s. You can increase the bandwidth of an IPsec-VPN connection by using other methods. For more information, see the How do I increase the maximum bandwidth of IPsec-VPN connections? section of the "FAQ about VPN gateways" topic. |
| Maximum number of packets that can be transmitted through each IPsec-VPN connection per second | 120,000 (256 bytes per packet) | 120,000 (256 bytes per packet) |
| Method used to implement high availability | Active/standby connections | Equal-cost multi-path (ECMP) routing |
| Scenarios | For more information, see Associate IPsec-VPN connections with VPN gateways. | For more information, see Associate IPsec-VPN connections with transit routers. |
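The bandwidth and packet-rate rows of the table above describe two separate ceilings, and for small packets the packet-rate ceiling is the one that binds. The following added example (written for this page, not Alibaba Cloud's own code) works that out for a given packet size. It uses the table's figures (1,000 Mbit/s per connection, 500 Mbit/s in some regions, 120,000 packets per second measured at 256 bytes per packet) and makes one assumption the page does not state: that the packet-rate figure holds as a ceiling at every packet size.

```python
"""Added example: which limit bounds an IPsec-VPN connection's usable throughput.

Figures are taken from the feature comparison table on this page. Assumption
not made by the page: the 120,000 packets-per-second figure is treated as a
hard ceiling that applies regardless of packet size.
"""
import math

PPS_LIMIT = 120_000             # packets per second per connection (table)
BANDWIDTH_LIMIT_MBPS = 1_000    # Mbit/s per connection (table)
REDUCED_BANDWIDTH_MBPS = 500    # Mbit/s in the regions the table's note mentions
TABLE_PACKET_BYTES = 256        # packet size at which the pps figure is stated


def throughput_ceiling(packet_bytes: int,
                       bandwidth_mbps: int = BANDWIDTH_LIMIT_MBPS,
                       pps_limit: int = PPS_LIMIT) -> tuple:
    """Return (usable Mbit/s, binding limit) for traffic of a given packet size.

    The packet-rate bound is pps * bytes * 8 bits; whichever of that and the
    bandwidth cap is smaller is what the connection can actually carry.
    """
    if packet_bytes <= 0:
        raise ValueError("packet size must be positive")
    pps_bound_mbps = pps_limit * packet_bytes * 8 / 1_000_000
    if pps_bound_mbps < bandwidth_mbps:
        return pps_bound_mbps, "pps"
    return float(bandwidth_mbps), "bandwidth"


def min_packet_size_for_full_bandwidth(bandwidth_mbps: int = BANDWIDTH_LIMIT_MBPS,
                                       pps_limit: int = PPS_LIMIT) -> int:
    """Smallest packet size (bytes) at which the bandwidth cap, not pps, binds."""
    return math.ceil(bandwidth_mbps * 1_000_000 / (pps_limit * 8))


if __name__ == "__main__":
    # At the table's own 256-byte packets the pps limit binds well below 1,000 Mbit/s.
    for size in (TABLE_PACKET_BYTES, 512, 1042, 1500):
        mbps, limit = throughput_ceiling(size)
        print(f"{size:5d}-byte packets: {mbps:8.2f} Mbit/s, bound by {limit}")
    print("full 1,000 Mbit/s needs packets of at least",
          min_packet_size_for_full_bandwidth(), "bytes")
    print("full 500 Mbit/s needs packets of at least",
          min_packet_size_for_full_bandwidth(REDUCED_BANDWIDTH_MBPS), "bytes")
```

With 256-byte packets the connection tops out near 246 Mbit/s regardless of the 1,000 Mbit/s bandwidth figure, so for workloads dominated by small packets (VoIP, DNS, many request/response protocols) the packet-rate row is the number to plan around.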