
VPN Gateway:Encrypt private connections by using static routing and BGP routing

Last Updated: Nov 01, 2024

This topic describes how to encrypt the private connection between a data center and a virtual private cloud (VPC) by using a private VPN gateway (hereafter referred to as "VPN gateway"). To encrypt the private connection between a data center and a VPC, you can configure BGP routing for the VPN gateway and configure static routing for the virtual border router (VBR) that connects the data center to the VPC.

Background information

Before you encrypt private connections by using static routing and BGP routing, we recommend that you understand how private connections are encrypted and the configuration methods. For more information, see Overview of configuration methods.

Scenarios

[Figure: scenario diagram for the private VPN gateway]

The preceding scenario is used as an example in this topic. An enterprise owns a data center in Hangzhou and has a VPC (VPC1) deployed in the China (Hangzhou) region. Applications are deployed on Elastic Compute Service (ECS) instances in VPC1. Due to business growth, the enterprise wants to connect the data center to VPC1 through an Express Connect circuit and Cloud Enterprise Network (CEN). In addition, the enterprise wants to encrypt the connection between the data center and VPC1 due to security concerns.

After the data center is connected to VPC1 through CEN and an Express Connect circuit, the enterprise can create a VPN gateway in VPC1 and establish an IPsec-VPN connection between the VPN gateway and an on-premises gateway device. Then, the enterprise can configure BGP routing for the VPN gateway and configure static routing for the VBR to encrypt the private connection.

Preparations

  • Before you use private VPN gateways, you must apply for the required permissions from your account manager or submit a ticket to obtain the permissions.

  • You must plan networks for the data center and network instances. Make sure that the CIDR block of the data center does not overlap with those of the network instances. The following table describes the CIDR blocks in this example.

    Item: VPC1

      CIDR blocks:

      • Primary CIDR block: 10.0.0.0/16

      • CIDR block of vSwitch1: 10.0.0.0/24

      • CIDR block of vSwitch2: 10.0.1.0/24

      IP addresses:

      • ECS1: 10.0.1.1

      • ECS2: 10.0.1.2

    Item: VBR

      CIDR block: 10.0.0.0/30

      IP addresses:

      • VLAN ID: 201

      • IPv4 address on the Alibaba Cloud side: 10.0.0.2/30

      • IPv4 address on the user side: 10.0.0.1/30

        In this example, the IPv4 address on the user side is the IPv4 address of the gateway device in the data center.

    Item: Data center

      CIDR blocks:

      • Primary CIDR block: 192.168.0.0/16

      • Subnet1: 192.168.0.0/24

      • Subnet2: 192.168.1.0/24

      IP address:

      • Client: 192.168.1.1

    Item: On-premises gateway device

      CIDR blocks:

      • 10.0.0.0/30

      • 192.168.0.0/24

      IP addresses:

      • VPN IP address: 192.168.0.251

        The VPN IP address refers to the IP address of the interface of the on-premises gateway device to be connected to the VPN gateway.

      • IP address of the interface connected to the Express Connect circuit: 10.0.0.1/30

      • Autonomous system number (ASN): 65530

  • VPC1 is deployed in the China (Hangzhou) region and applications are deployed on the ECS instances in VPC1. For more information, see Create and manage a VPC.

    Make sure that VPC1 in the China (Hangzhou) region contains at least two vSwitches in different zones that support Enterprise Edition transit routers. In addition, each vSwitch must have at least one idle IP address. This way, VPC1 can be attached to a CEN instance. For more information, see Connect VPCs.

    In this example, VPC1 contains two vSwitches (vSwitch1 and vSwitch2). vSwitch1 is deployed in Zone H and vSwitch2 is deployed in Zone I. ECS instances are deployed on vSwitch2. vSwitch1 is used only to associate the VPN gateway.

    Note

    When you create a VPC, we recommend that you create a dedicated vSwitch in the VPC for the VPN gateway. This way, the vSwitch can allocate a private IP address to the VPN gateway.

  • Check the gateway device in the data center. Make sure that it supports standard IKEv1 and IKEv2 protocols. To check whether the gateway device supports the IKEv1 and IKEv2 protocols, contact the gateway vendor.

  • Take note of the security group rules that apply to the ECS instances in VPC1 and the access control list (ACL) rules that apply to the client in the data center. Make sure that the rules allow the ECS instances in VPC1 to communicate with the client in the data center. For more information, see View security group rules and Add a security group rule.

Procedure

[Figure: configuration procedure for the private VPN gateway]

Step 1: Deploy Express Connect circuits

You must deploy an Express Connect circuit to connect the data center to Alibaba Cloud.

  1. Create an Express Connect circuit.

    You must apply for an Express Connect circuit in the China (Hangzhou) region. For more information, see Create and manage a dedicated connection over an Express Connect circuit or Overview of hosted connections.

    In this example, a dedicated connection over an Express Connect circuit is created.

  2. Create a VBR.

    1. Log on to the Express Connect console.

    2. In the left-side navigation pane, click Virtual Border Routers (VBRs).

    3. In the top navigation bar, select the region where you want to create a VBR.

      In this example, the China (Hangzhou) region is selected.

    4. On the Virtual Border Routers (VBRs) page, click Create VBR.

    5. In the Create VBR panel, configure the parameters that are described in the following table and click OK.

      The following table describes only the key parameters. For more information, see Create and manage a VBR.

      Parameter

      Description

      Account

      Specify the Alibaba Cloud account for which a VBR is created. In this example, Current Account is selected.

      Name

      The name of the VBR. In this example, VBR is entered.

      Express Connect Circuit

      Select the type of Express Connect circuit that you want to associate with the VBR. In this example, Dedicated Physical Connection is selected, and the Express Connect circuit created in Step 1 is selected.

      VLAN ID

      The VLAN ID of the VBR. In this example, 201 is entered.

      Note

      Make sure that the VLAN ID of the VBR is the same as the VLAN ID of the interface that the on-premises gateway device uses to connect to the Express Connect circuit.

      Set VBR Bandwidth Value

      The maximum bandwidth of the VBR.

      IPv4 Address (Alibaba Cloud Gateway)

      Specify an IPv4 address for the VBR to route traffic between the VPC and your data center. In this example, 10.0.0.2 is entered.

      IPv4 Address (Data Center Gateway)

      Specify an IPv4 address for the gateway device in the data center. In this example, 10.0.0.1 is entered.

      Subnet Mask (IPv4)

      The subnet mask of the IPv4 addresses that you specify for the VBR and the gateway device in the data center. In this example, 255.255.255.252 is entered.

  3. Add a custom route for the VBR.

    Add a custom route to advertise the on-premises CIDR block to Alibaba Cloud.

    1. On the Virtual Border Routers (VBRs) page, click the ID of the VBR.

    2. Click the Routes tab and click Add Route.

    3. In the Add Route Entry panel, set the following parameters and click OK.

      Parameter

      Description

      Next Hop Type

      The next hop type. Select Physical Connection Interface.

      Destination CIDR block

      The CIDR block of the data center.

      In this example, 192.168.0.0/16 is entered.

      Next Hop

      The next hop. Select the Express Connect circuit created in Step 1.

  4. Configure the on-premises gateway device.

    You must add the following route to the on-premises gateway to route traffic destined for VPC1 from the data center to the Express Connect circuit.

    The following configurations are for reference only. The commands may vary based on the network device vendor. Contact the vendor to obtain the information about specific commands.

    ip route 10.0.0.0 255.255.0.0 10.0.0.2

Step 2: Configure a CEN instance

You must attach VPC1 and the VBR to a CEN instance. Then, the data center and VPC1 can communicate with each other through CEN.

  1. Create a CEN instance.

    1. Log on to the CEN console.

    2. On the Instances page, click Create CEN Instance.

    3. In the Create CEN Instance dialog box, configure the following parameters and click OK.

      • Name: Enter a name for the CEN instance.

        In this example, CEN is used.

      • Description: Enter a description for the CEN instance.

        In this example, CEN-for-test-private-VPN-Gateway is used.

  2. Attach VPC1 to the CEN instance.

    1. On the Instances page, click the ID of the CEN instance created in Step 1.

    2. In the VPC section of the Basic Settings tab, click the Add icon.

    3. On the Connection with Peer Network Instance page, configure the following parameters and click OK:

      Parameter

      Description

      Network Type

      Select the type of network instance that you want to attach.

      In this example, VPC is selected.

      Region

      Select the region where the network instance is deployed.

      In this example, the China (Hangzhou) region is selected.

      Transit Router

      The system automatically creates a transit router in the selected region.

      Resource Owner ID

      Select the Alibaba Cloud account to which the network instance belongs.

      In this example, Current Account is selected.

      Billing Method

      In this example, the default value Pay-As-You-Go is selected.

      For more information, see Billing.

      Attachment Name

      Enter a name for the network connection.

      In this example, VPC1-test is used.

      Network Instance

      Select the ID of the network instance that you want to attach.

      In this example, VPC1 is selected.

      VSwitch

      Select vSwitches that are deployed in zones supported by the transit router.

      • If the Enterprise Edition transit router is deployed in a region that supports only one zone, select a vSwitch in the zone.

      • If the Enterprise Edition transit router is deployed in a region that supports multiple zones, select at least two vSwitches. The two vSwitches must be in different zones. The two vSwitches support zone-disaster recovery to ensure uninterrupted data transmission between the VPC and the transit router.

        We recommend that you select a vSwitch in each zone to reduce network latency and improve network performance because data can be transmitted over a shorter distance.

      For more information, see Create a VPC connection.

      Advanced Settings

      By default, the system automatically enables the following advanced features.

      • Associate with Default Route Table of Transit Router

        After this feature is enabled, the VPC connection is automatically associated with the default route table of the transit router. The transit router forwards the traffic of the VPC based on the default route table.

      • Propagate System Routes to Default Route Table of Transit Router

        After this feature is enabled, the system routes of the VPC are advertised to the default route table of the transit router. This way, the VPC can communicate with other network instances that are connected to the transit router.

      • Automatically Creates Route That Points to Transit Router and Adds to All Route Tables of Current VPC

        After this feature is enabled, the system automatically adds the following three routes to all route tables of the VPC: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. The next hops of the routes point to the VPC. The routes are used to forward IPv4 traffic from the VPC to the transit router. By default, transit routers do not advertise routes to VPCs.

        Important
        • If such a route is already in the route table of the VPC, the system cannot advertise this route. You must manually add a route that points to the VPC connection to the route table of the VPC. Otherwise, network communication cannot be established between the VPC and the transit router. To check whether such routes exist, click Check Route below Advanced Settings.

        • To allow IPv6 traffic to enter the VPC and be forwarded, you must enable route synchronization for the VPC connection, or manually add IPv6 route entries that point to the VPC connection to the route table after the connection is created.

      The default settings are used in this example.

  3. Attach the VBR to the CEN instance.

    1. On the Connection with Peer Network Instance page, configure the following parameters and click OK:

      Parameter

      Description

      Network Type

      Select the type of network instance that you want to attach.

      In this example, Virtual Border Router (VBR) is selected.

      Region

      Select the region where the network instance is deployed.

      In this example, the China (Hangzhou) region is selected.

      Transit Router

      The transit router in the selected region is displayed.

      Resource Owner ID

      Select the Alibaba Cloud account to which the network instance belongs.

      In this example, Current Account is selected.

      Attachment Name

      Enter a name for the network connection.

      In this example, VBR-test is used.

      Network Instance

      Select the ID of the network instance that you want to attach.

      In this example, the VBR created in Step 1 is selected.

      Advanced Settings

      By default, the system automatically enables the following advanced features.

      • Associate with Default Route Table of Transit Router

        After this feature is enabled, the VBR connection is automatically associated with the default route table of the transit router. The transit router forwards the traffic of the VBR based on the default route table.

      • Propagate System Routes to Default Route Table of Transit Router

        After this feature is enabled, the system routes of the VBR are advertised to the default route table of the transit router. This way, the VBR can communicate with other network instances that are connected to the transit router.

      • Propagate Routes to VBR

        After this feature is enabled, the system automatically advertises the routes in the transit router route table that is associated with the VBR connection to the VBR.

      The default settings are used in this example.

Step 3: Deploy a VPN gateway

After you complete the preceding steps, the data center is connected to VPC1 over a private connection. However, the private connection is not encrypted. To encrypt the private connection, you must deploy a VPN gateway in VPC1.

  1. Create a VPN gateway.

    1. Log on to the VPN Gateway console.

    2. In the top navigation bar, select the region where you want to create the VPN gateway.

      The VPN gateway and the VPC to be associated must belong to the same region. In this example, the China (Hangzhou) region is selected.

    3. On the VPN Gateways page, click Create VPN Gateway.

    4. On the buy page, configure the following parameters, click Buy Now, and then complete the payment.

      Parameter

      Description

      Name

      Enter a name for the VPN gateway.

      In this example, VPNGateway1 is entered.

      Region

      Select the region where you want to deploy the VPN gateway.

      In this example, the China (Hangzhou) region is selected.

      Gateway Type

      Select the type of the VPN gateway.

      In this example, Standard is selected.

      Network Type

      Select the network type of the VPN gateway.

      Private is selected in this example.

      Tunnels

      The tunnel mode supported by IPsec-VPN connections in the region is displayed.

      VPC

      Select the VPC with which you want to associate the VPN gateway.

      In this example, VPC1 is selected.

      VSwitch

      Select a vSwitch from VPC1.

      • If you select Single-tunnel, you need to specify only one vSwitch.

      • If you select Dual-tunnel, you need to specify two vSwitches.

        After the IPsec-VPN feature is enabled, the system creates an elastic network interface (ENI) for each of the two vSwitches as an interface to communicate with the VPC over an IPsec-VPN connection. Each ENI occupies one IP address in the vSwitch.

      Note
      • The system selects a vSwitch by default. You can change or use the default vSwitch.

      • After a VPN gateway is created, you cannot modify the vSwitch associated with the VPN gateway. You can view the vSwitch associated with the VPN gateway, the zone to which the vSwitch belongs, and the ENI in the vSwitch on the details page of the VPN gateway.

      vSwitch 2

      Select another vSwitch from VPC1.

      Ignore this parameter if you select Single-tunnel.

      Maximum Bandwidth

      Select a maximum bandwidth value for the VPN gateway. Unit: Mbit/s.

      Traffic

      Select a billing method for the VPN gateway. Default value: Pay-by-data-transfer.

      For more information, see Billing.

      IPsec-VPN

      Private VPN gateways support only the IPsec-VPN feature.

      In this example, the default value Enable is selected for the IPsec-VPN feature.

      Duration

      Select a billing cycle. Default value: By Hour.

      Service-linked Role

      Click Create Service-linked Role. Then, the system automatically creates the service-linked role AliyunServiceRoleForVpn.

      The VPN gateway assumes this role to access other cloud resources. For more information, see AliyunServiceRoleForVpn.

      If Created is displayed, the service-linked role is created and you do not need to create it again.

    5. Return to the VPN Gateways page, check and record the private IP address of the VPN gateway that you created. This IP address is used when you configure IPsec-VPN connections.

      A newly created VPN gateway is in the Preparing state. After about 1 to 5 minutes, it enters the Normal state. The Normal state indicates that the VPN gateway is initialized and ready for use.

  2. Create a customer gateway.

    1. In the left-side navigation pane, choose Interconnections > VPN > Customer Gateways.

    2. On the Customer Gateway page, click Create Customer Gateway.

    3. In the Create Customer Gateway panel, set the following parameters and click OK.

      The following content describes only the key parameters. For more information, see Create a customer gateway.

      • Name: Enter a name for the customer gateway.

        In this example, Customer-Gateway is entered.

      • IP Address: Enter the VPN IP address of the on-premises device to be connected to the VPN gateway.

        In this example, 192.168.0.251 is entered.

      • ASN: Enter the ASN of the on-premises gateway device.

        In this example, 65530 is entered.

  3. Create an IPsec-VPN connection.

    1. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

    2. On the IPsec-VPN connection page, click Create IPsec-VPN Connection.

    3. On the Create IPsec Connection page, set the parameters for the IPsec-VPN connection, and click OK.

      The following table describes only the key parameters. For more information, see Create and manage IPsec-VPN connections in single-tunnel mode.

      Parameter

      Description

      Name

      The name of the IPsec-VPN connection.

      In this example, IPsecConnection1 is entered.

      VPN Gateway

      The VPN gateway that you created.

      In this example, VPNGateway1 is selected.

      Customer Gateway

      The customer gateway that you created.

      In this example, Customer-Gateway is selected.

      Routing Mode

      The routing mode.

      In this example, Destination Routing Mode is selected.

      Effective Immediately

      Specifies whether to immediately start negotiations for the connection. Valid values:

      • Yes: immediately starts negotiations after the configuration is complete.

      • No: starts negotiations when inbound traffic is detected.

      In this example, Yes is selected.

      Pre-Shared Key

      The pre-shared key.

      If you do not enter a value, the system generates a random 16-bit string as the pre-shared key.

      Important

      Make sure that the on-premises gateway device and the IPsec-VPN connection use the same pre-shared key.

      In this example, fddsFF123**** is entered.

      Encryption Configuration

      In this example, ikev2 is selected for the Version parameter in the IKE Configurations section. The default values are used for the other parameters.

      BGP Configuration

      Specifies whether to enable BGP. In this example, BGP is enabled. Configure the following parameters:

      • Tunnel CIDR Block: the CIDR block of the IPsec tunnel.

        The CIDR block must fall within 169.254.0.0/16. The subnet mask of the CIDR block must be 30 bits in length.

        In this example, 169.254.10.0/30 is entered.

      • Local BGP IP address: the BGP IP address on the VPN gateway side.

        This IP address must fall within the CIDR block of the tunnel.

        In this example, 169.254.10.1 is entered. The BGP IP address on the data center side is 169.254.10.2.

      • Local ASN: the ASN on the VPN gateway side.

        In this example, 65531 is entered.

        Note

        We recommend that you use a private ASN to establish a connection to the data center over BGP. Refer to the relevant documentation for the valid range of a private ASN.

      Health Check

      In this example, the default settings are used.

    4. After you create an IPsec-VPN connection, click OK in the Established dialog box.

  4. Enable automatic BGP advertising for the VPN gateway.

    After automatic BGP advertising is enabled and a peering connection is established between the VPN gateway and the on-premises gateway device, the VPN gateway learns and advertises the CIDR block of the data center to VPC1. The VPN gateway also advertises the routes in the system route table of VPC1 to the on-premises gateway device.

    1. In the left-side navigation pane, choose Interconnections > VPN > VPN Gateways.

    2. On the VPN Gateways page, find the VPN gateway that you want to manage and enable the automatic route advertisement feature in the Enable Automatic Route Advertisement column.

  5. Download the IPsec configurations of the on-premises gateway device.

    1. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

    2. On the IPsec Connections page, find IPsecConnection1 and click Generate Peer Configuration in the Actions column.

      Save the downloaded IPsec configurations on your client.

  6. Add VPN configurations, BGP configurations, and static routes to the on-premises gateway device.

    Add VPN configurations, BGP configurations, and static routes to the on-premises gateway device based on the IPsec configurations that you downloaded.

    The following configurations are for reference only. The commands may vary based on the network device vendor. Contact the vendor to obtain the information about specific commands.

    1. Open the command-line interface (CLI) of the gateway device.

    2. Run the following commands to configure an IKEv2 proposal and policy:

      crypto ikev2 proposal alicloud  
      encryption aes-cbc-128          //Configure the encryption algorithm. In this example, aes-cbc-128 is used. 
      integrity sha1                  //Configure the authentication algorithm. In this example, sha1 is used. 
      group 2                         //Configure the DH group. In this example, group 2 is used. 
      exit
      !
      crypto ikev2 policy Pureport_Pol_ikev2
      proposal alicloud
      exit
      !
    3. Run the following command to configure an IKEv2 keyring:

      crypto ikev2 keyring alicloud
      peer alicloud
      address 10.0.0.167               //Configure the private IP address of the VPN gateway. In this example, 10.0.0.167 is used. 
      pre-shared-key fddsFF123****     //Configure the pre-shared key. In this example, fddsFF123**** is used. 
      exit
      !
    4. Run the following command to configure an IKEv2 profile:

      crypto ikev2 profile alicloud
      match identity remote address 10.0.0.167 255.255.255.255    //Configure the private IP address of the VPN gateway. In this example, 10.0.0.167 is used. 
      identity local address 192.168.0.251    //Configure the VPN IP address of the data center. In this example, 192.168.0.251 is used. 
      authentication remote pre-share   //Set the authentication mode for the VPC to PSK (pre-shared key). 
      authentication local pre-share    //Set the authentication mode of the data center to PSK. 
      keyring local alicloud            //Invoke the IKEv2 keyring. 
      exit
      !
    5. Run the following command to configure a transform set:

      crypto ipsec transform-set TSET esp-aes esp-sha-hmac
      mode tunnel
      exit
      !
    6. Run the following command to configure an IPsec profile, and invoke the transform set, Perfect Forward Secrecy (PFS), and the IKEv2 profile:

      crypto ipsec profile alicloud
      set transform-set TSET
      set pfs group2
      set ikev2-profile alicloud
      exit
      !
    7. Run the following commands to configure the IPsec tunnel:

      interface Tunnel100
      ip address 169.254.10.2 255.255.255.252    //Configure the tunnel address for the data center. In this example, 169.254.10.2 is used. 
      tunnel source GigabitEthernet1
      tunnel mode ipsec ipv4
      tunnel destination 10.0.0.167              //Configure the private IP address of the VPN gateway. In this example, 10.0.0.167 is used. 
      tunnel protection ipsec profile alicloud
      no shutdown
      exit
      !
      interface GigabitEthernet1                 //Configure the IP address of the interface that is used to connect to the VPN gateway. 
      ip address 192.168.0.251 255.255.255.0
      negotiation auto
      !
    8. Run the following command to configure BGP:

      Important

      To ensure that traffic from the VPC to the data center is routed to the encrypted tunnel of the VPN gateway, you must advertise a CIDR block that is smaller than the CIDR block of the data center in the BGP configurations of the on-premises gateway device.

      In this example, the CIDR block of the data center is 192.168.0.0/16. Therefore, you must advertise a CIDR block that is smaller than 192.168.0.0/16 in the BGP configurations of the on-premises gateway device. In this example, 192.168.1.0/24 is advertised.

      router bgp 65530                         //Enable BGP and configure the BGP ASN of the data center. In this example, 65530 is used. 
      bgp router-id 169.254.10.2               //Specify the ID of the BGP router. In this example, 169.254.10.2 is used. 
      bgp log-neighbor-changes
      neighbor 169.254.10.1 remote-as 65531    //Configure the ASN of the BGP peer. In this example, the BGP ASN of the VPN gateway 65531 is used. 
      neighbor 169.254.10.1 ebgp-multihop 10   //Set the EBGP hop-count to 10.   
      !
      address-family ipv4
      network 192.168.1.0 mask 255.255.255.0   //Advertise the CIDR block of the data center. In this example, 192.168.1.0/24 is advertised. 
      neighbor 169.254.10.1 activate           //Activate the BGP peer. 
      exit-address-family
      !
    9. Run the following command to configure a static route:

      ip route 10.0.0.167 255.255.255.255 10.0.0.2  //Route traffic from the data center to the VPN gateway to the Express Connect circuit.

Step 4: Configure routes for the VPC and the VBR

After you complete the preceding steps, an encrypted tunnel can be established between the on-premises gateway device and the VPN gateway. You must configure routes for the VPC and the VBR to route traffic to the encrypted tunnel when the data center communicates with Alibaba Cloud.

  1. Add a custom route to VPC1.

    1. Log on to the VPC console.

    2. In the left-side navigation pane, click Route Tables.

    3. In the top navigation bar, select the region to which the route table belongs.

      In this example, the China (Hangzhou) region is selected.

    4. On the Route Tables page, find the route table that you want to manage and click its ID.

      In this example, the ID of the system route table of VPC1 is clicked.

    5. On the Route Entry List tab, click the Custom Route tab, and then click Add Route Entry.

    6. In the Add Route Entry panel, configure the following parameters and click OK.

      Parameter

      Description

      Name

      Enter a name for the custom route.

      Destination CIDR Block

      Enter the destination CIDR block of the custom route.

      In this example, IPv4 CIDR Block is selected and the VPN IP address of the on-premises gateway device is used, which is 192.168.0.251/32.

      Next Hop Type

      Select the type of the next hop.

      In this example, Transit Router is selected.

      Transit Router

      Select the next hop of the custom route.

      In this example, VPC1-test is selected.

  2. Add a custom route for the VBR.

    1. Log on to the Express Connect console.

    2. In the left-side navigation pane, click Virtual Border Routers (VBRs).

    3. In the top navigation bar, select the region where the VBR is deployed.

      In this example, the China (Hangzhou) region is selected.

    4. On the Virtual Border Routers (VBRs) page, click the ID of the VBR that you want to manage.

    5. Click the Routes tab and click Add Route.

    6. In the Add Route Entry panel, set the following parameters and click OK.

      Parameter

      Description

      Next Hop Type

      The next hop type. Select Physical Connection Interface.

      Destination CIDR block

      The VPN IP address of the on-premises gateway device.

      In this example, 192.168.0.251/32 is entered.

      Next Hop

      The next hop. Select the Express Connect circuit created in Step 1.
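As an added example (not part of this topic or of Alibaba Cloud's own tooling), the following Python script simulates the longest-prefix-match lookup in the VPC1 system route table after Steps 1 to 4, checks the tunnel CIDR rules stated in Step 3, and checks that the prefix advertised over BGP is more specific than the data center CIDR block carried by the VBR static route. The route entries and next-hop labels are constructed from the CIDR plan in this topic; the reading that the 192.168.0.251/32 custom route keeps IPsec traffic to the peer off the tunnel itself is an assumption of this example.

```python
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[str, str]  # (destination CIDR block, next hop label)

# Constructed view of the VPC1 system route table after Steps 1 to 4 of this
# topic. Next hop labels are illustrative; they are not console values.
VPC1_ROUTES: List[Route] = [
    ("10.0.0.0/16", "local"),                          # VPC1 primary CIDR block
    ("192.168.0.0/16", "transit-router VPC1-test"),    # VBR static route, propagated through CEN
    ("192.168.1.0/24", "vpn-gateway VPNGateway1"),     # Subnet2, learned over BGP (automatic advertising)
    ("192.168.0.251/32", "transit-router VPC1-test"),  # Step 4 custom route for the on-premises VPN IP
]

VPN_PEER_IP = "192.168.0.251"  # VPN IP address of the on-premises gateway device


def lookup(routes: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for cidr, hop in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


def peer_reachable_outside_tunnel(routes: List[Route], peer_ip: str) -> bool:
    """IPsec packets to the peer must not be routed into the tunnel they carry.
    Returns False when the peer's VPN IP resolves to the VPN gateway itself
    (assumed failure mode: this is what the /32 custom route guards against)."""
    hop = lookup(routes, peer_ip)
    return hop is not None and not hop.startswith("vpn-gateway")


def check_tunnel_plan(tunnel_cidr: str, local_bgp_ip: str, peer_bgp_ip: str) -> List[str]:
    """Validate BGP tunnel parameters against the constraints stated in Step 3."""
    problems: List[str] = []
    try:
        net = ipaddress.ip_network(tunnel_cidr, strict=True)
    except ValueError as exc:
        return [f"invalid tunnel CIDR block: {exc}"]
    if not net.subnet_of(ipaddress.ip_network("169.254.0.0/16")):
        problems.append("tunnel CIDR block must fall within 169.254.0.0/16")
    if net.prefixlen != 30:
        problems.append("tunnel CIDR block mask must be 30 bits long")
    hosts = list(net.hosts())
    for ip in (local_bgp_ip, peer_bgp_ip):
        if ipaddress.ip_address(ip) not in hosts:
            problems.append(f"{ip} is not a usable host address in {tunnel_cidr}")
    if local_bgp_ip == peer_bgp_ip:
        problems.append("local and peer BGP IP addresses must differ")
    return problems


def bgp_prefix_more_specific(advertised: str, data_center_cidr: str) -> bool:
    """The prefix advertised over BGP must be a proper subnet of the data
    center CIDR block carried by the VBR static route; otherwise the tunnel
    route never wins longest-prefix match and traffic stays unencrypted."""
    adv = ipaddress.ip_network(advertised)
    dc = ipaddress.ip_network(data_center_cidr)
    return adv.subnet_of(dc) and adv.prefixlen > dc.prefixlen


if __name__ == "__main__":
    for dst in ("192.168.1.1", "192.168.0.10", VPN_PEER_IP, "10.0.1.2"):
        print(f"{dst:16} -> {lookup(VPC1_ROUTES, dst)}")
    print("peer reachable outside tunnel:", peer_reachable_outside_tunnel(VPC1_ROUTES, VPN_PEER_IP))
    print("tunnel plan problems:", check_tunnel_plan("169.254.10.0/30", "169.254.10.1", "169.254.10.2"))
    print("BGP prefix more specific:", bgp_prefix_more_specific("192.168.1.0/24", "192.168.0.0/16"))
```

Note that only Subnet2 (192.168.1.0/24) resolves to the VPN gateway; addresses in Subnet1 still follow the unencrypted VBR route, which is exactly why the Important note in Step 3 requires a more specific BGP prefix for every subnet that must be encrypted.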

Step 5: Check the network connectivity

After you complete the preceding steps, the data center can communicate with VPC1 over private and encrypted connections. The following content describes how to check the connectivity between the data center and VPC1, and check whether the private connection is encrypted by the VPN gateway.

  1. Check the network connectivity.

    1. Log on to ECS 1. For more information, see Connect to an ECS instance.

    2. Run the ping command to ping a client in the data center to check the network connectivity between the data center and VPC1.

      ping <the IP address of a client in the data center>

      If an echo reply packet is returned, the data center is connected to VPC1.

  2. Check whether the private connection is encrypted.

    If you can view the monitoring data of data transfer on the details page of the IPsec-VPN connection, it indicates that the private connection is encrypted.

    1. Log on to the VPN Gateway console.

    2. In the top navigation bar, select the region where the VPN gateway is deployed.

      In this example, the China (Hangzhou) region is selected.

    3. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

    4. On the IPsec Connections page, find the IPsec-VPN connection that you created in Step 3 and click its ID.

      Go to the details page of the IPsec-VPN connection to view the monitoring data of data transfer.