If an on-premises gateway device in your data center has multiple public IP addresses, you can use two of them to create active/standby IPsec-VPN connections to a virtual private cloud (VPC). The two IPsec-VPN connections ensure network connectivity between the data center and the VPC.
Scenarios
The following figure shows the scenario that is used in this example. An enterprise owns a data center in Hangzhou and has a VPC deployed in the China (Hangzhou) region. Applications are deployed on Elastic Compute Service (ECS) instances in the VPC. The enterprise wants to enable the data center to access the VPC over multiple encrypted connections to ensure data security and network redundancy.
An on-premises gateway device in the data center has multiple public IP addresses. The enterprise can use two of them to create two IPsec-VPN connections between the data center and VPC. This ensures the security of data transmission between the data center and VPC and also implements network redundancy.
Networking
Network settings
Networking requirements in this scenario:
A public VPN gateway is created.
The two IPsec-VPN connections are attached to the same VPN gateway.
The VPN gateway uses static routing. You can set route priorities to specify active and standby connections.
Health checks are enabled on both IPsec-VPN connections so that the VPN gateway continuously tests their availability.
If the active IPsec-VPN connection fails the configured number of consecutive health checks, the route over the standby IPsec-VPN connection takes effect automatically.
Networking
When you allocate CIDR blocks, make sure that the CIDR block of the data center and the CIDR block of the VPC do not overlap.
Item | CIDR block and IP address
VPC | Primary CIDR block: 172.16.0.0/16
VPN gateway | Public IP address: 46.XX.XX.21 (shown in the peer configuration downloaded in Step 3)
On-premises gateway device | Public IP address 1: 118.XX.XX.20 (used for the active connection); Public IP address 2: 120.XX.XX.40 (used for the standby connection)
On-premises data center | CIDR block used to communicate with the VPC: 192.168.0.0/24
Preparations
Make sure that the following prerequisites are met before you start:
A VPC is deployed in the China (Hangzhou) region and applications are deployed on the ECS instances in the VPC. For more information, see Create a VPC with an IPv4 CIDR block.
The gateway device in the data center supports the IKEv1 and IKEv2 protocols. Gateway devices that support these protocols can connect to VPN gateways.
You have read and understand the security group rules that apply to the ECS instances in VPCs, and the security group rules allow gateway devices in the data center to access cloud resources. For more information, see View security group rules and Add a security group rule.
Procedure
Step 1: Create a VPN gateway
You must create a VPN gateway and enable IPsec-VPN for the VPN gateway before you can create IPsec-VPN connections.
Log on to the VPN Gateway console.
In the top navigation bar, select the region where you want to create the VPN gateway.
The VPN gateway and the VPC to be associated must belong to the same region. China (Hangzhou) is selected in this example.
On the VPN Gateways page, click Create VPN Gateway.
On the buy page, set the following parameters, click Buy Now, and then complete the payment.
Parameter | Description
Name | Enter a name for the VPN gateway. In this example, VPN Gateway 1 is used.
Region | Select the region where you want to deploy the VPN gateway. China (Hangzhou) is selected in this example.
Gateway Type | Select a gateway type for the VPN gateway. In this example, Standard is selected.
Network Type | Select a network type for the VPN gateway. Public is selected in this example.
Tunnels | The tunnel modes supported in the region are automatically displayed.
VPC | Select the VPC with which you want to associate the VPN gateway. In this example, the VPC that you created is selected.
VSwitch | Select a vSwitch from the selected VPC. If you select Single-tunnel, specify one vSwitch; if you select Dual-tunnel, specify two vSwitches. The system selects a vSwitch by default, which you can keep or change. After the VPN gateway is created, its vSwitch cannot be changed; the associated vSwitch and its zone are shown on the details page of the VPN gateway.
vSwitch 2 | Select another vSwitch from the selected VPC. Ignore this parameter if you select Single-tunnel.
Maximum Bandwidth | Select a maximum bandwidth value for the VPN gateway. Unit: Mbit/s.
Traffic | Select a billing method for the VPN gateway. Default value: Pay-by-data-transfer. For more information, see Billing.
IPsec-VPN | Specify whether to enable the IPsec-VPN feature. In this example, the default value Enable is selected.
SSL-VPN | Specify whether to enable the SSL-VPN feature. In this example, the default value Disable is selected.
Duration | Select a billing cycle. Default value: By Hour.
Service-linked Role | Click Create Service-linked Role. The system then creates the service-linked role AliyunServiceRoleForVpn, which the VPN gateway assumes to access other cloud resources. For more information, see AliyunServiceRoleForVpn. If Created is displayed, the role already exists and you do not need to create it again.
Return to the VPN Gateways page to view the VPN gateway.
After you create a VPN gateway, it is in the Preparing state. After 1 to 5 minutes, the VPN gateway changes to the Normal state. After the VPN gateway changes to the Normal state, the VPN gateway is ready for use.
Step 2: Create two customer gateways
You must create customer gateways and register the gateway information on Alibaba Cloud before you can create IPsec-VPN connections.
In the left-side navigation pane, choose .
In the top navigation bar, select the region where you want to create the customer gateways.
NoteMake sure that the customer gateways and the VPN gateway created in Step 1 are deployed in the same region.
On the Customer Gateways page, click Create Customer Gateway.
In the Create Customer Gateway panel, set the following parameters and click OK.
The following table lists the public IP addresses with which the two customer gateways are associated. Parameters not listed in the following table use the default values. For more information, see Create a customer gateway.
Parameter | Description | Customer Gateway 1 | Customer Gateway 2
Name | Enter a name for the customer gateway. | Customer1 | Customer2
IP Address | Enter the public IP address of the customer gateway. | 118.XX.XX.20 (Public IP address 1 of the on-premises gateway device) | 120.XX.XX.40 (Public IP address 2 of the on-premises gateway device)
Step 3: Create two IPsec-VPN connections
After you create customer gateways, you must create IPsec-VPN connections to connect the on-premises gateway device to the VPN gateway.
In the left-side navigation pane, choose .
In the top navigation bar, select the region where you want to create the IPsec-VPN connections.
NoteThe IPsec-VPN connections must be created in the same region as the VPN gateway created in Step 1.
On the IPsec Connections page, click Create IPsec Connection.
On the Create IPsec-VPN Connection page, set the parameters for the IPsec-VPN connection, and click OK.
The following table describes the parameters of the IPsec-VPN connections. Parameters not listed in the following table use the default values. For more information, see Create and manage IPsec-VPN connections in single-tunnel mode.
Parameter | Description | IPsec-VPN Connection 1 | IPsec-VPN Connection 2
Name | Enter a name for the IPsec-VPN connection. | IPsec-VPN Connection 1 | IPsec-VPN Connection 2
Associate Resource | Select the type of network resource that you want to associate with the IPsec-VPN connection. | VPN Gateway | VPN Gateway
VPN Gateway | Select the VPN gateway that you created in Step 1. | VPN Gateway 1 | VPN Gateway 1
Customer Gateway | Select the customer gateway that you created in Step 2. Each connection uses a different customer gateway, which is what binds it to a different public IP address of the on-premises gateway device. | Customer1 | Customer2
Routing Mode | Select a routing mode. | Destination Routing Mode | Destination Routing Mode
Effective Immediately | Specify whether to start IPsec negotiations immediately. Yes: negotiations start as soon as the configuration takes effect. No: negotiations start only when inbound traffic is detected. | No | No
Pre-shared Key | Enter the pre-shared key used to authenticate the on-premises gateway device. The key must be 1 to 100 characters in length; the permitted characters are listed below the table. If you do not specify a key, the system generates a random 16-character key, which you can view by clicking Edit after the connection is created. For more information, see Modify an IPsec-VPN connection. | fddsFF123**** | fddsFF123****
Encryption Configuration | Configure IKE and IPsec settings based on your business requirements. | IKEv1; the other parameters use the default values. | IKEv1; the other parameters use the default values.
BGP Configuration | Specify whether to enable BGP. | Default value (BGP is disabled). | Default value (BGP is disabled).
Health Check | Specify whether to enable the health check feature. Destination IP Address: an IP address on the data center side that the VPC can reach over this connection. Source IP Address: an IP address on the VPC side that the data center can reach over this connection. Retry Interval: the interval between two consecutive health checks, in seconds (default 3). Number of Retries: the number of consecutive failed checks after which the connection is considered unavailable (default 3). | Enabled. Destination IP Address: 192.168.0.1; Source IP Address: 172.16.10.1; Retry Interval: 3; Number of Retries: 3 | Enabled. Destination IP Address: 192.168.0.2; Source IP Address: 172.16.20.1; Retry Interval: 3; Number of Retries: 3
The pre-shared key can contain digits, letters, and the following characters: ~ ` ! @ # $ % ^ & * ( ) _ - + = { } [ ] \ | ; : ' , . < > / ?
Important: The pre-shared key must be identical on both sides. Otherwise, the IPsec-VPN connection cannot be established. The masked value fddsFF123**** is only a placeholder for this example; use a long, randomly generated key, and treat it as a secret, because anyone who holds it can authenticate to the VPN gateway as your data center.
In the Created dialog box, click OK.
Return to the IPsec Connections page. For each of the two IPsec-VPN connections, find the connection and click Download Peer Configuration in the Actions column.
Save the peer configurations of IPsec-VPN Connection 1 and IPsec-VPN Connection 2 to your on-premises machine. They contain the VPN gateway public IP address, the pre-shared key, and the negotiated IKE and IPsec parameters, and are used in Step 5 to configure the on-premises gateway device.
Step 4: Add routes to the VPN gateway
You need to configure routes to route VPC traffic destined for the data center to the IPsec-VPN connections.
In the left-side navigation pane, choose .
In the top navigation bar, select the region of the VPN gateway.
On the VPN Gateway page, find the VPN gateway that you want to manage and click its ID.
On the Destination-based Route Table tab, click Add Route Entry.
In the Add Route Entry panel, set the following parameters and click OK. Repeat this step to add the second route.
The following table describes the two routes added to the VPN gateway. Both routes point to the same destination CIDR block; the route weight is what designates the active and standby IPsec-VPN connections.
Parameter | Description | Route 1 | Route 2
Destination CIDR Block | Enter the destination CIDR block. | 192.168.0.0/24 (the CIDR block that the data center uses to communicate with the VPC) | 192.168.0.0/24
Next Hop Type | Select the next hop type. | IPsec Connection | IPsec Connection
Next Hop | Select a next hop. | IPsec-VPN Connection 1 | IPsec-VPN Connection 2
Publish to VPC | Specify whether to advertise the route to the VPC that is associated with the VPN gateway. | Yes | Yes
Weight | Select a weight for the route. 100 specifies a high priority (active); 0 specifies a low priority (standby). | 100 (Active) | 0 (Standby)
Important: You must specify different weights for the two routes to designate the active and standby routes. You cannot set the weights of both routes to 100 or to 0.
Step 5: Configure the on-premises gateway device
After you complete the preceding steps in the console, you must add the VPN, route, and health check settings to the on-premises gateway device. Otherwise, the IPsec-VPN connections cannot be established between the on-premises gateway device and the VPN gateway. After these settings are in place, traffic destined for the VPC is transmitted over the active IPsec-VPN connection, and the standby IPsec-VPN connection automatically takes over if the active one fails.
The following configurations are for reference only, and the commands vary by vendor: the VPN commands in the first substep use Cisco IOS-style syntax, while the route and health check commands in the second and third substeps use H3C Comware-style syntax, so adapt them to your device rather than pasting both as-is. Contact the vendor to obtain the specific commands.
Add VPN configurations to the on-premises gateway device.
Add the VPN configurations based on the IPsec peer configurations downloaded in Step 3.
Open the command-line interface (CLI) of the gateway device.
Create an ISAKMP policy.
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
These values match the IKEv1 defaults selected in Step 3. SHA-1 and DH group 2 (1024-bit MODP) are legacy choices; if the gateway device supports them, prefer IKEv2, SHA-256, and DH group 14 or higher, and select the same values in Encryption Configuration in Step 3 so that both sides can negotiate.
Set the pre-shared key. 46.XX.XX.21 is the public IP address of the VPN gateway; both IPsec-VPN connections terminate on it, so a single key entry covers both.
crypto isakmp key fddsFF123**** address 46.XX.XX.21
Configure the IPsec protocol.
crypto ipsec transform-set ipsecpro64 esp-aes esp-sha-hmac
 mode tunnel
Create network access control lists (ACLs) to specify the inbound and outbound traffic flows to be encrypted. The ACL must cover the entire VPC CIDR block 172.16.0.0/16 (wildcard mask 0.0.255.255). A /24 wildcard (0.0.0.255) would leave the health check source IP addresses 172.16.10.1 and 172.16.20.1 unencrypted, and the health checks would fail.
Note: If multiple CIDR blocks are configured on the on-premises gateway device, you must create an ACL entry for each CIDR block.
access-list 100 permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.255.255
Create an IPsec policy.
crypto map ipsecpro64 10 ipsec-isakmp
 set peer 46.XX.XX.21
 set transform-set ipsecpro64
 set pfs group2
 match address 100
Apply the IPsec policy to both interfaces, so that each public IP address establishes its own connection to the VPN gateway. GigabitEthernet1 is the interface that uses Public IP Address 1 (118.XX.XX.20), and GigabitEthernet2 is the interface that uses Public IP Address 2 (120.XX.XX.40).
interface GigabitEthernet1
 crypto map ipsecpro64
interface GigabitEthernet2
 crypto map ipsecpro64
Configure routes and health checks on the on-premises gateway device.
The routes send traffic destined for the VPC over the active IPsec-VPN connection. The health check is an NQA ICMP probe that the active route tracks; when the probe fails twice in a row, the active route is withdrawn and the standby route takes over. The nqa entry line opens the probe entry that the schedule and track commands below refer to.
nqa entry admin test
 type icmp-echo
  destination ip 46.XX.XX.21
  frequency 5000
  reaction 1 checked-element probe-fail threshold-type consecutive 2 action-type trigger-only
nqa schedule admin test start-time now lifetime forever
track 1 nqa entry admin test reaction 1
ip route-static 172.16.0.0 16 118.XX.XX.20 track 1 preference 40
ip route-static 172.16.0.0 16 120.XX.XX.40
In these commands, 46.XX.XX.21 is the public IP address of the VPN gateway, 172.16.0.0/16 is the CIDR block of the VPC, 118.XX.XX.20 is the public IP address that the on-premises gateway device uses for the active IPsec-VPN connection, and 120.XX.XX.40 is the public IP address that it uses for the standby IPsec-VPN connection. The active route is given preference 40, which wins over the default preference of 60 assigned to the standby route (a lower value is preferred in this syntax), and it is withdrawn while track 1 reports the probe as failed. With a 5-second frequency and two consecutive failures, the on-premises side detects a failure in about 10 seconds; the cloud-side health check from Step 3 (3 retries at 3-second intervals) detects it in about 9 seconds. Note that this probe tests reachability of the VPN gateway's public IP address, not traffic inside the tunnel; the cloud-side health check is what exercises the encrypted path.
Add reverse routes to the on-premises gateway device for the health checks.
The VPN gateway sends the health check probes for each connection from that connection's Source IP Address (172.16.10.1 for IPsec-VPN Connection 1 and 172.16.20.1 for IPsec-VPN Connection 2) and expects the replies to return over the same connection. Add a route for each Source IP Address with a 32-bit subnet mask and the public IP address used by that connection as the next hop. These /32 routes are more specific than the 172.16.0.0/16 route, so replies to the standby connection's probes are not pulled onto the active connection, which would otherwise cause the standby health check to fail.
ip route-static 172.16.10.1 32 118.XX.XX.20
ip route-static 172.16.20.1 32 120.XX.XX.40
The first route is the reverse route for IPsec-VPN Connection 1, and the second is the reverse route for IPsec-VPN Connection 2.
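The values in Steps 3, 4, and 5 have to agree with each other: the CIDR blocks must not overlap, the health check source and destination addresses must sit on the correct side, exactly one route must be active, and the on-premises ACL and reverse routes must be derived from the same plan. The following Python script is an added example, not Alibaba Cloud documentation or vendor tooling. It encodes those checks and emits the plan-dependent lines of the on-premises configuration in the Cisco IOS-style (ACL) and H3C Comware-style (routes) syntax used above. Because the public IP addresses are masked on this page, RFC 5737 documentation addresses stand in for them as an assumption: 198.51.100.20 for 118.XX.XX.20, 203.0.113.40 for 120.XX.XX.40, and 192.0.2.21 for 46.XX.XX.21.

```python
"""Consistency check for the active/standby IPsec-VPN plan on this page.

Added example, not Alibaba Cloud or vendor code. The public IP addresses are
masked on the page, so RFC 5737 documentation addresses stand in for them
(assumption): 198.51.100.20 = 118.XX.XX.20, 203.0.113.40 = 120.XX.XX.40,
192.0.2.21 = 46.XX.XX.21.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    name: str
    customer_gateway_ip: str   # on-premises public IP bound to this tunnel (Step 2)
    health_check_src: str      # VPC-side IP the VPN gateway probes from (Step 3)
    health_check_dst: str      # data-center-side IP that must answer (Step 3)
    route_weight: int          # 100 = active, 0 = standby (Step 4)


@dataclass(frozen=True)
class Plan:
    vpc_cidr: str
    dc_cidr: str
    vpn_gateway_ip: str
    connections: tuple


PLAN = Plan(
    vpc_cidr="172.16.0.0/16",
    dc_cidr="192.168.0.0/24",
    vpn_gateway_ip="192.0.2.21",
    connections=(
        Connection("IPsec-VPN Connection 1", "198.51.100.20",
                   "172.16.10.1", "192.168.0.1", 100),
        Connection("IPsec-VPN Connection 2", "203.0.113.40",
                   "172.16.20.1", "192.168.0.2", 0),
    ),
)


def validate(plan):
    """Return the list of problems; an empty list means the plan is consistent."""
    problems = []
    vpc = ipaddress.ip_network(plan.vpc_cidr)
    dc = ipaddress.ip_network(plan.dc_cidr)
    # Overlapping CIDR blocks break routing on both sides.
    if vpc.overlaps(dc):
        problems.append(f"VPC {vpc} overlaps data center {dc}")
    # Step 4: exactly one active (100) and one standby (0) route.
    weights = sorted(c.route_weight for c in plan.connections)
    if weights != [0, 100]:
        problems.append(f"route weights must be one 100 and one 0, got {weights}")
    # Public endpoints must be distinct and outside both private ranges.
    public_ips = [c.customer_gateway_ip for c in plan.connections] + [plan.vpn_gateway_ip]
    if len(set(public_ips)) != len(public_ips):
        problems.append("customer gateway and VPN gateway public IPs must be distinct")
    for ip in public_ips:
        addr = ipaddress.ip_address(ip)
        if addr in vpc or addr in dc:
            problems.append(f"public IP {addr} lies inside a private CIDR block")
    # Step 3: probe source lives in the VPC, probe destination in the data center.
    for c in plan.connections:
        src = ipaddress.ip_address(c.health_check_src)
        dst = ipaddress.ip_address(c.health_check_dst)
        if src not in vpc:
            problems.append(f"{c.name}: health check source {src} is not in VPC {vpc}")
        if dst not in dc:
            problems.append(f"{c.name}: health check destination {dst} is not in {dc}")
    return problems


def onprem_config(plan):
    """Plan-dependent lines for the on-premises device (Step 5): the crypto ACL,
    the active/standby routes to the VPC, and one /32 reverse route per probe
    source IP so that each connection's health check replies return over the
    connection that sent them."""
    vpc = ipaddress.ip_network(plan.vpc_cidr)
    dc = ipaddress.ip_network(plan.dc_cidr)
    # Cisco IOS-style ACL; the hostmask is the wildcard (0.0.255.255 for a /16).
    lines = [f"access-list 100 permit ip {dc.network_address} {dc.hostmask} "
             f"{vpc.network_address} {vpc.hostmask}"]
    # H3C Comware-style static routes; the active route is tracked and preferred.
    for c in sorted(plan.connections, key=lambda c: -c.route_weight):
        tail = " track 1 preference 40" if c.route_weight == 100 else ""
        lines.append(f"ip route-static {vpc.network_address} {vpc.prefixlen} "
                     f"{c.customer_gateway_ip}{tail}")
    for c in plan.connections:
        lines.append(f"ip route-static {c.health_check_src} 32 {c.customer_gateway_ip}")
    return lines


if __name__ == "__main__":
    for problem in validate(PLAN):
        print("PROBLEM:", problem)
    print("\n".join(onprem_config(PLAN)))
```

Run it before touching the device: an empty problem list plus the emitted ACL and route lines is what should be pasted (with the real public IP addresses substituted back); any non-empty list points at a value that must be corrected in the console or the plan first.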
Step 6: Test the network connectivity
After you complete the preceding steps, the data center can communicate with the VPC over two IPsec-VPN connections. This section describes how to test the network connectivity and check whether the IPsec-VPN connections can work as active and standby connections.
Test the network connectivity.
Log on to an ECS instance in the VPC. In this example, ECS1 is used. For more information, see Connect to an ECS instance.
Run the ping command on ECS1 to ping a client in the data center.
ping <The IP address of a client in the data center>
If you receive an echo reply packet, it indicates that the data center can communicate with the VPC.
Check whether the IPsec-VPN connections can work as active and standby connections.
Continuously send requests from a client in the data center to ECS1, for example by running ping without interruption, or use iperf3 on the client to send traffic to ECS1. For more information about how to install and use iperf3, see Test the performance of an Express Connect circuit.
Log on to the Alibaba Cloud Management Console, and check the monitoring data of the IPsec-VPN connections.
When no fault exists, only IPsec-VPN Connection 1 (the active connection) shows traffic in its monitoring data.
The following steps show how to open the details page of IPsec-VPN Connection 1:
Log on to the VPN Gateway console.
In the top navigation bar, select the region in which IPsec-VPN Connection 1 is created.
In the left-side navigation pane, choose .
On the IPsec Connections page, find IPsec-VPN Connection 1 and click its ID.
On the details page, click the Monitor tab.
Temporarily close the active IPsec-VPN connection.
You can close the active IPsec-VPN connection by disabling the interface that the on-premises gateway device uses to connect to the VPN gateway. For more information about how to disable an interface, see the user guide of the on-premises gateway device.
Log on to the Alibaba Cloud Management Console, and check the traffic monitoring data of IPsec-VPN Connection 2 (the standby connection).
After the active IPsec-VPN connection is closed, network traffic is automatically switched to the standby IPsec-VPN connection. Traffic monitoring data of IPsec-VPN Connection 2 is generated and displayed on the Monitor tab.
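The monitoring data only shows which connection carries traffic; it does not tell you how long the switchover took. The following Python script is an added example, not part of this page. It parses the output of the continuous ping from a data-center client to ECS1 (Linux iputils format assumed), reports every gap in the icmp_seq numbers as an outage, and compares the longest gap with the detection time implied by the health check settings configured above (3 retries at 3-second intervals on the cloud side, 2 consecutive failures at a 5-second frequency on the on-premises side). The ping output embedded in the script is constructed to show a 10-second gap; IKE negotiation of the standby security association, if it is not already up, adds to the detection time, which is what the slack parameter allows for.

```python
"""Measure the failover window from a continuous ping while the active
IPsec-VPN connection is shut (Step 6). Added example, not from the page.

Feed it the output of `ping -i 1 <ECS1 IP>` captured on a data-center client.
SAMPLE_PING below is constructed: replies 1-5, a gap while the connections
switch, then replies 16-18.
"""
import re

SEQ_RE = re.compile(r"icmp_seq=(\d+)")

SAMPLE_PING = """\
64 bytes from 172.16.0.10: icmp_seq=1 ttl=62 time=3.1 ms
64 bytes from 172.16.0.10: icmp_seq=2 ttl=62 time=3.0 ms
64 bytes from 172.16.0.10: icmp_seq=3 ttl=62 time=3.2 ms
64 bytes from 172.16.0.10: icmp_seq=4 ttl=62 time=3.1 ms
64 bytes from 172.16.0.10: icmp_seq=5 ttl=62 time=3.0 ms
64 bytes from 172.16.0.10: icmp_seq=16 ttl=62 time=3.4 ms
64 bytes from 172.16.0.10: icmp_seq=17 ttl=62 time=3.3 ms
64 bytes from 172.16.0.10: icmp_seq=18 ttl=62 time=3.3 ms
"""


def received_seqs(output):
    """Sequence numbers of the echo replies that actually came back."""
    return [int(m.group(1)) for m in SEQ_RE.finditer(output)]


def outages(output, interval_s=1.0):
    """Return (first_lost_seq, last_lost_seq, seconds) for each gap in the replies.
    interval_s is the ping interval, so lost packets translate into seconds."""
    seqs = received_seqs(output)
    gaps = []
    for prev, cur in zip(seqs, seqs[1:]):
        if cur > prev + 1:
            lost = cur - prev - 1
            gaps.append((prev + 1, cur - 1, lost * interval_s))
    return gaps


def detection_budget_s(retry_interval_s=3, retries=3,
                       onprem_frequency_s=5, onprem_consecutive=2):
    """Worst-case time until both sides have declared the active connection down:
    the cloud-side health check needs `retries` failed probes `retry_interval_s`
    apart (Step 3); the on-premises NQA probe needs `onprem_consecutive` failures
    `onprem_frequency_s` apart (Step 5). They run in parallel, so the slower one
    bounds the switch."""
    return max(retry_interval_s * retries, onprem_frequency_s * onprem_consecutive)


def failover_ok(output, slack_s=5.0):
    """True when every observed gap fits within the detection budget plus slack
    for the standby tunnel's IKE negotiation."""
    budget = detection_budget_s() + slack_s
    return all(seconds <= budget for _, _, seconds in outages(output))


if __name__ == "__main__":
    for first, last, seconds in outages(SAMPLE_PING):
        print(f"lost icmp_seq {first}-{last}: {seconds:.0f} s outage")
    print("budget:", detection_budget_s(), "s; failover ok:", failover_ok(SAMPLE_PING))
```

A gap much longer than the budget usually means the standby tunnel was not established before the failure (Effective Immediately set to No and no health check traffic keeping it up), or that the /32 reverse routes from Step 5 are missing and the standby health check was already failing before the switch.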