When you establish an IPsec-VPN connection between a data center and a virtual private cloud (VPC) in Alibaba Cloud, you must add VPN configurations to the gateway device in the data center after you configure the VPN gateway on Alibaba Cloud. This topic describes how to add VPN configurations to the gateway device in the data center by using strongSwan.
Sample scenario
In this example, a company has deployed a VPC on Alibaba Cloud. The CIDR block of the VPC is 10.0.0.0/16. Applications are deployed on an Elastic Compute Service (ECS) instance in the VPC. The company has a data center that needs to use the CIDR block 192.168.0.0/16 to communicate with the VPC. The company wants to establish an IPsec-VPN connection between the data center and the VPC on the cloud to implement mutual resource access.
In this sample scenario, the local gateway device on which strongSwan is to be deployed is referred to as the strongSwan device. The data center uses a public IP address of the strongSwan device to establish an IPsec-VPN connection with Alibaba Cloud in dual-tunnel mode. If you want to establish an IPsec-VPN connection in single-tunnel mode, see the Configure a strongSwan device to use a single tunnel section in this topic.
CIDR block plan and sample VPN configurations
CIDR block plan
Resource | CIDR block | IP address
--- | --- | ---
Data center | CIDR block that needs to communicate with the VPC: 192.168.0.0/16 | Server IP address: 192.168.10.198
strongSwan device | N/A | 
VPC | Primary CIDR block: 10.0.0.0/16; vSwitch 1: 10.0.10.0/24; vSwitch 2: 10.0.20.0/24 | ECS IP address: 10.0.10.250
Public VPN gateway | N/A | Note: After you create a VPN gateway, the system automatically assigns IP addresses to the VPN gateway.
Sample VPN configurations
In this example, Tunnel 1 is the active tunnel and Tunnel 2 is the standby tunnel. The two tunnels use the same sample values.
The VPN configurations on Alibaba Cloud and the strongSwan device must be the same for each tunnel.
Configuration item | Sample value on Alibaba Cloud | Sample value on the strongSwan device
--- | --- | ---
Pre-shared key (PSK) | 123456**** | 123456****
IKE configurations: IKE version | ikev2 | ikev2
IKE configurations: Negotiation mode | main | main
IKE configurations: Encryption algorithm | aes | aes
IKE configurations: Authentication algorithm | sha1 | sha1
IKE configurations: Diffie-Hellman (DH) group | group2 | group2
IKE configurations: SA lifecycle (seconds) | 86400 | 86400
IPsec configurations: Encryption algorithm | aes | aes
IPsec configurations: Authentication algorithm | sha1 | sha1
IPsec configurations: DH group | group2 | group2
IPsec configurations: SA lifecycle (seconds) | 86400 | 86400
Prerequisites
This topic describes only how to add VPN configurations to a strongSwan device. The procedure for configuring a VPN gateway on Alibaba Cloud is omitted. Before you configure the strongSwan device, make sure that you have completed the following tasks: create a VPN gateway, create a customer gateway, create an IPsec-VPN connection, and configure routing for the VPN gateway. For more information, see Connect a VPC to a data center in dual-tunnel mode.
In this scenario, the strongSwan device in the data center establishes an IPsec-VPN connection in dual-tunnel mode to Alibaba Cloud by using a public IP address. Therefore, you need to create only one customer gateway. When you create an IPsec-VPN connection, you can associate the two tunnels with the same customer gateway.
Procedure
In the following example, Alibaba Cloud Linux 3.2104 LTS 64-bit is used to describe how to configure a strongSwan device. For information about the procedure that applies if you use another operating system, see strongSwan Installation Documentation.
Go to the CLI of the strongSwan device.
Run the following command to install strongSwan:
sudo yum install -y strongswan-5.9.10
Enable traffic forwarding for the strongSwan device.
echo 1 > /proc/sys/net/ipv4/ip_forward
Important: The preceding command requires root permissions and takes effect only until the next restart. After you restart the strongSwan device, you must run the command again. If you want to enable traffic forwarding for the strongSwan device permanently, perform the following steps.
Create two virtual network interfaces for establishing IPsec-VPN tunnels.
sudo ip link add ipsec0 type xfrm dev eth0 if_id 42   # Create an XFRM virtual network interface for Tunnel 1 with the interface ID 42 and the public interface eth0 as the underlying interface.
sudo ip link add ipsec1 type xfrm dev eth0 if_id 43   # Create an XFRM virtual network interface for Tunnel 2 with the interface ID 43 and the public interface eth0 as the underlying interface.
sudo ip link set ipsec0 up   # Start the XFRM virtual network interface for Tunnel 1.
sudo ip link set ipsec1 up   # Start the XFRM virtual network interface for Tunnel 2.
Important: The preceding configuration for creating virtual network interfaces is temporary. After you restart the strongSwan device, you must add the configuration again and then run the following command, which requires root permissions:
sudo systemctl restart strongswan; swanctl --load-all
If you want to configure a script that runs on system startup to automatically create the virtual network interfaces after the strongSwan device is restarted, perform the following steps.
Modify the strongSwan configuration file.
Run the following command to open the strongSwan configuration file:
sudo vi /etc/strongswan/swanctl/swanctl.conf
Press the I key to enter the edit mode.
Delete all the original configurations in the file and add the VPN configurations by referring to the following sample code.
Important: Replace the IP addresses in the sample code with the IP addresses that you actually use, and make sure that the VPN configurations on Alibaba Cloud and those on the strongSwan device are the same.
connections {
    vco1 {   # The VPN configurations of IPsec-VPN Tunnel 1.
        version = 2   # The IKE version, which must be the same as that configured for Tunnel 1 on Alibaba Cloud. A value of 2 indicates IKEv2.
        local_addrs = 8.XX.XX.99   # The public IP address of the strongSwan device for which you want to create an IPsec-VPN connection.
        remote_addrs = 8.XX.XX.149   # The remote address of Tunnel 1: the VPN gateway address of Tunnel 1 on Alibaba Cloud, which is IPsec address 1.
        dpd_delay = 10
        rekey_time = 84600   # The IKE SA rekey time of Tunnel 1. Together with over_time (1800), it adds up to the 86400-second SA lifecycle specified in the IKE configurations of Tunnel 1 on Alibaba Cloud.
        over_time = 1800
        proposals = aes-sha1-modp1024   # The encryption algorithm, authentication algorithm, and DH group of Tunnel 1, which must be the same as those specified in the IKE configurations of Tunnel 1 on Alibaba Cloud. A value of group2 indicates modp1024.
        encap = yes
        local {
            auth = psk   # Set the authentication method of the data center to PSK.
            id = 8.XX.XX.99   # The ID of the data center, which must be the same as the RemoteId value of Tunnel 1 on Alibaba Cloud.
        }
        remote {
            auth = psk   # Set the authentication method of the VPC to PSK.
            id = 8.XX.XX.149   # The ID of the VPC, which must be the same as the LocalId value of Tunnel 1 on Alibaba Cloud.
        }
        children {
            vco_child1 {
                local_ts = 0.0.0.0/0   # The local CIDR block of the protected data flows. 0.0.0.0/0 matches the destination-based route mode on Alibaba Cloud.
                remote_ts = 0.0.0.0/0   # The remote CIDR block of the protected data flows. 0.0.0.0/0 matches the destination-based route mode on Alibaba Cloud.
                mode = tunnel
                rekey_time = 85500
                life_time = 86400   # The SA lifecycle of Tunnel 1, which must be the same as that specified in the IPsec configurations of Tunnel 1 on Alibaba Cloud.
                dpd_action = restart
                start_action = start
                close_action = start
                esp_proposals = aes-sha1-modp1024   # The encryption algorithm, authentication algorithm, and DH group of Tunnel 1, which must be the same as those specified in the IPsec configurations of Tunnel 1 on Alibaba Cloud. A value of group2 indicates modp1024.
                if_id_out = 42   # Use the XFRM virtual network interface of Tunnel 1 (interface ID 42) as both the egress and the ingress interface of Tunnel 1.
                if_id_in = 42
                updown = /root/connect_1.sh   # Execute the /root/connect_1.sh script to configure routing based on the UP/DOWN status of Tunnel 1.
            }
        }
    }
    vco2 {   # The VPN configurations of IPsec-VPN Tunnel 2.
        version = 2   # The IKE version, which must be the same as that configured for Tunnel 2 on Alibaba Cloud. A value of 2 indicates IKEv2.
        local_addrs = 8.XX.XX.99   # The public IP address of the strongSwan device for which you want to create an IPsec-VPN connection.
        remote_addrs = 8.XX.XX.137   # The remote address of Tunnel 2: the VPN gateway address of Tunnel 2 on Alibaba Cloud, which is IPsec address 2.
        dpd_delay = 10
        rekey_time = 84600   # The IKE SA rekey time of Tunnel 2. Together with over_time (1800), it adds up to the 86400-second SA lifecycle specified in the IKE configurations of Tunnel 2 on Alibaba Cloud.
        over_time = 1800
        proposals = aes-sha1-modp1024   # The encryption algorithm, authentication algorithm, and DH group of Tunnel 2, which must be the same as those specified in the IKE configurations of Tunnel 2 on Alibaba Cloud. A value of group2 indicates modp1024.
        encap = yes
        local {
            auth = psk   # Set the authentication method of the data center to PSK.
            id = 8.XX.XX.99   # The ID of the data center, which must be the same as the RemoteId value of Tunnel 2 on Alibaba Cloud.
        }
        remote {
            auth = psk   # Set the authentication method of the VPC to PSK.
            id = 8.XX.XX.137   # The ID of the VPC, which must be the same as the LocalId value of Tunnel 2 on Alibaba Cloud.
        }
        children {
            vco_child2 {
                local_ts = 0.0.0.0/0   # The local CIDR block of the protected data flows. 0.0.0.0/0 matches the destination-based route mode on Alibaba Cloud.
                remote_ts = 0.0.0.0/0   # The remote CIDR block of the protected data flows. 0.0.0.0/0 matches the destination-based route mode on Alibaba Cloud.
                mode = tunnel
                rekey_time = 85500
                life_time = 86400   # The SA lifecycle of Tunnel 2, which must be the same as that specified in the IPsec configurations of Tunnel 2 on Alibaba Cloud.
                dpd_action = restart
                start_action = start
                close_action = start
                esp_proposals = aes-sha1-modp1024   # The encryption algorithm, authentication algorithm, and DH group of Tunnel 2, which must be the same as those specified in the IPsec configurations of Tunnel 2 on Alibaba Cloud. A value of group2 indicates modp1024.
                if_id_out = 43   # Use the XFRM virtual network interface of Tunnel 2 (interface ID 43) as both the egress and the ingress interface of Tunnel 2.
                if_id_in = 43
                updown = /root/connect_2.sh   # Execute the /root/connect_2.sh script to configure routing based on the UP/DOWN status of Tunnel 2.
            }
        }
    }
}
secrets {
    ike-vco1 {
        secret = 123456****   # The PSK of Tunnel 1, which must be the same as that configured for Tunnel 1 on Alibaba Cloud.
    }
    ike-vco2 {
        secret = 123456****   # The PSK of Tunnel 2, which must be the same as that configured for Tunnel 2 on Alibaba Cloud.
    }
}
Press the Esc key, enter :wq, and then press the Enter key to save the change.
Refer to the following steps to create a script that configures routing to control the traffic from the data center to the VPC whose CIDR block is 10.0.0.0/16.
Run the following command to open the /root/connect_1.sh file:
sudo vi /root/connect_1.sh
Press the I key to enter the edit mode.
Add the following configurations to the script.
If the status of Tunnel 1 is UP, add a route that sends traffic from the data center to the VPC whose CIDR block is 10.0.0.0/16 through the XFRM virtual network interface of Tunnel 1. Set the metric of this route to 100 so that it has a higher priority than the route that points to the XFRM virtual network interface of Tunnel 2. If the status of Tunnel 1 is DOWN, withdraw the route.
#!/usr/bin/env bash
# Invoked by strongSwan with the event in PLUTO_VERB. Log the routing change, then apply it.
if [ x"$PLUTO_VERB" == "xup-client" ]; then
    echo "ip route add 10.0.0.0/16 dev ipsec0 metric 100" >> /root/vpn_route.log
    ip route add 10.0.0.0/16 dev ipsec0 metric 100
elif [ x"$PLUTO_VERB" == "xdown-client" ]; then
    echo "ip route del 10.0.0.0/16 dev ipsec0 metric 100" >> /root/vpn_route.log
    ip route del 10.0.0.0/16 dev ipsec0 metric 100
fi
Press the Esc key, enter :wq, and then press the Enter key to save the change.
Repeat the preceding steps to modify the /root/connect_2.sh file.
If the status of Tunnel 2 is UP, add a route that sends traffic from the data center to the VPC whose CIDR block is 10.0.0.0/16 through the XFRM virtual network interface of Tunnel 2. Set the metric of this route to 101 so that it has a lower priority than the route that points to the XFRM virtual network interface of Tunnel 1. If the status of Tunnel 2 is DOWN, withdraw the route.
#!/usr/bin/env bash
# Invoked by strongSwan with the event in PLUTO_VERB. Log the routing change, then apply it.
if [ x"$PLUTO_VERB" == "xup-client" ]; then
    echo "ip route add 10.0.0.0/16 dev ipsec1 metric 101" >> /root/vpn_route.log
    ip route add 10.0.0.0/16 dev ipsec1 metric 101
elif [ x"$PLUTO_VERB" == "xdown-client" ]; then
    echo "ip route del 10.0.0.0/16 dev ipsec1 metric 101" >> /root/vpn_route.log
    ip route del 10.0.0.0/16 dev ipsec1 metric 101
fi
Run the following commands to make the /root/connect_1.sh and /root/connect_2.sh files executable:
sudo chmod +x /root/connect_1.sh
sudo chmod +x /root/connect_2.sh
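As an added example that is not part of this topic, the two updown scripts above can be merged into a single script that picks the XFRM interface and route metric from the child SA name. It assumes that the strongSwan updown plugin exports the child configuration name in PLUTO_CONNECTION next to PLUTO_VERB (check the updown documentation for your strongSwan version); the names vco_child1, vco_child2, ipsec0, ipsec1 and the metrics 100/101 are the ones used in the swanctl.conf of this topic.

```shell
#!/usr/bin/env bash
# Added example: one updown script for both tunnels. strongSwan sets PLUTO_VERB
# (up-client, down-client, ...) and, assumed here, PLUTO_CONNECTION (child SA name).
VPC_CIDR="10.0.0.0/16"            # CIDR block of the VPC on Alibaba Cloud
ROUTE_LOG="/root/vpn_route.log"   # same log file as connect_1.sh / connect_2.sh

# Map a child SA name to "<XFRM interface> <metric>". Tunnel 1 is the active
# tunnel (lower metric wins); unknown names return failure so no route is touched.
tunnel_params() {
  case "$1" in
    vco_child1) echo "ipsec0 100" ;;
    vco_child2) echo "ipsec1 101" ;;
    *) return 1 ;;
  esac
}

# Build the ip route command for an updown event. Returns failure (and prints
# nothing) for events other than up-client/down-client, so rekey or other
# events never add or delete routes.
route_cmd() {
  verb="$1"; conn="$2"
  params=$(tunnel_params "$conn") || return 1
  set -- $params
  iface="$1"; metric="$2"
  case "$verb" in
    up-client)   action=add ;;
    down-client) action=del ;;
    *) return 1 ;;
  esac
  echo "ip route $action $VPC_CIDR dev $iface metric $metric"
}

# Entry point when strongSwan invokes the script: PLUTO_VERB is set only then.
if [ -n "${PLUTO_VERB:-}" ]; then
  if cmd=$(route_cmd "$PLUTO_VERB" "${PLUTO_CONNECTION:-}"); then
    echo "$(date '+%F %T') $PLUTO_CONNECTION $PLUTO_VERB: $cmd" >> "$ROUTE_LOG"
    $cmd
  fi
fi
```

To use it, point both children's updown settings at the same file (for example /root/connect.sh) and make it executable with chmod +x.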
Restart the strongSwan process.
sudo systemctl restart strongswan
View the tunnel status and routes.
In normal cases, after you perform the preceding steps, an IPsec-VPN connection is established between the strongSwan device and the VPN gateway. You can run the following commands to view the tunnel status and routes of the IPsec-VPN connection:
sudo swanctl --list-sas   # View the tunnel status.
route -n                  # View the routing configurations.
On the data center side, configure routes from the data center to the strongSwan device and from the strongSwan device to the data center.
Then, you can test the network connectivity between the data center and Alibaba Cloud VPC. For more information, see the "Step 6: Test the network connectivity" section of the Connect a VPC to a data center in dual-tunnel mode topic.