
VPN Gateway:Create and manage IPsec-VPN connections in dual-tunnel mode

Last Updated:Nov 29, 2024

You can create IPsec-VPN connections to establish encrypted connections between data centers and transit routers. This topic describes how to create and manage IPsec-VPN connections in dual-tunnel mode.

Prerequisites

  • The feature to use the dual-tunnel mode is in public preview. To use this feature, you need to apply for the permission from your account manager.

  • Before you create an IPsec-VPN connection in dual-tunnel mode, we recommend that you learn about the regions that support the dual-tunnel mode and networking information. For more information, see Introduction to IPsec-VPN connections that are associated with transit routers in dual-tunnel mode.

  • Before you create an IPsec-VPN connection, learn about the procedure and make sure that the prerequisites are met. For more information, see Procedure.

Create an IPsec-VPN connection

  1. Log on to the VPN gateway console.
  2. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

  3. In the top navigation bar, select the region in which you want to create an IPsec-VPN connection.

    The IPsec-VPN connection must be created in the same region as the transit router to be associated with the IPsec-VPN connection.

  4. On the IPsec Connections page, click Create IPsec Connection.

  5. On the Create IPsec-VPN Connection page, configure the following parameters and click OK.

    Basic configurations

    Note

    When you create a VPN gateway or an IPsec-VPN connection associated with a transit router for the first time, the system automatically creates the service-linked role AliyunServiceRoleForVpn. The service-linked role allows a VPN gateway to access other cloud resources such as elastic network interfaces (ENIs) and security groups. This helps you create a VPN gateway or an IPsec-VPN connection. If the AliyunServiceRoleForVpn role already exists, the system does not create the role again. For more information about this service-linked role, see AliyunServiceRoleForVpn.

    Parameter

    Description

    Name

    Specify a name for the IPsec-VPN connection.

    Resource Group

    Select a resource group for the Cloud Enterprise Network (CEN) instance.

    If you leave this parameter empty, the system displays the CEN instances in all resource groups.

    Associate Resource

    Select the type of network resource to be associated with the IPsec-VPN connection. Select Do Not Associate or CEN.

    • If you select CEN, the system automatically associates the IPsec-VPN connection with the specified transit router of the current Alibaba Cloud account.

    • If you select Do Not Associate, the IPsec-VPN connection is not associated with any resources. After the IPsec-VPN connection is created, you can manually associate the IPsec-VPN connection with a transit router of the current Alibaba Cloud account or a different Alibaba Cloud account in the CEN console. For more information, see Attach an IPsec-VPN connection to a transit router.

      Note

      If you want to associate another transit router with the IPsec-VPN connection, you must delete the VPN connection from the original transit router and create a VPN connection for the new transit router. For more information, see Delete a network instance connection and Attach an IPsec-VPN connection to a transit router.

    Gateway Type

    The type of gateway used by the IPsec-VPN connection. Default value: Public. Valid values:

    • Public (default): creates the IPsec-VPN connection over the Internet.

    • Private: creates the IPsec-VPN connection over private networks.

    CEN Instance ID

    The ID of the CEN instance to which the transit router belongs.

    Note

    This parameter is required if Associate Resource is set to CEN.

    Transit Router

    The ID of the transit router that belongs to the CEN instance in the region.

    Routing Mode

    The routing mode of the IPsec-VPN connection. Valid values:

    • Destination Routing Mode (default): routes and forwards traffic based on the destination IP address.

    • Protected Data Flows: routes and forwards traffic based on the source and destination IP addresses.

      If you select Protected Data Flows, you must configure the Local Network and Remote Network parameters. After the IPsec-VPN connection is configured, the system automatically adds destination-based routes to the route table of the IPsec-VPN connection. By default, the routes are advertised to the route table of the transit router that is associated with the IPsec-VPN connection.

    Local CIDR Block

    The CIDR block on the Alibaba Cloud side. This CIDR block is used in Phase 2 negotiations.

    Click the Add icon next to the field to add more CIDR blocks.

    Note

    If you specify multiple CIDR blocks, you must set the Internet Key Exchange (IKE) version to ikev2.

    Remote Network

    The CIDR block of the data center to be connected. This CIDR block is used in Phase 2 negotiations.

    Click the Add icon next to the field to add more CIDR blocks.

    Note

    If you specify multiple CIDR blocks, you must set the IKE version to ikev2.

    Effective Immediately

    Specifies whether to immediately start IPsec-VPN negotiations.

    • Yes (default): immediately starts IPsec-VPN negotiations after the IPsec-VPN connection is created.

    • No: starts IPsec-VPN negotiations when inbound traffic is detected.

    Enable BGP

    If you want to use BGP routing for the IPsec-VPN connection, turn on Enable BGP. By default, Enable BGP is turned off.

    Before you use BGP dynamic routing, make sure that your on-premises gateway supports BGP and we recommend that you learn about how BGP works and the limits. For more information, see Configure BGP dynamic routing.

    Local ASN

    The autonomous system number (ASN) of the IPsec-VPN connection on the Alibaba Cloud side. Default value: 45104. Valid values: 1 to 4294967295.

    You can enter the ASN in two segments and separate the first 16 bits from the following 16 bits with a period (.). Enter the number in each segment in decimal format.

    For example, if you enter 123.456, the ASN is 123 × 65536 + 456 = 8061384.

    Note

    We recommend that you use a private ASN to establish a connection to Alibaba Cloud over BGP. For more information about the valid values of a private ASN, see the relevant documentation.
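The following helper, added here as an example and not part of the Alibaba Cloud documentation, converts between the two-segment notation the console accepts and a plain 32-bit ASN, enforces the 1 to 4294967295 range stated above, and checks whether an ASN is private. The private ranges (64512 to 65534 and 4200000000 to 4294967294) are the IANA-reserved ranges from RFC 6996; they are not taken from this page.

```python
from typing import Tuple

ASN_MIN, ASN_MAX = 1, 4294967295          # valid range given on this page
# IANA private ASN ranges (RFC 6996): 16-bit and 32-bit. Not from this page.
PRIVATE_ASN_RANGES: Tuple[Tuple[int, int], ...] = (
    (64512, 65534),
    (4200000000, 4294967294),
)


def asdot_to_asplain(value: str) -> int:
    """Parse an ASN typed either as plain decimal ('8061384') or as two 16-bit
    decimal segments separated by a period ('123.456'), validating each part."""
    text = value.strip()
    if "." in text:
        high, low = text.split(".", 1)
        if not (high.isdigit() and low.isdigit()):
            raise ValueError(f"asdot segments must be decimal digits: {value!r}")
        high_i, low_i = int(high), int(low)
        if high_i > 0xFFFF or low_i > 0xFFFF:
            raise ValueError(f"each asdot segment must be 0..65535: {value!r}")
        asn = high_i * 65536 + low_i       # first 16 bits shifted, plus the low 16 bits
    elif text.isdigit():
        asn = int(text)
    else:
        raise ValueError(f"not a decimal ASN: {value!r}")
    if not ASN_MIN <= asn <= ASN_MAX:
        raise ValueError(f"ASN {asn} outside {ASN_MIN}..{ASN_MAX}")
    return asn


def asplain_to_asdot(asn: int) -> str:
    """Format a plain ASN in the console's two-segment notation."""
    if not ASN_MIN <= asn <= ASN_MAX:
        raise ValueError(f"ASN {asn} outside {ASN_MIN}..{ASN_MAX}")
    return f"{asn >> 16}.{asn & 0xFFFF}"


def is_private_asn(asn: int) -> bool:
    """True if the ASN lies in one of the RFC 6996 private ranges."""
    return any(low <= asn <= high for low, high in PRIVATE_ASN_RANGES)


if __name__ == "__main__":
    for typed in ("123.456", "65000", "4200000000"):
        asn = asdot_to_asplain(typed)
        print(f"{typed:>12} -> {asn} ({asplain_to_asdot(asn)}), private={is_private_asn(asn)}")
```

Run it before filling in Local ASN on a device that only accepts the plain form, or to confirm that the ASN you picked for the data-center side is actually private; the default 45104 is a public ASN and will be reported as such.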

    Tunnel configurations

    Important

    When you create an IPsec-VPN connection in dual-tunnel mode, you must configure both tunnels and make sure that both are available. If you configure or use only one tunnel, the connection has no active/standby redundancy and no cross-zone disaster recovery.

    Parameter

    Description

    Customer Gateway

    The customer gateway to be associated with the tunnels.

    Pre-Shared Key

    The pre-shared key that is used to verify identities between the tunnels and peers.

    • The key must be 1 to 100 characters in length, and can contain digits, letters, and the following special characters: ~ ` ! @ # $ % ^ & * ( ) _ - + = { } [ ] \ | ; : ' , . < > / ?. The key cannot contain spaces.

    • If you do not specify a pre-shared key, the system randomly generates a 16-character string as the pre-shared key. After the IPsec-VPN connection is created, you can click Edit in the Actions column of a tunnel to view the pre-shared key generated by the system. For more information, see the Modify the configurations of a tunnel section of this topic.

    Important

    Make sure that the tunnels and peers use the same pre-shared key. Otherwise, tunnel communication cannot be established.

    Encryption Configuration

    Parameter

    Description

    Encryption Configuration: IKE Configurations

    Version

    The IKE version. Valid values:

    • ikev1

    • ikev2 (default)

      Compared with IKEv1, IKEv2 simplifies SA negotiations and provides better support for scenarios in which communication is established among multiple CIDR blocks. We recommend that you use IKEv2.

    Negotiation Mode

    The IKEv1 Phase 1 negotiation mode. Default value: main. Valid values:

    • main: identities are exchanged only after the ISAKMP SA is encrypted, so the peer IDs and the PSK-based authentication hash are protected on the wire. Use this mode unless the peer requires aggressive mode.

    • aggressive: completes Phase 1 in fewer messages and interoperates with more peers, including peers identified by FQDN or with dynamic addresses, but sends the IDs and the authentication hash before encryption, which lets an eavesdropper attempt offline guessing of the pre-shared key.

    Once Phase 1 completes, connections negotiated in either mode protect data traffic with the same Phase 2 SA parameters. This setting applies only to IKEv1; IKEv2 has a single exchange type.

    Encryption Algorithm

    Select the encryption algorithm that is used in Phase 1 negotiations.

    Valid values: aes, aes192, aes256, des, and 3des. Default value: aes, which specifies AES-128.

    Note

    Recommended: aes, aes192, and aes256. Not recommended: des and 3des.

    • Advanced Encryption Standard (AES) is a symmetric block cipher with a 128-bit block and a 128-, 192-, or 256-bit key (aes, aes192, aes256). It is hardware-accelerated on most platforms, so it adds little latency and does not reduce throughput or forwarding performance.

    • DES uses a 56-bit key and is broken. Triple DES (3DES) applies DES three times for an effective strength of about 112 bits but keeps the 64-bit block size, which makes it vulnerable to birthday attacks on large traffic volumes (Sweet32), and it is several times slower than AES. Both are offered only for compatibility with legacy gateway devices.

    Authentication Algorithm

    Select the authentication algorithm that is used in Phase 1 negotiations.

    Supported algorithms are sha1 (default), md5, sha256, sha384, and sha512. MD5 is broken and SHA-1 is being phased out of IKE integrity suites; choose sha256 or stronger unless the on-premises gateway device supports nothing better.

    Note

    When you add VPN configurations on your on-premises gateway device, some devices require a separate pseudorandom function (PRF) setting, typically for IKEv2. Set the PRF to the same algorithm as the authentication algorithm in the IKE configurations.

    DH Group

    The Diffie-Hellman (DH) group that is used in Phase 1 negotiations. Default value: group2. Valid values:

    • group1: DH group 1 (768-bit MODP). Not recommended.

    • group2: DH group 2 (1024-bit MODP). Not recommended for new deployments.

    • group5: DH group 5 (1536-bit MODP).

    • group14: DH group 14 (2048-bit MODP). Recommended; it is the smallest of these groups that meets current minimum strength recommendations.

    SA Life Cycle (seconds)

    The lifetime of the SA after Phase 1 negotiations succeed. Unit: seconds. Default value: 86400. Valid values: 0 to 86400.

    LocalId

    Enter an identifier of the tunnel for Phase 1 negotiations. The default value is the gateway IP address of the tunnel.

    This parameter is used only to identify Alibaba Cloud in IPsec-VPN negotiations. You can use an IP address or a fully qualified domain name (FQDN) as the ID. The value cannot contain spaces. We recommend that you use a private IP address.

    If you set the LocalId parameter to an FQDN, such as example.aliyun.com, the peer ID of the IPsec-VPN connection on an on-premises gateway device must be the same as the value of the LocalId parameter. In this case, we recommend that you set the negotiation mode to aggressive.

    RemoteId

    Enter an identifier of the peer for Phase 1 negotiations. The default value is the IP address of the customer gateway.

    This parameter is used only to identify on-premises gateway devices in IPsec-VPN negotiations. You can use an IP address or an FQDN as the ID. The value cannot contain spaces. We recommend that you use a private IP address.

    If you set the RemoteId parameter to an FQDN, such as example.aliyun.com, the local ID of the on-premises gateway device must be the same as the value of the RemoteId parameter. In this case, we recommend that you set the negotiation mode to aggressive.

    Encryption Configuration: IPsec Configurations

    Encryption Algorithm

    Select the encryption algorithm that is used in Phase 2 negotiations.

    Valid values: aes, aes192, aes256, des, and 3des. Default value: aes, which specifies AES-128.

    Note

    Recommended: aes, aes192, and aes256. Not recommended: des and 3des.

    The same considerations apply as for the Phase 1 encryption algorithm: DES has a 56-bit key and is broken, 3DES keeps the 64-bit DES block size (Sweet32) and is several times slower than AES, and both are offered only for compatibility with legacy gateway devices.

    Authentication Algorithm

    Select the authentication algorithm that is used in Phase 2 negotiations.

    Supported algorithms are sha1 (default), md5, sha256, sha384, and sha512. As in Phase 1, choose sha256 or stronger unless the on-premises gateway device supports nothing better.

    DH Group

    The DH group that is used in Phase 2 negotiations; it controls perfect forward secrecy (PFS). Default value: group2. Valid values:

    • disabled: no DH exchange in Phase 2, so PFS is off and the IPsec SA keys are derived from the Phase 1 key material only.

      • Select disabled only if the on-premises gateway device does not support PFS.

      • If you select any other value, PFS is enabled: a fresh DH exchange is performed for every Phase 2 negotiation and rekey, so compromise of the Phase 1 keys does not expose earlier IPsec SAs. The on-premises gateway device must then also enable PFS with the same group.

    • group1: DH group 1 (768-bit MODP). Not recommended.

    • group2: DH group 2 (1024-bit MODP). Not recommended for new deployments.

    • group5: DH group 5 (1536-bit MODP).

    • group14: DH group 14 (2048-bit MODP). Recommended.

    SA Life Cycle (seconds)

    Enter a lifetime for the SA after Phase 2 negotiations succeed. Unit: seconds. Default value: 86400. Valid values: 0 to 86400.

    DPD

    Specifies whether to enable the dead peer detection (DPD) feature. By default, the DPD feature is enabled.

    After you enable the DPD feature, the IPsec-VPN connection sends DPD packets to check the existence and availability of the peer. If no response is received from the peer within the specified period of time, the connection fails. Then, the Internet Security Association and Key Management Protocol (ISAKMP) SA, IPsec SA, and IPsec tunnel are deleted. If a DPD packet timeout occurs, the IPsec-VPN connection automatically reinitiates IPsec-VPN negotiations with the tunnel.

    • If IKEv1 is used, the timeout period of DPD packets is 30 seconds.

    • If IKEv2 is used, the timeout period of DPD packets is 130 seconds.

    NAT Traversal

    Specifies whether to enable the NAT traversal feature. By default, the NAT traversal feature is enabled.

    After you enable NAT traversal, the peers detect NAT devices on the path during IKE negotiation and, if one is present, encapsulate ESP in UDP on port 4500 instead of relying on fixed UDP source ports and raw ESP. Keep it enabled when the on-premises gateway device is behind NAT, and allow UDP ports 500 and 4500 (and IP protocol 50, ESP, when no NAT is present) through any firewall in front of the device.
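The IKE and IPsec tables above list the console values but leave it to the reader to translate them into a peer's proposal string and to notice weak choices. The following review helper, added here as an example and not part of the Alibaba Cloud documentation or of the peer configuration the console generates, does both for one tunnel: it maps the console values to a strongSwan-style `enc-auth[-dh]` proposal and lists the settings a security reviewer would reject. The mapping to strongSwan keywords (aes128, sha256, modp2048 and so on) and the rule set are my assumptions; the console value names and defaults are the ones listed on this page.

```python
from typing import Dict, List, Optional

# Console value -> strongSwan proposal keyword (assumed mapping; console names
# are from this page, the keywords are strongSwan's documented proposal syntax).
ENC = {"aes": "aes128", "aes192": "aes192", "aes256": "aes256",
       "des": "des", "3des": "3des"}
AUTH = {"md5": "md5", "sha1": "sha1", "sha256": "sha256",
        "sha384": "sha384", "sha512": "sha512"}
DH: Dict[str, Optional[str]] = {
    "group1": "modp768", "group2": "modp1024", "group5": "modp1536",
    "group14": "modp2048", "disabled": None}

# Settings a reviewer would reject, with the reason.
WEAK = {
    "des": "single DES has a 56-bit key and is broken",
    "3des": "3DES keeps a 64-bit block (Sweet32) and is deprecated",
    "md5": "MD5 is broken; use sha256 or stronger",
    "sha1": "SHA-1 is being phased out; use sha256 or stronger",
    "group1": "DH group 1 is 768-bit MODP",
    "group2": "DH group 2 is 1024-bit MODP; use group14 (2048-bit) or higher",
}


def proposal(enc: str, auth: str, dh: str) -> str:
    """Build a strongSwan-style 'enc-auth[-dh]' proposal from console values."""
    parts = [ENC[enc], AUTH[auth]]
    if DH[dh] is not None:            # 'disabled' (no PFS) simply omits the group
        parts.append(DH[dh])
    return "-".join(parts)


def review_tunnel(cfg: dict) -> dict:
    """Return IKE and ESP proposals for one tunnel plus a list of findings.

    cfg keys mirror the console fields on this page: version, mode, ike_enc,
    ike_auth, ike_dh, ipsec_enc, ipsec_auth, ipsec_dh, local_cidrs, remote_cidrs.
    """
    findings: List[str] = []
    for phase in ("ike", "ipsec"):
        for field in ("enc", "auth", "dh"):
            value = cfg[f"{phase}_{field}"]
            if value in WEAK:
                findings.append(f"{phase} {field}={value}: {WEAK[value]}")
    if cfg["ipsec_dh"] == "disabled":
        findings.append("ipsec dh=disabled: PFS is off, so IPsec SA keys derive "
                        "from Phase 1 key material only")
    if cfg["version"] == "ikev1":
        findings.append("version=ikev1: prefer ikev2")
        if cfg["mode"] == "aggressive":
            findings.append("mode=aggressive: IKEv1 aggressive mode sends the peer ID "
                            "and PSK-based authentication hash unprotected, enabling "
                            "offline PSK guessing")
    multi = len(cfg["local_cidrs"]) > 1 or len(cfg["remote_cidrs"]) > 1
    if multi and cfg["version"] != "ikev2":   # rule stated on this page
        findings.append("multiple local or remote CIDR blocks require version=ikev2")
    return {
        "ike": proposal(cfg["ike_enc"], cfg["ike_auth"], cfg["ike_dh"]),
        "esp": proposal(cfg["ipsec_enc"], cfg["ipsec_auth"], cfg["ipsec_dh"]),
        "findings": findings,
    }


# Constructed inputs: the console defaults listed on this page, and a hardened set.
CONSOLE_DEFAULTS = {
    "version": "ikev2", "mode": "main",
    "ike_enc": "aes", "ike_auth": "sha1", "ike_dh": "group2",
    "ipsec_enc": "aes", "ipsec_auth": "sha1", "ipsec_dh": "group2",
    "local_cidrs": ["10.0.0.0/16"], "remote_cidrs": ["192.168.0.0/16"],
}
HARDENED = dict(CONSOLE_DEFAULTS,
                ike_enc="aes256", ike_auth="sha256", ike_dh="group14",
                ipsec_enc="aes256", ipsec_auth="sha256", ipsec_dh="group14")

if __name__ == "__main__":
    for name, cfg in (("defaults", CONSOLE_DEFAULTS), ("hardened", HARDENED)):
        result = review_tunnel(cfg)
        print(f"{name}: ike={result['ike']} esp={result['esp']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Run against the console defaults it reports SHA-1 and DH group 2 in both phases; the hardened set (aes256, sha256, group14, IKEv2, PFS on) produces no findings. Whatever you choose, both tunnels and the on-premises device must agree on every value, or Phase 1 or Phase 2 negotiation fails.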

    BGP Configuration

    If BGP is enabled for the IPsec-VPN connection, you can configure the CIDR block of the BGP tunnel and the IP address of the BGP tunnel on the Alibaba Cloud side. If you disable BGP dynamic routing for the IPsec-VPN connection, you can enable this feature for the tunnels after the IPsec-VPN connection is created. For more information, see the Enable BGP dynamic routing for the tunnels after an IPsec-VPN connection is created section of this topic.

    Parameter

    Description

    Tunnel CIDR Block

    Enter the CIDR block of the tunnel.

    The CIDR block must fall into 169.254.0.0/16. The mask of the CIDR block must be 30 bits in length. The CIDR block cannot be 169.254.0.0/30, 169.254.1.0/30, 169.254.2.0/30, 169.254.3.0/30, 169.254.4.0/30, 169.254.5.0/30, 169.254.6.0/30, or 169.254.169.252/30.

    Note

    The two tunnels of an IPsec-VPN connection must use different CIDR blocks.

    Local BGP IP address

    The BGP IP address of the tunnel.

    This IP address must fall within the CIDR block of the tunnel.
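The tunnel CIDR rules above are easy to violate by hand (a block outside 169.254.0.0/16, a mask other than /30, one of the reserved blocks, the same block on both tunnels, or a BGP IP that is the network or broadcast address). The following checker, added here as an example and not part of the Alibaba Cloud documentation, validates one tunnel and then a whole dual-tunnel connection using only the rules stated on this page. The `peer_bgp_ip` helper adds one assumption of mine: that the data-center side takes the other usable host address of the /30, which the page does not state.

```python
import ipaddress
from typing import List, Sequence, Tuple

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
# Blocks this page says cannot be used as tunnel CIDR blocks.
RESERVED_TUNNEL_BLOCKS = {ipaddress.ip_network(c) for c in (
    "169.254.0.0/30", "169.254.1.0/30", "169.254.2.0/30", "169.254.3.0/30",
    "169.254.4.0/30", "169.254.5.0/30", "169.254.6.0/30", "169.254.169.252/30")}


def check_tunnel_bgp(cidr: str, local_bgp_ip: str) -> List[str]:
    """Return rule violations for one tunnel's CIDR block and local BGP IP."""
    problems: List[str] = []
    try:
        net = ipaddress.ip_network(cidr, strict=True)   # rejects host bits set
    except ValueError as exc:
        return [f"invalid tunnel CIDR block {cidr!r}: {exc}"]
    if not isinstance(net, ipaddress.IPv4Network) or not net.subnet_of(LINK_LOCAL):
        problems.append(f"{cidr}: must fall within {LINK_LOCAL}")
    if net.prefixlen != 30:
        problems.append(f"{cidr}: mask must be 30 bits, got /{net.prefixlen}")
    if net in RESERVED_TUNNEL_BLOCKS:
        problems.append(f"{cidr}: reserved, cannot be used as a tunnel CIDR block")
    try:
        ip = ipaddress.ip_address(local_bgp_ip)
    except ValueError as exc:
        problems.append(f"invalid local BGP IP {local_bgp_ip!r}: {exc}")
        return problems
    if ip not in net:
        problems.append(f"{local_bgp_ip}: not within {cidr}")
    elif ip in (net.network_address, net.broadcast_address):
        problems.append(f"{local_bgp_ip}: network/broadcast address of {cidr} is not usable")
    return problems


def peer_bgp_ip(cidr: str, local_bgp_ip: str) -> str:
    """The other usable host of the /30 (assumed to be the data-center BGP IP)."""
    if check_tunnel_bgp(cidr, local_bgp_ip):
        raise ValueError("tunnel configuration is invalid")
    net = ipaddress.ip_network(cidr)
    local = ipaddress.ip_address(local_bgp_ip)
    return str(next(host for host in net.hosts() if host != local))


def check_connection(tunnels: Sequence[Tuple[str, str]]) -> List[str]:
    """Validate both tunnels of a dual-tunnel connection, including the rule
    that the two tunnels must use different CIDR blocks."""
    problems: List[str] = []
    for idx, (cidr, ip) in enumerate(tunnels, start=1):
        problems.extend(f"tunnel {idx}: {p}" for p in check_tunnel_bgp(cidr, ip))
    if len(tunnels) != 2:
        problems.append(f"dual-tunnel mode needs exactly 2 tunnels, got {len(tunnels)}")
    cidrs = [cidr for cidr, _ in tunnels]
    if len(set(cidrs)) != len(cidrs):
        problems.append("the two tunnels must use different tunnel CIDR blocks")
    return problems


if __name__ == "__main__":
    # Constructed sample: one valid pair, then a pair that reuses a block.
    good = [("169.254.10.0/30", "169.254.10.1"), ("169.254.20.0/30", "169.254.20.1")]
    print("good:", check_connection(good) or "ok")
    for cidr, ip in good:
        print(f"  {cidr}: local {ip}, peer {peer_bgp_ip(cidr, ip)}")
    dup = [("169.254.10.0/30", "169.254.10.1"), ("169.254.10.0/30", "169.254.10.2")]
    print("dup:", check_connection(dup))
```

Because a /30 has exactly two usable addresses, each tunnel's BGP session is a point-to-point link between the Alibaba Cloud side and the customer gateway; keeping the two tunnels in different blocks is what lets both BGP sessions coexist on the transit router.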

    Advanced configurations

    When you create an IPsec-VPN connection, the system enables the following advanced features by default.

    Parameter

    Description

    Automatic Advertising

    After this feature is enabled, the system automatically advertises routes in the route table of the transit router that is associated with the IPsec-VPN connection to the BGP route table of the IPsec-VPN connection.

    Note
    • This feature takes effect only if the BGP dynamic routing feature is enabled for the IPsec-VPN connection and data center.

    • You can disable this feature by turning off Route Synchronization. For more information, see the "Disable route synchronization" section of the Route Synchronization topic.

    Automatically Associate with Default Route Table of Transit Router

    After this feature is enabled, the IPsec-VPN connection is associated with the default route table of the transit router. The transit router queries the default route table to forward traffic from the IPsec-VPN connection.

    Automatically Advertise System Routes to Default Route Table of Transit Router

    After this feature is enabled, the system advertises the routes in the destination-based route table and the BGP route table of the IPsec-VPN connection to the default route table of the transit router.

    You can also disable the preceding advanced features and use the transit router to establish network communication based on your business requirements. For more information, see Manage routes.

    Tag

    When you create an IPsec-VPN connection, you can add tags to the IPsec-VPN connection to facilitate resource aggregation and search. For more information, see Overview.

    Parameter

    Description

    Tag Key

    The tag key of the IPsec-VPN connection. You can select or enter a tag key.

    Tag Value

    The tag value of the IPsec-VPN connection. You can select or enter a tag value. You can leave the Tag Value parameter empty.

What to do next

After an IPsec-VPN connection is created, you can download the peer configurations of the IPsec-VPN connection and load the configurations to an on-premises gateway device. For more information, see Download the peer configuration of an IPsec-VPN connection and Examples for configuring local gateways.

View the tunnels of an IPsec-VPN connection

After you create an IPsec-VPN connection, you can view the status and information of the tunnels on the details page of the IPsec-VPN connection.

  1. Log on to the VPN Gateway console.

  2. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

  3. In the top navigation bar, select the region of the IPsec-VPN connection.
  4. On the IPsec Connections page, click the ID of the IPsec-VPN connection that you want to manage.

  5. The details page of the IPsec-VPN connection appears. On the Tunnel tab, you can view the status and information of the tunnels.

    Field

    Description

    Tunnel/Tunnel ID

    The tunnel ID.

    Gateway IP Address

    The gateway IP address assigned by the system to the tunnel, which is used to establish an encrypted tunnel.

    Tunnel CIDR Block

    The CIDR block of the tunnel. If you enable BGP dynamic routing for the tunnel, the value is displayed.

    Local BGP IP address

    The BGP IP address of the tunnel. If you enable BGP dynamic routing for the tunnel, the value is displayed.

    Connection Status

    The status of the IPsec-VPN negotiations of the tunnel.

    • If the IPsec-VPN negotiations succeed, the console displays "Phase 2 negotiations succeeded."

    • If the IPsec-VPN negotiations fail, the failure information is displayed in the console. You can troubleshoot the issue based on the information. For more information, see Troubleshoot IPsec-VPN connection issues.

    Customer Gateway

    The customer gateway that is associated with the tunnel.

    The customer gateway is configured with an IP address and BGP ASN on the data center side.

    Status

    The status of the tunnel. Valid values:

    • Active

    • Updating

    • Deleting


Download the configuration of an IPsec-VPN connection peer

After an IPsec-VPN connection is created, you can download the configurations of the IPsec-VPN connection to configure an on-premises gateway device.

  1. Log on to the VPN Gateway console.

  2. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

  3. In the top navigation bar, select the region of the IPsec-VPN connection.
  4. On the IPsec Connections page, find the IPsec-VPN connection that you want to manage and click Generate Peer Configuration in the Actions column.

  5. Click Copy in the IPsec-VPN Connection Configuration dialog box and save the configuration to an on-premises device.

    For more information, see Examples for configuring a local gateway device.

Modify tunnel configurations

You can modify tunnel configurations after you create an IPsec-VPN connection.

  1. Log on to the VPN Gateway console.

  2. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

  3. In the top navigation bar, select the region of the IPsec-VPN connection.
  4. On the IPsec Connections page, find the IPsec-VPN connection and click its ID.

  5. On the Tunnel tab of the details page, find the tunnel that you want to modify and click Edit in the Actions column.

  6. On the page that appears, modify the configurations of the tunnel and click OK.

    For more information about tunnel parameters, see Tunnel settings.

Modify an IPsec-VPN connection

  • If an IPsec-VPN connection is associated with a transit router, you cannot change the associated transit router or the gateway type. You can modify only the name, Routing Mode, and Effective Immediately parameters.

  • If no resources are associated with the IPsec-VPN connection, you still cannot modify its gateway type. You can modify the name, Routing Mode, and Effective Immediately parameters.

  1. Log on to the VPN Gateway console.

  2. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

  3. In the top navigation bar, select the region of the IPsec-VPN connection.
  4. On the IPsec Connections page, find the IPsec-VPN connection that you want to manage and click Edit in the Actions column.

  5. On the Modify IPsec-VPN Connection page, modify the name, Routing Mode, and Effective Immediately. Then, click OK.

    For more information about the parameters, see Basic configurations.

Enable BGP for a tunnel

If BGP dynamic routing is not enabled when you create an IPsec-VPN connection, you can enable this feature for the tunnels after the IPsec-VPN connection is created.

Before you enable BGP dynamic routing for an IPsec-VPN connection, make sure that the customer gateway associated with the IPsec-VPN connection has a BGP ASN. If no BGP ASN is configured for the customer gateway, BGP dynamic routing cannot be enabled for the IPsec-VPN connection.

You can create a customer gateway, configure a BGP ASN, change the customer gateway associated with the tunnel, and then enable BGP for the tunnel.

  1. Log on to the VPN Gateway console.

  2. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

  3. In the top navigation bar, select the region of the IPsec-VPN connection.
  4. On the IPsec Connections page, click the ID of the IPsec-VPN connection that you want to manage.

  5. On the details page of the IPsec-VPN connection, turn on Enable BGP in the IPsec Connections section.

  6. In the BGP Configuration dialog box, configure BGP dynamic routing and click OK.

    You must configure BGP dynamic routing for both tunnels. For more information about the BGP parameters, see the BGP configurations section of this topic.

    To disable BGP dynamic routing, click the icon to the right of Enable BGP. In the Disable BGP Configuration dialog box, click OK.

Grant the permissions on the IPsec-VPN connection to a transit router of another Alibaba Cloud account

You can associate an IPsec-VPN connection with a transit router of another Alibaba Cloud account. Before you perform the association, you must grant the permissions on the IPsec-VPN connection to the transit router.

Before you grant the permissions, make sure that the IPsec-VPN connection is not associated with any resources. If the IPsec-VPN connection is associated with a transit router, disassociate the transit router from the IPsec-VPN connection. For more information, see Delete a network instance connection.

  1. Log on to the VPN Gateway console.

  2. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

  3. In the top navigation bar, select the region of the IPsec-VPN connection.
  4. On the IPsec Connections page, find the IPsec-VPN connection and click its ID.

  5. On the Authorize Cross Account Attach CEN tab of the connection details page, click Authorize Cross Account Attach CEN.

  6. In the Attach to CEN dialog box, configure the parameters that are described in the following table and click OK.

    Parameter

    Description

    Peer Account UID

    The ID of the Alibaba Cloud account to which the transit router belongs.

    Peer Account CEN ID

    Enter the ID of the CEN instance to which the transit router belongs.

    Payer

    The account that pays the fees.

    • CEN Instance Owner Pays Bills (default): After the IPsec-VPN connection is associated with a transit router, the owner account of the transit router pays the connection fee and data processing fee of the transit router.

    • VPN Owner: After the IPsec-VPN connection is associated with a transit router, the owner account of the IPsec-VPN connection pays the connection fee and data processing fee of the transit router.

    Important

    We recommend that you record the ID of the IPsec-VPN connection and the ID of the Alibaba Cloud account to which the IPsec-VPN connection belongs. The IDs are used when you associate an IPsec-VPN connection with a transit router of another account. For more information, see Associate an IPsec-VPN connection with a transit router.

    You can view the account ID on the Account Management page.

Revoke the permissions on the IPsec-VPN connection from a transit router of another Alibaba Cloud account

If you no longer need to associate an IPsec-VPN connection with a transit router of another Alibaba Cloud account, you can revoke the permissions on the IPsec-VPN connection from the transit router.

If the IPsec-VPN connection is associated with a transit router, disassociate the IPsec-VPN connection from the transit router before you revoke the permissions. For more information, see Delete a network instance connection.

  1. Log on to the VPN Gateway console.

  2. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

  3. In the top navigation bar, select the region of the IPsec-VPN connection.
  4. On the IPsec Connections page, find the IPsec-VPN connection and click its ID.

  5. On the Authorize Cross Account Attach CEN tab of the connection details page, find the authorization record and click Unauthorize in the Actions column.

  6. In the Unauthorize message, confirm the information and click OK.

Delete an IPsec-VPN connection

If the IPsec-VPN connection is associated with a transit router, disassociate the IPsec-VPN connection from the transit router before you delete the IPsec-VPN connection. For more information, see Delete a network instance connection.

  1. Log on to the VPN Gateway console.

  2. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

  3. In the top navigation bar, select the region of the IPsec-VPN connection.
  4. On the IPsec Connections page, find the IPsec-VPN connection that you want to delete and click Delete in the Actions column.

  5. In the dialog box that appears, confirm the information and click OK.