If an IPsec-VPN connection is associated with a transit router and the IPsec-connection has only one encrypted tunnel, the IPsec-VPN connection is interrupted when the tunnel is down. The dual-tunnel mode is introduced to improve the availability of IPsec-VPN connections. Each IPsec-VPN connection consists of two tunnels that serve as Equal-Cost Multipath Routing (ECMP) paths. When a tunnel is down, traffic is forwarded through the other tunnel. In a region that contains multiple zones, the two tunnels of an IPsec-VPN connection are automatically spread in different zones to implement zone-disaster recovery.
Limits
The feature to use the dual-tunnel mode in scenarios where IPsec-VPN connections are associated with transit routers is in public preview. To use the feature, contact your account manager to apply for the permission.
Only the Thailand (Bangkok) region supports IPsec-VPN connections in dual-tunnel mode. IPsec-VPN connections created in this region use the dual-tunnel by default and you cannot create IPsec-VPN connections in single-tunnel mode.
NoteThe supported region described in this topic is for reference only. The information in the VPN gateway console shall prevail.
IPsec-VPN connections in the regions that do not support the dual-tunnel mode support only the single-tunnel mode.
Networking in dual-tunnel mode
An IPsec-VPN connection in single-tunnel mode has only one encrypted tunnel. If the tunnel is down, the connection is interrupted. An IPsec-VPN connection in dual-tunnel mode has two encrypted tunnels and ECMP routing is applied. Both two tunnels can be used for data transfer. If one tunnel is down, the other one takes over.
When you create a IPsec-VPN connection in dual-tunnel mode, the system automatically deploys the two tunnels in different zones to implement cross-zone disaster recovery. If a region has only one zone, the two tunnels are deployed in the same zone. In this case, cross-zone disaster recovery is not supported. However, the other tunnel can still take over if one tunnel is down.
When you create a dual-tunnel IPsec-VPN connection, you must configure two tunnels and ensure that they are available. If you configure or use only one of the tunnels, IPsec-VPN connection redundancy based on active/standby tunnels and zone-disaster recovery are not supported.
Descriptions of data transfer
Data transfer from the transit router to the data center
ECMP routing is applied if both tunnels of the IPsec-VPN connection are available. Traffic from the transit router to the data center is randomly distributed in the tunnels. If one tunnel is down, the other one automatically takes over.
Data transfer from the data center to the transit router
The traffic path depends on the route configuration of the data center.
Alibaba Cloud uses two tunnels to transfer data to the data center and traffic is randomly distributed in the tunnels. Therefore, we recommend that you configure ECMP routing to use both tunnels to transfer data from the data center to the transit router. If you configure active/standby routing or configure routes to make specific traffic flow through only one tunnel to the cloud, data may not be transferred to the data center as expected.
Guides on route configurations for the dual-tunnel mode
We recommend that you configure routes for dual-tunnel IPsec-VPN connections based on the following suggestions:
We recommend that you use BGP dynamic routing If you need to use static routing, make sure that the on-premises gateway supports ECMP routing. Otherwise, data from the data center to the cloud cannot be transferred through the ECMP path, but data from the cloud can be transferred to the data center through the ECMP path. As a result, the traffic paths may not meet your requirements.
We recommend that you configure the same routing protocol (static or BGP) for the two tunnels of an IPsec-VPN connection.
If an IPsec-VPN connection uses Border Gateway Protocol (BGP) dynamic routing, the Local ASN of the two tunnels must be the same. The peer ASNs of the two tunnels can be different, but we recommend that you use the same peer ASN.
Differences between the dual-tunnel mode and single-tunnel mode
After a single-tunnel IPsec-VPN connection is upgraded to a dual-tunnel IPsec-VPN connection, the billing method does not change and no additional fees are charged.
Item | Single-tunnel mode | Dual-tunnel mode |
Number of tunnels for each IPsec-VPN connection | 1 | 2 |
Maximum bandwidth supported by each IPsec-VPN connection | 1000 Mbps | 2000 Mbps Each tunnel supports up to 1,000 Mbit/s. You can increase the bandwidth of an IPsec-VPN connection by using other methods. For more information, see How do I increase the bandwidth of an IPsec-VPN connection? |
Maximum number of customer gateways that can be associated | 1 | 2 Both tunnels can be associated with the same customer gateway or different customer gateways |
High availability | You need to create multiple IPsec-VPN connections to implement high availability. | Two tunnels of one IPsec-VPN connection can implement high availability. |
Health check | Supported | Unsupported Two tunnels automatically form an ECMP path and both tunnels can be used to transfer data. If one tunnel is down, routes on the tunnel are automatically withdrawn, and the other tunnel can automatically take over without using health checks. |
Gateway IP address | After an IPsec-VPN connection is created, one gateway IP address is automatically assigned. | After an IPsec-VPN connection is created, two gateway IP addresses are automatically assigned. |
Required number of IP addresses of the on-premises gateway device | One | One or two We recommend that you configure two IP addresses for the on-premises gateway device to create a dual-tunnel IPsec-VPN connection. Alternatively, you can use two on-premises gateway devices, each of which is assigned one IP address. |
Regions that support BGP dynamic routing | Only some regions support BGP dynamic routing. For more information, see Regions that support BGP dynamic routing. | Regions that support the dual-tunnel mode support BGP dynamic routing by default. |