
VPN Gateway:Configure a Cisco firewall

Last Updated:Sep 14, 2024

To establish an IPsec-VPN connection between a data center and a virtual private cloud (VPC) on Alibaba Cloud, you must add VPN configurations to the gateway device in the data center after you configure the VPN gateway on Alibaba Cloud. This topic describes how to add VPN configurations to a Cisco firewall.

Scenario

[Figure: topology of the scenario, showing the data center, the Cisco firewall with two public IP addresses, and the VPC on Alibaba Cloud]

In this example, a company has deployed a VPC on Alibaba Cloud. The CIDR block of the VPC is 10.0.0.0/16. Applications are deployed on an Elastic Compute Service (ECS) instance in the VPC. The company has a data center that needs to use the CIDR block 192.168.0.0/16 to communicate with the VPC. The company wants to establish an IPsec-VPN connection between the data center and the VPC on the cloud to implement mutual resource access.

Important

In this scenario, a Cisco firewall in the data center establishes an IPsec-VPN connection to Alibaba Cloud in dual-tunnel mode by using two public IP addresses. If your VPN gateway supports only IPsec-VPN connections in single-tunnel mode, see the Configure a Cisco firewall to use a single tunnel section of this topic.

We recommend that you upgrade your VPN gateway to enable the dual-tunnel mode. IPsec-VPN connections in dual-tunnel mode support disaster recovery across zones. This effectively enhances the high availability of the network. For more information, see Upgrade a VPN gateway to enable the dual-tunnel mode.

CIDR block plan and sample VPN configurations

CIDR block plan

Resource: Data center
  CIDR block: 192.168.0.0/16 (the CIDR block that needs to communicate with the VPC)
  IP address: 192.168.50.198 (server)

Resource: Cisco firewall
  CIDR block: N/A
  IP addresses of the physical interfaces on the Cisco firewall:
    • GigabitEthernet 0/0: connects to the Internet and is configured with a public IP address. In this example, 121.XX.XX.211 is used.
    • GigabitEthernet 0/2: connects to the Internet and is configured with a public IP address. In this example, 121.XX.XX.77 is used.
    • GigabitEthernet 0/1: connects to the data center and is configured with the IP address 192.168.50.217.

Resource: VPC
  CIDR blocks:
    • Primary CIDR block: 10.0.0.0/16
    • vSwitch 1: 10.0.10.0/24
    • vSwitch 2: 10.0.20.0/24
  IP address: 10.0.10.33 (ECS instance)

Resource: Public VPN gateway
  CIDR block: N/A
  IP addresses:
    • IPsec address 1: 39.XX.XX.218
    • IPsec address 2: 182.XX.XX.19

Note

After you create a VPN gateway, the system automatically assigns IP addresses to the VPN gateway.

CIDR block plan for BGP dynamic routing

In addition to static routing, this topic also describes how to configure a Cisco firewall to establish an IPsec-VPN connection that uses Border Gateway Protocol (BGP) dynamic routing. If you do not need to use BGP dynamic routing, skip this section. The following table describes the CIDR block plan for BGP dynamic routing.

Resource       | Tunnel   | BGP tunnel CIDR block | BGP IP address | BGP local ASN
VPN gateway    | Tunnel 1 | 169.254.10.0/30       | 169.254.10.1   | 65530
VPN gateway    | Tunnel 2 | 169.254.20.0/30       | 169.254.20.1   | 65530
Cisco firewall | Tunnel 1 | 169.254.10.0/30       | 169.254.10.2   | 65000
Cisco firewall | Tunnel 2 | 169.254.20.0/30       | 169.254.20.2   | 65000

Note

On a VPN gateway, the CIDR block of each tunnel must be unique.

Sample VPN configurations

  • In this example, Tunnel 1 is the active tunnel and Tunnel 2 is the standby tunnel. The two tunnels use the same sample values.

  • The VPN configurations on Alibaba Cloud and the Cisco firewall must be the same for each tunnel.

Parameter                                     | Sample value on Alibaba Cloud | Sample value on the Cisco firewall
Pre-shared key                                | 123456****                    | 123456****
Internet Key Exchange (IKE) configurations    |                               |
  IKE version                                 | ikev2                         | ikev2
  Negotiation mode                            | main                          | main
  Encryption algorithm                        | aes                           | aes
  Authentication algorithm                    | sha1                          | sha1
  Diffie-Hellman (DH) group                   | group14                       | group14
  Security association (SA) lifetime (seconds)| 86400                         | 86400
IPsec configurations                          |                               |
  Encryption algorithm                        | aes                           | aes
  Authentication algorithm                    | sha1                          | sha1
  DH group                                    | group14                       | group14
  SA lifetime (seconds)                       | 86400                         | 86400

Procedure

Note
  • In this example, Cisco Adaptive Security Appliance (ASA) Software 9.19.1 is used to describe how to configure a Cisco firewall. The commands may vary with the software version. Consult the documentation for your device or your vendor for your actual environment.

  • In this scenario, we recommend that you use destination-based routing mode - static routing or destination-based routing mode - BGP dynamic routing.

Destination-based routing mode - static routing

Prerequisites

This topic describes only how to add VPN configurations to a Cisco firewall. The procedure for configuring a VPN gateway on Alibaba Cloud is omitted. Before you configure the Cisco firewall, make sure that you have completed the following tasks: create a VPN gateway, create a customer gateway, create an IPsec-VPN connection, and configure routing for the VPN gateway. For more information, see Connect a VPC to a data center in dual-tunnel mode.

Procedure

  1. Log on to the CLI of the Cisco firewall and enter the configuration mode.

    ciscoasa> enable
    Password: ********             # Enter the password for entering the enable mode. 
    ciscoasa# configure terminal   # Enter the configuration mode. 
    ciscoasa(config)#     
  2. View the interface configurations and route configurations for Internet access.

    Verify that the interfaces are configured and enabled on the Cisco firewall. In this example, the following interface configurations are used:

    ciscoasa(config)# show running-config interface 
    !
    interface GigabitEthernet0/0
     nameif outside1                            # The name of the GigabitEthernet 0/0 interface. 
     security-level 0
     ip address 121.XX.XX.211 255.255.255.255    # The public IP address of the GigabitEthernet 0/0 interface. 
    !
    interface GigabitEthernet0/1                # The interface that connects to the data center. 
     nameif private                             # The name of the GigabitEthernet 0/1 interface. 
     security-level 100                         # The security level of the private interface that connects to the data center. On the ASA, a higher level is more trusted, so this is higher than the level 0 of the public interfaces. 
     ip address 192.168.50.217 255.255.255.0    # The IP address of the GigabitEthernet 0/1 interface. 
    !
    interface GigabitEthernet0/2                
     nameif outside2                            # The name of the GigabitEthernet 0/2 interface. 
     security-level 0
     ip address 121.XX.XX.77 255.255.255.255    # The public IP address of the GigabitEthernet 0/2 interface. 
    !
    
    route outside1 39.XX.XX.218 255.255.255.255 192.XX.XX.172 # The route for accessing the public IP address of Tunnel 1 on Alibaba Cloud. The next hop is a public IP address. 
    route outside2 182.XX.XX.19 255.255.255.255 192.XX.XX.158   # The route for accessing the public IP address of Tunnel 2 on Alibaba Cloud. The next hop is a public IP address. 
    route private 192.168.0.0 255.255.0.0 192.168.50.216        # The route that points to the data center.

  3. Enable the IKEv2 feature for the public interfaces.

    crypto ikev2 enable outside1
    crypto ikev2 enable outside2
  4. Create an IKEv2 policy and specify the authentication algorithm, encryption algorithm, DH group, and SA lifetime in the IKE phase on the Cisco firewall. The values must be the same as those on Alibaba Cloud.

    Important

    When you configure an IPsec-VPN connection on Alibaba Cloud, you can specify only one value for the encryption algorithm, authentication algorithm, and DH group in the IKE phase. We recommend that you specify only one value for the encryption algorithm, authentication algorithm, and DH group in the IKE phase on the Cisco firewall. The values must be the same as those on Alibaba Cloud.

    crypto ikev2 policy 10     
     encryption aes             # Specify the encryption algorithm. 
     integrity sha              # Specify the authentication algorithm. 
     group 14                   # Specify the DH group. 
     prf sha                    # The value of the prf parameter must be the same as that of the integrity parameter. By default, these values are the same on Alibaba Cloud. 
     lifetime seconds 86400     # Specify the SA lifetime.

  5. Create an IPsec proposal and profile, and specify the encryption algorithm, authentication algorithm, DH group, and SA lifetime in the IPsec phase on the Cisco firewall. The values must be the same as those on Alibaba Cloud.

    Important

    When you configure an IPsec-VPN connection on Alibaba Cloud, you can specify only one value for the encryption algorithm, authentication algorithm, and DH group in the IPsec phase. We recommend that you specify only one value for the encryption algorithm, authentication algorithm, and DH group in the IPsec phase on the Cisco firewall. The values must be the same as those on Alibaba Cloud.

    crypto ipsec ikev2 ipsec-proposal ALIYUN-PROPOSAL    # Create an IPsec proposal. 
     protocol esp encryption aes                         # Specify the encryption algorithm. The Encapsulating Security Payload (ESP) protocol is used on Alibaba Cloud. Therefore, use the ESP protocol. 
     protocol esp integrity sha-1                        # Specify the authentication algorithm. The ESP protocol is used on Alibaba Cloud. Therefore, use the ESP protocol. 
    crypto ipsec profile ALIYUN-PROFILE                  
     set ikev2 ipsec-proposal ALIYUN-PROPOSAL            # Create an IPsec profile and apply the proposal that is created.  
     set ikev2 local-identity address                    # Set the format of the local ID to IP address, which is the same as the format of the remote ID on Alibaba Cloud. 
     set pfs group14                                     # Specify the Perfect Forward Secrecy (PFS) and DH group. 
     set security-association lifetime seconds 86400     # Specify the time-based SA lifetime. 
     set security-association lifetime kilobytes unlimited # Disable the traffic-based SA lifetime.

  6. Create tunnel groups and specify the pre-shared keys for tunnels, which must be the same as those on Alibaba Cloud.

    tunnel-group 39.XX.XX.218 type ipsec-l2l                # Create a tunnel group of type ipsec-l2l (LAN-to-LAN) for Tunnel 1. 
    tunnel-group 39.XX.XX.218 ipsec-attributes             
     ikev2 remote-authentication pre-shared-key 123456****  # Specify the peer pre-shared key for Tunnel 1, which is the pre-shared key on Alibaba Cloud. 
     ikev2 local-authentication pre-shared-key 123456****   # Specify the local pre-shared key for Tunnel 1, which must be the same as that on Alibaba Cloud. 
    !
    tunnel-group 182.XX.XX.19 type ipsec-l2l                # Create a tunnel group of type ipsec-l2l (LAN-to-LAN) for Tunnel 2. 
    tunnel-group 182.XX.XX.19 ipsec-attributes
     ikev2 remote-authentication pre-shared-key 123456****  # Specify the peer pre-shared key for Tunnel 2, which is the pre-shared key on Alibaba Cloud. 
     ikev2 local-authentication pre-shared-key 123456****   # Specify the local pre-shared key for Tunnel 2, which must be the same as that on Alibaba Cloud. 
    !
  7. Create tunnel interfaces.

    interface Tunnel1                                  # Create an interface for Tunnel 1. 
     nameif ALIYUN1
     ip address 169.254.10.2 255.255.255.252           # Specify the IP address of the interface. 
     tunnel source interface outside1                  # Specify the IP address of the GigabitEthernet 0/0 interface as the source address of Tunnel 1. 
     tunnel destination 39.XX.XX.218                   # Specify the public IP address of Tunnel 1 on Alibaba Cloud as the destination address of Tunnel 1. 
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile ALIYUN-PROFILE    # Apply the IPsec profile ALIYUN-PROFILE on Tunnel 1. 
     no shutdown                                       # Enable the interface for Tunnel 1. 
    !
    interface Tunnel2                                  # Create an interface for Tunnel 2. 
     nameif ALIYUN2                
     ip address 169.254.20.2 255.255.255.252           # Specify the IP address of the interface. 
     tunnel source interface outside2                  # Specify the IP address of the GigabitEthernet 0/2 interface as the source address of Tunnel 2. 
     tunnel destination 182.XX.XX.19                   # Specify the public IP address of Tunnel 2 on Alibaba Cloud as the destination address of Tunnel 2. 
     tunnel mode ipsec ipv4                            
     tunnel protection ipsec profile ALIYUN-PROFILE # Apply the IPsec profile ALIYUN-PROFILE on Tunnel 2. 
     no shutdown                                       # Enable the interface for Tunnel 2. 
    !
  8. View the status of the IPsec-VPN connection.

    Run the query commands listed below, such as show crypto ikev2 sa, to view the SAs that have been successfully negotiated. [Figures IPsec-sa-1 and IPsec-sa-2: sample output of the query command]

    More query commands

    Query commands related to IPsec SA negotiations

    show crypto isakmp sa # Display the negotiated SA information on the control plane. This is the legacy command name kept from earlier software versions.
    show crypto ikev2 sa  # Display the negotiated SA, role, and protected data flow in Phase 1 and Phase 2 on the control plane.
    show crypto ipsec sa peer XX.XX.XX.XX # Query the details of the specified peer SA.
    show ipsec sa         # Display basic information such as the SA, role, protected data flow, and traffic statistics in Phase 1 and Phase 2 on the forwarding plane.

    Query commands related to VPN traffic statistics

    show crypto ikev2 stats     # Display the statistics on protocol packets, encrypted packets, and abnormal packets.
    show crypto protocol statistics all # Display the statistics on protocol packets and encrypted packets.
    show ipsec stats            # Display the IPsec statistics.
  9. Configure static routes that point to the Alibaba Cloud VPC (CIDR block: 10.0.0.0/16).

    route ALIYUN1 10.0.0.0 255.255.0.0 39.XX.XX.218 4  # Specify the route for forwarding traffic from the data center to the Alibaba Cloud VPC over the interface for Tunnel 1. The lower metric (4) makes this the preferred route. 
    route ALIYUN2 10.0.0.0 255.255.0.0 182.XX.XX.19 5  # Specify the route for forwarding traffic from the data center to the Alibaba Cloud VPC over the interface for Tunnel 2. The higher metric (5) makes this route the standby, used only when the route over Tunnel 1 is withdrawn.

  10. In the data center, configure the routes for traffic between clients and the Cisco firewall.

    Then, you can test the network connectivity between the data center and the Alibaba Cloud VPC. For more information, see the "Step 6: Test the network connectivity" section of the Connect a VPC to a data center in dual-tunnel mode topic.
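Step 8 of the procedure above (and of the BGP procedure that follows) lists the query commands but not what to look for in their output. The following Python script is an added example, not code from the Alibaba Cloud page or from Cisco: it parses the output of show crypto ikev2 sa and reports any expected tunnel that is missing, not READY, or negotiated different IKE parameters than the crypto ikev2 policy 10 from step 4. The two sample outputs are constructed to approximate the ASA 9.x table layout, and parse_ikev2_sa, check_tunnels and the EXPECTED_* constants are this example's own names.

```python
"""Check the IKEv2 SAs of both tunnels from `show crypto ikev2 sa` output.

Added example, not from the Alibaba Cloud page or from Cisco. The two sample
outputs are CONSTRUCTED to approximate the ASA 9.x table layout; compare the
regexes against the output of your own device before relying on them.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Peers from the CIDR block plan and the IKE values of `crypto ikev2 policy 10`
# (aes / sha / group 14 / 86400 s) in the form the ASA reports them.
EXPECTED_PEERS = {"39.XX.XX.218": "Tunnel 1", "182.XX.XX.19": "Tunnel 2"}
EXPECTED_POLICY = {"encr": "AES-CBC", "integrity": "SHA96", "dh": "14", "lifetime": 86400}

# Constructed sample 1: only the active tunnel is up; the standby never negotiated.
SAMPLE_ONE_TUNNEL = """\
IKEv2 SAs:

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                Remote                Status   Role
 16497506 121.XX.XX.211/500    39.XX.XX.218/500      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/1092 sec
Child sa: local selector  0.0.0.0/0 - 255.255.255.255/65535
          remote selector 0.0.0.0/0 - 255.255.255.255/65535
          ESP spi in/out: 0x1a2b3c4d/0x5e6f7a8b
"""

# Constructed sample 2: both tunnels are READY, but Tunnel 2 negotiated DH group 2.
# This can happen when a policy offers more than one DH group, which the page advises against.
SAMPLE_TWO_TUNNELS = SAMPLE_ONE_TUNNEL + """\
 16497507 121.XX.XX.77/500     182.XX.XX.19/500      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/40 sec
"""

@dataclass
class IkeSa:
    local: str
    remote: str
    status: str
    role: str
    encr: str
    integrity: str
    dh: str
    lifetime: int

# One row per SA: tunnel-id, local/port, remote/port, status, role.
SA_HEADER = re.compile(r"^\s*(\d+)\s+(\S+)/\d+\s+(\S+)/\d+\s+(\S+)\s+(\S+)\s*$", re.M)
SA_PARAMS = re.compile(r"Encr:\s*([\w-]+).*?Hash:\s*(\w+).*?DH Grp:\s*(\d+)", re.S)
SA_LIFE = re.compile(r"Life/Active Time:\s*(\d+)/\d+ sec")

def parse_ikev2_sa(text: str) -> list[IkeSa]:
    """Return one IkeSa per tunnel-id row, reading the detail lines that follow it."""
    sas: list[IkeSa] = []
    rows = list(SA_HEADER.finditer(text))
    for i, row in enumerate(rows):
        end = rows[i + 1].start() if i + 1 < len(rows) else len(text)
        body = text[row.end():end]
        params, life = SA_PARAMS.search(body), SA_LIFE.search(body)
        if not params or not life:
            continue  # truncated block, e.g. output cut off by the pager
        sas.append(IkeSa(row.group(2), row.group(3), row.group(4), row.group(5),
                         params.group(1), params.group(2), params.group(3),
                         int(life.group(1))))
    return sas

def check_tunnels(sas: list[IkeSa], peers=EXPECTED_PEERS, policy=EXPECTED_POLICY) -> list[str]:
    """Return findings; an empty list means every expected tunnel is up with the intended policy."""
    findings: list[str] = []
    by_peer = {sa.remote: sa for sa in sas}
    for peer, name in peers.items():
        sa = by_peer.get(peer)
        if sa is None:
            findings.append(f"{name}: no IKEv2 SA with peer {peer}")
            continue
        if sa.status != "READY":
            findings.append(f"{name}: status {sa.status}, expected READY")
        for field in ("encr", "integrity", "dh", "lifetime"):
            got, want = getattr(sa, field), policy[field]
            if got != want:
                findings.append(f"{name}: {field} {got}, policy expects {want}")
    return findings

if __name__ == "__main__":
    for sample in (SAMPLE_ONE_TUNNEL, SAMPLE_TWO_TUNNELS):
        print(check_tunnels(parse_ikev2_sa(sample)) or ["both tunnels OK"])
```

A missing SA for the standby peer is the finding to watch for in dual-tunnel mode: the active tunnel carries traffic, so nothing looks broken until Tunnel 1 fails. Running this check after every change on either side catches a standby that silently stopped negotiating.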

Destination-based routing mode - BGP dynamic routing

Prerequisites

This topic describes only how to add VPN configurations to a Cisco firewall. The procedure for configuring a VPN gateway on Alibaba Cloud is omitted. Before you configure the Cisco firewall, make sure that you have completed the following tasks: create a VPN gateway, create a customer gateway, create an IPsec-VPN connection, and enable BGP. For more information, see Connect a VPC to a data center in dual-tunnel and BGP routing mode.

Procedure

  1. Log on to the CLI of the Cisco firewall and enter the configuration mode.

    ciscoasa> enable
    Password: ********             # Enter the password for entering the enable mode. 
    ciscoasa# configure terminal   # Enter the configuration mode. 
    ciscoasa(config)#     
  2. View the interface configurations and route configurations for Internet access.

    Verify that the interfaces are configured and enabled on the Cisco firewall. In this example, the following interface configurations are used:

    ciscoasa(config)# show running-config interface 
    !
    interface GigabitEthernet0/0
     nameif outside1                            # The name of the GigabitEthernet 0/0 interface. 
     security-level 0
     ip address 121.XX.XX.211 255.255.255.255    # The public IP address of the GigabitEthernet 0/0 interface. 
    !
    interface GigabitEthernet0/1                # The interface that connects to the data center. 
     nameif private                             # The name of the GigabitEthernet 0/1 interface. 
     security-level 100                         # The security level of the private interface that connects to the data center. On the ASA, a higher level is more trusted, so this is higher than the level 0 of the public interfaces. 
     ip address 192.168.50.217 255.255.255.0    # The IP address of the GigabitEthernet 0/1 interface. 
    !
    interface GigabitEthernet0/2                
     nameif outside2                            # The name of the GigabitEthernet 0/2 interface. 
     security-level 0
     ip address 121.XX.XX.77 255.255.255.255    # The public IP address of the GigabitEthernet 0/2 interface. 
    !
    
    route outside1 39.XX.XX.218 255.255.255.255 192.XX.XX.172 # The route for accessing the public IP address of Tunnel 1 on Alibaba Cloud. The next hop is a public IP address. 
    route outside2 182.XX.XX.19 255.255.255.255 192.XX.XX.158   # The route for accessing the public IP address of Tunnel 2 on Alibaba Cloud. The next hop is a public IP address. 
    route private 192.168.0.0 255.255.0.0 192.168.50.216        # The route that points to the data center.

  3. Enable the IKEv2 feature for the public interfaces.

    crypto ikev2 enable outside1
    crypto ikev2 enable outside2
  4. Create an IKEv2 policy and specify the authentication algorithm, encryption algorithm, DH group, and SA lifetime in the IKE phase on the Cisco firewall. The values must be the same as those on Alibaba Cloud.

    Important

    When you configure an IPsec-VPN connection on Alibaba Cloud, you can specify only one value for the encryption algorithm, authentication algorithm, and DH group in the IKE phase. We recommend that you specify only one value for the encryption algorithm, authentication algorithm, and DH group in the IKE phase on the Cisco firewall. The values must be the same as those on Alibaba Cloud.

    crypto ikev2 policy 10     
     encryption aes             # Specify the encryption algorithm. 
     integrity sha              # Specify the authentication algorithm. 
     group 14                   # Specify the DH group. 
     prf sha                    # The value of the prf parameter must be the same as that of the integrity parameter. By default, these values are the same on Alibaba Cloud. 
     lifetime seconds 86400     # Specify the SA lifetime.

  5. Create an IPsec proposal and profile, and specify the encryption algorithm, authentication algorithm, DH group, and SA lifetime in the IPsec phase on the Cisco firewall. The values must be the same as those on Alibaba Cloud.

    Important

    When you configure an IPsec-VPN connection on Alibaba Cloud, you can specify only one value for the encryption algorithm, authentication algorithm, and DH group in the IPsec phase. We recommend that you specify only one value for the encryption algorithm, authentication algorithm, and DH group in the IPsec phase on the Cisco firewall. The values must be the same as those on Alibaba Cloud.

    crypto ipsec ikev2 ipsec-proposal ALIYUN-PROPOSAL    # Create an IPsec proposal. 
     protocol esp encryption aes                         # Specify the encryption algorithm. The Encapsulating Security Payload (ESP) protocol is used on Alibaba Cloud. Therefore, use the ESP protocol. 
     protocol esp integrity sha-1                        # Specify the authentication algorithm. The ESP protocol is used on Alibaba Cloud. Therefore, use the ESP protocol. 
    crypto ipsec profile ALIYUN-PROFILE                  
     set ikev2 ipsec-proposal ALIYUN-PROPOSAL            # Create an IPsec profile and apply the proposal that is created.  
     set ikev2 local-identity address                    # Set the format of the local ID to IP address, which is the same as the format of the remote ID on Alibaba Cloud. 
     set pfs group14                                     # Specify the Perfect Forward Secrecy (PFS) and DH group. 
     set security-association lifetime seconds 86400     # Specify the time-based SA lifetime. 
     set security-association lifetime kilobytes unlimited # Disable the traffic-based SA lifetime.

  6. Create tunnel groups and specify the pre-shared keys for tunnels, which must be the same as those on Alibaba Cloud.

    tunnel-group 39.XX.XX.218 type ipsec-l2l                # Create a tunnel group of type ipsec-l2l (LAN-to-LAN) for Tunnel 1. 
    tunnel-group 39.XX.XX.218 ipsec-attributes             
     ikev2 remote-authentication pre-shared-key 123456****  # Specify the peer pre-shared key for Tunnel 1, which is the pre-shared key on Alibaba Cloud. 
     ikev2 local-authentication pre-shared-key 123456****   # Specify the local pre-shared key for Tunnel 1, which must be the same as that on Alibaba Cloud. 
    !
    tunnel-group 182.XX.XX.19 type ipsec-l2l                # Create a tunnel group of type ipsec-l2l (LAN-to-LAN) for Tunnel 2. 
    tunnel-group 182.XX.XX.19 ipsec-attributes
     ikev2 remote-authentication pre-shared-key 123456****  # Specify the peer pre-shared key for Tunnel 2, which is the pre-shared key on Alibaba Cloud. 
     ikev2 local-authentication pre-shared-key 123456****   # Specify the local pre-shared key for Tunnel 2, which must be the same as that on Alibaba Cloud. 
    !
  7. Create tunnel interfaces.

    interface Tunnel1                                  # Create an interface for Tunnel 1. 
     nameif ALIYUN1
     ip address 169.254.10.2 255.255.255.252           # Specify the IP address of the interface. 
     tunnel source interface outside1                  # Specify the IP address of the GigabitEthernet 0/0 interface as the source address of Tunnel 1. 
     tunnel destination 39.XX.XX.218                   # Specify the public IP address of Tunnel 1 on Alibaba Cloud as the destination address of Tunnel 1. 
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile ALIYUN-PROFILE    # Apply the IPsec profile ALIYUN-PROFILE on Tunnel 1. 
     no shutdown                                       # Enable the interface for Tunnel 1. 
    !
    interface Tunnel2                                  # Create an interface for Tunnel 2. 
     nameif ALIYUN2                
     ip address 169.254.20.2 255.255.255.252           # Specify the IP address of the interface. 
     tunnel source interface outside2                  # Specify the IP address of the GigabitEthernet 0/2 interface as the source address of Tunnel 2. 
     tunnel destination 182.XX.XX.19                   # Specify the public IP address of Tunnel 2 on Alibaba Cloud as the destination address of Tunnel 2. 
     tunnel mode ipsec ipv4                            
     tunnel protection ipsec profile ALIYUN-PROFILE # Apply the IPsec profile ALIYUN-PROFILE on Tunnel 2. 
     no shutdown                                       # Enable the interface for Tunnel 2. 
    !
  8. View the status of the IPsec-VPN connection.

    Run the query commands listed below, such as show crypto ikev2 sa, to view the SAs that have been successfully negotiated. [Figures IPsec-sa-1 and IPsec-sa-2: sample output of the query command]

    More query commands

    Query commands related to IPsec SA negotiations

    show crypto isakmp sa # Display the negotiated SA information on the control plane.
    show crypto ikev2 sa  # Display the negotiated SA, role, and protected data flow in Phase 1 and Phase 2 on the control plane.
    show crypto ipsec sa peer XX.XX.XX.XX # Query the details of the specified peer SA.
    show ipsec sa         # Display basic information such as the SA, role, protected data flow, and traffic statistics in Phase 1 and Phase 2 on the forwarding plane.

    Query commands related to VPN traffic statistics

    show crypto ikev2 stats     # Display the statistics on protocol packets, encrypted packets, and abnormal packets.
    show crypto protocol statistics all # Display the statistics on protocol packets and encrypted packets.
    show ipsec stats            # Display the IPsec statistics.
  9. Configure BGP dynamic routing.

    router bgp 65000
     address-family ipv4 unicast
      neighbor 169.254.10.1 remote-as 65530       # Specify the BGP peer, which is the IP address of Tunnel 1 on Alibaba Cloud. 
      neighbor 169.254.10.1 ebgp-multihop 255
      neighbor 169.254.10.1 activate              # Activate the BGP peer. 
      neighbor 169.254.20.1 remote-as 65530       # Specify the BGP peer, which is the IP address of Tunnel 2 on Alibaba Cloud. 
      neighbor 169.254.20.1 ebgp-multihop 255
      neighbor 169.254.20.1 activate              # Activate the BGP peer. 
      network 192.168.0.0 mask 255.255.0.0 # Advertise the CIDR block of the data center. 
     exit-address-family
  10. View the BGP peer status and BGP routes.

    [Figure: output of the BGP peer status and BGP route queries on the Cisco firewall]

  11. In the data center, configure the routes for traffic between clients and the Cisco firewall.

    Then, you can test the network connectivity between the data center and the Alibaba Cloud VPC. For more information, see the "Step 6: Test the network connectivity" section of the Connect a VPC to a data center in dual-tunnel mode topic.
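Steps 3 to 9 of the static-routing and BGP procedures above are identical for the two tunnels except for the peer address, the public interface, the tunnel CIDR block and the route metric or BGP neighbor, which is exactly where copy-and-paste errors between Tunnel 1 and Tunnel 2 creep in. The following Python script is an added example, not code from the Alibaba Cloud page or from Cisco: it renders the configuration of both tunnels from one plan and rejects plans that violate the rules stated in the tables above (a unique /30 per tunnel, both BGP addresses inside that /30, and distinct static route metrics so that one tunnel is preferred). TunnelPlan, SitePlan, validate and render are this example's own names; the values are the sample values from the CIDR block plan. Review the rendered text against your ASA version before applying it.

```python
"""Render the ASA IPsec-VPN configuration for both tunnels from one CIDR plan.

Added example, not from the Alibaba Cloud page or from Cisco. It re-emits the
commands of steps 3 to 9 (static routing or BGP) from a single plan so the two
tunnels cannot drift apart, and rejects plans that break the rules stated above.
TunnelPlan and SitePlan are this example's own names.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class TunnelPlan:
    name: str        # nameif of the tunnel interface, e.g. ALIYUN1
    outside_if: str  # nameif of the public interface used as the tunnel source
    peer: str        # IPsec address of this tunnel on Alibaba Cloud
    cidr: str        # /30 tunnel CIDR block shared by both ends
    local_ip: str    # firewall address inside cidr
    remote_ip: str   # VPN gateway address inside cidr
    metric: int      # static route metric; the lower value wins (active tunnel)

@dataclass(frozen=True)
class SitePlan:
    psk: str
    vpc_cidr: str
    dc_cidr: str
    local_asn: int
    remote_asn: int
    tunnels: tuple[TunnelPlan, ...]

# Values taken from the CIDR block plan and sample VPN configurations above.
PLAN = SitePlan("123456****", "10.0.0.0/16", "192.168.0.0/16", 65000, 65530, (
    TunnelPlan("ALIYUN1", "outside1", "39.XX.XX.218", "169.254.10.0/30",
               "169.254.10.2", "169.254.10.1", 4),
    TunnelPlan("ALIYUN2", "outside2", "182.XX.XX.19", "169.254.20.0/30",
               "169.254.20.2", "169.254.20.1", 5),
))

# Steps 4 and 5: exactly one value per algorithm, matching the Alibaba Cloud side.
CRYPTO_COMMON = """\
crypto ikev2 policy 10
 encryption aes
 integrity sha
 group 14
 prf sha
 lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal ALIYUN-PROPOSAL
 protocol esp encryption aes
 protocol esp integrity sha-1
crypto ipsec profile ALIYUN-PROFILE
 set ikev2 ipsec-proposal ALIYUN-PROPOSAL
 set ikev2 local-identity address
 set pfs group14
 set security-association lifetime seconds 86400
 set security-association lifetime kilobytes unlimited"""

def validate(plan: SitePlan) -> list[str]:
    """Plan errors that yield a tunnel which negotiates but never carries traffic."""
    errors: list[str] = []
    if len({t.cidr for t in plan.tunnels}) != len(plan.tunnels):
        errors.append("tunnel CIDR blocks must be unique on the VPN gateway")
    if len({t.metric for t in plan.tunnels}) != len(plan.tunnels):
        errors.append("static route metrics must differ so one tunnel is preferred")
    for t in plan.tunnels:
        net = ipaddress.ip_network(t.cidr)
        if net.prefixlen != 30:
            errors.append(f"{t.name}: {t.cidr} is not a /30")
        for ip in (t.local_ip, t.remote_ip):
            if ipaddress.ip_address(ip) not in net.hosts():
                errors.append(f"{t.name}: {ip} is not a usable host address in {t.cidr}")
    return errors

def render(plan: SitePlan, mode: str) -> str:
    """mode is 'static' (step 9 static routes) or 'bgp' (step 9 router bgp)."""
    if errors := validate(plan):
        raise ValueError("; ".join(errors))
    out = [f"crypto ikev2 enable {t.outside_if}" for t in plan.tunnels]  # step 3
    out += CRYPTO_COMMON.splitlines()
    for i, t in enumerate(plan.tunnels, 1):  # steps 6 and 7, identical per tunnel
        mask = ipaddress.ip_network(t.cidr).netmask
        out += [f"tunnel-group {t.peer} type ipsec-l2l",
                f"tunnel-group {t.peer} ipsec-attributes",
                f" ikev2 remote-authentication pre-shared-key {plan.psk}",
                f" ikev2 local-authentication pre-shared-key {plan.psk}",
                f"interface Tunnel{i}", f" nameif {t.name}",
                f" ip address {t.local_ip} {mask}",
                f" tunnel source interface {t.outside_if}",
                f" tunnel destination {t.peer}", " tunnel mode ipsec ipv4",
                " tunnel protection ipsec profile ALIYUN-PROFILE", " no shutdown"]
    vpc, dc = ipaddress.ip_network(plan.vpc_cidr), ipaddress.ip_network(plan.dc_cidr)
    if mode == "static":  # lower metric = preferred (active) tunnel
        out += [f"route {t.name} {vpc.network_address} {vpc.netmask} {t.peer} {t.metric}"
                for t in plan.tunnels]
    elif mode == "bgp":
        out += [f"router bgp {plan.local_asn}", " address-family ipv4 unicast"]
        for t in plan.tunnels:
            out += [f"  neighbor {t.remote_ip} remote-as {plan.remote_asn}",
                    f"  neighbor {t.remote_ip} ebgp-multihop 255",
                    f"  neighbor {t.remote_ip} activate"]
        out += [f"  network {dc.network_address} mask {dc.netmask}", " exit-address-family"]
    else:
        raise ValueError(f"unknown routing mode {mode!r}")
    return "\n".join(out) + "\n"
```

Call render(PLAN, "static") or render(PLAN, "bgp") and paste the result into configuration mode. Keeping the IKE and IPsec algorithm block in one constant is deliberate: it mirrors the page's advice to configure exactly one value per algorithm on both sides, so a later change is made in one place and reaches both tunnels.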

Protected data flow mode - static routing

Prerequisites

This topic describes only how to add VPN configurations to a Cisco firewall. The procedure for configuring a VPN gateway on Alibaba Cloud is omitted. Before you configure the Cisco firewall, make sure that you have completed the following tasks: create a VPN gateway, create a customer gateway, and create an IPsec-VPN connection. For more information, see Connect a VPC to a data center in dual-tunnel mode.

  • When you create an IPsec-VPN connection, set the Routing Mode parameter to Protected Data Flows, the Local Network parameter to 10.0.0.0/16, and the Remote Network parameter to 192.168.0.0/16.

    Important

    In the scenario where you need to specify multiple local CIDR blocks or peer CIDR blocks, we recommend that you use destination-based routing mode - static routing or destination-based routing mode - BGP dynamic routing. For more information, see the "Recommended solutions" section of the Configuration suggestions and FAQ about enabling communication among CIDR blocks topic.

  • After the IPsec-VPN connection is created, you need to advertise a policy-based route. For more information, see the "Advertise a policy based route" section of the Configure policy-based routes topic. Destination-based route configuration is not required.

Procedure

  1. Log on to the CLI of the Cisco firewall and enter the configuration mode.

    ciscoasa> enable
    Password: ********             # Enter the password for entering the enable mode. 
    ciscoasa# configure terminal   # Enter the configuration mode. 
    ciscoasa(config)#     
  2. View the interface configurations and route configurations for Internet access.

    Verify that the interfaces are configured and enabled on the Cisco firewall. In this example, the following interface configurations are used:

    ciscoasa(config)# show running-config interface 
    !
    interface GigabitEthernet0/0
     nameif outside1                            # The name of the GigabitEthernet 0/0 interface. 
     security-level 0
     ip address 121.XX.XX.211 255.255.255.255    # The public IP address of the GigabitEthernet 0/0 interface. 
    !
    interface GigabitEthernet0/1                # The interface that connects to the data center. 
     nameif private                             # The name of the GigabitEthernet 0/1 interface. 
     security-level 100                         # The security level of the private interface that connects to the data center. On the ASA, a higher level is more trusted, so this is higher than the level 0 of the public interfaces. 
     ip address 192.168.50.217 255.255.255.0    # The IP address of the GigabitEthernet 0/1 interface. 
    !
    interface GigabitEthernet0/2                
     nameif outside2                            # The name of the GigabitEthernet 0/2 interface. 
     security-level 0
     ip address 121.XX.XX.77 255.255.255.255    # The public IP address of the GigabitEthernet 0/2 interface. 
    !
    
    route outside1 39.XX.XX.218 255.255.255.255 192.XX.XX.172 # The route for accessing the public IP address of Tunnel 1 on Alibaba Cloud. The next hop is a public IP address. 
    route outside2 182.XX.XX.19 255.255.255.255 192.XX.XX.158   # The route for accessing the public IP address of Tunnel 2 on Alibaba Cloud. The next hop is a public IP address. 
    route private 192.168.0.0 255.255.0.0 192.168.50.216        # The route that points to the data center.

  3. Enable the IKEv2 feature for the public interfaces.

    crypto ikev2 enable outside1
    crypto ikev2 enable outside2
  4. Create an IKEv2 policy and specify the authentication algorithm, encryption algorithm, DH group, and SA lifetime in the IKE phase on the Cisco firewall. The values must be the same as those on Alibaba Cloud.

    Important

    When you configure an IPsec-VPN connection on Alibaba Cloud, you can specify only one value for the encryption algorithm, authentication algorithm, and DH group in the IKE phase. We recommend that you specify only one value for the encryption algorithm, authentication algorithm, and DH group in the IKE phase on the Cisco firewall. The values must be the same as those on Alibaba Cloud.

    crypto ikev2 policy 10     
     encryption aes             # Specify the encryption algorithm. 
     integrity sha              # Specify the authentication algorithm. 
     group 14                   # Specify the DH group. 
     prf sha                    # The value of the prf parameter must be the same as that of the integrity parameter. By default, these values are the same on Alibaba Cloud. 
     lifetime seconds 86400     # Specify the SA lifetime.

  5. Create an IPsec proposal and specify the encryption algorithm and authentication algorithm in the IPsec phase on the Cisco firewall. The values must be the same as those on Alibaba Cloud.

    Important

    When you configure an IPsec-VPN connection on Alibaba Cloud, you can specify only one value for the encryption algorithm, authentication algorithm, and DH group in the IPsec phase. We recommend that you specify only one value for the encryption algorithm, authentication algorithm, and DH group in the IPsec phase on the Cisco firewall. The values must be the same as those on Alibaba Cloud.

    crypto ipsec ikev2 ipsec-proposal ALIYUN-PROPOSAL    # Create an IPsec proposal. 
     protocol esp encryption aes                         # Specify the encryption algorithm. The ESP protocol is used on Alibaba Cloud. Therefore, use the ESP protocol. 
     protocol esp integrity sha-1                        # Specify the authentication algorithm. The ESP protocol is used on Alibaba Cloud. Therefore, use the ESP protocol.

  6. Define the protected data flows.

    Specify the CIDR blocks that are allowed to transmit traffic over the IPsec-VPN connection. In this example, the CIDR block 192.168.0.0/16 of the data center is allowed to communicate with the CIDR block 10.0.0.0/16 of the Alibaba Cloud VPC.

    access-list acl_tun extended permit ip 192.168.0.0 255.255.0.0 10.0.0.0 255.255.0.0
  7. Create IPsec policies.

    # Create an IPsec policy for Tunnel 1.
    crypto map TUNL1 1 match address acl_tun                      # Apply the protected data flows that are defined. 
    crypto map TUNL1 1 set pfs group14                            # Specify the DH group. 
    crypto map TUNL1 1 set peer 39.XX.XX.218                      # Specify the peer ID, which is the IPsec address 1 on Alibaba Cloud. 
    crypto map TUNL1 1 set ikev2 ipsec-proposal ALIYUN-PROPOSAL   # Apply the IPsec proposal. 
    crypto map TUNL1 1 set ikev2 pre-shared-key 0 123456****      # Specify the pre-shared key, which must be the same as that specified in the tunnel-group command. 
    crypto map TUNL1 1 set security-association lifetime seconds  86400             # Specify the time-based IPsec SA lifetime. 
    crypto map TUNL1 1 set security-association lifetime kilobytes unlimited        # Disable the traffic-based IPsec SA lifetime. 
    crypto map TUNL1 interface outside1                                             # Apply the IPsec policy to the public interface GigabitEthernet 0/0. 
    !
    # Create an IPsec policy for Tunnel 2.
    crypto map TUNL2 1 match address acl_tun                      # Apply the protected data flows that are defined. 
    crypto map TUNL2 1 set pfs group14                            # Specify the DH group. 	
    crypto map TUNL2 1 set peer 182.XX.XX.19                      # Specify the peer ID, which is the IPsec address 2 on Alibaba Cloud. 
    crypto map TUNL2 1 set ikev2 ipsec-proposal ALIYUN-PROPOSAL   # Apply the IPsec proposal. 
    crypto map TUNL2 1 set ikev2 pre-shared-key 0 123456****      # Specify the pre-shared key, which must be the same as that specified in the tunnel-group command. 
    crypto map TUNL2 1 set security-association lifetime seconds  86400             # Specify the time-based IPsec SA lifetime. 
    crypto map TUNL2 1 set security-association lifetime kilobytes unlimited        # Disable the traffic-based IPsec SA lifetime. 
    crypto map TUNL2 interface outside2                                             # Apply the IPsec policy to the public interface GigabitEthernet 0/2. 
    
    !
  8. Create tunnel groups and specify the pre-shared keys for tunnels, which must be the same as those on Alibaba Cloud.

    tunnel-group 39.XX.XX.218 type ipsec-l2l                #  Specify the encapsulation mode l2l for Tunnel 1. 
    tunnel-group 39.XX.XX.218 ipsec-attributes             
     ikev2 remote-authentication pre-shared-key 123456****  # Specify the peer pre-shared key for Tunnel 1, which is the pre-shared key on Alibaba Cloud. 
     ikev2 local-authentication pre-shared-key 123456****   # Specify the local pre-shared key for Tunnel 1, which must be the same as that on Alibaba Cloud. 
    !
    tunnel-group 182.XX.XX.19 type ipsec-l2l                # Specify the encapsulation mode l2l for Tunnel 2. 
    tunnel-group 182.XX.XX.19 ipsec-attributes
     ikev2 remote-authentication pre-shared-key 123456****  # Specify the peer pre-shared key for Tunnel 2, which is the pre-shared key on Alibaba Cloud. 
     ikev2 local-authentication pre-shared-key 123456****   # Specify the local pre-shared key for Tunnel 2, which must be the same as that on Alibaba Cloud. 
    !
  9. View the status of the IPsec-VPN connection.

    You can run the command framed in red in the following figure to view the SA that has been successfully negotiated.

    More query commands

    Query commands related to IPsec SA negotiations

    show crypto isakmp sa # Display the negotiated SA information on the control plane.
    show crypto ikev2 sa  # Display the negotiated SA, role, and protected data flow in Phase 1 and Phase 2 on the control plane.
    show crypto ipsec sa peer XX.XX.XX.XX # Query the details of the specified peer SA.
    show ipsec sa         # Display basic information such as the SA, role, protected data flow, and traffic statistics in Phase 1 and Phase 2 on the forwarding plane.

    Query commands related to VPN traffic statistics

    show crypto ikev2 stats     # Display the statistics on protocol packets, encrypted packets, and abnormal packets.
    show crypto protocol statistics all # Display the statistics on protocol packets and encrypted packets.
    show ipsec stats            # Display the IPsec statistics.
  10. Configure a floating static route that points to the Alibaba Cloud VPC (CIDR block: 10.0.0.0/16).

    sla monitor 1                                                  # Define an SLA operation that is numbered 1. 
     type echo protocol ipIcmpEcho 10.0.10.33 interface outside1   # Perform the ICMP echo test between the outside1 interface and the IP address 10.0.10.33 on Alibaba Cloud. 
     num-packets 2
     timeout 60
     frequency 5
    sla monitor schedule 1 life forever start-time now             # Start SLA 1 immediately for permanent operation. 

    track 1 rtr 1 reachability                                     # Create Track 1, associate it with SLA 1, and test the connectivity between the outside1 interface and the IP address 10.0.10.33 on Alibaba Cloud.

    # If the track detects that the connectivity is DOWN, this route is withdrawn. 
    # If the track detects that the connectivity is UP, this route is added. 
    route outside1 10.0.0.0 255.255.0.0 39.XX.XX.218 1 track 1     # Preferred route over Tunnel 1 (administrative distance 1), present only while Track 1 is UP. 
    route outside2 10.0.0.0 255.255.0.0 182.XX.XX.19 5             # Floating route over Tunnel 2 (administrative distance 5), used when the tracked route is withdrawn. 
  11. In the data center, configure the routes for traffic between clients and the Cisco firewall.

    Then, you can test the network connectivity between the data center and the Alibaba Cloud VPC. For more information, see the "Step 6: Test the network connectivity" section of the Connect a VPC to a data center in dual-tunnel mode topic.

IKEv1 configuration example

If the IKEv1 version is required on the Cisco firewall, you can configure the Cisco firewall based on the description in this section.

When you establish an IPsec-VPN connection to Alibaba Cloud by using the following configurations, make sure that the IPsec-VPN connection on Alibaba Cloud uses destination-based routing and IKEv1.

Destination-based routing mode - static routing

  1. Log on to the CLI of the Cisco firewall and enter the configuration mode.

    ciscoasa> enable
    Password: ********             # Enter the password for entering the enable mode. 
    ciscoasa# configure terminal   # Enter the configuration mode. 
    ciscoasa(config)#     
  2. View the interface configurations and route configurations for Internet access.

    Verify that the interfaces are configured and enabled on the Cisco firewall. In this example, the following interface configurations are used:

    ciscoasa(config)# show running-config interface 
    !
    interface GigabitEthernet0/0
     nameif outside1                            # The name of the GigabitEthernet 0/0 interface. 
     security-level 0
     ip address 121.XX.XX.211 255.255.255.255    # The public IP address of the GigabitEthernet 0/0 interface. 
    !
    interface GigabitEthernet0/1                # The interface that connects to the data center. 
     nameif private                             # The name of the GigabitEthernet 0/1 interface. 
     security-level 100                         # The security level of the private interface that connects to the data center, which is higher than that of a public interface. 
     ip address 192.168.50.217 255.255.255.0    # The IP address of the GigabitEthernet 0/1 interface. 
    !
    interface GigabitEthernet0/2                
     nameif outside2                            # The name of the GigabitEthernet 0/2 interface. 
     security-level 0
     ip address 121.XX.XX.77 255.255.255.255    # The public IP address of the GigabitEthernet 0/2 interface. 
    !
    
    route outside1 39.XX.XX.218 255.255.255.255 192.XX.XX.172 # The route for accessing the public IP address of Tunnel 1 on Alibaba Cloud. The next hop is a public IP address. 
    route outside2 182.XX.XX.19 255.255.255.255 192.XX.XX.158   # The route for accessing the public IP address of Tunnel 2 on Alibaba Cloud. The next hop is a public IP address. 
    route private 192.168.0.0 255.255.0.0 192.168.50.216        # The route that points to the data center.

  3. Enable the IKEv1 feature for the public interfaces.

    crypto ikev1 enable outside1
    crypto ikev1 enable outside2
  4. Create an IKEv1 policy and specify the verification method and the authentication algorithm, encryption algorithm, DH group, and SA lifetime in the IKE phase on the Cisco firewall. The values must be the same as those on Alibaba Cloud.

    Important

    When you configure an IPsec-VPN connection on Alibaba Cloud, you can specify only one value for the encryption algorithm, authentication algorithm, and DH group in the IKE phase. We recommend that you specify only one value for the encryption algorithm, authentication algorithm, and DH group in the IKE phase on the Cisco firewall. The values must be the same as those on Alibaba Cloud.

    crypto ikev1 policy 10   
     authentication pre-share   # Specify the pre-shared key as the verification method. 
     encryption aes             # Specify the encryption algorithm. 
     hash sha                   # Specify the authentication algorithm. 
     group 14                   # Specify the DH group. 
     lifetime 86400             # Specify the time-based SA lifetime.

  5. Create an IPsec transform set and profile, and specify the encryption algorithm, authentication algorithm, DH group, and SA lifetime in the IPsec phase on the Cisco firewall. The values must be the same as those on Alibaba Cloud.

    Important

    When you configure an IPsec-VPN connection on Alibaba Cloud, you can specify only one value for the encryption algorithm, authentication algorithm, and DH group in the IPsec phase. We recommend that you specify only one value for the encryption algorithm, authentication algorithm, and DH group in the IPsec phase on the Cisco firewall. The values must be the same as those on Alibaba Cloud.

    crypto ipsec ikev1 transform-set TRANSFORM esp-aes esp-sha-hmac  # Create an IPsec transform set and specify the encryption algorithm and authentication algorithm. 
    crypto ipsec profile ALIYUN-PROFILE                  
     set ikev1 transform-set TRANSFORM                               # Apply the transform set that is created. 
     set pfs group14                                                 # Specify the PFS and DH group. 
     set security-association lifetime seconds 86400                 # Specify the time-based SA lifetime. 
     set security-association lifetime kilobytes unlimited           # Disable the traffic-based SA lifetime. 
    
    crypto isakmp identity address                                   # Set the format of the local IKE identity (ISAKMP identity) to IP address.

  6. Create tunnel groups and specify the pre-shared keys for tunnels, which must be the same as those on Alibaba Cloud.

    tunnel-group 39.XX.XX.218 type ipsec-l2l                #  Specify the encapsulation mode l2l for Tunnel 1. 
    tunnel-group 39.XX.XX.218 ipsec-attributes             
     ikev1 pre-shared-key 123456****                        # Specify the peer pre-shared key for Tunnel 1, which is the pre-shared key on Alibaba Cloud. 
    !
    tunnel-group 182.XX.XX.19 type ipsec-l2l                # Specify the encapsulation mode l2l for Tunnel 2. 
    tunnel-group 182.XX.XX.19 ipsec-attributes         
     ikev1 pre-shared-key 123456****                        # Specify the peer pre-shared key for Tunnel 2, which is the pre-shared key on Alibaba Cloud. 
    !
  7. Create tunnel interfaces.

    interface Tunnel1                                  # Create an interface for Tunnel 1. 
     nameif ALIYUN1
     ip address 169.254.10.2 255.255.255.252           # Specify the IP address of the interface. 
     tunnel source interface outside1                  # Specify the IP address of the GigabitEthernet 0/0 interface as the source address of Tunnel 1. 
     tunnel destination 39.XX.XX.218                   # Specify the public IP address of Tunnel 1 on Alibaba Cloud as the destination address of Tunnel 1. 
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile ALIYUN-PROFILE    # Apply the IPsec profile ALIYUN-PROFILE on Tunnel 1. 
     no shutdown                                       # Enable the interface for Tunnel 1. 
    !
    interface Tunnel2                                  # Create an interface for Tunnel 2. 
     nameif ALIYUN2                
     ip address 169.254.20.2 255.255.255.252           # Specify the IP address of the interface. 
     tunnel source interface outside2                  # Specify the IP address of the GigabitEthernet 0/2 interface as the source address of Tunnel 2. 
     tunnel destination 182.XX.XX.19                   # Specify the public IP address of Tunnel 2 on Alibaba Cloud as the destination address of Tunnel 2. 
     tunnel mode ipsec ipv4                            
     tunnel protection ipsec profile ALIYUN-PROFILE    # Apply the IPsec profile ALIYUN-PROFILE on Tunnel 2. 
     no shutdown                                       # Enable the interface for Tunnel 2. 
    !
  8. Configure static routes that point to the Alibaba Cloud VPC (CIDR block: 10.0.0.0/16).

    route ALIYUN1 10.0.0.0 255.255.0.0 39.XX.XX.218 4  # Specify the route for forwarding traffic from the data center to the Alibaba Cloud VPC over the interface for Tunnel 1. This route has a higher priority. 
    route ALIYUN2 10.0.0.0 255.255.0.0 182.XX.XX.19 5  # Specify the route for forwarding traffic from the data center to the Alibaba Cloud VPC over the interface for Tunnel 2. The priority of this route is lower than that of the route that points to the interface for Tunnel 1.

  9. In the data center, configure the routes for traffic between clients and the Cisco firewall.

    Then, you can test the network connectivity between the data center and the Alibaba Cloud VPC. For more information, see the "Step 6: Test the network connectivity" section of the Connect a VPC to a data center in dual-tunnel mode topic.

Destination-based routing mode - BGP dynamic routing

  1. Log on to the CLI of the Cisco firewall and enter the configuration mode.

    ciscoasa> enable
    Password: ********             # Enter the password for entering the enable mode. 
    ciscoasa# configure terminal   # Enter the configuration mode. 
    ciscoasa(config)#     
  2. View the interface configurations and route configurations for Internet access.

    Verify that the interfaces are configured and enabled on the Cisco firewall. In this example, the following interface configurations are used:

    ciscoasa(config)# show running-config interface 
    !
    interface GigabitEthernet0/0
     nameif outside1                            # The name of the GigabitEthernet 0/0 interface. 
     security-level 0
     ip address 121.XX.XX.211 255.255.255.255    # The public IP address of the GigabitEthernet 0/0 interface. 
    !
    interface GigabitEthernet0/1                # The interface that connects to the data center. 
     nameif private                             # The name of the GigabitEthernet 0/1 interface. 
     security-level 100                         # The security level of the private interface that connects to the data center, which is higher than that of a public interface. 
     ip address 192.168.50.217 255.255.255.0    # The IP address of the GigabitEthernet 0/1 interface. 
    !
    interface GigabitEthernet0/2                
     nameif outside2                            # The name of the GigabitEthernet 0/2 interface. 
     security-level 0
     ip address 121.XX.XX.77 255.255.255.255    # The public IP address of the GigabitEthernet 0/2 interface. 
    !
    
    route outside1 39.XX.XX.218 255.255.255.255 192.XX.XX.172 # The route for accessing the public IP address of Tunnel 1 on Alibaba Cloud. The next hop is a public IP address. 
    route outside2 182.XX.XX.19 255.255.255.255 192.XX.XX.158   # The route for accessing the public IP address of Tunnel 2 on Alibaba Cloud. The next hop is a public IP address. 
    route private 192.168.0.0 255.255.0.0 192.168.50.216        # The route that points to the data center.

  3. Enable the IKEv1 feature for the public interfaces.

    crypto ikev1 enable outside1
    crypto ikev1 enable outside2
  4. Create an IKEv1 policy and specify the verification method and the authentication algorithm, encryption algorithm, DH group, and SA lifetime in the IKE phase on the Cisco firewall. The values must be the same as those on Alibaba Cloud.

    Important

    When you configure an IPsec-VPN connection on Alibaba Cloud, you can specify only one value for the encryption algorithm, authentication algorithm, and DH group in the IKE phase. We recommend that you specify only one value for the encryption algorithm, authentication algorithm, and DH group in the IKE phase on the Cisco firewall. The values must be the same as those on Alibaba Cloud.

    crypto ikev1 policy 10   
     authentication pre-share   # Specify the pre-shared key as the verification method. 
     encryption aes             # Specify the encryption algorithm. 
     hash sha                   # Specify the authentication algorithm. 
     group 14                   # Specify the DH group. 
     lifetime 86400             # Specify the time-based SA lifetime.

  5. Create an IPsec transform set and profile, and specify the encryption algorithm, authentication algorithm, DH group, and SA lifetime in the IPsec phase on the Cisco firewall. The values must be the same as those on Alibaba Cloud.

    Important

    When you configure an IPsec-VPN connection on Alibaba Cloud, you can specify only one value for the encryption algorithm, authentication algorithm, and DH group in the IPsec phase. We recommend that you specify only one value for the encryption algorithm, authentication algorithm, and DH group in the IPsec phase on the Cisco firewall. The values must be the same as those on Alibaba Cloud.

    crypto ipsec ikev1 transform-set TRANSFORM esp-aes esp-sha-hmac  # Create an IPsec transform set and specify the encryption algorithm and authentication algorithm. 
    crypto ipsec profile ALIYUN-PROFILE                  
     set ikev1 transform-set TRANSFORM                               # Apply the transform set that is created. 
     set pfs group14                                                 # Specify the PFS and DH group. 
     set security-association lifetime seconds 86400                 # Specify the time-based SA lifetime. 
     set security-association lifetime kilobytes unlimited           # Disable the traffic-based SA lifetime. 
    
    crypto isakmp identity address                                   # Set the format of the local IKE identity (ISAKMP identity) to IP address.

  6. Create tunnel groups and specify the pre-shared keys for tunnels, which must be the same as those on Alibaba Cloud.

    tunnel-group 39.XX.XX.218 type ipsec-l2l                #  Specify the encapsulation mode l2l for Tunnel 1. 
    tunnel-group 39.XX.XX.218 ipsec-attributes             
     ikev1 pre-shared-key 123456****                        # Specify the peer pre-shared key for Tunnel 1, which is the pre-shared key on Alibaba Cloud. 
    !
    tunnel-group 182.XX.XX.19 type ipsec-l2l                # Specify the encapsulation mode l2l for Tunnel 2. 
    tunnel-group 182.XX.XX.19 ipsec-attributes         
     ikev1 pre-shared-key 123456****                        # Specify the peer pre-shared key for Tunnel 2, which is the pre-shared key on Alibaba Cloud. 
    !
  7. Create tunnel interfaces.

    interface Tunnel1                                  # Create an interface for Tunnel 1. 
     nameif ALIYUN1
     ip address 169.254.10.2 255.255.255.252           # Specify the IP address of the interface. 
     tunnel source interface outside1                  # Specify the IP address of the GigabitEthernet 0/0 interface as the source address of Tunnel 1. 
     tunnel destination 39.XX.XX.218                   # Specify the public IP address of Tunnel 1 on Alibaba Cloud as the destination address of Tunnel 1. 
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile ALIYUN-PROFILE    # Apply the IPsec profile ALIYUN-PROFILE on Tunnel 1. 
     no shutdown                                       # Enable the interface for Tunnel 1. 
    !
    interface Tunnel2                                  # Create an interface for Tunnel 2. 
     nameif ALIYUN2                
     ip address 169.254.20.2 255.255.255.252           # Specify the IP address of the interface. 
     tunnel source interface outside2                  # Specify the IP address of the GigabitEthernet 0/2 interface as the source address of Tunnel 2. 
     tunnel destination 182.XX.XX.19                   # Specify the public IP address of Tunnel 2 on Alibaba Cloud as the destination address of Tunnel 2. 
     tunnel mode ipsec ipv4                            
     tunnel protection ipsec profile ALIYUN-PROFILE    # Apply the IPsec profile ALIYUN-PROFILE on Tunnel 2. 
     no shutdown                                       # Enable the interface for Tunnel 2. 
    !
  8. Configure BGP dynamic routing.

    router bgp 65000
     address-family ipv4 unicast
      neighbor 169.254.10.1 remote-as 65530       # Specify the BGP peer, which is the IP address of Tunnel 1 on Alibaba Cloud. 
      neighbor 169.254.10.1 ebgp-multihop 255
      neighbor 169.254.10.1 activate              # Activate the BGP peer. 
      neighbor 169.254.20.1 remote-as 65530       # Specify the BGP peer, which is the IP address of Tunnel 2 on Alibaba Cloud. 
      neighbor 169.254.20.1 ebgp-multihop 255
      neighbor 169.254.20.1 activate              # Activate the BGP peer. 
      network 192.168.0.0 mask 255.255.0.0 # Advertise the CIDR block of the data center. 
     exit-address-family
  9. In the data center, configure the routes for traffic between clients and the Cisco firewall.

    Then, you can test the network connectivity between the data center and the Alibaba Cloud VPC. For more information, see the "Step 6: Test the network connectivity" section of the Connect a VPC to a data center in dual-tunnel mode topic.

Configure a Cisco firewall to use a single tunnel

Scenario

In this example, a company has deployed a VPC on Alibaba Cloud. The CIDR block of the VPC is 10.0.0.0/16. Applications are deployed on an ECS instance in the VPC. The company has a data center that needs to use the CIDR block 192.168.0.0/16 to communicate with the VPC. The company wants to establish an IPsec-VPN connection between the data center and the VPC on the cloud to implement mutual resource access.

CIDR block plan and sample VPN configurations

CIDR block plan

  • Data center
    CIDR block: 192.168.0.0/16, the CIDR block that needs to communicate with the VPC
    IP address: Server IP address 192.168.50.198

  • Cisco firewall
    CIDR block: N/A
    IP address: Physical interfaces on the Cisco firewall:
      • GigabitEthernet 0/0: This interface connects to the Internet and is configured with a public IP address. In this example, 121.XX.XX.211 is used.
      • GigabitEthernet 0/1: This interface connects to the data center and is configured with the IP address 192.168.50.217.

  • VPC
    CIDR block: Primary CIDR block 10.0.0.0/16; vSwitch 1: 10.0.10.0/24; vSwitch 2: 10.0.20.0/24
    IP address: ECS instance IP address 10.0.10.33

  • Public VPN gateway
    CIDR block: N/A
    IP address: Public IP address of the VPN gateway 39.XX.XX.218

    Note

    After you create a VPN gateway, the system automatically assigns IP addresses to the VPN gateway.

CIDR block plan for BGP dynamic routing

In addition to static routing, this topic also describes how to configure a Cisco firewall to establish an IPsec-VPN connection that uses BGP dynamic routing. If you do not need to use BGP dynamic routing, skip this section. The following table describes the CIDR block plan for BGP dynamic routing.

    Resource         BGP tunnel CIDR block    BGP IP address    BGP local ASN
    VPN gateway      169.254.10.0/30          169.254.10.1      65530
    Cisco firewall   169.254.10.0/30          169.254.10.2      65000

Note

On a VPN gateway, the CIDR block of each tunnel must be unique.

Sample VPN configurations

The VPN configurations on Alibaba Cloud and the Cisco firewall must be the same.

    Parameter                      Sample value on Alibaba Cloud    Sample value on the Cisco firewall
    Pre-shared key                 123456****                       123456****
    IKE configurations
      IKE version                  ikev2                            ikev2
      Negotiation mode             main                             main
      Encryption algorithm         aes                              aes
      Authentication algorithm     sha1                             sha1
      DH group                     group14                          group14
      SA lifetime (seconds)        86400                            86400
    IPsec configurations
      Encryption algorithm         aes                              aes
      Authentication algorithm     sha1                             sha1
      DH group                     group14                          group14
      SA lifetime (seconds)        86400                            86400
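The topic repeats that the IKE-phase and IPsec-phase values on the Cisco firewall must match those on Alibaba Cloud and that only one value per parameter should be configured. The following Python script is an added example (not part of this topic and not a Cisco or Alibaba Cloud tool) that parses an ASA configuration excerpt, constructed here after the IKEv2 policy, IPsec proposal and crypto map shown in the dual-tunnel steps, and reports any parameter that is missing, lists several values, or differs from the Alibaba Cloud sample values in the table above; the parameter names and the spelling map between the two vendors are the script's own.

```python
"""Cross-check the IKE/IPsec parameters in a Cisco ASA configuration against
the values configured on the Alibaba Cloud side of the IPsec-VPN connection.
Added example; not part of the topic or of any Cisco or Alibaba Cloud tool."""
import re

# Constructed ASA excerpt, modelled on the topic's IKEv2 policy, IPsec
# proposal and crypto map (Tunnel 1 only; Tunnel 2 is configured the same way).
ASA_CONFIG = """\
crypto ikev2 policy 10
 encryption aes
 integrity sha
 group 14
 prf sha
 lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal ALIYUN-PROPOSAL
 protocol esp encryption aes
 protocol esp integrity sha-1
crypto map TUNL1 1 set pfs group14
crypto map TUNL1 1 set security-association lifetime seconds 86400
crypto map TUNL1 1 set ikev2 ipsec-proposal ALIYUN-PROPOSAL
"""

# Sample values on Alibaba Cloud, as listed in the topic's parameter table.
ALIYUN = {
    "ike":   {"encryption": "aes", "authentication": "sha1",
              "dh_group": "group14", "lifetime": 86400},
    "ipsec": {"encryption": "aes", "authentication": "sha1",
              "dh_group": "group14", "lifetime": 86400},
}

# The ASA spells some values differently from the Alibaba Cloud console
# ("sha" / "sha-1" for sha1, "14" for group14); map them before comparing.
SPELLING = {"sha": "sha1", "sha-1": "sha1", "14": "group14"}


def _add(bucket, param, values):
    """Record every value seen for a parameter (in Alibaba Cloud spelling)."""
    bucket.setdefault(param, set()).update(SPELLING.get(v, v) for v in values)


def parse_asa(config):
    """Extract IKE- and IPsec-phase parameters from an ASA config excerpt.
    Values are kept in sets so that a policy listing several algorithms on one
    line ("integrity sha sha256") is caught: Alibaba Cloud accepts one value."""
    found = {"ike": {}, "ipsec": {}}
    section = None
    for line in config.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):               # top-level command
            section = None
            if line.startswith("crypto ikev2 policy "):
                section = "ike"
            elif line.startswith("crypto ipsec ikev2 ipsec-proposal "):
                section = "ipsec"
            elif m := re.match(r"crypto map \S+ \d+ set pfs (\S+)$", line):
                _add(found["ipsec"], "dh_group", [m.group(1)])
            elif m := re.match(r"crypto map \S+ \d+ set security-association "
                               r"lifetime seconds (\d+)$", line):
                _add(found["ipsec"], "lifetime", [int(m.group(1))])
            continue
        tok = line.split()                          # indented sub-command
        if section == "ike":
            if tok[0] == "encryption":
                _add(found["ike"], "encryption", tok[1:])
            elif tok[0] == "integrity":
                _add(found["ike"], "authentication", tok[1:])
            elif tok[0] == "group":
                _add(found["ike"], "dh_group", tok[1:])
            elif tok[:2] == ["lifetime", "seconds"]:
                _add(found["ike"], "lifetime", [int(tok[2])])
        elif section == "ipsec":
            if tok[:3] == ["protocol", "esp", "encryption"]:
                _add(found["ipsec"], "encryption", tok[3:])
            elif tok[:3] == ["protocol", "esp", "integrity"]:
                _add(found["ipsec"], "authentication", tok[3:])
    return found


def audit(config, aliyun=ALIYUN):
    """Return a list of findings; an empty list means the two sides agree."""
    asa = parse_asa(config)
    findings = []
    for phase in ("ike", "ipsec"):
        for param, expected in aliyun[phase].items():
            got = asa[phase].get(param, set())
            if not got:
                findings.append(f"{phase}: {param} is not configured on the ASA")
            elif len(got) > 1:
                findings.append(f"{phase}: {param} lists several values "
                                f"{sorted(map(str, got))}; Alibaba Cloud accepts one")
            elif (actual := next(iter(got))) != expected:
                findings.append(f"{phase}: {param} is {actual} on the ASA "
                                f"but {expected} on Alibaba Cloud")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(ASA_CONFIG) or ["OK: ASA parameters match Alibaba Cloud"]))
```

Run it against the output of `show running-config` pasted into a file to catch a mismatched DH group or a multi-algorithm policy before the first IKE negotiation fails.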

Procedure

Note
  • In this example, the software Adaptive Security Appliance (ASA) 9.19.1 is used to describe how to configure a Cisco firewall. The commands may vary with software versions. Consult the documentation or your vendor based on your actual environment during operations.

  • In this scenario, we recommend that you use destination-based routing mode - static routing or destination-based routing mode - BGP dynamic routing.

Destination-based routing mode - static routing

Prerequisites

This topic describes only how to add VPN configurations to a Cisco firewall. The procedure for configuring a VPN gateway on Alibaba Cloud is omitted. Before you configure the Cisco firewall, make sure that you have completed the following tasks: create a VPN gateway, create a customer gateway, create an IPsec-VPN connection, and configure routing for the VPN gateway. For more information, see Connect a VPC to a data center in single-tunnel mode.

Procedure

  1. Log on to the CLI of the Cisco firewall and enter the configuration mode.

    ciscoasa> enable
    Password: ********             # Enter the password for entering the enable mode. 
    ciscoasa# configure terminal   # Enter the configuration mode. 
    ciscoasa(config)#     
  2. View the interface configurations and route configurations for Internet access.

    Verify that the interfaces are configured and enabled on the Cisco firewall. In this example, the following interface configurations are used:

    ciscoasa(config)# show running-config interface 
    !
    interface GigabitEthernet0/0
     nameif outside1                            # The name of the GigabitEthernet 0/0 interface. 
     security-level 0
     ip address 121.XX.XX.211 255.255.255.255    # The public IP address of the GigabitEthernet 0/0 interface. 
    !
    interface GigabitEthernet0/1                # The interface that connects to the data center. 
     nameif private                             # The name of the GigabitEthernet 0/1 interface. 
     security-level 100                         # The security level of the private interface that connects to the data center, which is higher than that of a public interface. 
     ip address 192.168.50.217 255.255.255.0    # The IP address of the GigabitEthernet 0/1 interface. 
    !
    
    route outside1 39.XX.XX.218 255.255.255.255 192.XX.XX.172   # The route for accessing the public IP address of the VPN gateway on Alibaba Cloud. The next hop is a public IP address. 
    route private 192.168.0.0 255.255.0.0 192.168.50.216        # The route that points to the data center.

  3. Enable the IKEv2 feature for the public interface.

    crypto ikev2 enable outside1
  4. Create an IKEv2 policy and specify the authentication algorithm, encryption algorithm, DH group, and SA lifetime in the IKE phase on the Cisco firewall. The values must be the same as those on Alibaba Cloud.

    Important

    When you configure an IPsec-VPN connection on Alibaba Cloud, you can specify only one value for the encryption algorithm, authentication algorithm, and DH group in the IKE phase. We recommend that you specify only one value for the encryption algorithm, authentication algorithm, and DH group in the IKE phase on the Cisco firewall. The values must be the same as those on Alibaba Cloud.

    crypto ikev2 policy 10     
     encryption aes             # Specify the encryption algorithm. 
     integrity sha              # Specify the authentication algorithm. 
     group 14                   # Specify the DH group. 
     prf sha                    # The value of the prf parameter must be the same as that of the integrity parameter. By default, these values are the same on Alibaba Cloud. 
     lifetime seconds 86400     # Specify the SA lifetime.

  5. Create an IPsec proposal and profile, and specify the encryption algorithm, authentication algorithm, DH group, and SA lifetime in the IPsec phase on the Cisco firewall. The values must be the same as those on Alibaba Cloud.

    Important

    When you configure an IPsec-VPN connection on Alibaba Cloud, you can specify only one value for the encryption algorithm, authentication algorithm, and DH group in the IPsec phase. We recommend that you specify only one value for the encryption algorithm, authentication algorithm, and DH group in the IPsec phase on the Cisco firewall. The values must be the same as those on Alibaba Cloud.

    crypto ipsec ikev2 ipsec-proposal ALIYUN-PROPOSAL    # Create an IPsec proposal. 
     protocol esp encryption aes                         # Specify the encryption algorithm. The ESP protocol is used on Alibaba Cloud. Therefore, use the ESP protocol. 
     protocol esp integrity sha-1                        # Specify the authentication algorithm. The ESP protocol is used on Alibaba Cloud. Therefore, use the ESP protocol. 
    crypto ipsec profile ALIYUN-PROFILE                  
     set ikev2 ipsec-proposal ALIYUN-PROPOSAL            # Create an IPsec profile and apply the proposal that is created.  
     set ikev2 local-identity address                    # Set the format of the local ID to IP address, which is the same as the format of the remote ID on Alibaba Cloud. 
     set pfs group14                                     # Specify the PFS and DH group. 
     set security-association lifetime seconds 86400     # Specify the time-based SA lifetime. 
     set security-association lifetime kilobytes unlimited # Disable the traffic-based SA lifetime.

  6. Create a tunnel group and specify the pre-shared keys for the tunnel, which must be the same as those on Alibaba Cloud.

    tunnel-group 39.XX.XX.218 type ipsec-l2l                #  Specify the encapsulation mode l2l for the tunnel. 
    tunnel-group 39.XX.XX.218 ipsec-attributes             
     ikev2 remote-authentication pre-shared-key 123456****  # Specify the peer pre-shared key for the tunnel, which is the pre-shared key on Alibaba Cloud. 
     ikev2 local-authentication pre-shared-key 123456****   # Specify the local pre-shared key for the tunnel, which must be the same as that on Alibaba Cloud. 
    !
  7. Create a tunnel interface.

    interface Tunnel1                                  # Create an interface for the tunnel. 
     nameif ALIYUN1
     ip address 169.254.10.2 255.255.255.252           # Specify the IP address of the interface. 
     tunnel source interface outside1                  # Specify the IP address of the GigabitEthernet 0/0 interface as the source address of the tunnel. 
     tunnel destination 39.XX.XX.218                   # Specify the public IP address of the VPN gateway on Alibaba Cloud as the destination address of the tunnel. 
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile ALIYUN-PROFILE    # Apply the IPsec profile ALIYUN-PROFILE on the tunnel. 
     no shutdown                                       # Enable the interface for the tunnel. 
    !
  8. Configure a static route that points to the Alibaba Cloud VPC (CIDR block: 10.0.0.0/16).

    route ALIYUN1 10.0.0.0 255.255.0.0 39.XX.XX.218 
  9. In the data center, configure the routes for traffic between clients and the Cisco firewall.

    Then, you can test the network connectivity between the data center and the Alibaba Cloud VPC. For more information, see the "Step 6: Test the network connectivity" section of the Connect a VPC to a data center in single-tunnel mode topic.

Destination-based routing mode - BGP dynamic routing

Prerequisites

This topic describes only how to add VPN configurations to a Cisco firewall. The procedure for configuring a VPN gateway on Alibaba Cloud is omitted. Before you configure the Cisco firewall, make sure that you have completed the following tasks: create a VPN gateway, create a customer gateway, create an IPsec-VPN connection, and enable BGP. For more information, see Connect a VPC to a data center by using an IPsec-VPN connection in single-tunnel mode and enable BGP routing.

Procedure

  1. Log on to the CLI of the Cisco firewall and enter the configuration mode.

    ciscoasa> enable
    Password: ********             # Enter the password for entering the enable mode. 
    ciscoasa# configure terminal   # Enter the configuration mode. 
    ciscoasa(config)#     
  2. View the interface configurations and route configurations for Internet access.

    Verify that the interfaces are configured and enabled on the Cisco firewall. In this example, the following interface configurations are used:

    ciscoasa(config)# show running-config interface 
    !
    interface GigabitEthernet0/0
     nameif outside1                            # The name of the GigabitEthernet 0/0 interface. 
     security-level 0
     ip address 121.XX.XX.211 255.255.255.255    # The public IP address of the GigabitEthernet 0/0 interface. 
    !
    interface GigabitEthernet0/1                # The interface that connects to the data center. 
     nameif private                             # The name of the GigabitEthernet 0/1 interface. 
     security-level 100                         # The security level of the private interface that connects to the data center, which is higher than that of a public interface (security-level 0). 
     ip address 192.168.50.217 255.255.255.0    # The IP address of the GigabitEthernet 0/1 interface. 
    !
    
    route outside1 39.XX.XX.218 255.255.255.255 192.XX.XX.172   # The route for accessing the public IP address of the VPN gateway on Alibaba Cloud. The next hop is a public IP address. 
    route private 192.168.0.0 255.255.0.0 192.168.50.216        # The route that points to the data center.

  3. Enable the IKEv2 feature for the public interface.

    crypto ikev2 enable outside1
  4. Create an IKEv2 policy and specify the authentication algorithm, encryption algorithm, DH group, and SA lifetime in the IKE phase on the Cisco firewall. The values must be the same as those on Alibaba Cloud.

    Important

    When you configure an IPsec-VPN connection on Alibaba Cloud, you can specify only one value for the encryption algorithm, authentication algorithm, and DH group in the IKE phase. We recommend that you specify only one value for the encryption algorithm, authentication algorithm, and DH group in the IKE phase on the Cisco firewall. The values must be the same as those on Alibaba Cloud.

    crypto ikev2 policy 10     
     encryption aes             # Specify the encryption algorithm. 
     integrity sha              # Specify the authentication algorithm. 
     group 14                   # Specify the DH group. 
     prf sha                    # The value of the prf parameter must be the same as that of the integrity parameter. By default, these values are the same on Alibaba Cloud. 
     lifetime seconds 86400     # Specify the SA lifetime.

  5. Create an IPsec proposal and profile, and specify the encryption algorithm, authentication algorithm, DH group, and SA lifetime in the IPsec phase on the Cisco firewall. The values must be the same as those on Alibaba Cloud.

    Important

    When you configure an IPsec-VPN connection on Alibaba Cloud, you can specify only one value for the encryption algorithm, authentication algorithm, and DH group in the IPsec phase. We recommend that you specify only one value for the encryption algorithm, authentication algorithm, and DH group in the IPsec phase on the Cisco firewall. The values must be the same as those on Alibaba Cloud.

    crypto ipsec ikev2 ipsec-proposal ALIYUN-PROPOSAL    # Create an IPsec proposal. 
     protocol esp encryption aes                         # Specify the encryption algorithm. The ESP protocol is used on Alibaba Cloud. Therefore, use the ESP protocol. 
     protocol esp integrity sha-1                        # Specify the authentication algorithm. The ESP protocol is used on Alibaba Cloud. Therefore, use the ESP protocol. 
    crypto ipsec profile ALIYUN-PROFILE                  
     set ikev2 ipsec-proposal ALIYUN-PROPOSAL            # Create an IPsec profile and apply the proposal that is created.  
     set ikev2 local-identity address                    # Set the format of the local ID to IP address, which is the same as the format of the remote ID on Alibaba Cloud. 
     set pfs group14                                     # Specify the PFS and DH group. 
     set security-association lifetime seconds 86400     # Specify the time-based SA lifetime. 
     set security-association lifetime kilobytes unlimited # Disable the traffic-based SA lifetime.

  6. Create a tunnel group and specify the pre-shared keys for the tunnel, which must be the same as those on Alibaba Cloud.

    tunnel-group 39.XX.XX.218 type ipsec-l2l                # Set the tunnel group type to ipsec-l2l (site-to-site IPsec tunnel). 
    tunnel-group 39.XX.XX.218 ipsec-attributes             
     ikev2 remote-authentication pre-shared-key 123456****  # Specify the peer pre-shared key for the tunnel, which is the pre-shared key on Alibaba Cloud. 
     ikev2 local-authentication pre-shared-key 123456****   # Specify the local pre-shared key for the tunnel, which must be the same as that on Alibaba Cloud. 
    !
  7. Create a tunnel interface.

    interface Tunnel1                                  # Create an interface for the tunnel. 
     nameif ALIYUN1
     ip address 169.254.10.2 255.255.255.252           # Specify the IP address of the interface. 
     tunnel source interface outside1                  # Specify the IP address of the GigabitEthernet 0/0 interface as the source address of the tunnel. 
     tunnel destination 39.XX.XX.218                   # Specify the public IP address of the VPN gateway on Alibaba Cloud as the destination address of the tunnel. 
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile ALIYUN-PROFILE # Apply the IPsec profile ALIYUN-PROFILE on the tunnel. 
     no shutdown                                       # Enable the interface for the tunnel. 
    !
  8. Configure BGP dynamic routing.

    router bgp 65000
     address-family ipv4 unicast
      neighbor 169.254.10.1 remote-as 65530       # Specify the BGP peer, which is the BGP IP address of the tunnel on Alibaba Cloud. 
      neighbor 169.254.10.1 ebgp-multihop 255
      neighbor 169.254.10.1 activate              # Activate the BGP peer. 
      network 192.168.0.0 mask 255.255.0.0 # Advertise the CIDR block of the data center. 
     exit-address-family
  9. In the data center, configure the routes for traffic between clients and the Cisco firewall.

    Then, you can test the network connectivity between the data center and the Alibaba Cloud VPC. For more information, see the "Step 6: Test the network connectivity" section of the Connect a VPC to a data center in single-tunnel mode topic.

Protected data flow mode - static routing

Prerequisites

This topic describes only how to add VPN configurations to a Cisco firewall. The procedure for configuring a VPN gateway on Alibaba Cloud is omitted. Before you configure the Cisco firewall, make sure that you have completed the following tasks: create a VPN gateway, create a customer gateway, and create an IPsec-VPN connection. For more information, see Connect a VPC to a data center in single-tunnel mode.

  • When you create an IPsec-VPN connection, set the Routing Mode parameter to Protected Data Flows, the Local Network parameter to 10.0.0.0/16, and the Remote Network parameter to 192.168.0.0/16.

    Important

    In the scenario where you need to specify multiple local CIDR blocks or peer CIDR blocks, we recommend that you use destination-based routing mode - static routing or destination-based routing mode - BGP dynamic routing. For more information, see the "Recommended solutions" section of the Configuration suggestions and FAQ about enabling communication among CIDR blocks topic.

  • After the IPsec-VPN connection is created, you need to advertise a policy-based route. For more information, see the "Advertise a policy-based route" section of the Configure policy-based routes topic. Destination-based route configuration is not required.

Procedure

  1. Log on to the CLI of the Cisco firewall and enter the configuration mode.

    ciscoasa> enable
    Password: ********             # Enter the password for entering the enable mode. 
    ciscoasa# configure terminal   # Enter the configuration mode. 
    ciscoasa(config)#     
  2. View the interface configurations.

    Verify that the interfaces are configured and enabled on the Cisco firewall. In this example, the following interface configurations are used:

    ciscoasa(config)# show running-config interface 
    !
    interface GigabitEthernet0/0
     nameif outside1                            # The name of the GigabitEthernet 0/0 interface. 
     security-level 0
     ip address 121.XX.XX.211 255.255.255.255    # The public IP address of the GigabitEthernet 0/0 interface. 
    !
    interface GigabitEthernet0/1                # The interface that connects to the data center. 
     nameif private                             # The name of the GigabitEthernet 0/1 interface. 
     security-level 100                         # The security level of the private interface that connects to the data center, which is higher than that of a public interface (security-level 0). 
     ip address 192.168.50.217 255.255.255.0    # The IP address of the GigabitEthernet 0/1 interface. 
    !
    
    route outside1 39.XX.XX.218 255.255.255.255 192.XX.XX.172   # The route for accessing the public IP address of the VPN gateway on Alibaba Cloud. The next hop is a public IP address. 
    route private 192.168.0.0 255.255.0.0 192.168.50.216        # The route that points to the data center.

  3. Enable the IKEv2 feature for the public interface.

    crypto ikev2 enable outside1
  4. Create an IKEv2 policy and specify the authentication algorithm, encryption algorithm, DH group, and SA lifetime in the IKE phase on the Cisco firewall. The values must be the same as those on Alibaba Cloud.

    Important

    When you configure an IPsec-VPN connection on Alibaba Cloud, you can specify only one value for the encryption algorithm, authentication algorithm, and DH group in the IKE phase. We recommend that you specify only one value for the encryption algorithm, authentication algorithm, and DH group in the IKE phase on the Cisco firewall. The values must be the same as those on Alibaba Cloud.

    crypto ikev2 policy 10     
     encryption aes             # Specify the encryption algorithm. 
     integrity sha              # Specify the authentication algorithm. 
     group 14                   # Specify the DH group. 
     prf sha                    # The value of the prf parameter must be the same as that of the integrity parameter. By default, these values are the same on Alibaba Cloud. 
     lifetime seconds 86400     # Specify the SA lifetime.

  5. Create an IPsec proposal and specify the encryption algorithm and authentication algorithm in the IPsec phase on the Cisco firewall. The values must be the same as those on Alibaba Cloud.

    Important

    When you configure an IPsec-VPN connection on Alibaba Cloud, you can specify only one value for the encryption algorithm, authentication algorithm, and DH group in the IPsec phase. We recommend that you specify only one value for the encryption algorithm, authentication algorithm, and DH group in the IPsec phase on the Cisco firewall. The values must be the same as those on Alibaba Cloud.

    crypto ipsec ikev2 ipsec-proposal ALIYUN-PROPOSAL    # Create an IPsec proposal. 
     protocol esp encryption aes                         # Specify the encryption algorithm. The ESP protocol is used on Alibaba Cloud. Therefore, use the ESP protocol. 
     protocol esp integrity sha-1                        # Specify the authentication algorithm. The ESP protocol is used on Alibaba Cloud. Therefore, use the ESP protocol.

  6. Define the protected data flows.

    Specify the CIDR blocks that are allowed to transmit traffic over the IPsec-VPN connection. In this example, the CIDR block 192.168.0.0/16 of the data center is allowed to communicate with the CIDR block 10.0.0.0/16 of the Alibaba Cloud VPC.

    access-list acl_tun extended permit ip 192.168.0.0 255.255.0.0 10.0.0.0 255.255.0.0
  7. Create an IPsec policy.

    # Create an IPsec policy for the tunnel.
    crypto map TUNL1 1 match address acl_tun                                    # Apply the protected data flows that are defined. 
    crypto map TUNL1 1 set pfs group14                                          # Specify the DH group. 
    crypto map TUNL1 1 set peer 39.XX.XX.218                                    # Specify the peer ID, which is the public IP address of the VPN gateway on Alibaba Cloud. 
    crypto map TUNL1 1 set ikev2 ipsec-proposal ALIYUN-PROPOSAL                 # Apply the IPsec proposal. 
    crypto map TUNL1 1 set ikev2 pre-shared-key 0 123456****                    # Specify the pre-shared key, which must be the same as that specified in the tunnel-group command. 
    crypto map TUNL1 1 set security-association lifetime seconds 86400          # Specify the time-based IPsec SA lifetime. 
    crypto map TUNL1 1 set security-association lifetime kilobytes unlimited    # Disable the traffic-based IPsec SA lifetime. 
    crypto map TUNL1 interface outside1                                         # Apply the IPsec policy to the public interface GigabitEthernet 0/0. 
    !
  8. Create a tunnel group and specify the pre-shared keys for the tunnel, which must be the same as those on Alibaba Cloud.

    tunnel-group 39.XX.XX.218 type ipsec-l2l                # Set the tunnel group type to ipsec-l2l (site-to-site IPsec tunnel). 
    tunnel-group 39.XX.XX.218 ipsec-attributes             
     ikev2 remote-authentication pre-shared-key 123456****  # Specify the peer pre-shared key for the tunnel, which is the pre-shared key on Alibaba Cloud. 
     ikev2 local-authentication pre-shared-key 123456****   # Specify the local pre-shared key for the tunnel, which must be the same as that on Alibaba Cloud. 
    !
  9. Configure a static route that points to the Alibaba Cloud VPC (CIDR block: 10.0.0.0/16).

    route outside1 10.0.0.0 255.255.0.0 39.XX.XX.218
  10. In the data center, configure the routes for traffic between clients and the Cisco firewall.

    Then, you can test the network connectivity between the data center and the Alibaba Cloud VPC. For more information, see the "Step 6: Test the network connectivity" section of the Connect a VPC to a data center in single-tunnel mode topic.
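A check for the protected data flows defined in step 6 and applied by the crypto map in step 7, added here as an example and not part of the Alibaba Cloud documentation or of any Cisco tool. It parses the access-list and crypto map lines and confirms that, seen from the ASA, the source and destination mirror the Remote Network and Local Network of the connection on Alibaba Cloud; the ASA_CONFIG sample and the ALIYUN_CONNECTION dict are constructed from this page's values.

```python
"""Protected-data-flow consistency check for the procedure above.

Added example, not part of the Alibaba Cloud documentation or any Cisco tool.
The ASA lines are the ones from steps 6 and 7; the Alibaba-side values are a
constructed dict mirroring the Local/Remote Network set in the prerequisites.
"""
import ipaddress
import re

# Constructed sample: access-list and crypto map lines copied from the steps above.
ASA_CONFIG = """\
access-list acl_tun extended permit ip 192.168.0.0 255.255.0.0 10.0.0.0 255.255.0.0
crypto map TUNL1 1 match address acl_tun
crypto map TUNL1 1 set peer 39.XX.XX.218
crypto map TUNL1 interface outside1
"""

# Constructed sample: values entered for the IPsec-VPN connection on Alibaba Cloud.
ALIYUN_CONNECTION = {
    "routing_mode": "Protected Data Flows",
    "local_network": "10.0.0.0/16",       # the VPC side
    "remote_network": "192.168.0.0/16",   # the data center side
}

ACE_RE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+"
    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$"
)
MATCH_RE = re.compile(r"^crypto map\s+\S+\s+\d+\s+match address\s+(\S+)$")


def to_network(addr, mask):
    """Convert the ASA 'address netmask' pair to an ip_network (strict: no host bits)."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=True)


def parse_protected_flows(config):
    """Map ACL name -> list of (source, destination) networks from 'permit ip' ACEs."""
    flows = {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            name, sa, sm, da, dm = m.groups()
            flows.setdefault(name, []).append((to_network(sa, sm), to_network(da, dm)))
    return flows


def crypto_map_acls(config):
    """Return the set of ACL names a crypto map entry applies with 'match address'."""
    names = set()
    for line in config.splitlines():
        m = MATCH_RE.match(line.strip())
        if m:
            names.add(m.group(1))
    return names


def check_selectors(config, conn):
    """Return findings as strings; an empty list means the ASA flows mirror Alibaba Cloud."""
    findings = []
    flows = parse_protected_flows(config)
    # Seen from the ASA, the source is Alibaba's Remote Network and the
    # destination is Alibaba's Local Network, so the two swap places here.
    want_src = ipaddress.ip_network(conn["remote_network"])
    want_dst = ipaddress.ip_network(conn["local_network"])
    acls = crypto_map_acls(config)
    if not acls:
        findings.append("no crypto map entry applies an ACL with 'match address'")
    for acl in sorted(acls):
        aces = flows.get(acl)
        if not aces:
            findings.append(f"crypto map references ACL {acl!r} but no 'permit ip' ACE defines it")
            continue
        for src, dst in aces:
            if src == want_dst and dst == want_src:
                findings.append(f"{acl}: source and destination are swapped relative to Alibaba Cloud")
            elif src != want_src or dst != want_dst:
                findings.append(f"{acl}: {src} -> {dst} does not match {want_src} -> {want_dst}")
    return findings


if __name__ == "__main__":
    for finding in check_selectors(ASA_CONFIG, ALIYUN_CONNECTION) or ["OK: selectors match"]:
        print(finding)
```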

IKEv1 configuration example

If the IKEv1 version is required on the Cisco firewall, you can configure the Cisco firewall based on the description in this section.

When you establish an IPsec-VPN connection to Alibaba Cloud by using the following configurations, make sure that the IPsec-VPN connection on Alibaba Cloud uses destination-based routing and IKEv1.

Destination-based routing mode - static routing

  1. Log on to the CLI of the Cisco firewall and enter the configuration mode.

    ciscoasa> enable
    Password: ********             # Enter the password for entering the enable mode. 
    ciscoasa# configure terminal   # Enter the configuration mode. 
    ciscoasa(config)#     
  2. View the interface configurations.

    Verify that the interfaces are configured and enabled on the Cisco firewall. In this example, the following interface configurations are used:

    ciscoasa(config)# show running-config interface 
    !
    interface GigabitEthernet0/0
     nameif outside1                            # The name of the GigabitEthernet 0/0 interface. 
     security-level 0
     ip address 121.XX.XX.211 255.255.255.255    # The public IP address of the GigabitEthernet 0/0 interface. 
    !
    interface GigabitEthernet0/1                # The interface that connects to the data center. 
     nameif private                             # The name of the GigabitEthernet 0/1 interface. 
     security-level 100                         # The security level of the private interface that connects to the data center, which is higher than that of a public interface (security-level 0). 
     ip address 192.168.50.217 255.255.255.0    # The IP address of the GigabitEthernet 0/1 interface. 
    !
    
    route outside1 39.XX.XX.218 255.255.255.255 192.XX.XX.172   # The route for accessing the public IP address of the VPN gateway on Alibaba Cloud. The next hop is a public IP address. 
    route private 192.168.0.0 255.255.0.0 192.168.50.216        # The route that points to the data center.

  3. Enable the IKEv1 feature for the public interface.

    crypto ikev1 enable outside1
  4. Create an IKEv1 policy and specify the authentication method (pre-shared key) and the authentication algorithm, encryption algorithm, DH group, and SA lifetime in the IKE phase on the Cisco firewall. The values must be the same as those on Alibaba Cloud.

    Important

    When you configure an IPsec-VPN connection on Alibaba Cloud, you can specify only one value for the encryption algorithm, authentication algorithm, and DH group in the IKE phase. We recommend that you specify only one value for the encryption algorithm, authentication algorithm, and DH group in the IKE phase on the Cisco firewall. The values must be the same as those on Alibaba Cloud.

    crypto ikev1 policy 10   
     authentication pre-share   # Use a pre-shared key as the authentication method. 
     encryption aes             # Specify the encryption algorithm. 
     hash sha                   # Specify the authentication algorithm. 
     group 14                   # Specify the DH group. 
     lifetime 86400             # Specify the time-based SA lifetime.

  5. Create an IPsec transform set and profile, and specify the encryption algorithm, authentication algorithm, DH group, and SA lifetime in the IPsec phase on the Cisco firewall. The values must be the same as those on Alibaba Cloud.

    Important

    When you configure an IPsec-VPN connection on Alibaba Cloud, you can specify only one value for the encryption algorithm, authentication algorithm, and DH group in the IPsec phase. We recommend that you specify only one value for the encryption algorithm, authentication algorithm, and DH group in the IPsec phase on the Cisco firewall. The values must be the same as those on Alibaba Cloud.

    crypto ipsec ikev1 transform-set TRANSFORM esp-aes esp-sha-hmac  # Create an IPsec transform set and specify the encryption algorithm and authentication algorithm. 
    crypto ipsec profile ALIYUN-PROFILE                  
     set ikev1 transform-set TRANSFORM                               # Apply the transform set that is created. 
     set pfs group14                                                 # Specify the PFS and DH group. 
     set security-association lifetime seconds 86400                 # Specify the time-based SA lifetime. 
     set security-association lifetime kilobytes unlimited           # Disable the traffic-based SA lifetime. 
    
    crypto isakmp identity address                                   # Use the IP address of the interface as the local IKE identity (rather than the hostname or FQDN), which matches the remote ID format on Alibaba Cloud.

  6. Create a tunnel group and specify the pre-shared keys for the tunnel, which must be the same as those on Alibaba Cloud.

    tunnel-group 39.XX.XX.218 type ipsec-l2l                # Set the tunnel group type to ipsec-l2l (site-to-site IPsec tunnel). 
    tunnel-group 39.XX.XX.218 ipsec-attributes             
     ikev1 pre-shared-key 123456****                        # Specify the peer pre-shared key for the tunnel, which is the pre-shared key on Alibaba Cloud. 
    !
  7. Create a tunnel interface.

    interface Tunnel1                                  # Create an interface for the tunnel. 
     nameif ALIYUN1
     ip address 169.254.10.2 255.255.255.252           # Specify the IP address of the interface for the tunnel. 
     tunnel source interface outside1                  # Specify the IP address of the GigabitEthernet 0/0 interface as the source address of the tunnel. 
     tunnel destination 39.XX.XX.218                   # Specify the public IP address for the VPN gateway on Alibaba Cloud as the destination address of the tunnel. 
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile ALIYUN-PROFILE # Apply the IPsec profile ALIYUN-PROFILE on the tunnel. 
     no shutdown                                       # Enable the interface for the tunnel. 
    !
  8. Configure a static route that points to the Alibaba Cloud VPC (CIDR block: 10.0.0.0/16).

    route ALIYUN1 10.0.0.0 255.255.0.0 39.XX.XX.218   
  9. In the data center, configure the routes for traffic between clients and the Cisco firewall.

    Then, you can test the network connectivity between the data center and the Alibaba Cloud VPC. For more information, see the "Step 6: Test the network connectivity" section of the Connect a VPC to a data center in single-tunnel mode topic.

Destination-based routing mode - BGP dynamic routing

  1. Log on to the CLI of the Cisco firewall and enter the configuration mode.

    ciscoasa> enable
    Password: ********             # Enter the password for entering the enable mode. 
    ciscoasa# configure terminal   # Enter the configuration mode. 
    ciscoasa(config)#     
  2. View the interface configurations.

    Verify that the interfaces are configured and enabled on the Cisco firewall. In this example, the following interface configurations are used:

    ciscoasa(config)# show running-config interface 
    !
    interface GigabitEthernet0/0
     nameif outside1                            # The name of the GigabitEthernet 0/0 interface. 
     security-level 0
     ip address 121.XX.XX.211 255.255.255.255    # The public IP address of the GigabitEthernet 0/0 interface. 
    !
    interface GigabitEthernet0/1                # The interface that connects to the data center. 
     nameif private                             # The name of the GigabitEthernet 0/1 interface. 
     security-level 100                         # The security level of the private interface that connects to the data center, which is higher than that of a public interface (security-level 0). 
     ip address 192.168.50.217 255.255.255.0    # The IP address of the GigabitEthernet 0/1 interface. 
    !
    
    route outside1 39.XX.XX.218 255.255.255.255 192.XX.XX.172   # The route for accessing the public IP address of the VPN gateway on Alibaba Cloud. The next hop is a public IP address. 
    route private 192.168.0.0 255.255.0.0 192.168.50.216        # The route that points to the data center.

  3. Enable the IKEv1 feature for the public interface.

    crypto ikev1 enable outside1
  4. Create an IKEv1 policy and specify the authentication method (pre-shared key) and the authentication algorithm, encryption algorithm, DH group, and SA lifetime in the IKE phase on the Cisco firewall. The values must be the same as those on Alibaba Cloud.

    Important

    When you configure an IPsec-VPN connection on Alibaba Cloud, you can specify only one value for the encryption algorithm, authentication algorithm, and DH group in the IKE phase. We recommend that you specify only one value for the encryption algorithm, authentication algorithm, and DH group in the IKE phase on the Cisco firewall. The values must be the same as those on Alibaba Cloud.

    crypto ikev1 policy 10   
     authentication pre-share   # Use a pre-shared key as the authentication method. 
     encryption aes             # Specify the encryption algorithm. 
     hash sha                   # Specify the authentication algorithm. 
     group 14                   # Specify the DH group. 
     lifetime 86400             # Specify the time-based SA lifetime.

  5. Create an IPsec transform set and profile, and specify the encryption algorithm, authentication algorithm, DH group, and SA lifetime in the IPsec phase on the Cisco firewall. The values must be the same as those on Alibaba Cloud.

    Important

    When you configure an IPsec-VPN connection on Alibaba Cloud, you can specify only one value for the encryption algorithm, authentication algorithm, and DH group in the IPsec phase. We recommend that you specify only one value for the encryption algorithm, authentication algorithm, and DH group in the IPsec phase on the Cisco firewall. The values must be the same as those on Alibaba Cloud.

    crypto ipsec ikev1 transform-set TRANSFORM esp-aes esp-sha-hmac  # Create an IPsec transform set and specify the encryption algorithm and authentication algorithm. 
    crypto ipsec profile ALIYUN-PROFILE                  
     set ikev1 transform-set TRANSFORM                               # Apply the transform set that is created. 
     set pfs group14                                                 # Specify the PFS and DH group. 
     set security-association lifetime seconds 86400                 # Specify the time-based SA lifetime. 
     set security-association lifetime kilobytes unlimited           # Disable the traffic-based SA lifetime. 
    
    crypto isakmp identity address                                   # Use the IP address of the interface as the local IKE identity (rather than the hostname or FQDN), which matches the remote ID format on Alibaba Cloud.

  6. Create a tunnel group and specify the pre-shared keys for the tunnel, which must be the same as those on Alibaba Cloud.

    tunnel-group 39.XX.XX.218 type ipsec-l2l                # Set the tunnel group type to ipsec-l2l (site-to-site IPsec tunnel). 
    tunnel-group 39.XX.XX.218 ipsec-attributes             
     ikev1 pre-shared-key 123456****                        # Specify the peer pre-shared key for the tunnel, which is the pre-shared key on Alibaba Cloud. 
    !
  7. Create a tunnel interface.

    interface Tunnel1                                  # Create an interface for the tunnel. 
     nameif ALIYUN1
     ip address 169.254.10.2 255.255.255.252           # Specify the IP address of the interface for the tunnel. 
     tunnel source interface outside1                  # Specify the IP address of the GigabitEthernet 0/0 interface as the source address of the tunnel. 
     tunnel destination 39.XX.XX.218                   # Specify the public IP address for the VPN gateway on Alibaba Cloud as the destination address of the tunnel. 
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile ALIYUN-PROFILE # Apply the IPsec profile ALIYUN-PROFILE on the tunnel. 
     no shutdown                                       # Enable the interface for the tunnel. 
    !
  8. Configure BGP dynamic routing.

    router bgp 65000
     address-family ipv4 unicast
      neighbor 169.254.10.1 remote-as 65530       # Specify the BGP peer, which is the BGP IP address on Alibaba Cloud. 
      neighbor 169.254.10.1 ebgp-multihop 255
      neighbor 169.254.10.1 activate              # Activate the BGP peer. 
      network 192.168.0.0 mask 255.255.0.0 # Advertise the CIDR block of the data center. 
     exit-address-family
  9. In the data center, configure the routes for traffic between clients and the Cisco firewall.

    Then, you can test the network connectivity between the data center and the Alibaba Cloud VPC. For more information, see the "Step 6: Test the network connectivity" section of the Connect a VPC to a data center in single-tunnel mode topic.
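A consistency check for the IKE and IPsec parameters that steps 4 to 6 of every procedure on this page require to be identical on both sides (the IKEv2 policy, proposal, profile and tunnel group, and the IKEv1 policy, transform set and tunnel group of this section), added here as an example and not part of the Alibaba Cloud documentation or of any Cisco tool. It parses the ASA crypto lines with the page's inline comments stripped and reports every value that differs from a constructed ALIYUN dict mirroring the console settings, including the IKE version, the prf/integrity rule and the pre-shared keys; the ALG keyword mapping is an assumption.

```python
"""IKE/IPsec parameter consistency check for the procedures on this page.

Added example, not part of the Alibaba Cloud documentation or any Cisco tool.
It reads the ASA crypto lines (IKEv1 or IKEv2) and compares them with a
constructed dict mirroring the settings of the connection on Alibaba Cloud.
"""

# Assumed mapping from ASA keywords to the spelling used in the Alibaba console.
ALG = {"sha": "sha1", "sha-1": "sha1", "esp-sha-hmac": "sha1", "sha256": "sha256",
       "esp-sha256-hmac": "sha256", "aes": "aes", "esp-aes": "aes", "aes-256": "aes256",
       "esp-aes-256": "aes256", "3des": "3des", "esp-3des": "3des"}

# Constructed sample: the IKE and IPsec settings of the connection on Alibaba Cloud.
ALIYUN = {
    "ike": {"version": "ikev2", "enc": "aes", "auth": "sha1", "dh": "group14", "lifetime": 86400},
    "ipsec": {"enc": "aes", "auth": "sha1", "dh": "group14", "lifetime": 86400},
    "psk": "123456****",
}

# Constructed samples: the crypto lines from the IKEv2 and IKEv1 procedures above.
ASA_IKEV2 = """\
crypto ikev2 policy 10
 encryption aes             # Specify the encryption algorithm.
 integrity sha
 group 14
 prf sha
 lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal ALIYUN-PROPOSAL
 protocol esp encryption aes
 protocol esp integrity sha-1
crypto ipsec profile ALIYUN-PROFILE
 set pfs group14
 set security-association lifetime seconds 86400
tunnel-group 39.XX.XX.218 ipsec-attributes
 ikev2 remote-authentication pre-shared-key 123456****
 ikev2 local-authentication pre-shared-key 123456****
"""
ASA_IKEV1 = """\
crypto ikev1 policy 10
 encryption aes
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set TRANSFORM esp-aes esp-sha-hmac
 set pfs group14
 set security-association lifetime seconds 86400
 ikev1 pre-shared-key 123456****
"""

def parse_asa(config):
    """Extract IKE version, IKE/IPsec algorithms, DH groups, lifetimes and PSKs."""
    s = {"version": None, "ike": {}, "ipsec": {}, "psk": set()}
    for raw in config.splitlines():
        w = raw.split("#", 1)[0].split()          # drop the page's inline comments
        if not w:
            continue
        if w[:2] in (["crypto", "ikev1"], ["crypto", "ikev2"]) and w[2:3] == ["policy"]:
            s["version"] = w[1]
        elif w[0] == "encryption":                 # IKE policy lines
            s["ike"]["enc"] = ALG.get(w[1], w[1])
        elif w[0] in ("integrity", "hash"):
            s["ike"]["auth"] = ALG.get(w[1], w[1])
        elif w[0] == "prf":
            s["ike"]["prf"] = ALG.get(w[1], w[1])
        elif w[0] == "group":
            s["ike"]["dh"] = "group" + w[1]
        elif w[0] == "lifetime":                   # 'lifetime 86400' or 'lifetime seconds 86400'
            s["ike"]["lifetime"] = int(w[-1])
        elif w[:3] == ["protocol", "esp", "encryption"]:   # IKEv2 proposal
            s["ipsec"]["enc"] = ALG.get(w[3], w[3])
        elif w[:3] == ["protocol", "esp", "integrity"]:
            s["ipsec"]["auth"] = ALG.get(w[3], w[3])
        elif w[:4] == ["crypto", "ipsec", "ikev1", "transform-set"]:   # IKEv1 transform set
            s["ipsec"]["enc"], s["ipsec"]["auth"] = ALG.get(w[5], w[5]), ALG.get(w[6], w[6])
        elif w[:2] == ["set", "pfs"]:
            s["ipsec"]["dh"] = w[2]
        elif w[:4] == ["set", "security-association", "lifetime", "seconds"]:
            s["ipsec"]["lifetime"] = int(w[4])
        elif "pre-shared-key" in w:
            s["psk"].add(w[w.index("pre-shared-key") + 1])
    return s

def compare(asa, aliyun):
    """Return findings as strings; an empty list means both sides agree."""
    f = []
    if asa["version"] != aliyun["ike"]["version"]:
        f.append(f"IKE version: ASA={asa['version']!r} Alibaba={aliyun['ike']['version']!r}")
    for phase in ("ike", "ipsec"):
        for key in ("enc", "auth", "dh", "lifetime"):
            if asa[phase].get(key) != aliyun[phase][key]:
                f.append(f"{phase} {key}: ASA={asa[phase].get(key)!r} Alibaba={aliyun[phase][key]!r}")
    if "prf" in asa["ike"] and asa["ike"]["prf"] != asa["ike"].get("auth"):  # prf must equal integrity
        f.append(f"ike prf {asa['ike']['prf']!r} differs from integrity {asa['ike'].get('auth')!r}")
    if asa["psk"] != {aliyun["psk"]}:  # every PSK on the ASA must equal the Alibaba Cloud key
        f.append(f"pre-shared keys {sorted(asa['psk'])} differ from the Alibaba Cloud key")
    return f
```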