All Products
Search
Document Center

VPN Gateway:Create multiple IPsec-VPN connections over the Internet for load balancing

更新時間:Oct 28, 2024

This topic describes how to create multiple IPsec-VPN connections over the Internet between a data center and a virtual private cloud (VPC) and use the connections to implement load balancing based on equal-cost multipath (ECMP) routing.

Background information

2024-08-14_15-42-12

The preceding scenario is used as an example in this topic. An enterprise owns a data center in Hangzhou and created a VPC in the China (Shanghai) region. Applications are deployed on an Elastic Compute Service (ECS) instance in the VPC. The enterprise wants to use VPN Gateway to enable the data center and VPC to communicate over encrypted connections. The enterprise also wants to create multiple encrypted connections between the data center and VPC to implement load balancing based on ECMP routing.

To do this, the enterprise needs to create multiple IPsec-VPN connections between the data center and Alibaba Cloud, and attach the IPsec-VPN connections and VPC to the same Cloud Enterprise Network (CEN) instance. This way, the data center and VPC can communicate over encrypted connections and load balancing based on ECMP routing can be implemented.

Network design

Network settings

The following network settings are used in this topic:

  • Set the Gateway Type parameter of the IPsec-VPN connections to Public. This way, the IPsec-VPN connections between the data center and Alibaba Cloud are created over the Internet.

  • Set the Associate Resource parameter of the IPsec-VPN connections to CEN. This way, the IPsec-VPN connections are aggregated for ECMP routing.

  • Configure BGP dynamic routing over IPsec.

CIDR blocks

Note

When you plan CIDR blocks, make sure that the CIDR blocks of the data center and VPC do not overlap.

Resource

CIDR block and IP address

VPC

Primary CIDR block: 10.0.0.0/16.

  • vSwitch 1: 10.0.0.0/24, in Zone F

  • vSwitch 2: 10.0.1.0/24, in Zone G

  • IP address of the ECS instance attached to vSwitch 1: 10.0.0.1.

IPsec-VPN connections

BGP configurations:

  • IPsec-VPN Connection 1: The CIDR block of the tunnel, the BGP IP address, and the autonomous system number (ASN) on the Alibaba Cloud side are 169.254.10.0/30, 169.254.10.1, and 65531, respectively.

  • IPsec-VPN Connection 2: The CIDR block of the tunnel, the BGP IP address, and the ASN on the Alibaba Cloud side are 169.254.11.0/30, 169.254.11.1, and 65531, respectively.

  • IPsec-VPN Connection 3: The CIDR block of the tunnel, the BGP IP address, and the ASN on the Alibaba Cloud side are 169.254.12.0/30, 169.254.12.1, and 65531, respectively.

On-premises gateway device

Public IP addresses of the on-premises gateway devices

  • On-premises Gateway Device 1: 11.XX.XX.1.

  • On-premises Gateway Device 2: 11.XX.XX.2.

  • On-premises Gateway Device 3: 11.XX.XX.3.

BGP configurations on on-premises gateway devices:

  • On-premises Gateway Device 1: The CIDR block of the tunnel, the BGP IP address, and the ASN on the data center side are 169.254.10.0/30, 169.254.10.2, and 65530, respectively.

  • On-premises Gateway Device 2: The CIDR block of the tunnel, the BGP IP address, and the ASN on the data center side are 169.254.11.0/30, 169.254.11.2, and 65530, respectively.

  • On-premises Gateway Device 3: The CIDR block of the tunnel, the BGP IP address, and the ASN on the data center side are 169.254.12.0/30, 169.254.12.2, and 65530, respectively.

Data center

CIDR blocks to be connected to the VPC:

  • 192.168.0.0/24

  • 192.168.1.0/24

  • 192.168.2.0/24

Prerequisites

Perform the following operations before you start:

  • A VPC is created in the China (Shanghai) region. Applications are deployed on the ECS instance in the VPC. For more information, see Create a VPC with an IPv4 CIDR block.

  • A CEN instance is created. An Enterprise Edition transit router is created in the China (Hangzhou) and China (Shanghai) regions. For more information, see Create a CEN instance and Create a transit router.

    Important

    When you create a transit router, you must configure a CIDR block for the transit router. Otherwise, IPsec connections cannot be associated with the transit router.

    If you have created a transit router, you can configure a CIDR block for the transit router. For more information, see Transit router CIDR blocks.

  • You understand the security group rules of the ECS instance in the VPC. Make sure that the rules allow the ECS instance to communicate with the data center. For more information, see View security group rules and Add a security group rule.

Procedure

IPsec连接绑定TR最佳实践-公网-流程图

Step 1: Create customer gateways

Before you create IPsec-VPN connections, you need to create customer gateways to provide information about the on-premises gateway devices to Alibaba Cloud.

  1. Log on to the VPN Gateway console.

  2. In the left-side navigation pane, choose Interconnections > VPN > Customer Gateways.

  3. In the top navigation bar, select the region of the customer gateway.

    VPN gateways do not support cross-border IPsec-VPN connections. Therefore, you need to follow the nearby access principle and select a region that is closest to your data center when you choose the region in which your customer gateways are deployed. China (Hangzhou) is selected in this example.

    For more information about cross-border connections, see What is VPN Gateway?.

  4. On the Customer Gateway page, click Create Customer Gateway.

  5. In the Create Customer Gateway panel, configure the following parameters and click OK.

    Create three customer gateways that use the following configurations in the China (Hangzhou) region. Use the default values for the other parameters. For more information, see Create and manage a customer gateway.

    Parameter

    Description

    Customer Gateway 1

    Customer Gateway 2

    Customer Gateway 3

    Name

    Enter a name for each customer gateway.

    Enter Customer-Gateway1.

    Enter Customer-Gateway2.

    Enter Customer-Gateway3.

    IP Address

    Enter the public IP addresses of the on-premises gateway devices to be connected to Alibaba Cloud.

    Enter the public IP address of On-premises Gateway Device 1: 11.XX.XX.1.

    Enter the public IP address of On-premises Gateway Device 2: 11.XX.XX.2.

    Enter the public IP address of On-premises Gateway Device 3: 11.XX.XX.3.

    ASN

    Enter the BGP ASN of the on-premises gateway devices.

    In this example, 65530 is used.

Step 2: Create IPsec-VPN connections

After you create customer gateways, you need to create IPsec-VPN connections between Alibaba Cloud and the data center.

  1. Log on to the VPN Gateway console.

  2. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

  3. In the top navigation bar, select the region of the IPsec-VPN connection.

    The IPsec-VPN connections and customer gateways must be created in the same region. China (Hangzhou) is selected in this example.

  4. On the IPsec Connections page, click Create IPsec-VPN Connection.

  5. On the Create IPsec-VPN Connection page, configure the parameters that are described in the following table and click OK.

    Create three IPsec-VPN connections that use the following configurations in the China (Hangzhou) region. Use the default values for the other parameters. For more information, see Create and manage IPsec-VPN connections associated with transit routers.

    Parameter

    Description

    IPsec-VPN Connection 1

    IPsec-VPN Connection 2

    IPsec-VPN Connection 3

    Name

    Enter a name for the IPsec-VPN connection.

    Enter IPsec-VPN Connection 1.

    Enter IPsec-VPN Connection 2.

    Enter IPsec-VPN Connection 3.

    Associate Resource

    Select the type of network resource that you want to associate with the IPsec-VPN connections.

    CEN is selected in this example.

    Gateway Type

    Select the type of gateway used by the IPsec-VPN connections.

    In this example, Public is selected.

    CEN Instance ID

    Select a CEN instance.

    In this example, the CEN instance created in the Preparations section is selected.

    Transit Router

    The transit router to be associated with the IPsec-VPN connections.

    The system automatically selects a transit router in the region in which the IPsec-VPN connections are created.

    Zone

    Select the zone in which the IPsec-VPN connections are created. Make sure that the IPsec-VPN connections are created in a zone that supports transit routers.

    In this example, Hangzhou Zone H is selected.

    Routing Mode

    The routing mode.

    In this example, Destination Routing Mode is selected.

    Note

    If BGP is used, we recommend that you set the Routing Mode parameter to Destination Routing Mode.

    Effective Immediately

    Select whether to immediately apply the settings of the IPsec-VPN connection. Valid values:

    • If you set the Effective Immediately parameter to Yes when you create an IPsec-VPN connection, the negotiations immediately start after the configuration is complete.

    • If you set the Effective Immediately parameter to No when you create an IPsec-VPN connection, the negotiations start when inbound traffic is detected.

    In this example, Yes is selected.

    Customer Gateway

    Select the customer gateways to be associated with the IPsec-VPN connections.

    Select Customer-Gateway1.

    Select Customer-Gateway2.

    Select Customer-Gateway3.

    Pre-Shared Key

    Enter a pre-shared key that is used to authenticate the on-premises gateway device.

    • The key must be 1 to 100 characters in length, and can contain digits, letters, and the following special characters: ~ ` ! @ # $ % ^ & * ( ) _ - + = { } [ ] \ | ; : ' , . < > / ?. The key cannot contain spaces.

    • If you do not specify a pre-shared key, the system randomly generates a 16-character string as the pre-shared key. After an IPsec-VPN connection is created, you can click Edit in the Actions column of the IPsec-VPN connection to view the pre-shared key that is generated for the IPsec-VPN connection. For more information, see the Modify an IPsec-VPN connection section of this topic.

    Important

    The IPsec-VPN connection and peer gateway device must use the same pre-shared key. Otherwise, the system cannot establish an IPsec-VPN connection.

    Enter fddsFF123****.

    Enter fddsFF456****.

    Enter fddsFF789****.

    Enable BGP

    Specify whether to enable BGP. By default, BGP is disabled.

    In this example, BGP is enabled.

    Local ASN

    Enter the ASN of the IPsec-VPN connections.

    Enter 65531.

    Enter 65531.

    Enter 65531.

    Encryption Settings

    Set encryption configurations, including IKE configurations and IPsec configurations.

    Use the default values of parameters except for the following parameters.

    • Set the DH Group parameter in the IKE Configurations section to group14.

    • Set the DH Group parameter in the IPsec Configurations section to group14.

    Note

    You need to select encryption parameters based on the on-premises gateway device to ensure that the encryption configurations for the IPsec connection are the same as those for the on-premises gateway device.

    BGP Configuration

    Tunnel CIDR Block

    Enter the CIDR block that is used by the IPsec tunnel.

    The CIDR block must fall into 169.254.0.0/16. The subnet mask of the CIDR block must be 30 bits in length. The CIDR block cannot be 169.254.0.0/30, 169.254.1.0/30, 169.254.2.0/30, 169.254.3.0/30, 169.254.4.0/30, 169.254.5.0/30, or 169.254.169.252/30.

    Enter 169.254.10.0/30.

    Enter 169.254.11.0/30.

    Enter 169.254.12.0/30.

    Local BGP IP address

    Enter a BGP IP address for the IPsec-VPN connection.

    The IP address must fall into the CIDR block of the IPsec tunnel.

    Enter 169.254.10.1.

    Enter 169.254.11.1.

    Enter 169.254.12.1.

    Advanced Configuration

    Specify whether to enable advanced features to automatically advertise and learn routes for IPsec-VPN connections. The advanced features are enabled by default.

    In this example, the advanced features are enabled.

    After the IPsec-VPN connections are created, the system assigns a gateway IP address to each IPsec-VPN connection. The gateway IP address is an endpoint on the Alibaba Cloud side of the IPsec-VPN connection. You can view the gateway IP address of the IPsec-VPN connection on the details page, as shown in the following figure.查看公网IP地址

    The following table describes the gateway IP addresses that are assigned to IPsec-VPN Connection 1, IPsec-VPN Connection 2, and IPsec-VPN Connection 3.

    IPsec-VPN connections

    Gateway IP address

    IPsec-VPN Connection 1

    120.XX.XX.191

    IPsec-VPN Connection 2

    47.XX.XX.213

    IPsec-VPN Connection 3

    47.XX.XX.161

    Note

    The system assigns gateway IP addresses to IPsec-VPN connections only after you associate the IPsec-VPN connections with transit routers. When you create an IPsec-VPN connection, if you set Associate Resource to Do Not Associate or VPN Gateway, the system does not assign a gateway IP address to the IPsec-VPN connection.

  6. Return to the IPsec-VPN connection page, find the IPsec-VPN connection that you created, and then click Generate Peer Configuration in the Actions column.

    Download the configurations of the three IPsec-VPN connections to your on-premises machine so that you can use the configurations when you add VPN configurations to the on-premises gateway devices.

Step 3: Configure on-premises gateway devices

After the IPsec-VPN connections are created, perform the following steps to add the VPN and BGP configurations in the IPsec-VPN connection configurations that you downloaded to the on-premises gateway devices (On-premises Gateway Device 1, On-premises Gateway Device 2, and On-premises Gateway Device 3). This way, the data center can communicate with Alibaba Cloud over the IPsec-VPN connections.

Note

In this example, the software Adaptive Security Appliance (ASA) 9.19.1 is used to describe how to configure a Cisco firewall. The commands may vary with software versions. Consult the documentation or your vendor based on your actual environment during operations. For more information, see Configure local gateways.

The following content contains third-party product information, which is only for reference. Alibaba Cloud does not make guarantees or other forms of commitments for the performance and reliability of third-party products, or the potential impacts of operations performed by using these products.

  1. Configure the on-premises gateway device.

    Configuration example for On-premises Gateway Device 1

    1. Log on to the CLI of the Cisco firewall and enter the configuration mode.

      ciscoasa> enable
      Password: ********             # Enter the password for entering the enable mode. 
      ciscoasa# configure terminal   # Enter the configuration mode. 
      ciscoasa(config)#     
    2. View the interface configurations.

      Verify that the interfaces are configured and enabled on the Cisco firewall. In this example, the following interface configurations are used:

      # View the interface configurations of On-premises Gateway Device 1.
      ciscoasa(config)# show running-config interface
      !
      interface GigabitEthernet0/0                # The interface that connects to the Internet. 
       nameif outside1                            # The name of the GigabitEthernet 0/0 interface. 
       security-level 0
       ip address 11.XX.XX.1 255.255.255.255      # The public IP address of the GigabitEthernet 0/0 interface. 
      !
      interface GigabitEthernet0/1                # The interface that connects to the data center. 
       nameif private                             # The name of the GigabitEthernet 0/1 interface. 
       security-level 100                         # The security level of the private interface that connects to the data center, which is lower than that of a public interface. 
       ip address 192.168.50.216 255.255.255.0    # The IP address of the GigabitEthernet 0/1 interface. 
      !
    3. Enable the IKEv2 feature for the public interfaces.

      # Add the following configurations to On-premises Gateway Device 1:
      crypto ikev2 enable outside1 # Enable the IKEv2 feature for the interface outside1 of On-premises Gateway Device 1, which is a public interface.

    4. Create an IKEv2 policy and specify the authentication algorithm, encryption algorithm, Diffie-Hellman (DH) group, and security association (SA) lifetime in the IKE phase. The values must be the same as those on the Alibaba Cloud side.

      # Add the following configurations to On-premises Gateway Device 1:
      crypto ikev2 policy 10     
       encryption aes             # Specify the encryption algorithm. 
       integrity sha              # Specify the authentication algorithm. 
       group 14                   # Specify the DH group. 
       prf sha                    # The value of the prf parameter must be the same as that of the integrity parameter. By default, these values are the same on the Alibaba Cloud side. 
       lifetime seconds 86400     # Specify the SA lifetime.

    5. Create an IPsec proposal and profile, and specify the encryption algorithm, authentication algorithm, DH group, and SA lifetime in the IPsec phase on the Cisco firewall. The values must be the same as those on the Alibaba Cloud side.

      # Add the following configurations to On-premises Gateway Device 1:
      crypto ipsec ikev2 ipsec-proposal ALIYUN-PROPOSAL    # Create an IPsec proposal. 
       protocol esp encryption aes                         # Specify the encryption algorithm. The Encapsulating Security Payload (ESP) protocol is used on the Alibaba Cloud side. Therefore, use the ESP protocol. 
       protocol esp integrity sha-1                        # Specify the authentication algorithm. The ESP protocol is used on the Alibaba Cloud side. Therefore, use the ESP protocol. 
      crypto ipsec profile ALIYUN-PROFILE                  
       set ikev2 ipsec-proposal ALIYUN-PROPOSAL            # Create an IPsec profile and apply the proposal that is created.  
       set ikev2 local-identity address                    # Set the format of the local ID to IP address, which is the same as the format of the remote ID on the Alibaba Cloud side. 
       set pfs group14                                     # Specify the Perfect Forward Secrecy (PFS) and DH group. 
       set security-association lifetime seconds 86400     # Specify the time-based SA lifetime. 
       set security-association lifetime kilobytes unlimited # Disable the traffic-based SA lifetime.

    6. Create tunnel groups and specify the pre-shared keys for tunnels, which must be the same as those on the Alibaba Cloud side.

      # Add the following configurations to On-premises Gateway Device 1:
      tunnel-group 120.XX.XX.191 type ipsec-l2l                  # Set the encapsulation mode of the tunnel to l2l. 
      tunnel-group 120.XX.XX.191 ipsec-attributes             
       ikev2 remote-authentication pre-shared-key fddsFF123****  # Specify the peer pre-shared key for the tunnel, which is the pre-shared key on the Alibaba Cloud side. 
       ikev2 local-authentication pre-shared-key fddsFF123****   # Specify the local pre-shared key for the tunnel, which must be the same as that on the Alibaba Cloud side. 
      !
    7. Create tunnel interfaces.

      # Add the following configurations to On-premises Gateway Device 1:
      interface Tunnel1                                  # Create an interface for the tunnel. 
       nameif ALIYUN1
       ip address 169.254.10.2 255.255.255.252           # Specify the IP address of the interface. 
       tunnel source interface outside1                  # Specify the IP address of the GigabitEthernet 0/0 interface as the source address of the tunnel. 
       tunnel destination 120.XX.XX.191                   # Specify the public IP address of IPsec-VPN Connection 1 on the Alibaba Cloud side as the destination address of the tunnel. 
       tunnel mode ipsec ipv4
       tunnel protection ipsec profile ALIYUN-PROFILE    # Apply the IPsec profile ALIYUN-PROFILE on the tunnel. 
       no shutdown                                       # Enable the interface for the tunnel. 
      !
    8. Configure routes.

      # Add the following configurations to On-premises Gateway Device 1:
      route outside1 120.XX.XX.191 255.255.255.255 192.XX.XX.172   # Configure a route that points to the public IP address of IPsec-VPN Connection 1 on the Alibaba Cloud side. The next hop is an external IP address. 
      route private 192.168.0.0 255.255.255.0 192.168.50.215         # The route that points to the data center. 
      route private 192.168.1.0 255.255.255.0 192.168.50.215
      route private 192.168.2.0 255.255.255.0 192.168.50.215
      
      router bgp 65530
       address-family ipv4 unicast
        neighbor 169.254.10.1 remote-as 65531       # Specify the BGP peer, which is the BGP IP address of IPsec-VPN Connection 1 on the Alibaba Cloud side. 
        neighbor 169.254.10.1 ebgp-multihop 255
        neighbor 169.254.10.1 activate              # Activate the BGP peer. 
        network 192.168.0.0 mask 255.255.255.0        # Advertise the CIDR block of the data center. 
        network 192.168.1.0 mask 255.255.255.0
        network 192.168.2.0 mask 255.255.255.0
       exit-address-family

    Configuration example for On-premises Gateway Device 2

    1. Log on to the CLI of the Cisco firewall and enter the configuration mode.

      ciscoasa> enable
      Password: ********             # Enter the password for entering the enable mode. 
      ciscoasa# configure terminal   # Enter the configuration mode. 
      ciscoasa(config)#     
    2. View the interface configurations.

      Verify that the interfaces are configured and enabled on the Cisco firewall. In this example, the following interface configurations are used:

      # View the interface configurations of On-premises Gateway Device 2.
      ciscoasa(config)# show running-config interface
      !
      interface GigabitEthernet0/0                # The interface used to connect to the Internet. 
       nameif outside1                            # The name of the GigabitEthernet 0/0 interface. 
       security-level 0
       ip address 11.XX.XX.2 255.255.255.255      # The public IP address of the GigabitEthernet 0/0 interface. 
      !
      interface GigabitEthernet0/1                # The interface that connects to the data center. 
       nameif private                             # The name of the GigabitEthernet 0/1 interface. 
       security-level 100                         # The security level of the private interface that connects to the data center, which is lower than that of a public interface. 
       ip address 192.168.50.218 255.255.255.0    # The IP address of the GigabitEthernet 0/1 interface. 
      !
    3. Enable the IKEv2 feature for the public interfaces.

      # Add the following configurations to On-premises Gateway Device 2:
      crypto ikev2 enable outside1 # Enable the IKEv2 feature for the interface outside1 of On-premises Gateway Device 2, which is a public interface.

    4. Create an IKEv2 policy and specify the authentication algorithm, encryption algorithm, DH group, and SA lifetime in the IKE phase. The values must be the same as those on the Alibaba Cloud side.

      # Add the following configurations to On-premises Gateway Device 2:
      crypto ikev2 policy 10     
       encryption aes             # Specify the encryption algorithm. 
       integrity sha              # Specify the authentication algorithm. 
       group 14                   # Specify the DH group. 
       prf sha                    # The value of the prf parameter must be the same as that of the integrity parameter. By default, these values are the same on the Alibaba Cloud side. 
       lifetime seconds 86400     # Specify the SA lifetime.

    5. Create an IPsec proposal and profile, and specify the encryption algorithm, authentication algorithm, DH group, and SA lifetime in the IPsec phase on the Cisco firewall. The values must be the same as those on the Alibaba Cloud side.

      # Add the following configurations to On-premises Gateway Device 2:
      crypto ipsec ikev2 ipsec-proposal ALIYUN-PROPOSAL    # Create an IPsec proposal. 
       protocol esp encryption aes                         # Specify the encryption algorithm. The ESP protocol is used on the Alibaba Cloud side. Therefore, use the ESP protocol. 
       protocol esp integrity sha-1                        # Specify the authentication algorithm. The ESP protocol is used on the Alibaba Cloud side. Therefore, use the ESP protocol. 
      crypto ipsec profile ALIYUN-PROFILE                  
       set ikev2 ipsec-proposal ALIYUN-PROPOSAL            # Create an IPsec profile and apply the proposal that is created.  
       set ikev2 local-identity address                    # Set the format of the local ID to IP address, which is the same as the format of the remote ID on the Alibaba Cloud side. 
       set pfs group14                                     # Specify the PFS and DH group. 
       set security-association lifetime seconds 86400     # Specify the time-based SA lifetime. 
       set security-association lifetime kilobytes unlimited # Disable the traffic-based SA lifetime.

    6. Create tunnel groups and specify the pre-shared keys for tunnels, which must be the same as those on the Alibaba Cloud side.

      # Add the following configurations to On-premises Gateway Device 2:
      tunnel-group 47.XX.XX.213 type ipsec-l2l                  # Specify the encapsulation mode l2l for the tunnel. 
      tunnel-group 47.XX.XX.213 ipsec-attributes             
       ikev2 remote-authentication pre-shared-key fddsFF456****  # Specify the peer pre-shared key for the tunnel, which is the pre-shared key on the Alibaba Cloud side. 
       ikev2 local-authentication pre-shared-key fddsFF456****   # Specify the local pre-shared key for the tunnel, which must be the same as that on the Alibaba Cloud side. 
      !
    7. Create tunnel interfaces.

      # Add the following configurations to On-premises Gateway Device 2:
      interface Tunnel1                                  # Create an interface for the tunnel. 
       nameif ALIYUN1
       ip address 169.254.11.2 255.255.255.252           # Specify the IP address of the interface. 
       tunnel source interface outside1                  # Specify the IP address of the GigabitEthernet 0/0 interface as the source address of the tunnel. 
       tunnel destination 47.XX.XX.213                   # Specify the public IP address of IPsec-VPN Connection 2 on the Alibaba Cloud side as the destination address of the tunnel. 
       tunnel mode ipsec ipv4
       tunnel protection ipsec profile ALIYUN-PROFILE # Apply the IPsec profile ALIYUN-PROFILE on the tunnel. 
       no shutdown                                       # Enable the interface for the tunnel. 
      !
    8. Configure routes.

      # Add the following configurations to On-premises Gateway Device 2:
      route outside1 47.XX.XX.213 255.255.255.255 192.XX.XX.173   # Configure a route that points to the public IP address of On-premises Gateway Device 2 on the Alibaba Cloud side. The next hop is an external public IP address. 
      route private 192.168.0.0 255.255.255.0 192.168.50.217         # The route that points to the data center. 
      route private 192.168.1.0 255.255.255.0 192.168.50.217
      route private 192.168.2.0 255.255.255.0 192.168.50.217
      
      router bgp 65530
       address-family ipv4 unicast
        neighbor 169.254.11.1 remote-as 65531       # Specify the BGP peer, which is the BGP IP address of On-premises Gateway Device 2 on the Alibaba Cloud side. 
        neighbor 169.254.11.1 ebgp-multihop 255
        neighbor 169.254.11.1 activate              # Activate the BGP peer. 
        network 192.168.0.0 mask 255.255.255.0        # Advertise the CIDR block of the data center. 
        network 192.168.1.0 mask 255.255.255.0
        network 192.168.2.0 mask 255.255.255.0
       exit-address-family

    Configuration example for On-premises Gateway Device 3

    1. Log on to the CLI of the Cisco firewall and enter the configuration mode.

      ciscoasa> enable
      Password: ********             # Enter the password for entering the enable mode. 
      ciscoasa# configure terminal   # Enter the configuration mode. 
      ciscoasa(config)#     
    2. View the interface configurations.

      Verify that the interfaces are configured and enabled on the Cisco firewall. In this example, the following interface configurations are used:

      # View the interface configurations of On-premises Gateway Device 3.
      ciscoasa(config)# show running-config interface
      !
      interface GigabitEthernet0/0                # The interface used to connect to the Internet. 
       nameif outside1                            # The name of the GigabitEthernet 0/0 interface. 
       security-level 0
       ip address 11.XX.XX.3 255.255.255.255      # The public IP address of the GigabitEthernet 0/0 interface. 
      !
      interface GigabitEthernet0/1                # The interface that connects to the data center. 
       nameif private                             # The name of the GigabitEthernet 0/1 interface. 
       security-level 100                         # The security level of the private interface that connects to the data center, which is lower than that of a public interface. 
       ip address 192.168.50.213 255.255.255.0    # The IP address of the GigabitEthernet 0/1 interface. 
      !
    3. Enable the IKEv2 feature for the public interfaces.

      # Add the following configurations to On-premises Gateway Device 3:
      crypto ikev2 enable outside1 # Enable the IKEv2 feature for the interface outside1 of On-premises Gateway Device 3, which is a public interface.

    4. Create an IKEv2 policy and specify the authentication algorithm, encryption algorithm, DH group, and SA lifetime in the IKE phase. The values must be the same as those on the Alibaba Cloud side.

      # Add the following configurations to On-premises Gateway Device 3:
      crypto ikev2 policy 10     
       encryption aes             # Specify the encryption algorithm. 
       integrity sha              # Specify the authentication algorithm. 
       group 14                   # Specify the DH group. 
       prf sha                    # The value of the prf parameter must be the same as that of the integrity parameter. By default, these values are the same on the Alibaba Cloud side. 
       lifetime seconds 86400     # Specify the SA lifetime.

    5. Create an IPsec proposal and profile, and specify the encryption algorithm, authentication algorithm, DH group, and SA lifetime in the IPsec phase on the Cisco firewall. The values must be the same as those on the Alibaba Cloud side.

      # Add the following configurations to On-premises Gateway Device 3:
      crypto ipsec ikev2 ipsec-proposal ALIYUN-PROPOSAL    # Create an IPsec proposal. 
       protocol esp encryption aes                         # Specify the encryption algorithm. The ESP protocol is used on the Alibaba Cloud side. Therefore, use the ESP protocol. 
       protocol esp integrity sha-1                        # Specify the authentication algorithm. The ESP protocol is used on the Alibaba Cloud side. Therefore, use the ESP protocol. 
      crypto ipsec profile ALIYUN-PROFILE                  
       set ikev2 ipsec-proposal ALIYUN-PROPOSAL            # Create an IPsec profile and apply the proposal that is created.  
       set ikev2 local-identity address                    # Set the format of the local ID to IP address, which is the same as the format of the remote ID on the Alibaba Cloud side. 
       set pfs group14                                     # Specify the PFS and DH group. 
       set security-association lifetime seconds 86400     # Specify the time-based SA lifetime. 
       set security-association lifetime kilobytes unlimited # Disable the traffic-based SA lifetime.

    6. Create tunnel groups and specify the pre-shared keys for tunnels, which must be the same as those on the Alibaba Cloud side.

      # Add the following configurations to On-premises Gateway Device 3:
      tunnel-group 47.XX.XX.161 type ipsec-l2l                  # Specify the encapsulation mode l2l for the tunnel. 
      tunnel-group 47.XX.XX.161 ipsec-attributes             
       ikev2 remote-authentication pre-shared-key fddsFF789****  # Specify the peer pre-shared key for the tunnel, which is the pre-shared key on the Alibaba Cloud side. 
       ikev2 local-authentication pre-shared-key fddsFF789****   # Specify the local pre-shared key for the tunnel, which must be the same as that on the Alibaba Cloud side. 
      !
    7. Create tunnel interfaces.

      # Add the following configurations to On-premises Gateway Device 3:
      interface Tunnel1                                  # Create an interface for the tunnel. 
       nameif ALIYUN1
       ip address 169.254.12.2 255.255.255.252           # Specify the IP address of the interface. 
       tunnel source interface outside1                  # Specify the IP address of the GigabitEthernet 0/0 interface as the source address of the tunnel. 
       tunnel destination 47.XX.XX.161                   # Specify the public IP address for On-premises Gateway Device 3 on the Alibaba Cloud side as the destination address of the tunnel. 
       tunnel mode ipsec ipv4
       tunnel protection ipsec profile ALIYUN-PROFILE # Apply the IPsec profile ALIYUN-PROFILE on the tunnel. 
       no shutdown                                       # Enable the interface for the tunnel. 
      !
    8. Configure routes.

      # Add the following configurations to On-premises Gateway Device 3:
      route outside1 47.XX.XX.161 255.255.255.255 192.XX.XX.174   # Configure a route that points to the public IP address of On-premises Gateway Device 3 on the Alibaba Cloud side. The next hop is an external IP address. 
      route private 192.168.0.0 255.255.255.0 192.168.50.214         # The route that points to the data center. 
      route private 192.168.1.0 255.255.255.0 192.168.50.214
      route private 192.168.2.0 255.255.255.0 192.168.50.214
      
      router bgp 65530
       address-family ipv4 unicast
        neighbor 169.254.12.1 remote-as 65531       # Specify the BGP peer, which is the BGP IP address of On-premises Gateway Device 3 on the Alibaba Cloud side. 
        neighbor 169.254.12.1 ebgp-multihop 255
        neighbor 169.254.12.1 activate              # Activate the BGP peer. 
        network 192.168.0.0 mask 255.255.255.0        # Advertise the CIDR block of the data center. 
        network 192.168.1.0 mask 255.255.255.0 
        network 192.168.2.0 mask 255.255.255.0 
       exit-address-family

    After you complete the preceding configurations, IPsec-VPN connections can be established between the data center and Alibaba Cloud. Routes from the data center are propagated to the BGP route table of the IPsec-VPN connections through BGP dynamic routing.

  2. Add routes to the data center based on your network environment. The routes must allow network traffic to be transmitted from the data center to the VPC over On-premises Gateway Device 1, On-premises Gateway Device 2, and On-premises Gateway Device 3 at the same time. Contact your vendor to obtain the information about specific commands.

Step 4: Create a VPC connection

After you create IPsec-VPN connections, the IPsec-VPN connections are automatically associated with a transit router. You must log on to the CEN console, create a VPC connection, and associate the VPC with a transit router. This way, the data center can communicate with the VPC.

  1. Log on to the CEN console.

  2. On the Instances page, click the ID of the CEN instance that you want to manage.

  3. On the Basic Settings > Transit Router tab, find the transit router in the China (Shanghai) region and click Create Connection in the Actions column.

  4. On the Connection with Peer Network Instance page, set the following parameters and click OK.

    Associate the VPC in the China (Shanghai) region with a transit router based on the following table. Use the default values for the other parameters. For more information, see Connect VPCs.

    Parameter

    Description

    VPC connection

    Instance Type

    Select the type of network instance that you want to attach to the transit router.

    In this example, VPC is selected.

    Region

    Select the region of the network instance.

    In this example, China (Shanghai) is selected.

    Transit Router

    The system automatically displays the transit router in the current region.

    Resource Owner ID

    Specify whether the network instance belongs to the current Alibaba Cloud account.

    In this example, Your Account is selected.

    Billing Method

    Select a billing method for the VPC connection. Default value: Pay-As-You-Go. For more information about the billing rules for transit routers, see Billing rules.

    Attachment Name

    The name of the VPC connection.

    In this example, VPC-connection is used.

    Network Instance

    Select a network instance.

    In this example, the VPC created in the China (Shanghai) region is used.

    vSwitch

    Select the vSwitches that are deployed in the zones of the transit router.

    • If the transit router (TR) supports only one zone in the current region, you need to select a vSwitch in the zone.

    • If the TR supports multiple zones in the current region, you need to select at least two vSwitches that reside in different zones. When the VPC and TR communicate, the vSwitches are used to implement zone-disaster recovery.

      We recommend that you select a vSwitch in each zone to reduce the network latency and improve network performance because data can be transmitted over a shorter distance.

    Make sure that each selected vSwitch has at least one idle IP address. If the VPC does not have a vSwitch in the zone supported by the TR or the vSwitch does not have an idle IP address, create a new vSwitch in the zone. For more information, see Create and manage a vSwitch.

    In this example, vSwitch 1 is selected in Zone F and vSwitch 2 is selected in Zone G.

    Advanced Settings

    Specify whether to enable the advanced features. By default, all advanced features are enabled.

    In this example, the default setting is used.

Step 5: Create an inter-region connection

The transit router associated with the IPsec-VPN connections and the transit router associated with the VPC are deployed in different regions. By default, the data center cannot communicate with the VPC in this scenario. To allow the data center to communicate with the VPC across regions, you need to create an inter-region connection between the transit router in the China (Hangzhou) region and the transit router in the China (Shanghai) region.

  1. On the Instances page, find the CEN instance that you want to manage and click its ID.

  2. Navigate to the Basic Settings > Bandwidth Plans tab and click Set Region Connection.

  3. On the Connection with Peer Network Instance page, set the following parameters and click OK.

    Create an inter-region connection based on the following table. Use the default values for the other parameters. For more information, see Create an inter-region connection.

    Parameter

    Description

    Instance Type

    In this example, Inter-region Connection is selected.

    Region

    Select one of the regions to be connected.

    In this example, China (Hangzhou) is selected.

    Transit Router

    The ID of the transit router in the selected region is automatically displayed.

    Attachment Name

    Enter a name for the inter-region connection.

    In this example, Cross-Region-test is used.

    Peer Region

    Select the other region to be connected.

    In this example, China (Shanghai) is selected.

    Transit Router

    The ID of the transit router in the selected region is automatically displayed.

    Bandwidth Allocation Mode

    The following modes are supported:

    • Allocate from Bandwidth Plan: Bandwidth is allocated from a bandwidth plan.

    • Pay-By-Data-Transfer: You are charged for data transfer over the inter-region connection.

    In this example, Pay-By-Data-Transfer is selected.

    Bandwidth

    Specify a maximum bandwidth value for the inter-region connection. Unit: Mbit/s.

    Default Line Type

    Select a line type for the inter-region connection.

    Advanced Settings

    Use the default settings. All advanced features are enabled.

After an inter-region connection is created, the system automatically advertises and learns routes. The IPsec-VPN connections use BGP dynamic routing to propagate the routes from the VPC to the data center, and also propagate the routes from the data center to the transit router to implement network communication between the data center and the VPC. For more information, see Routing configuration.

Step 6: Test the connectivity

After you create an inter-region connection, the traffic between the data center and VPC is load balanced by using the three IPsec-VPN connections. This section describes how to test the network connectivity and how to check whether the three IPsec-VPN connections are used to load-balance the traffic.

  1. Test the network connectivity.

    1. Log on to an ECS instance in the connected VPC. For more information, see Connect to an ECS instance.

    2. Run the ping command on the ECS instance to access a client in the data center.

      ping <IP address of the client in the data center>

      If the ECS instance receives echo reply messages, the data center can communicate with the VPC.

  2. Check whether loads are balanced.

    Use multiple clients in the data center to continuously send requests to the ECS instance in the VPC. Then, navigate to the details pages of the three IPsec-VPN connections to view the traffic monitoring data. If all details pages display traffic monitoring data, the three IPsec-VPN connections are used to load-balance the traffic.

    1. Log on to the VPN Gateway console.

    2. In the top navigation bar, select the region in which the IPsec-VPN connection is created.

    3. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

    4. On the IPsec Connections page, find the IPsec-VPN connection that you want to manage and click its ID.

      Go to the details page of the IPsec-VPN connection and view the traffic monitoring data on the Monitor tab.

Routing configuration

In this topic, the default routing configuration is used to create the IPsec-VPN connections, VPC connection, and inter-region connection. When the default routing configuration is used, CEN automatically learns and distributes routes to enable the data center to communicate with the VPC. The following sections describe the default routing configuration.

IPsec-VPN connections

If you associate an IPsec-VPN connection with a transit router when you create the IPsec-VPN connection and enable all advanced features, the system automatically applies the following routing configuration to the IPsec-VPN connection:

  • The IPsec-VPN connection is associated with the default route table of the transit router. The transit router forwards traffic from the IPsec-VPN connection based on the default route table.

  • The destination-based routes that you configure for the IPsec-VPN connection and the routes learned from the data center through the IPsec-VPN connection by using BGP dynamic routing are automatically propagated to the default route table of the transit router.

  • The transit router automatically propagates the routes in the default route table to the BGP route table associated with the IPsec-VPN connection.

    The routes learned from the VPC through the IPsec-VPN connection by using BGP dynamic routing are automatically propagated to the data center.

VPCs

If all advanced features are enabled when you create a VPC, the system automatically applies the following routing configuration to the VPC:

  • Associate with Default Route Table of Transit Router

    After this feature is enabled, the VPC connection is automatically associated with the default route table of the transit router. The transit router forwards the traffic of the VPC based on the default route table.

  • Propagate System Routes to Default Route Table of Transit Router

    After this feature is enabled, the system routes of the VPC are advertised to the default route table of the transit router. This way, the VPC can communicate with other network instances that are connected to the transit router.

  • Automatically Create Route That Points to Transit Router and Adds to All Route Tables of Current VPC

    After this feature is enabled, the system automatically adds the following three routes to all route tables of the VPC: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. The routes point to the VPC connection.

    Important

    If such a route is already in the route table of the VPC, the system cannot advertise this route. You must manually add a route that points to the VPC connection to the route table of the VPC. Otherwise, network communication cannot be established between the VPC and the transit router.

    To check whether such routes exist, click Check Route below Advanced Settings.

Inter-region connections

If all advanced features are enabled when you create an inter-region connection, the system automatically applies the following routing configuration to the inter-region connection:

  • Associate with Default Route Table of Transit Router

    After this feature is enabled, the inter-region connection is automatically associated with the default route table of the transit router. The transit router uses the default route table to forward network traffic across regions.

  • Propagate System Routes to Default Route Table of Transit Router

    After this feature is enabled, the inter-region connection is associated with the default route tables of the transit routers in the connected regions.

  • Automatically Advertise Routes to Peer Region

    After this feature is enabled, the routes in the route table of the transit router in the current region are automatically advertised to the route table of the peer transit router for cross-region communication. The route tables of the transit routers refer to the route tables that are associated with the inter-region connection.

Route entries

This section describes the route entries used by the transit routers, IPsec-VPN connections, VPC, and on-premises gateway devices. You can check the route entries in the Alibaba Cloud Management Console.

  • For more information about routes of transit routers, see View routes of an Enterprise Edition transit router.

  • For more information about routes of VPCs, see Create and manage a route table.

  • To view the route entries of an IPsec-VPN connection, go to the details page of the IPsec-VPN connection:

    1. Log on to the VPN Gateway console.

    2. In the top navigation bar, select the region in which the IPsec-VPN connection is created.

    3. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

    4. On the IPsec Connections page, find the IPsec-VPN connection and click its ID.

      Go to the details page of the IPsec-VPN connection and view the route entries on the BGP Route Table tab.

Table 1: Default route entries of the transit router in China (Hangzhou)

Destination CIDR block

Next hop

Route type

10.0.0.0/24

Inter-region connection

Automatically learned route

10.0.1.0/24

Inter-region connection

Automatically learned route

192.168.0.0/24

IPsec-VPN Connection 1

Automatically learned route

192.168.0.0/24

IPsec-VPN Connection 2

Automatically learned route

192.168.0.0/24

IPsec-VPN Connection 3

Automatically learned route

192.168.1.0/24

IPsec-VPN Connection 1

Automatically learned route

192.168.1.0/24

IPsec-VPN Connection 2

Automatically learned route

192.168.1.0/24

IPsec-VPN Connection 3

Automatically learned route

192.168.2.0/24

IPsec-VPN Connection 1

Automatically learned route

192.168.2.0/24

IPsec-VPN Connection 2

Automatically learned route

192.168.2.0/24

IPsec-VPN Connection 3

Automatically learned route

Table 2: Default route entries of the transit router in China (Shanghai)

Destination CIDR block

Next hop

Route type

10.0.0.0/24

VPC connection

Automatically learned route

10.0.1.0/24

VPC connection

Automatically learned route

192.168.0.0/24

Inter-region connection

Automatically learned route

192.168.0.0/24

Inter-region connection

Automatically learned route

192.168.0.0/24

Inter-region connection

Automatically learned route

192.168.1.0/24

Inter-region connection

Automatically learned route

192.168.1.0/24

Inter-region connection

Automatically learned route

192.168.1.0/24

Inter-region connection

Automatically learned route

192.168.2.0/24

Inter-region connection

Automatically learned route

192.168.2.0/24

Inter-region connection

Automatically learned route

192.168.2.0/24

Inter-region connection

Automatically learned route

Table 3: Route entries in the system route table of the VPC

Destination CIDR block

Next hop

Route type

10.0.0.0/24

Data center

System route

10.0.1.0/24

Data center

System route

10.0.0.0/8

VPC connection

Custom route

172.16.0.0/12

VPC connection

Custom route

192.168.0.0/16

VPC connection

Custom route

Table 4: Route entries in the BGP route tables of the IPsec-VPN connections

Destination CIDR block

Source

Route entries in the BGP route table of IPsec-VPN Connection 1

10.0.0.0/24

Learned from Alibaba Cloud

10.0.1.0/24

Learned from Alibaba Cloud

192.168.0.0/24

Learned from the data center

192.168.1.0/24

Learned from the data center

192.168.2.0/24

Learned from the data center

Route entries in the BGP route table of IPsec-VPN Connection 2

10.0.0.0/24

Learned from Alibaba Cloud

10.0.1.0/24

Learned from Alibaba Cloud

192.168.0.0/24

Learned from the data center

192.168.1.0/24

Learned from the data center

192.168.2.0/24

Learned from the data center

Route entries in the BGP route table of IPsec-VPN Connection 3

10.0.0.0/24

Learned from Alibaba Cloud

10.0.1.0/24

Learned from Alibaba Cloud

192.168.0.0/24

Learned from the data center

192.168.1.0/24

Learned from the data center

192.168.2.0/24

Learned from the data center

Table 5: Route entries learned by the on-premises gateway devices from Alibaba Cloud

Destination CIDR block

Next hop

Route entries learned by On-premises Gateway Device 1 from Alibaba Cloud

10.0.0.0/24

IPsec-VPN Connection 1

10.0.1.0/24

IPsec-VPN Connection 1

Route entries learned by On-premises Gateway Device 2 from Alibaba Cloud

10.0.0.0/24

IPsec-VPN Connection 2

10.0.1.0/24

IPsec-VPN Connection 2

Route entries learned by On-premises Gateway Device 3 from Alibaba Cloud

10.0.0.0/24

IPsec-VPN Connection 3

10.0.1.0/24

IPsec-VPN Connection 3