Use IPsec-VPN and an Express Connect circuit - VPN Gateway

This topic describes how to configure active/standby connections between a data center and a virtual private cloud (VPC) by using an IPsec-VPN connection and an Express Connect circuit. The IPsec-VPN connection is associated with a transit router.

Background information

The following scenario is used an example. A company has a data center in Shanghai, and has deployed a VPC in the China (Hangzhou) region. Applications and services are deployed on Elastic Compute Service (ECS) instances in the VPC. The company wants to establish active/standby connections between the data center and the VPC.

IPsec+物理专线主备链路上云-绑定TR

Networking

Network settings

The following network settings are used in this topic:

The data center is connected to Alibaba Cloud through an Express Connect circuit and an IPsec-VPN connection.
When the Express Connect circuit and IPsec-VPN connection work as expected, all traffic between the data center and the VPC is preferably forwarded through the Express Connect circuit. When the Express Connect circuit is down, the IPsec-VPN connection takes over.
When you create an IPsec-VPN connection, set Gateway Type to Public and set Associate Resource to CEN.
Border Gateway Protocol (BGP) dynamic routing is configured for the data center, the virtual border router (VBR), and the IPsec-VPN connection to implement route learning and advertising. This facilitates route configuration.
Only IPsec-VPN connections in specific regions support BGP. For more information about regions, see VPN Gateway supports BGP dynamic routing.
Important
The following content describes the data transfer in this scenario:
- When the Express Connect circuit, the IPsec-VPN connection, and BGP dynamic routing work as expected, the Cloud Enterprise Network (CEN) can learn routes that point to the data center through the Express Connect circuit and the IPsec-VPN connection. In addition, the data center can learn routes that point to the VPC from the CEN instance through the Express Connect circuit and the IPsec-VPN connection. By default, the routes learned through the Express Connect circuit have a higher priority than those learned through the IPsec-VPN connection. Therefore, data is preferably transferred through the Express Connect circuit between the VPC and the data center.
- When the BGP peer configured between the data center and the VBR instance is interrupted, the routes learned through the Express Connect circuit are withdrawn and the routes learned through the IPsec-VPN connection automatically take effect. Data is transferred through the IPsec-VPN connection between the VPC and the data center. After the BGP peer configured between the data center and the VBR instance is restored, the Express Connect circuit takes over and the IPsec-VPN connection serves as a standby connection.

Network planning

Important

When you allocate CIDR blocks, make sure that the CIDR blocks of the data center and VPC do not overlap.

Resource	CIDR block and IP address
VPC	Primary CIDR block: 172.16.0.0/16 vSwitch 1 CIDR block: 172.16.10.0/24, deployed in Zone H vSwitch 2 CIDR block: 172.16.20.0/24, deployed in Zone I IP address of the ECS instance attached to vSwitch 1: 172.16.10.1.
IPsec-VPN connection	BGP configuration: The CIDR block of the tunnel, the BGP IP address, and the autonomous system number (ASN) on the data center side are 169.254.10.0/30, 169.254.10.1, and 45104 (default), respectively.
VBR	VBR configuration: VLAN ID: 201 IPv4 address on the Alibaba Cloud side: 10.0.0.2/30 IPv4 address on the user side: 10.0.0.1/30 In this example, the IPv4 address on the user side is the IPv4 address of the gateway device in the data center. ASN: 45104 The default ASN of the VBR is 45104.
On-premises gateway device	Public IP address: 211.XX.XX.68
On-premises gateway device	BGP configuration: The CIDR block of the tunnel, the BGP IP address, and the ASN on the data center side are 169.254.10.0/30, 169.254.10.2, and 65530, respectively.
Data center	CIDR blocks to be connected to the VPC: 192.168.0.0/24 192.168.1.0/24 192.168.2.0/24

Prerequisites

Make sure that the following prerequisites are met before you start:

A VPC is created in the China (Hangzhou) region. Applications are deployed on the ECS instance in the VPC. For more information, see Create a VPC with an IPv4 CIDR block.
A CEN instance is created. An Enterprise Edition transit router is created in the China (Hangzhou) and China (Shanghai) regions. For more information, see Create a CEN instance and Create a route router.
Important
When you create a transit router, you must configure a CIDR block for the transit router. Otherwise, IPsec connections cannot be associated with the transit router.
If you have created a transit router, you can configure a CIDR block for the transit router. For more information, see Transit router CIDR blocks.

Procedure

IPsec+物理专线主备上云-绑定TR-配置流程

Step 1: Deploy an Express Connect circuit

You must deploy an Express Connect circuit to connect the data center to Alibaba Cloud.

Create a dedicated Express Connect circuit.
In this example, a dedicated Express Connect circuit named Circuit1 is created in the China (Shanghai) region. For more information, see Create and manage a dedicated connection over an Express Connect circuit.

Create a VBR.

Log on to the Express Connect console.
In the left-side navigation pane, click Virtual Border Routers (VBRs).
In the top navigation bar, select the region where you want to create the VBR.
In this example, China (Shanghai) is selected.
On the Virtual Border Routers (VBRs) page, click Create VBR.

In the Create VBR panel, configure the following parameters and click OK.

The following table describes only the key parameters. The default values are used for the other parameters. For more information, see Create and manage a VBR.

Parameter	Description	VBR
Account Type	Select the account type of the VBR.	In this example, Current account is selected.
Name	Enter a name for the VBR.	In this example, `VBR` is used.
Physical Connection Information	Select the Express Connect circuit to be associated with the VBR.	In this example, Dedicated Physical Connection is selected, and the Express Connect circuit created in Step 1 is selected.
VLAN ID	Enter a VLAN ID for the VBR. Note Make sure that the VLAN ID of the VBR is the same as the VLAN ID of the interface that the on-premises gateway device uses to connect to the Express Connect circuit.	In this example, `201` is used.
Set VBR Bandwidth Value	Specify a maximum bandwidth value for the VBR.	Select a maximum bandwidth value based on your business requirements.
IPv4 Address (Alibaba Cloud Gateway)	Specify an IPv4 address to route network traffic from the VPC to the data center.	In this example, `10.0.0.2` is used.
IPv4 Address (Data Center Gateway)	Specify an IPv4 address for the gateway device in the data center to route network traffic from the data center to the VPC.	In this example, `10.0.0.1` is used.
Subnet Mask (IPv4 Address)	Enter the subnet mask of the specified IPv4 addresses.	In this example, `255.255.255.252` is used.

Configure a BGP group for the VBR.

On the Virtual Border Routers (VBRs) page, click the ID of the VBR that you want to manage.
On the details page, click the BGP Groups tab.

On the BGP Groups tab, click Create BGP Group, set the following parameters, and then click OK.

The following table describes only the key parameters. The default values are used for the other parameters. For more information, see Create a BGP group.

Parameter	Description	VBR
Name	The name of the BGP group.	In this example, `VBR-BGP` is used.
Peer ASN	Enter the ASN of the gateway device in the data center.	In this example, `65530` is used.
Local ASN	Enter the ASN of the VBR.	In this example, `45104` is used.

Configure a BGP peer for the VBR.

On the VBR details page, click the BGP Peers tab.
On the BGP Peers tab, click Create BGP Peer.

In the Create BGP Peer panel, set the following parameters and click OK.

The following table describes only the key parameters. The default values are used for the other parameters. For more information, see Create a BGP peer.

Parameter	Description	VBR
BGP Group	The BGP group to which you want to add the BGP peer.	In this example, `VBR-BGP` is selected.
BGP Peer IP Address	The IP address of the BGP peer.	In this example, the IP address `10.0.0.1` is entered. This is the IP address of the interface that the on-premises gateway device uses to connect to the Express Connect circuit.

Configure BGP routing for the on-premises gateway device.

After you configure BGP for the on-premises gateway device, the on-premises gateway device and the VBR can work as BGP peers and enable automatic route learning and advertising.

Note

In this example, the software Adaptive Security Appliance (ASA) 9.19.1 is used to describe how to configure a Cisco firewall. The commands may vary with software versions. Consult the documentation or your vendor based on your actual environment during operations. For more information, see Configure local gateways.

The following content contains third-party product information, which is only for reference. Alibaba Cloud does not make guarantees or other forms of commitments for the performance and reliability of third-party products, or the potential impacts of operations performed by using these products.

interface GigabitEthernet0/3                
 nameif VBR1                             # Configure the name of the interface that connects to VBR1. 
 security-level 0
 ip address 10.0.0.1 255.255.255.0       # Configure a private IP address for the GigabitEthernet 0/3 interface. 
 no shutdown                             # Enable the interface. 
!

router bgp 65530                         # Enable BGP and configure the ASN of the data center. 65530 is used in this example. 
bgp router-id 10.0.0.1                   # Enter the ID of the BGP router. In this example, 10.0.0.1 is used. 
bgp log-neighbor-changes
address-family ipv4 unicast
neighbor 10.0.0.2 remote-as 45104        # Create a BGP peer for the VBR. 
network 192.168.0.0 mask 255.255.255.0   # Advertise the CIDR block of the data center. 
network 192.168.1.0 mask 255.255.255.0
network 192.168.2.0 mask 255.255.255.0 
neighbor 10.0.0.2 activate               # Activate the BGP peer. 
neighbor 10.0.0.2 weight 1000            # Set the weights of the routes learned through the Express Connect circuit to 1000. 
exit-address-family
!

Step 2: Configure a CEN instance

After you deploy an Express Connect circuit, the data center can connect to Alibaba Cloud through the Express Connect circuit. However, the data center cannot communicate with the VPC. You must attach the VBR and the VPC to a CEN instance to enable communication between the data center and the VPC.

Attach the VPC to the CEN instance.

Log on to the CEN console.
On the Instances page, find the CEN instance that you created and click its ID.
On the Basic Information > Transit Router tab, find the transit router that you want to manage in the China (Hangzhou) region and click Create Connection in the Actions column.

On the Connection with Peer Network Instance page, configure the following parameters and click OK.

The following table describes only the key parameters. The default values are used for other parameters. For more information, see Create a VPC connection.

Parameter	Description	VPC connection
Instance Type	Select the type of network instance.	In this example, Virtual Private Cloud (VPC) is selected.
Region	Select the region of the network instance.	In this example, China (Hangzhou) is selected.
Transit Router	The system automatically displays the transit router in the current region.
Resource Owner ID	Specify whether the network instance belongs to the current Alibaba Cloud account.	In this example, Your Account is selected.
Billing Method	Select a billing method for the VPC connection. Default value: Pay-As-You-Go. For more information about the billing rules for transit routers, see Billing rules.
Attachment Name	Enter a name for the VPC connection.	In this example, `VPC-Attachment` is used.
Network Instance	Select a network instance.	In this example, the VPC created in the Preparations section is selected.
vSwitch	Select the vSwitches that are deployed in the zones of the transit router. If the transit router (TR) supports only one zone in the current region, you need to select a vSwitch in the zone. If the TR supports multiple zones in the current region, you need to select at least two vSwitches that reside in different zones. When the VPC and TR communicate, the vSwitches are used to implement zone-disaster recovery. We recommend that you select a vSwitch in each zone to reduce the network latency and improve network performance because data can be transmitted over a shorter distance. Make sure that each selected vSwitch has at least one idle IP address. If the VPC does not have a vSwitch in the zone supported by the TR or the vSwitch does not have an idle IP address, create a new vSwitch in the zone. For more information, see Create and manage a vSwitch.	In this example, vSwitch 1 is selected in Zone H and vSwitch 2 is selected in Zone I.
Advanced configurations	Specify whether to enable the advanced features. By default, all advanced features are enabled.	In this example, the default settings are used.

Attach the VBR to the CEN instance.

On the Basic Settings > Transit Router tab, find the transit router in the China (Shanghai) region and click Create Connection in the Actions column.

On the Connection with Peer Network Instance page, configure the parameters and click OK. The following table describes the parameters.

The following table describes only the key parameters. The default values are used for the other parameters. For more information, see Connect a VBR to an Enterprise Edition transit router.

Parameter	Description	VBR
Instance Type	Specify the type of network instance.	In this example, Virtual Border Router (VBR) is selected.
Region	Select the region of the network instance.	In this example, China (Shanghai) is selected.
Transit Router	The system automatically displays the transit router in the current region.
Resource Owner ID	Specify whether the network instance belongs to the current Alibaba Cloud account.	In this example, Your Account is selected.
Attachment Name	Enter a name for the network connection.	In this example, `VBR-Attachment` is used.
Network Instance	Select a network instance.	In this example, the VBR is selected.
Advanced Settings	Specify whether to enable the advanced features. By default, all advanced features are enabled.	In this example, the default settings are used.

Create an inter-region connection.

The transit router associated with the VBR and the transit router associated with the VPC are deployed in different regions. By default, the VBR cannot communicate with the VPC in this scenario. To allow the VBR to communicate with the VPC across regions, you need to create an inter-region connection between the transit router in the China (Hangzhou) region and the transit router in the China (Shanghai) region.

On the Instances page, find the CEN instance that you want to manage and click its ID.
Navigate to the Basic Settings > Bandwidth Plans tab and click Set Region Connection.

On the Connection with Peer Network Instance page, set the following parameters and click OK.

Create an inter-region connection based on the following table. Use the default values for the other parameters. For more information, see Create an inter-region connection.

Parameter	Description
Instance Type	In this example, Inter-region Connection is selected.
Region	Select one of the regions to be connected. In this example, China (Hangzhou) is selected.
Transit Router	The ID of the transit router in the selected region is automatically displayed.
Attachment Name	Enter a name for the inter-region connection. In this example, `Cross-Region-test` is used.
Peer Region	Select the other region to be connected. In this example, China (Shanghai) is selected.
Transit Router	The ID of the transit router in the selected region is automatically displayed.
Bandwidth Allocation Mode	The following modes are supported: Allocate from Bandwidth Plan: Bandwidth is allocated from a bandwidth plan. Pay-By-Data-Transfer: You are charged for data transfer over the inter-region connection. In this example, Pay-By-Data-Transfer is selected.
Bandwidth	Specify a maximum bandwidth value for the inter-region connection. Unit: Mbit/s.
Default Line Type	Select a line type for the inter-region connection.
Advanced Settings	Use the default settings. All advanced features are enabled.

Step 3: Create an IPsec-VPN connection

After you complete the preceding steps, the data center can communicate with the VPC through the Express Connect circuit. The following section describes how to create an IPsec-VPN connection.

Log on to the VPN Gateway console.

Create a customer gateway.

Before you create an IPsec-VPN connection, you need to create a customer gateway to provide information about the on-premises gateway device to Alibaba Cloud.

In the left-side navigation pane, choose Interconnections > VPN > Customer Gateways.
In the top navigation bar, select the region of the customer gateway.
VPN gateways do not support cross-border IPsec-VPN connections. Therefore, you need to follow the nearby access principle and select a region that is closest to your data center when you choose the region in which your customer gateway is deployed. In this example, China (Shanghai) is selected.
For more information about cross-border connections, see What is VPN Gateway?.
On the Customer Gateway page, click Create Customer Gateway.

In the Create Customer Gateway panel, configure the following parameters and click OK.

The following table describes only the key parameters. The default values are used for the other parameters. For more information, see Create a customer gateway.

Parameter	Description	Customer Gateway
Name	Enter a name for the customer gateway.	In this example, `Customer-Gateway` is used.
IP Address	Enter the public IP address of the on-premises gateway device to be connected to Alibaba Cloud.	In this example, `211.XX.XX.68` is used.
ASN	Enter the BGP ASN of the on-premises gateway device.	In this example, `65530` is used.

Create an IPsec-VPN connection.

After you create a customer gateway, you need to create an IPsec-VPN connection from Alibaba Cloud to the on-premises gateway device.

In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.
In the top navigation bar, select the region where you want to create the IPsec-VPN connection.
The IPsec-VPN connection and the customer gateway must be created in the same region. In this example, China (Shanghai) is selected.
On the IPsec-VPN connection page, click Create IPsec-VPN Connection.

On the Create IPsec-VPN Connection page, set the parameters for the IPsec-VPN connection, and click OK.

You are charged for using IPsec-VPN connections. For more information, see Billing.

Parameter	Description	IPsec-VPN connection
Name	The name of the IPsec-VPN connection.	In this example, `IPsec` is used.
Associate Resource	Select the type of network resource that you want to associate with the IPsec-VPN connections.	CEN is selected in this example.
Gateway Type	Select the type of gateway used by the IPsec-VPN connection.	In this example, Public is selected.
CEN Instance ID	Select a CEN instance.	In this example, the CEN instance created in the Preparations section is selected.
Transit Router	The transit router to be associated with the IPsec-VPN connection.	The system automatically selects the transit router in the region in which the IPsec-VPN connection is created.
Zone	Select the zone in which the IPsec-VPN connections are created. Make sure that the IPsec-VPN connections are created in a zone that supports transit routers.	In this example, Shanghai Zone F is selected.
Routing Mode	The routing mode.	In this example, Destination Routing Mode is selected.
Effective Immediately	Select whether to immediately apply the settings of the IPsec-VPN connection. Valid values: If you set the Effective Immediately parameter to Yes when you create an IPsec-VPN connection, the negotiations immediately start after the configuration is complete. If you set the Effective Immediately parameter to No when you create an IPsec-VPN connection, the negotiations start when inbound traffic is detected.	In this example, Yes is selected.
Customer Gateway	Select the customer gateways to be associated with the IPsec-VPN connection.	In this example, Customer-Gateway is selected.
Pre-Shared Key	Enter a pre-shared key that is used to authenticate the on-premises gateway device. The key must be 1 to 100 characters in length, and can contain digits, letters, and the following special characters: ~ ` ! @ # $ % ^ & * ( ) _ - + = { } [ ] \ \| ; : ' , . < > / ?. The key cannot contain spaces. If you do not specify a pre-shared key, the system randomly generates a 16-character string as the pre-shared key. After an IPsec-VPN connection is created, you can click Edit in the Actions column of the IPsec-VPN connection to view the pre-shared key that is generated for the IPsec-VPN connection. For more information, see the Modify an IPsec-VPN connection section of this topic. Important The IPsec-VPN connection and peer gateway device must use the same pre-shared key. Otherwise, the system cannot establish an IPsec-VPN connection.	In this example, `fddsFF123****` is used.
Enable BGP	Specify whether to enable BGP. By default, BGP is disabled.	In this topic, BGP is enabled.
Local ASN	Enter the ASN of the IPsec-VPN connection.	In this example, `45104` is used.
Encryption Configuration	Set encryption configurations, including IKE configurations and IPsec configurations.	Use the default values of parameters except for the following parameters. For more information, see Create and manage IPsec-VPN connections associated with transit routers. Set the DH Group parameter in the IKE Configurations section to group14. Set the DH Group parameter in the IPsec Configurations section to group14. Note You need to select encryption parameters based on the on-premises gateway device to ensure that the encryption configurations for the IPsec connection are the same as those for the on-premises gateway device.
BGP Configuration
Tunnel CIDR Block	Enter the CIDR block that is used by the IPsec tunnel. The CIDR block must fall into 169.254.0.0/16. The subnet mask of the CIDR block must be 30 bits in length. The CIDR block cannot be 169.254.0.0/30, 169.254.1.0/30, 169.254.2.0/30, 169.254.3.0/30, 169.254.4.0/30, 169.254.5.0/30, or 169.254.169.252/30.	In this example, `169.254.10.0/30` is used.
Local BGP IP address	Enter a BGP IP address for the IPsec-VPN connection. The IP address must fall into the CIDR block of the IPsec tunnel.	In this example, `169.254.10.1` is used.
Advanced Settings	Specify whether to enable advanced features to automatically advertise and learn routes for IPsec-VPN connections. The advanced features are enabled by default.	In this example, the advanced features are enabled.

After the IPsec-VPN connection is created, the system assigns a public IP address to the IPsec-VPN connection to connect to the data center. You can view the gateway IP address of the IPsec-VPN connection on the details page, as shown in the following figure. 查看公网IP地址

Note

The system assigns gateway IP addresses to IPsec-VPN connections only after you associate the IPsec-VPN connections with transit routers. When you create an IPsec-VPN connection, if you set Associate Resource to Do Not Associate or VPN Gateway, the system does not assign a gateway IP address to the IPsec-VPN connection.

Download the configuration of the IPsec-VPN connection peer.
Return to the IPsec Connections page, find the IPsec-VPN connection that you created, and then click Download Peer Configuration in the Actions column.

Add VPN configurations and BGP configurations to the on-premises gateway device.

After the IPsec-VPN connection is created, perform the following steps to add the VPN and BGP configurations to the on-premises gateway device. This way, the data center can communicate with Alibaba Cloud over the IPsec-VPN connection.

Note

Log on to the CLI of the Cisco firewall and enter the configuration mode.

ciscoasa> enable
Password: ********             # Enter the password for entering the enable mode. 
ciscoasa# configure terminal   # Enter the configuration mode. 
ciscoasa(config)#

View the interface configurations and route configurations.

Verify that the interfaces are configured and enabled on the Cisco firewall. In this example, the following interface configurations are used:

ciscoasa(config)# show running-config interface 
!
interface GigabitEthernet0/0
 nameif outside1                            # The name of the GigabitEthernet 0/0 interface. 
 security-level 0
 ip address 211.XX.XX.68 255.255.255.255    # The public IP address of the GigabitEthernet 0/0 interface. 
!
interface GigabitEthernet0/2                # The interface that connects to the data center. 
 nameif private                             # The name of the GigabitEthernet 0/2 interface. 
 security-level 100                         # The security level of the interface that connects to the data center, which is lower than that of a public interface. 
 ip address 192.168.2.215 255.255.255.0     # The private IP address of the GigabitEthernet 0/2 interface. 
!

route outside1 47.XX.XX.213 255.255.255.255 192.XX.XX.172   # The route for accessing the public IP address of IPsec-VPN connection on the Alibaba Cloud side. The next hop is a public IP address. 
route private 192.168.0.0 255.255.0.0 192.168.2.216         # The route that points to the data center.

Enable the IKEv2 feature for the public interface.

crypto ikev2 enable outside1
crypto ikev2 enable outside2

Create an IKEv2 policy and specify the authentication algorithm, encryption algorithm, DH group, and SA lifetime in the IKE phase on the Cisco firewall. The values must be the same as those on the Alibaba Cloud side.
Important
When you configure an IPsec-VPN connection on the Alibaba Cloud side, you can specify only one value for the encryption algorithm, authentication algorithm, and DH group in the IKE phase. We recommend that you specify only one value for the encryption algorithm, authentication algorithm, and DH group in the IKE phase on the Cisco firewall. The values must be the same as those on the Alibaba Cloud side.
```
crypto ikev2 policy 10     
 encryption aes             # Specify the encryption algorithm. 
 integrity sha              # Specify the authentication algorithm. 
 group 14                   # Specify the DH group. 
 prf sha                    # The value of the prf parameter must be the same as that of the integrity parameter. By default, these values are the same on the Alibaba Cloud side. 
 lifetime seconds 86400     # Specify the SA lifetime.
```

Create an IPsec proposal and profile, and specify the encryption algorithm, authentication algorithm, DH group, and SA lifetime in the IPsec phase on the Cisco firewall. The values must be the same as those on the Alibaba Cloud side.

Important

When you configure an IPsec-VPN connection on the Alibaba Cloud side, you can specify only one value for the encryption algorithm, authentication algorithm, and DH group in the IPsec phase. We recommend that you specify only one value for the encryption algorithm, authentication algorithm, and DH group in the IPsec phase on the Cisco firewall. The values must be the same as those on the Alibaba Cloud side.

crypto ipsec ikev2 ipsec-proposal ALIYUN-PROPOSAL    # Create an IPsec proposal. 
 protocol esp encryption aes                         # Specify the encryption algorithm. The Encapsulating Security Payload (ESP) protocol is used on the Alibaba Cloud side. Therefore, use the ESP protocol. 
 protocol esp integrity sha-1                        # Specify the authentication algorithm. The Encapsulating Security Payload (ESP) protocol is used on the Alibaba Cloud side. Therefore, use the ESP protocol. 
crypto ipsec profile ALIYUN-PROFILE                  
 set ikev2 ipsec-proposal ALIYUN-PROPOSAL            # Create an IPsec profile and apply the proposal that is created.  
 set ikev2 local-identity address                    # Set the format of the local ID to IP address, which is the same as the format of the remote ID on the Alibaba Cloud side. 
 set pfs group14                                     # Specify the Perfect Forward Secrecy (PFS) and DH group. 
 set security-association lifetime seconds 86400     # Specify the time-based SA lifetime. 
 set security-association lifetime kilobytes unlimited # Disable the traffic-based SA lifetime.

Create tunnel groups and specify the pre-shared keys for tunnels, which must be the same as those on the Alibaba Cloud side.

tunnel-group 47.XX.XX.213  type ipsec-l2l                  # Set the encapsulation mode of the tunnel to l2l. 
tunnel-group 47.XX.XX.213  ipsec-attributes             
 ikev2 remote-authentication pre-shared-key fddsFF123****  # Specify the peer pre-shared key for the tunnel, which is the pre-shared key on the Alibaba Cloud side. 
 ikev2 local-authentication pre-shared-key fddsFF123****   # Specify the local pre-shared key for the tunnel, which must be the same as that on the Alibaba Cloud side. 
!

Create a tunnel interface.

interface Tunnel1                                  # Create an interface for the tunnel. 
 nameif ALIYUN1
 ip address 169.254.10.2 255.255.255.252           # Specify the IP address of the interface. 
 tunnel source interface outside1                  # Specify the source address of the tunnel as the GigabitEthernet 0/0 public interface. 
 tunnel destination 47.XX.XX.213                   # Specify the destination address of the tunnel as the public IP address of the IPsec-VPN connection on the Alibaba Cloud side. 
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ALIYUN-PROFILE    # Apply the IPsec profile ALIYUN-PROFILE on the tunnel. 
 no shutdown                                       # Enable the interface for the tunnel. 
!

Configure BGP to create a BGP peer between the on-premises gateway device and the IPsec-VPN connection.

router bgp 65530
 address-family ipv4 unicast
  neighbor 169.254.10.1 remote-as 45104       # Specify the BGP peer, which is the IP address of the tunnel on the Alibaba Cloud side. 
  neighbor 169.254.10.1 ebgp-multihop 255
  neighbor 169.254.10.1 activate              # Activate the BGP peer. 
  neighbor 169.254.10.1 weight 500            # Set the weights of the routes learned through the IPsec-VPN connection to 500, which is lower than the weights of the routes learned through the Express Connect circuit. This ensures that traffic from the data center to the VPC is preferably forwarded through the Express Connect circuit. 
 exit-address-family

Step 4: Test the network connectivity

After you complete the preceding steps, the data center can communicate with the VPC through the IPsec-VPN connection or the Express Connect circuit. When the Express Connect circuit and IPsec-VPN connection are working as expected, all traffic between the data center and the VPC is forwarded through the Express Connect circuit. When the Express Connect circuit is not working as expected, the IPsec-VPN connection takes over. The following section describes how to test the network connectivity and whether active/standby connections are established.

Note

Before the test, make sure that you understand the security group rules applied to the ECS instance in the VPC and the access control list (ACL) rules applied to the data center. Make sure that the rules allow mutual access between the VPC and the data center. For more information about ECS security group rules, see View security group rules and Add a security group rule.

Test the network connectivity.
1. Log on to an ECS instance in the connected VPC. For more information, see Connect to an ECS instance.
2. Run the ping command on the ECS instance to access a client in the data center.
```
ping <IP address of the client in the data center>
```
  If the ECS instance receives echo reply messages, the data center can communicate with the VPC.
Test whether active/standby connections are established.
1. Continuously send requests from a client in the data center to an ECS instance in the VPC or use iPerf3 to send requests from the client to the ECS instance. For more information about how to install and use Iperf3, see Test the performance of an Express Connect circuit.
2. Log on to the CEN console and check the traffic monitoring data of the VBR connections. For more information, see Monitor CEN resources.
  When no error occurs, traffic is forwarded through the Express Connect circuit by default. You can view the traffic monitoring data on the Monitoring tab of the VBR.
3. Interrupt the connection over the Express Connect circuit.
  You can disable the interface connected to the Express Connect circuit on the on-premises gateway device to perform a switchover.
4. Log on to the VPN Gateway console and check the traffic data on the details page of the IPsec-VPN connection. For more information, see Monitor CEN resources.
  When the Express Connect circuit is down, the IPsec-VPN connection takes over. You can view traffic monitoring data on the Monitoring tab of the IPsec-VPN connection.

Routing configuration

In this topic, the default routing configuration is used to create the IPsec-VPN connection, VPC connection, VBR connection, and inter-region connection. When the default routing configuration is used, CEN automatically learns and distributes routes to enable the data center to communicate with the VPC. The following sections describe the default routing configuration.

IPsec-VPN connection

If you associate an IPsec-VPN connection with a transit router when you create the IPsec-VPN connection, the system automatically applies the following routing configuration to the IPsec-VPN connection:

The IPsec-VPN connection is associated with the default route table of the transit router. The transit router forwards traffic from the IPsec-VPN connection based on the default route table.
The destination-based routes that you configure for the IPsec-VPN connection and the routes learned from the data center through the IPsec-VPN connection by using BGP dynamic routing are automatically propagated to the default route table of the transit router.
The transit router automatically propagates the routes in the default route table to the BGP route table associated with the IPsec-VPN connection.
The routes learned from the VPC through the IPsec-VPN connection by using BGP dynamic routing are automatically propagated to the data center.

VPC

If you use the default routing configuration (with all advanced features enabled) when you create a VPC, the system automatically applies the following routing configuration to the VPC:

Associate with Default Route Table of Transit Router
After this feature is enabled, the VPC connection is automatically associated with the default route table of the transit router. The transit router forwards the traffic of the VPC based on the default route table.
Propagate System Routes to Default Route Table of Transit Router
After this feature is enabled, the system routes of the VPC are advertised to the default route table of the transit router. This way, the VPC can communicate with other network instances that are connected to the transit router.
Automatically Create Route That Points to Transit Router and Adds to All Route Tables of Current VPC
After this feature is enabled, the system automatically adds the following three routes to all route tables of the VPC: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. The routes point to the VPC connection.
Important
If such a route is already in the route table of the VPC, the system cannot advertise this route. You must manually add a route that points to the VPC connection to the route table of the VPC. Otherwise, network communication cannot be established between the VPC and the transit router.
To check whether such routes exist, click Check Route below Advanced Settings.

VBR

If you use the default routing configuration (with all advanced features enabled) when you create a VBR connection, the system automatically applies the following routing configuration to the VBR:

Associate with Default Route Table of Transit Router
After this feature is enabled, the VBR connection is automatically associated with the default route table of the transit router. The transit router forwards the traffic of the VBR based on the default route table.
Propagate System Routes to Default Route Table of Transit Router
After this feature is enabled, the system routes of the VBR are advertised to the default route table of the transit router. This way, the VBR can communicate with other network instances that are connected to the transit router.
Propagate Routes to VBR
After this feature is enabled, the system automatically advertises the routes in the transit router route table that is associated with the VBR connection to the VBR.

Manage inter-region connection

If you use the default routing configuration (with all advanced features enabled) when you create an inter-region connection, the system automatically applies the following routing configuration to the inter-region connection:

Associate with Default Route Table of Transit Router
After this feature is enabled, the inter-region connection is automatically associated with the default route table of the transit router. The transit router uses the default route table to forward network traffic across regions.
Propagate System Routes to Default Route Table of Transit Router
After this feature is enabled, the inter-region connection is associated with the default route tables of the transit routers in the connected regions.
Automatically Advertise Routes to Peer Region
After this feature is enabled, the routes in the route table of the transit router in the current region are automatically advertised to the route table of the peer transit router for cross-region communication. The route tables of the transit routers refer to the route tables that are associated with the inter-region connection.

View routes

You can check routes in the console.

For more information about routes of transit routers, see View routes of an Enterprise Edition transit router.
For more information about routes of VPCs, see Create and manage a route table.
For more information about routes of VBRs, perform the following steps:
1. Log on to the Express Connect console.
2. In the left-side navigation pane, click Virtual Border Routers (VBRs).
3. In the top navigation bar, select the region where the VBR is deployed.
4. On the Virtual Border Routers (VBRs) page, click the ID of the VBR that you want to manage.
  On the details page of the VBR, view the custom routes, BGP routes, and CEN routes of the VBR on the Routes tab.
To view the routes of an IPsec-VPN connection, go to the details page of the IPsec-VPN connection:
1. Log on to the VPN Gateway console.
2. In the top navigation bar, select the region in which the IPsec-VPN connection is created.
3. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.
4. On the IPsec Connections page, find the IPsec-VPN connection and click its ID.
  Go to the details page of the IPsec-VPN connection and view the route entries on the BGP Route Table tab.