
VPN Gateway:Create and manage IPsec-VPN connections in dual-tunnel mode

Last Updated:Apr 03, 2025

You can create IPsec-VPN connections to establish encrypted communication between your on-premises data center and a virtual private cloud (VPC). This topic describes how to create and manage IPsec-VPN connections in dual-tunnel mode.

Before you begin

Before you create an IPsec-VPN connection, make sure that a VPN gateway and a customer gateway are created.

Create an IPsec-VPN connection

  1. Log on to the VPN gateway console.
  2. In the left-side navigation pane, choose Cross-network Interconnection > VPN > IPsec Connections.

  3. On the IPsec Connections page, click Bind VPN Gateway.

  4. On the Create Ipsec-vpn Connection (VPN) page, configure the IPsec-VPN connection based on the following information, and then click OK.

    Basic configurations

    Parameter

    Description

    Name

    Enter a name for the IPsec-VPN connection.

    Region

    Select the region where the VPN gateway to be associated with the IPsec-VPN connection is deployed.

    The IPsec-VPN connection is created in the same region as the VPN gateway.

    Resource Group

    Select the resource group to which the VPN gateway belongs.

    If you leave this parameter empty, the system displays the VPN gateways in all resource groups.

    Bind VPN Gateway

    Select the VPN gateway to be associated with the IPsec-VPN connection.

    Routing Mode

    Select the routing mode of the IPsec-VPN connection.

    • Destination Routing Mode (default): routes and forwards traffic based on the destination IP address.

    • Protected Data Flows: routes and forwards traffic based on the source and destination IP addresses.

      If you select Protected Data Flows, you must configure Local Network and Remote Network.

      After the IPsec-VPN connection is configured, the system automatically adds a policy-based route to the Policy-based Route Table of the VPN gateway. The Source CIDR Block of the policy-based route is the Local Network of the IPsec-VPN connection. The Destination CIDR Block of the policy-based route is the Remote Network of the IPsec-VPN connection. The next hop of the policy-based route points to the policy-based route of the IPsec-VPN connection. By default, the policy-based route is not published. You can advertise the policy-based route to the VPC route table based on your business requirements.

    Local Network

    If Routing Mode is set to Protected Data Flows, you must enter the VPC CIDR block to be connected to the data center. Phase-2 negotiation is based on protected data flows on both sides. We recommend that you keep the value of Local Network the same as the remote network CIDR block on the data center side.

    Click the Add icon to the right of the text box to add multiple CIDR blocks on the VPC side that need to communicate with the data center.

    Note

    If you configure multiple CIDR blocks, you must set the IKE version to ikev2.

    Remote Network

    If Routing Mode is set to Protected Data Flows, you must enter the data center CIDR block to be connected to the VPC. Phase-2 negotiation is based on protected data flows on both sides. We recommend that you keep the value of Remote Network the same as the local network CIDR block on the VPC side.

    Click the Add icon to the right of the text box to add multiple CIDR blocks on the data center side that need to communicate with the VPC.

    Note

    If you configure multiple CIDR blocks, you must set the IKE version to ikev2.

    Effective Immediately

    Specify whether to immediately start IPsec negotiations after the configuration takes effect.

    • Yes (default): The system immediately starts IPsec negotiations after the configuration is complete.

    • No: The system starts IPsec negotiations only when inbound traffic is detected.

    Tunnel configurations

    Configure tunnel parameters as described in the following table. By default, Tunnel 1 is the active tunnel and Tunnel 2 is the standby tunnel. IP Address 1 of the VPN gateway is used to establish Tunnel 1 and IP Address 2 of the VPN gateway is used to establish Tunnel 2. You cannot change the roles of the tunnels.

    Important

    When you create an IPsec-VPN connection in dual-tunnel mode, you must configure two tunnels and ensure that both are available. If you configure or use only one of the tunnels, you do not get the redundancy and zone-disaster recovery that dual-tunnel mode provides.

    Parameter

    Description

    Enable BGP

    Specifies whether to enable BGP dynamic routing for the tunnels. BGP dynamic routing is disabled by default.

    After you enable BGP dynamic routing, the tunnels can automatically learn and advertise data center routes and VPC routes over BGP. This reduces network maintenance costs and avoids user configuration errors.

    Before you use BGP dynamic routing, we recommend that you learn about how it works and the limits.

    Local ASN

    If you enable BGP dynamic routing, enter the ASN of the tunnel. Both tunnels use the same ASN. Default value: 45104. Valid values: 1 to 4294967295.

    Note

    We recommend that you use a private ASN to establish a connection to Alibaba Cloud over BGP. For more information about the valid values of a private ASN, see the relevant documentation.

    Customer Gateway

    The customer gateway to be associated with the tunnels.

    Both tunnels can be associated with the same customer gateway.

    Pre-Shared Key

    The pre-shared key that is used to verify identities between the tunnels and peers.

    • The key must be 1 to 100 characters in length and can contain digits, uppercase letters, lowercase letters, and the following special characters: ~`!@#$%^&*()_-+={}[]\|;:',.<>/?. The key cannot contain space characters.

    • If you do not specify a pre-shared key, the system randomly generates a 16-character string as the pre-shared key. After you create the IPsec-VPN connection, you can click Edit for the tunnel to view the pre-shared key that is generated by the system. For more information, see Modify the configurations of a tunnel.

    Important

    Make sure that the tunnels and peer use the same pre-shared key. Otherwise, tunnel communication cannot be established.

    Encryption Configurations: IKE Configurations

    Parameter

    Description

    Version

    The IKE version. Valid values:

    • ikev1

    • ikev2 (default)

      Compared with IKEv1, IKEv2 simplifies the SA negotiations and provides better support for scenarios in which multiple CIDR blocks are used. We recommend that you use IKEv2.

    Negotiation Mode

    The negotiation mode. Valid values:

    • main (default): The main mode provides higher security during negotiations.

    • aggressive: The aggressive mode is faster and has a higher success rate during negotiations.

    The modes support the same security level for data transmission.

    Encryption Algorithm

    The encryption algorithm that is used in Phase 1 negotiations.

    Valid values: aes (aes128, default), aes192, aes256, des, and 3des.

    Note

    If the bandwidth of the VPN gateway is 200 Mbps or higher, we recommend that you use the aes, aes192, or aes256 encryption algorithm. We do not recommend that you use the 3des encryption algorithm.

    • Advanced Encryption Standard (AES) is a symmetric-key encryption algorithm that provides strong encryption. AES has little impact on network latency, throughput, and forwarding performance while ensuring data transmission security.

    • 3DES (Triple DES) is slow to encrypt data and is computationally expensive. Compared with AES, 3DES reduces forwarding performance.

    Authentication Algorithm

    The authentication algorithm that is used in Phase 1 negotiations.

    Valid values: sha1 (default), md5, sha256, sha384, and sha512.

    Note

    When you add VPN configurations to your on-premises gateway device, you may need to specify the pseudorandom function (PRF) algorithm. Make sure that the PRF algorithm matches the authentication algorithm that is used in IKE negotiation.

    DH Group (Perfect Forward Secrecy)

    The Diffie-Hellman (DH) key exchange algorithm that is used in Phase 1 negotiations. Valid values:

    • group1: DH group 1.

    • group2 (default): DH group 2.

    • group5: DH group 5.

    • group14: DH group 14.

    SA Life Cycle (seconds)

    Specify the lifecycle of the SA after Phase 1 negotiations succeed. Unit: seconds. Default value: 86400. Valid values: 0 to 86400.

    LocalId

    The local ID of the tunnel. The default value is the IP address of the tunnel.

    This parameter is used only to identify Alibaba Cloud in IPsec-VPN negotiations. You can use an IP address or a fully qualified domain name (FQDN) as the ID. The value cannot contain space characters. We recommend that you use a private IP address.

    If you use an FQDN as the LocalId, for example, example.aliyun.com, the peer ID on the on-premises gateway device must be the same as the value of LocalId. We recommend that you set the negotiation mode to aggressive.

    RemoteId

    The peer ID of the tunnel. The default value is the IP address of the customer gateway.

    This parameter is used only to identify on-premises gateway devices in IPsec-VPN negotiations. You can use an IP address or an FQDN as the ID. The value cannot contain space characters. We recommend that you use a private IP address.

    If you use an FQDN as the RemoteId, for example, example.aliyun.com, the local ID on the on-premises gateway device must be the same as the value of RemoteId. We recommend that you set the negotiation mode to aggressive.

    Encryption Configurations: IPsec Configurations

    Parameter

    Description

    Encryption Algorithm

    The encryption algorithm that is used in Phase 2 negotiations.

    Valid values: aes (aes128, default), aes192, aes256, des, and 3des.

    Note

    If the bandwidth of the VPN gateway is 200 Mbps or higher, we recommend that you use the aes, aes192, or aes256 encryption algorithm. We do not recommend that you use the 3des encryption algorithm.

    • Advanced Encryption Standard (AES) is a symmetric-key encryption algorithm that provides strong encryption. AES has little impact on network latency, throughput, and forwarding performance while ensuring data transmission security.

    • 3DES (Triple DES) is slow to encrypt data and is computationally expensive. Compared with AES, 3DES reduces forwarding performance.

    Authentication Algorithm

    The authentication algorithm that is used in Phase 2 negotiations.

    Valid values: sha1 (default), md5, sha256, sha384, and sha512.

    DH Group (Perfect Forward Secrecy)

    The DH key exchange algorithm that is used in Phase 2 negotiations. Valid values:

    • disabled: The DH key exchange algorithm is not used.

      • For clients that do not support PFS, select disabled.

      • If you select a value other than disabled, the Perfect Forward Secrecy (PFS) feature is enabled by default. This feature ensures that a key is updated each time renegotiation occurs. Therefore, you must also enable PFS on the client.

    • group1: DH group 1.

    • group2 (default): DH group 2.

    • group5: DH group 5.

    • group14: DH group 14.

    SA Life Cycle (seconds)

    Specify the lifecycle of the SA after Phase 2 negotiations succeed. Unit: seconds. Default value: 86400. Valid values: 0 to 86400.

    DPD

    Specify whether to enable the dead peer detection (DPD) feature. This feature is enabled by default.

    After you enable the DPD feature, the IPsec-VPN connection sends DPD packets to check the liveness and availability of the peer. If no response is received from the peer within the specified period of time, the connection is torn down: the ISAKMP SA, IPsec SA, and IPsec-VPN tunnels are deleted, and IPsec-VPN negotiation is reinitiated. The DPD timeout period is 30 seconds.

    Note

    In scenarios where IPsec-VPN connections use IKEv2, the DPD timeout period of some existing VPN gateways may be 130 seconds or 3,600 seconds. You can upgrade your VPN gateway to the latest version.

    NAT Traversal

    Specify whether to enable the NAT traversal feature. By default, the NAT traversal feature is enabled.

    After you enable NAT traversal, the initiator does not check UDP ports during IKE negotiation and can automatically discover NAT gateway devices on the IPsec-VPN tunnels.

    BGP Configuration

    If you enable BGP dynamic routing for the IPsec-VPN connection, you can configure the BGP parameters that are described in the following table. If BGP is disabled for the IPsec-VPN connection, you can enable BGP for the tunnel after the IPsec-VPN connection is created. For more information, see Enable BGP for a tunnel.

    Parameter

    Description

    Tunnel CIDR Block

    Enter the CIDR block of the tunnel.

    The CIDR block must fall into 169.254.0.0/16. The mask of the CIDR block must be 30 bits in length. The CIDR block cannot be 169.254.0.0/30, 169.254.1.0/30, 169.254.2.0/30, 169.254.3.0/30, 169.254.4.0/30, 169.254.5.0/30, or 169.254.169.252/30.

    Note

    On a VPN gateway, the CIDR block of each tunnel must be unique.

    Local BGP IP address

    Enter the BGP IP address of the tunnel.

    This IP address must fall within the CIDR block of the tunnel.

    Tags

    When you create an IPsec-VPN connection, you can add tags to the IPsec-VPN connection to facilitate resource aggregation and search. For more information, see Tags.

    Parameter

    Description

    Tag Key

    The tag key of the IPsec-VPN connection. You can select or enter a tag key.

    Tag Value

    Select or enter a tag value. You can leave the tag value empty.

  5. To configure VPN gateway routes later, click Cancel in the dialog box that appears.

  6. On the IPsec Connections page, find the IPsec-VPN connection that you want to manage, and click Download Configuration in the Actions column.

  7. In the IPsec-VPN Connection Configuration dialog box, copy the configuration and save it to a local path. You can use the configuration to configure your on-premises gateway device.
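The following check script is an added example, not Alibaba Cloud's code or the downloaded configuration. It validates a planned dual-tunnel configuration against the constraints in the tables above (pre-shared key alphabet and length, IKEv2 with multiple CIDR blocks, ASN range, SA lifetimes, and the tunnel CIDR block and local BGP IP rules) before you enter it in the console; the cfg dictionary keys are assumed names.

```python
"""Added example (not Alibaba Cloud's code): check a dual-tunnel IPsec-VPN
configuration against the constraints on this page; the cfg keys are assumed."""
import ipaddress
import string

# Pre-shared key alphabet as listed on this page (space is not allowed).
PSK_ALPHABET = string.ascii_letters + string.digits + "~`!@#$%^&*()_-+={}[]\\|;:',.<>/?"
# Tunnel CIDR blocks the console rejects, as listed on this page.
RESERVED = {ipaddress.ip_network(c) for c in (
    "169.254.0.0/30", "169.254.1.0/30", "169.254.2.0/30", "169.254.3.0/30",
    "169.254.4.0/30", "169.254.5.0/30", "169.254.169.252/30")}
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

def check_psk(psk: str) -> list:
    """Length 1 to 100, only the allowed characters."""
    problems = []
    if not 1 <= len(psk) <= 100:
        problems.append("pre-shared key must be 1 to 100 characters")
    if any(ch not in PSK_ALPHABET for ch in psk):
        problems.append("pre-shared key contains disallowed characters")
    return problems

def check_tunnel_bgp(tunnel_cidr: str, local_bgp_ip: str) -> list:
    """One tunnel's BGP settings: a /30 inside 169.254.0.0/16, not reserved, IP inside it."""
    try:
        net = ipaddress.IPv4Network(tunnel_cidr)  # strict: rejects host bits in the prefix
        ip = ipaddress.IPv4Address(local_bgp_ip)
    except ValueError as exc:
        return [f"invalid tunnel CIDR block or BGP IP: {exc}"]
    problems = []
    if not net.subnet_of(LINK_LOCAL):
        problems.append("tunnel CIDR block must fall into 169.254.0.0/16")
    if net.prefixlen != 30:
        problems.append("tunnel CIDR block mask must be 30 bits")
    if net in RESERVED:
        problems.append(f"tunnel CIDR block {net} is reserved")
    if ip not in net:
        problems.append("local BGP IP address must fall within the tunnel CIDR block")
    return problems

def check_connection(cfg: dict) -> list:
    """Two tunnels, IKEv2 with multiple CIDRs, ASN range, unique CIDRs, lifetimes, keys."""
    problems = []
    tunnels = cfg.get("tunnels", [])
    if len(tunnels) != 2:
        problems.append("dual-tunnel mode requires exactly two tunnels")
    multi = len(cfg.get("local_networks", [])) > 1 or len(cfg.get("remote_networks", [])) > 1
    if multi and cfg.get("ike_version") != "ikev2":
        problems.append("multiple CIDR blocks require IKE version ikev2")
    bgp = cfg.get("bgp_enabled", False)
    if bgp:
        if not 1 <= cfg.get("local_asn", 0) <= 4294967295:
            problems.append("local ASN must be 1 to 4294967295")
        cidrs = [t.get("tunnel_cidr") for t in tunnels]
        if len(set(cidrs)) != len(cidrs):
            problems.append("tunnel CIDR blocks must be unique on a VPN gateway")
    for i, t in enumerate(tunnels, 1):
        if bgp:
            found = check_tunnel_bgp(t.get("tunnel_cidr", ""), t.get("local_bgp_ip", ""))
            problems += [f"tunnel {i}: {p}" for p in found]
        for phase in ("ike_lifetime", "ipsec_lifetime"):
            if not 0 <= t.get(phase, 86400) <= 86400:
                problems.append(f"tunnel {i}: {phase} must be 0 to 86400 seconds")
        problems += [f"tunnel {i}: {p}" for p in check_psk(t.get("psk", ""))]
    return problems
```

An empty list from check_connection means the planned values satisfy every rule on this page; each string in a non-empty list names the tunnel and the rule that fails.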

What to do next

  1. Configure VPN gateway routes.

  2. Configure your on-premises gateway device based on the IPsec-VPN connection configuration you download.

View the tunnel information of an IPsec-VPN connection

After you create an IPsec-VPN connection, you can view the status and information of the tunnels on the details page of the IPsec-VPN connection.

  1. Log on to the VPN Gateway console.

  2. In the left-side navigation pane, choose Cross-network Interconnection > VPN > IPsec Connections.

  3. In the top navigation bar, select the region of the IPsec-VPN connection.

  4. On the IPsec Connections page, find the IPsec-VPN connection that you want to manage, and click the ID of the IPsec-VPN connection.

  5. On the details page of the IPsec-VPN connection, you can view the status and information of the tunnels.

    Field

    Description

    Tunnel/Tunnel ID

    The tunnel ID.

    Tunnel Primary/Secondary Role

    The role of the tunnel. Valid values:

    • Primary: active tunnel.

    • Secondary: standby tunnel.

    Gateway IP Address

    The IP address on the Alibaba Cloud side used to establish the IPsec-VPN connection.

    • By default, the active tunnel uses IP Address 1 of the VPN gateway.

    • By default, the standby tunnel uses IP Address 2 of the VPN gateway.

    Pre-Shared Key

    The pre-shared key used by the tunnel.

    The pre-shared key is encrypted by default. You can move the pointer over View to display the pre-shared key.

    Tunnel CIDR Block

    If you enable BGP dynamic routing for the tunnel, the CIDR block of the tunnel is displayed.

    Local BGP IP address

    If you enable BGP dynamic routing for the tunnel, the BGP IP address on the Alibaba Cloud side is displayed.

    Connection Status

    The status of the IPsec-VPN negotiation of the tunnel. Valid values:

    • If the IPsec-VPN negotiation succeeds, Phase 2 Negotiations Succeeded is displayed in the console.

    • If the IPsec-VPN negotiation fails, the failure information is displayed in the console. You can troubleshoot the issue based on the information. For more information about the solution, see Troubleshoot IPsec-VPN connection issues.

    Customer Gateway

    The customer gateway that is associated with the tunnel.

    The customer gateway is configured with an IP address and BGP ASN on the data center side.

    Status

    The status of the tunnel. Valid values:

    • Normal

    • Updating

    • Deleting

Manage IPsec-VPN connections

Enable BGP for a tunnel

If BGP dynamic routing is not enabled when you create an IPsec-VPN connection, you can enable this feature for the tunnels after the IPsec-VPN connection is created.

Before you enable BGP dynamic routing for an IPsec-VPN connection, make sure that the customer gateway associated with the IPsec-VPN connection has a BGP ASN. If no BGP ASN is configured for the customer gateway, BGP dynamic routing cannot be enabled for the IPsec-VPN connection.

In that case, delete the current IPsec-VPN connection, create a new IPsec-VPN connection, and associate it with a customer gateway that is configured with a BGP ASN.

  1. Log on to the VPN Gateway console.

  2. In the left-side navigation pane, choose Cross-network Interconnection > VPN > IPsec Connections.

  3. In the top navigation bar, select the region of the IPsec-VPN connection.

  4. On the IPsec Connections page, find the IPsec-VPN connection that you want to manage, and click the ID of the IPsec-VPN connection.

  5. In the IPsec Connections section of the IPsec-VPN connection details page, click the button to the right of Enable BGP.

  6. In the BGP Configuration dialog box, add BGP configurations, and then click OK.

    You must configure BGP dynamic routing for both tunnels. For more information about BGP configuration parameters, see BGP configurations.

    If you want to disable BGP dynamic routing for the IPsec-VPN connection, click the button to the right of Enable BGP. In the Disable BGP Configuration dialog box, click OK.

Modify the configurations of a tunnel

  1. Log on to the VPN Gateway console.

  2. In the left-side navigation pane, choose Cross-network Interconnection > VPN > IPsec Connections.

  3. In the top navigation bar, select the region of the IPsec-VPN connection.

  4. On the IPsec Connections page, find the IPsec-VPN connection that you want to manage, and click the ID of the IPsec-VPN connection.

  5. On the details page of the IPsec-VPN connection, find the tunnel that you want to manage, and click Actions > Edit in the column.

  6. On the edit page, modify the configurations of the tunnel, and then click OK.

    For more information about the tunnel parameters, see Tunnel configurations.

Modify the configurations of an IPsec-VPN connection

After a VPN gateway is associated with an IPsec-VPN connection, you cannot change the VPN gateway. You can modify only the Routing Mode and Effective Immediately parameters of the IPsec-VPN connection.

  1. Log on to the VPN Gateway console.

  2. In the left-side navigation pane, choose Cross-network Interconnection > VPN > IPsec Connections.

  3. In the top navigation bar, select the region of the IPsec-VPN connection.

  4. On the IPsec Connections page, find the IPsec-VPN connection that you want to manage, and click Actions > Edit in the column.

  5. On the Modify IPsec-VPN Connection page, modify the name, CIDR blocks, and other parameters of the IPsec-VPN connection, and then click OK.

    For more information about the parameters, see Create an IPsec-VPN connection.

Delete an IPsec-VPN connection

  1. Log on to the VPN Gateway console.

  2. In the left-side navigation pane, choose Cross-network Interconnection > VPN > IPsec Connections.

  3. In the top navigation bar, select the region of the IPsec-VPN connection.

  4. On the IPsec Connections page, find the IPsec-VPN connection that you want to delete, and click Actions > Delete in the column.

  5. In the dialog box that appears, confirm the information and click OK.

Create and manage IPsec-VPN connections by calling the API

You can use Alibaba Cloud SDK (recommended), Alibaba Cloud CLI, Terraform, or Resource Orchestration Service to call the API to create and manage IPsec-VPN connections. The following API operations are available: