Designlet: Implementing IPSec VPN Connectivity with Alibaba Cloud VMware Service

Introduction

This document provides recommendations and guidelines on connecting the on-prem data center to Alibaba Cloud VMware Service using IPSec VPN.

You must be aware of several prerequisites and considerations before configuring the network.

The table below summarises the use case, considerations, and other details so that you can check whether IPSec VPN meets your requirements.

Scope of the Document

Learn about configuring IPSec VPN in Alibaba Cloud. Understand pre-requisites, use-case, and design considerations. Readers are expected to have fundamental knowledge about networking and the public cloud.

Summary and Considerations

Use Case

Customers can use IPSec VPN for connectivity between on-prem and Alibaba Cloud VMware Service when they are looking for a ready-to-go, low-cost solution.

Peak bandwidth can reach up to 200 Mbps, which makes it ideal for data transfer with some latency tolerance.

Pre-requisites

Pre-requisites for setting up IPSec VPN:

On-Prem

  • Customer Gateway Device: A gateway device with internet access via a public IP address. The device must support the IKEv1 or IKEv2 protocol.

Alibaba Cloud

  • VPC: The virtual private cloud to which IPSec tunnel connectivity is required.

  • VPN Gateway: Deploy a VPN gateway and associate it with the required VPC.

  • Customer Gateway: Register the on-prem gateway device in Alibaba Cloud. The device needs internet access via a public IP address and must support the IKEv1 or IKEv2 protocol.

  • IPSec Tunnel: IPSec tunnel between VPN Gateway and Customer Gateway Device.

  • Routes: Enable routes to allow traffic flow between the two sites. Select either destination-based routing or policy-based routing.

    • Destination-Based Routing: If a destination-based route is used, traffic is forwarded based only on the destination IP address.

    • Policy-Based Routing: If a policy-based route is used, traffic is forwarded based on both the source IP address and the destination IP address.

General Considerations/Recommendations

  • Multiple IPSec VPN tunnels are supported.

  • Peak bandwidth can reach up to 200 Mbps. If there are multiple IPSec VPN tunnels, the aggregate bandwidth is still capped at 200 Mbps.

  • BGP configuration is supported but optional.

Performance Considerations

  • Select or upgrade the peak bandwidth depending on your usage. The available bandwidth options are 5 Mbps, 10 Mbps, 20 Mbps, 50 Mbps, 100 Mbps and 200 Mbps.

  • You must set the MTU of the local VPN gateway to a value no greater than 1,360 bytes. We recommend that you set the MTU to 1,360 bytes.

  • The TCP protocol negotiates the maximum segment size (MSS) of each packet segment between the sender and the receiver. We recommend that you set the TCP MSS of the on-premises VPN gateway to 1,359 bytes to facilitate the encapsulation and transfer of TCP packets.

Document Reference

Alibaba Cloud VMware Service - Official Documentation

Last Updated

June 2022

Planning and Implementation

When setting up an IPSec VPN, keep the following best practices and recommendations in mind.

Planning

  • The gateway device in the data center supports the IKEv1 and IKEv2 protocols. IPsec-VPN supports the IKEv1 and IKEv2 protocols, so any gateway device that supports these protocols can connect to VPN gateways on Alibaba Cloud.

  • A static public IP address is assigned to the gateway device in the data center.

  • The CIDR block of the data center does not overlap with the CIDR block of the VPC.
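As an added pre-flight check that is not part of this designlet or of Alibaba Cloud's tooling, the following Python encodes the planning rules above together with the bandwidth, MTU and MSS guidance from the Performance Considerations; the plan dictionary keys and all sample addresses are assumptions.

```python
# Added pre-flight check for the planning and performance constraints in this
# designlet. Not Alibaba Cloud or VMware code; thresholds come from the text
# above and all sample values are constructed.
import ipaddress

ALLOWED_BANDWIDTH_MBPS = {5, 10, 20, 50, 100, 200}  # purchasable peak bandwidth tiers
MAX_MTU = 1360            # local VPN gateway MTU must not exceed this
RECOMMENDED_MSS = 1359    # recommended TCP MSS on the on-prem gateway
SUPPORTED_IKE = {"ikev1", "ikev2"}
# Ranges that can never be the customer gateway's static public IP address.
NON_PUBLIC = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
              "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")]

def check_vpn_plan(plan: dict) -> list[str]:
    """Return the findings for a plan; an empty list means every check passed."""
    findings = []
    # The gateway device needs a public IP the Alibaba Cloud VPN gateway can reach.
    try:
        gw_ip = ipaddress.ip_address(plan["customer_gateway_ip"])
        if any(gw_ip in net for net in NON_PUBLIC):
            findings.append(f"customer gateway IP {gw_ip} is not a public address")
    except ValueError:
        findings.append("customer gateway IP is not a valid IP address")
    # The data-center CIDR block must not overlap the VPC CIDR block.
    onprem = ipaddress.ip_network(plan["onprem_cidr"], strict=False)
    vpc = ipaddress.ip_network(plan["vpc_cidr"], strict=False)
    if onprem.overlaps(vpc):
        findings.append(f"on-prem CIDR {onprem} overlaps VPC CIDR {vpc}")
    # The gateway device must support IKEv1 or IKEv2.
    if plan["ike_version"].lower() not in SUPPORTED_IKE:
        findings.append(f"unsupported IKE version {plan['ike_version']!r}")
    # Peak bandwidth must be one of the offered tiers (aggregate cap is 200 Mbps).
    if plan["peak_bandwidth_mbps"] not in ALLOWED_BANDWIDTH_MBPS:
        findings.append(f"peak bandwidth {plan['peak_bandwidth_mbps']} Mbps is not an offered tier")
    # MTU and TCP MSS guidance for traffic that will be ESP-encapsulated.
    if plan["mtu"] > MAX_MTU:
        findings.append(f"MTU {plan['mtu']} exceeds the {MAX_MTU}-byte limit")
    if plan["tcp_mss"] != RECOMMENDED_MSS:
        findings.append(f"TCP MSS {plan['tcp_mss']} differs from the recommended {RECOMMENDED_MSS}")
    return findings

# Constructed sample plans: one follows the guidance, the other breaks several rules.
GOOD_PLAN = {"customer_gateway_ip": "203.0.113.10", "onprem_cidr": "10.10.0.0/16",
             "vpc_cidr": "172.16.0.0/16", "ike_version": "IKEv2",
             "peak_bandwidth_mbps": 100, "mtu": 1360, "tcp_mss": 1359}
BAD_PLAN = {"customer_gateway_ip": "192.168.1.1", "onprem_cidr": "10.0.0.0/8",
            "vpc_cidr": "10.20.0.0/16", "ike_version": "IKEv2",
            "peak_bandwidth_mbps": 150, "mtu": 1500, "tcp_mss": 1460}
```

Running check_vpn_plan(BAD_PLAN) returns one finding per violated rule, so the list doubles as a checklist to clear before creating the VPN gateway.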

Implementation

Below are the high-level steps to set up an IPSec VPN connection.

Create a VPN Gateway

  1. Log in to the Alibaba Cloud console

  2. Navigate to Virtual Private Cloud

  3. Click on VPN Gateway

  4. Click on Create VPN Gateway

    • Provide Name

    • Select Region and Zone

    • Select Gateway and Network Type

    • Select VPC

    • Select vSwitch, if required

    • Select Peak bandwidth

    • Enable IPSec VPN

    • Choose a preferred billing cycle

    • Click Buy Now

Create Customer Gateway

  1. Navigate to Customer Gateway

  2. Click on Create Customer Gateway

    • Provide Name

    • Enter the Customer Gateway Public IP Address

    • Click OK

Create IPSec Connection

  1. Provide Name

  2. Select VPN Gateway

  3. Select Customer Gateway

  4. Select Routing Mode

  5. Set Pre-Shared Key

  6. Configure Advanced Configurations, if required. Skip this step to keep the default configuration.

    • IKE Version

    • Negotiation Mode

    • Encryption Mode

    • Authentication Algorithm

    • IPSec Advanced Configuration


Configure Gateway Device

  1. Download the IPSec configuration from the Cloud Console

  2. Log in to the on-prem gateway device

  3. Configure the gateway device based on the downloaded IPSec tunnel configuration

Configure Routes

  1. Add policy-based routes to enable the flow of traffic

  2. Go to VPN Gateway

  3. Select the VPN Gateway

  4. Configure Route
