Designlet: Implementing IPSec VPN Connectivity with Alibaba Cloud VMware Service
Introduction
This document provides recommendations and guidelines on connecting the on-prem data center to Alibaba Cloud VMware Service using IPSec VPN.
You must be aware of several prerequisites and considerations before configuring the network.
The table below summarises the use case, considerations, and other details to help you decide whether IPSec VPN meets your requirements.
Scope of the Document
Learn about configuring IPSec VPN in Alibaba Cloud. Understand pre-requisites, use-case, and design considerations. Readers are expected to have fundamental knowledge about networking and the public cloud.
Summary and Considerations
Use Case | Customers looking for a ready-to-go, low-cost solution can always use IPSec VPN for connectivity between on-prem and Alibaba Cloud VMware Service. The peak bandwidth can reach up to 200 Mbps, which is ideal for data transfer with some latency tolerance. |
Pre-requisites | Pre-requisites required for setting up IPSec VPN: On-Prem; Alibaba Cloud |
General Considerations/Recommendations | |
Performance Considerations | |
Document Reference | |
Last Updated | June 2022 |
Planning and Implementation
When setting up an IPSec VPN, there are many best practices and recommendations to keep in mind.
Planning
- The gateway device in the data center supports the IKEv1 and IKEv2 protocols. IPsec-VPN supports the IKEv1 and IKEv2 protocols. All gateway devices that support the two protocols can connect to VPN gateways on Alibaba Cloud.
- A static public IP address is assigned to the gateway device in the data center.
- The CIDR block of the data center does not overlap with the CIDR block of the VPC.
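A pre-flight check for the three planning items above, added here as an illustration (it is not part of the original designlet or of any Alibaba Cloud tooling). The function name `preflight`, its parameters and the sample addresses are assumptions, as is the reading that one shared IKE version is enough to connect.

```python
import ipaddress

# The two IKE versions the planning list names.
SUPPORTED_IKE = {"ikev1", "ikev2"}


def preflight(gateway_ip, gateway_ike_versions, onprem_cidrs, vpc_cidrs):
    """Check the three planning items; return a list of problems (empty = pass)."""
    problems = []

    # 1. Assumption: one shared IKE version is enough to negotiate a tunnel.
    offered = {v.strip().lower() for v in gateway_ike_versions}
    if not offered & SUPPORTED_IKE:
        problems.append("gateway device offers neither IKEv1 nor IKEv2")

    # 2. The customer gateway needs a public address. Whether it is *static*
    #    cannot be tested here; confirm that with the ISP or network team.
    ip = ipaddress.ip_address(gateway_ip)
    if not ip.is_global:
        problems.append(f"gateway address {ip} is not publicly routable")

    # 3. No data center CIDR may overlap any VPC CIDR, otherwise routes for
    #    the shared range are ambiguous on both sides of the tunnel.
    onprem = [ipaddress.ip_network(c, strict=False) for c in onprem_cidrs]
    vpc = [ipaddress.ip_network(c, strict=False) for c in vpc_cidrs]
    for a in onprem:
        for b in vpc:
            if a.overlaps(b):
                problems.append(f"data center CIDR {a} overlaps VPC CIDR {b}")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    result = preflight(
        gateway_ip="100.64.0.1",  # carrier-grade NAT range, not public
        gateway_ike_versions=["IKEv2"],
        onprem_cidrs=["10.0.0.0/8", "192.168.10.0/24"],
        vpc_cidrs=["10.20.0.0/16", "172.16.0.0/12"],
    )
    for line in result or ["all planning checks passed"]:
        print(line)
```

Run it with the real data center and VPC CIDR blocks before creating the customer gateway, since an overlap found after the tunnel is up usually means renumbering one side.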
Implementation
Below are the high-level steps to set up an IPSec VPN connection.
Create a VPN Gateway
- Log in to the Alibaba Cloud Console
- Navigate to Virtual Private Cloud
- Click on VPN Gateway
- Click on Create VPN Gateway
- Provide Name
- Select Region and Zone
- Select Gateway and Network Type
- Select VPC
- Select vSwitch, if required
- Select Peak bandwidth
- Enable IPSec VPN
- Choose a preferred billing cycle
- Buy Now
Create Customer Gateway
- Navigate to Customer Gateway
- Click on Create Customer Gateway
- Provide Name
- Enter the Customer Gateway Public IP Address
- Click OK
Create IPSec Connection
- Provide Name
- Select VPN Gateway
- Select Customer Gateway
- Select Routing Mode
- Set Pre-Shared Key
- Configure Advanced Configurations, if required. Skip this step to keep the default configuration.
  - IKE Version
  - Negotiation Mode
  - Encryption Mode
  - Authentication Algorithm
  - IPSec Advanced Configuration
Configure Gateway Device
- Download the IPSec Configuration from the Cloud Console
- Log in to the On-Prem Gateway device
- Configure the Gateway device based on the IPSec Tunnel Configuration
Configure Routes
- Add Policy-based routes to enable the flow of traffic
- Go to VPN Gateway
- Select the VPN Gateway
- Configure Route