---
title: "Alibaba Cloud"
slug: "360026027294-configuring-a-site-to-site-ipsec-tunnel-to-alibaba-cloud"
updated: 2026-04-07T09:05:20Z
published: 2026-04-07T09:05:20Z
canonical: "support.perimeter81.com/360026027294-configuring-a-site-to-site-ipsec-tunnel-to-alibaba-cloud"
stale: true
---

# Alibaba Cloud

## Introduction

This guide will walk you through the process of establishing a Site-to-Site VPN tunnel between your Check Point SASE network and your Alibaba Cloud environment.

**Breakdown of topics**

1. Pre-requisites
2. Configuration Steps
3. Verifying the Setup
4. Troubleshooting
5. Support Contacts

## Pre-requisites

To successfully follow this guide, you should have:

1. An active Check Point SASE account and network.
2. The Check Point SASE app installed on your devices.
3. An active Alibaba Cloud account with admin permissions.

## Configuration Steps

## Setting a tunnel on Alibaba Cloud

1. Log in to the VPC console.
2. In the **Management Platform** on the left side, choose **VPN > IPsec Connections**.
3. Select a region.
4. On the **IPsec Connections** page, select **Create IPsec Connection**.
5. On the **Create IPsec Connection** page, configure the IPsec-VPN connection with the following information, and select **OK**.

- **Name:** Enter the name of the IPsec-VPN connection.
- **VPN Gateway:** Select the VPN Gateway to connect. If none exists, create a new one.
- **Customer Gateway:** Select the customer gateway to connect. If none exists, create a new one for the P81 gateway public IP.
- **Local Network:** Enter the CIDR block of the VPC to be connected with the on-premises data center. This parameter is used for phase two negotiation.
- **Remote Network:** Enter the CIDR block of the on-premises data center to be connected with the VPC. This parameter is used for phase two negotiation. If you didn't select a specific subnet, the **P81 default is 10.255.0.0/16**.
- **Effective Immediately:** Choose Yes.
- **Advanced Configuration:** IKE Configurations.
  - **Pre-Shared Key:** Enter the pre-shared key used for authentication between the VPN Gateway and the customer gateway. By default, it is an automatically generated value, but you can also specify your own pre-shared key. The same key must be used on the P81 side.
  - **Version:** IKEv1
  - **Negotiation Mode:** Main mode
  - **Encryption Algorithm:** aes256
  - **Authentication Algorithm:** sha1
  - **DH Group:** group2
  - **SA Life Cycle (seconds):** Set the SA lifecycle for phase one negotiation. The default value is 86,400 seconds.
  - **LocalId:** Local VPN Gateway public IP address
  - **RemoteId:** P81 gateway public IP address

**Advanced Configuration: IPSec Configurations**

- **Encryption Algorithm:** aes256
- **Authentication Algorithm:** sha1
- **DH Group:** group2
- **SA Life Cycle (seconds):** Set the SA lifecycle for phase two negotiation. The default value is 86,400 seconds.

**Health Check - Optional**

## Setting access rules in Alibaba security groups

1. Go to the security group that is associated with your server.
2. Add an Allow rule with the 10.255.0.0/16 object to the desired ports.

## Setting routes in Alibaba Cloud

1. Go to your VPN.
2. Select **Route Tables**.
3. Add the following route under the System route table or on your custom route table: 10.255.0.0/16. The next hop should be the VPN Gateway you created for P81.

## Check Point SASE setting

1. Go to the Gateway in your network from which you want to create the tunnel to Alibaba Cloud.
2. Select the three-dotted menu (...) and select **Add Tunnel**.
3. In the **General Settings** section, specify these:
  - **Name:** Set the name for the Tunnel.
  - **Shared Secret:** Enter the same shared secret you set in Alibaba Cloud.
  - **Public IP** and **Remote ID:** Enter the **Alibaba VPN Gateway** public IP address.
  - In **Check Point SASE Gateway Proposal Subnets**, select **Any** or **Specific Subnet**.
  - In **Remote Gateway Proposal Subnets**, enter your Alibaba Cloud subnet/s.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Barracuda_General(7).PNG)
4. In the **Advanced Settings** section, specify these:
  - **IKE Version:** V1
  - **IKE Lifetime:** 8h
  - **Tunnel Lifetime:** 1h
  - **Dead Peer Detection Delay:** 10s
  - **Dead Peer Detection Timeout:** 30s
  - **Phase 1:**
    - **Encryption (Phase 1):** aes256
    - **Integrity (Phase 1):** sha1
    - **Key Exchange Method:** modp1024
  - **Phase 2:**
    - **Encryption (Phase 2):** aes256
    - **Integrity (Phase 2):** sha1
    - **Key Exchange Method:** modp1024  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Alibaba_V1_256_SHA1_1024.PNG)
5. Click **Add Tunnel**.

## Verifying the Setup

After following the above steps, your tunnel should be active. To verify, go to your Check Point SASE dashboard, locate the tunnel you just created, and check the tunnel status. It should indicate that the tunnel is "Up", signifying a successful connection. Next, connect to your network using the Check Point SASE agent and attempt to access one of the resources in your environment.

## Troubleshooting

If you encounter issues during or after the setup, try reviewing your settings to ensure everything matches the instructions. In particular, check the IP addresses and other details you entered during setup. If issues persist, please consult our dedicated support.
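
One way to run that review before opening a ticket is to write down what you entered on each side and compare the two, as in the added example below (not Check Point or Alibaba Cloud tooling). The dictionary keys, the addresses and the key are constructed placeholders; the only console-specific knowledge assumed is that Alibaba Cloud's `group2` and Check Point SASE's `modp1024` name the same 1024-bit Diffie-Hellman group.

```python
import hmac
import ipaddress

# The consoles name the same Diffie-Hellman group differently:
# Alibaba Cloud "group2" is the 1024-bit MODP group, shown as "modp1024" in Check Point SASE.
DH_ALIASES = {"group1": "modp768", "group2": "modp1024",
              "group5": "modp1536", "group14": "modp2048"}
PROPOSAL_KEYS = ("ike_version", "p1_enc", "p1_auth", "p1_dh",
                 "p2_enc", "p2_auth", "p2_dh")

def canon(value):
    """Normalise one proposal value so both naming styles compare equal."""
    v = str(value).strip().lower().replace("ikev", "v")
    return DH_ALIASES.get(v, v)

def compare_tunnel(alibaba, sase):
    """Return a list of mismatches between the two sides (empty list = consistent)."""
    problems = [f"{k}: {alibaba[k]} vs {sase[k]}" for k in PROPOSAL_KEYS
                if canon(alibaba[k]) != canon(sase[k])]
    # The pre-shared key is case-sensitive; compare it without echoing it.
    if not hmac.compare_digest(alibaba["psk"].encode(), sase["psk"].encode()):
        problems.append("psk: values differ")
    if alibaba["local_id"] != sase["remote_id"]:
        problems.append("LocalId on Alibaba != Remote ID on SASE")
    # The route and the security-group rule must cover the Remote Network set on Alibaba.
    remote = ipaddress.ip_network(alibaba["remote_network"])
    for name in ("route_destination", "security_group_source"):
        if not remote.subnet_of(ipaddress.ip_network(alibaba[name])):
            problems.append(f"{name} does not cover {remote}")
    return problems

# Constructed sample values (documentation-range address, placeholder key).
ALIBABA = {"ike_version": "IKEv1", "p1_enc": "aes256", "p1_auth": "sha1", "p1_dh": "group2",
           "p2_enc": "aes256", "p2_auth": "sha1", "p2_dh": "group2",
           "psk": "EXAMPLE-placeholder-key", "local_id": "203.0.113.10",
           "remote_network": "10.255.0.0/16", "route_destination": "10.255.0.0/16",
           "security_group_source": "10.255.0.0/16"}
SASE = {"ike_version": "V1", "p1_enc": "aes256", "p1_auth": "sha1", "p1_dh": "modp1024",
        "p2_enc": "aes256", "p2_auth": "sha1", "p2_dh": "modp1024",
        "psk": "EXAMPLE-placeholder-key", "remote_id": "203.0.113.10"}

if __name__ == "__main__":
    for line in compare_tunnel(ALIBABA, SASE) or ["both sides are consistent"]:
        print(line)
```

An empty result means the proposals, shared secret, IDs and the 10.255.0.0/16 route and rule agree; each string returned names one field to recheck in the corresponding console.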

## Support Contacts

If you have any difficulties or questions, don't hesitate to contact Check Point SASE's support team. We offer 24/7 chat support on our website at [sase.checkpoint.com](https://www.sase.checkpoint.com/), or you can email us at sase-support@checkpoint.com. We're here to assist you and ensure your VPN tunnel setup is a success.
