Configuring a Site-to-Site IPSec Tunnel to Alibaba Cloud

In order to establish Site-To-Site IPSEC VPN connection between Alibaba Cloud and Perimeter 81 please follow the steps below: 

Setting Tunnel on Alibaba Cloud

1. Log in to the VPC console.

2. In the Management Portal on the left side, choose VPN > IPsec Connections.

3. Select a region.

4. On the IPsec Connections page, select Create IPsec Connection.

5. On the Create IPsec Connection page, configure the IPsec-VPN connection with the following information and select OK.

Name - Enter the name of the IPsec-VPN connection.

VPN Gateway - Select the VPN Gateway to connect - If none exists, create a new one.

Customer Gateway - Select the customer gateway to connect - If none exists, create a new one for P81 gateway public IP.

Local Network - Enter the CIDR block of the VPC to be connected with the on-premises data center. This parameter is used for phase two negotiation.

Remote Network - Enter the CIDR block of the on-premises data center to be connected with the VPC. This parameter is used for phase two negotiation (if you didn't select a specific subnet) P81 default is - 10.255.0.0/16.

Effective Immediately - Choose Yes.

Advanced Configuration: IKE Configurations

  • Pre-Shared Key - Enter the pre-shared key used for the authentication between the VPN Gateway and the customer gateway. By default, it is an automatically generated value. But you can also specify a pre-shared key - this key should be used also in P81 side
  • Version - IKEv1
  • Negotiation Mode - Main mode
  • Encryption Algorithm - aes256
  • Encryption Algorithm - sha1
  • DH Group - group2
  • SA Life Cycle (seconds) - Set the SA lifecycle for phase one negotiation. The default value is
    86,400 seconds
  • LocalId - Local VPN Gateway public IP address
  • RemoteId - P81 gateway public IP address

Advanced Configuration: IPSec Configurations

  • Encryption Algorithm - aes256
  • Authentication Algorithm. - sha1
  • DH Group - group2
  • SA Life Cycle (seconds) - Set the SA lifecycle for phase two negotiation. Default value: 86,400s

Health Check - Optional

 

Setting Access rules in Alibaba Security Groups

1. Go to your security group that is associated with your server.

2. Add Allow rule with 10.255.0.0/16 object to the desired ports.

 

Setting Routes in Alibaba Cloud

1. Go to your VPN.

2. Select Route Tables.

3. Add the following route under the System route table or on your custom route table: 10.255.0.0/16 - The next hop should be the VPN Gateway you created for P81. 

Perimeter81 Setting

1. Go to the Gateway in your network from which you want to create the tunnel to Alibaba Cloud.

2. Select the three-dotted menu (...) and select Add Tunnel.

Name - Set the name for the Tunnel.

Shared Secret - Put the same Shared secret you set in Alibaba Cloud.

Public IP and Remote ID - enter AliBaba VPN Gateway Public IP address.

In Perimeter 81 Gateway Proposal Subnets, select Any or Specific Subnet.

In Remote Gateway Proposal Subnets put your Alibaba Cloud subnet/s.

Advanced Settings:

  • IKE Version - V1
  • IKE Lifetime - 8h
  • Tunnel Lifetime - 1h
  • Dead Peer Detection Delay - 10s
  • Dead Peer Detection Timeout - 30s
  • Encryption (Phase 1) - aes256
  • Encryption (Phase 2) - aes256
  • Integrity (Phase 1) - sha1
  • Integrity (Phase 2) - sha1
  • Deffie-Hellman Groups (Phase 1) - 2
  • Deffie-Hellman Groups (Phase 1) - 2
    • Select Add Tunnel
0 out of 0 found this helpful

Comments

0 comments

Please sign in to leave a comment.