Updated on 2025-08-19 GMT+08:00

Configuration on the Alibaba Cloud Console

Prerequisites

A VPC and its subnets have been created on Alibaba Cloud.

Procedure

  1. Log in to the Alibaba Cloud console.
  2. Choose Products and Services > Network & CDN > Hybrid cloud-network > VPN Gateway.
  3. Configure a VPN gateway.

    1. Choose VPN > VPN Gateways and click Buy VPN Gateway.
    2. Set parameters as prompted.

      Table 1 describes the VPN gateway parameters. For other parameters, use their default settings.

      Table 1 Key parameters for creating a VPN gateway

      | Parameter | Description | Value |
      |---|---|---|
      | InstanceName | Name of a VPN gateway. | vpngw-ali |
      | Region | Regions are geographic areas that are physically isolated from each other. The networks inside different regions are not connected to each other, so resources cannot be shared across regions. For low network latency and fast resource access, select the region nearest to you. | CN North-Beijing2 |
      | VPC | Select VPC information. | vpc-ali |
      | Bandwidth | VPN forwarding bandwidth specification. | 5Mbps |
      | IPsec-VPN | - | Enabled |
      | SSL-VPN | - | Disabled |
      | Billing Cycle | Specifies the required duration of the VPN gateway. | One month |

  4. Configure a customer gateway.

    1. Choose VPN > Customer gateway, and click Create Customer Gateway.
    2. Set parameters as prompted.

      Table 2 describes the customer gateway parameters. For other parameters, use their default settings.

      Table 2 Parameters for creating a customer gateway

      | Parameter | Description | Value |
      |---|---|---|
      | Name | Name of the Huawei VPN gateway. | cgw-hw01 |
      | IP address | IP address used by the Huawei Cloud VPN gateway to communicate with the active EIP of the Alibaba Cloud VPN gateway. | 1.1.1.2 |
      | AS number | BGP AS number. The value must be the same as the BGP ASN set in Table 1. | 64512 |

    3. Configure the customer gateway corresponding to the standby EIP of the Huawei Cloud VPN gateway by referring to step 2.

  5. Configure VPN connections.

    1. Choose VPN > IPsec Connections and click Create IPsec Connection.
    2. Set parameters as prompted.

      Parameters of the VPN connection are described in Table 3. For other parameters, use their default settings.

      Table 3 Description of key VPN connection parameters

      | Module | Parameter | Description | Value |
      |---|---|---|---|
      | - | Name | Name of a VPN connection. | vpn-ali |
      | | Bind Resource to VIP Subnet | Select a VPN gateway. | VPN gateway |
      | | VPN Gateway | Select the Alibaba Cloud VPN gateway. | vpngw-ali |
      | | Customer gateway | Select the Huawei Cloud VPN gateway. | cgw-hw01 |
      | | Routing Mode | Select the destination routing mode. | Destination routing mode |
      | | Immediately effective | - | Yes |
      | | Pre-shared key | The value must be the same as the pre-shared key of the Huawei Cloud VPN connection. | Set this parameter based on the site requirements. |
      | | Advanced Settings | - | Enabled |
      | IKE configuration | Version | The IKE configuration must be the same as the IKE Policy of the Huawei Cloud VPN connection. | IKEv2 |
      | | Negotiation Mode | | main |
      | | Encryption Algorithm | | AES-128 |
      | | Authentication Algorithm | | SHA2-256 |
      | | DH group | | Group 14 |
      | | SA lifetime | | 86400 |
      | | LocalId | | 1.1.1.1 |
      | | RemoteId | | 1.1.1.2 |
      | IPsec configuration | Encryption Algorithm | The IPsec configuration must be the same as the IPsec Policy of the Huawei Cloud VPN connection. NOTE: The NAT traversal function must be enabled. | AES-128 |
      | | Authentication Algorithm | | SHA2-256 |
      | | DH group | | Group 14 |
      | | SA lifetime | | 3600 |
      | | DPD | | Enabled |
      | | NAT traversal | | Enabled |
      | BGP Configuration | BGP Configuration | - | Enabled |
      | | Tunnel CIDR block | The value must be the same as the tunnel interface CIDR block configured in Table 3. | 169.254.70.0/30 |
      | | Local BGP address | The value must be the same as the peer interface address configured in Table 3. | 169.254.70.1 |
      | | Local Autonomous System Number | The value must be the same as the BGP ASN set in Table 2. | 65515 |
      | Health Check | Health Check | - | Enabled |
      | | Destination IP address | Private IP address of the server in the Huawei Cloud VPC subnet. The value is only an example. | 192.168.0.10 |
      | | Source IP address | Private IP address of the server in the Alibaba Cloud VPC subnet. The value is only an example. | 172.16.0.10 |
      | | Retry interval | - | 3 |
      | | Retry counts | - | 3 |

    3. Repeat the preceding steps to configure a VPN connection for the customer gateway (cgw-hw02) corresponding to the standby EIP of the Huawei Cloud VPN gateway.

  6. Configure routes.

    BGP routes cannot be automatically advertised to the VPC. You need to configure a static route to the VPN gateway.

    1. Select Route Table.
    2. Click the name of a route table. On the Route List > Custom Routes tab page, click Add Route.
    3. Set parameters as prompted.

      Table 4 Route table parameters

      | Parameter | Description | Value |
      |---|---|---|
      | Destination network segment | Local subnet of the Huawei Cloud VPN gateway. If there are multiple local subnets, create multiple routes. | 192.168.0.0/24 |
      | Next-hop type | Select a VPN gateway. | VPN Gateway |
      | Next Hop | Select the Alibaba Cloud VPN gateway. | vpn-ali/xxxxxxxxx |
      | Publish to VPC | - | Yes |
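
The tables above repeatedly require that the Alibaba Cloud settings match the Huawei Cloud VPN connection (pre-shared key, IKE and IPsec policies, IDs, BGP values). The following pre-flight check is an added example, not part of the original procedure or of either vendor's tooling. The dictionary layout and the name check_pair are hypothetical; the Huawei-side tunnel address 169.254.70.2, the mirrored IDs and the pre-shared key placeholder are assumptions.

```python
import hmac
import ipaddress

def check_pair(ali, hw):
    """Return a list of mismatches between the two sides of one tunnel."""
    problems = []
    for policy in ("ike", "ipsec"):
        for key in sorted(set(ali[policy]) | set(hw[policy])):
            left, right = ali[policy].get(key), hw[policy].get(key)
            if left != right:
                problems.append(f"{policy}.{key}: {left} != {right}")
    # Never echo the key itself; only report that the two values differ.
    if not hmac.compare_digest(ali["psk"].encode(), hw["psk"].encode()):
        problems.append("psk: values differ")
    if (ali["local_id"], ali["remote_id"]) != (hw["remote_id"], hw["local_id"]):
        problems.append("ids: LocalId/RemoteId are not mirrored")
    if (ali["local_asn"], ali["peer_asn"]) != (hw["peer_asn"], hw["local_asn"]):
        problems.append("bgp: AS numbers are not mirrored")
    if not ali["nat_traversal"]:
        problems.append("ipsec: NAT traversal is disabled")
    hosts = set(ipaddress.ip_network(ali["tunnel_cidr"]).hosts())
    a_ip, h_ip = (ipaddress.ip_address(s["bgp_local_ip"]) for s in (ali, hw))
    if ali["tunnel_cidr"] != hw["tunnel_cidr"] or a_ip == h_ip or not {a_ip, h_ip} <= hosts:
        problems.append("bgp: tunnel addresses do not fit the tunnel CIDR block")
    if ipaddress.ip_address(ali["health_dst"]) not in ipaddress.ip_network(ali["route_dest"]):
        problems.append("route: health check destination is outside the static route")
    return problems

# Constructed sample: Alibaba-side values are the example values from Tables 2-4;
# the Huawei side is assumed to mirror them. The PSK is a placeholder.
POLICY = {"ike": {"version": "IKEv2", "mode": "main", "enc": "AES-128",
                  "auth": "SHA2-256", "dh": 14, "lifetime": 86400},
          "ipsec": {"enc": "AES-128", "auth": "SHA2-256", "dh": 14, "lifetime": 3600}}
ALI = {**POLICY, "psk": "EXAMPLE-PSK", "local_id": "1.1.1.1", "remote_id": "1.1.1.2",
       "local_asn": 65515, "peer_asn": 64512, "nat_traversal": True,
       "tunnel_cidr": "169.254.70.0/30", "bgp_local_ip": "169.254.70.1",
       "route_dest": "192.168.0.0/24", "health_dst": "192.168.0.10"}
HW = {**ALI, "local_id": "1.1.1.2", "remote_id": "1.1.1.1",
      "local_asn": 64512, "peer_asn": 65515, "bgp_local_ip": "169.254.70.2"}

if __name__ == "__main__":
    print(check_pair(ALI, HW) or "both sides match")
```

Run the same check a second time with the values for the standby connection (cgw-hw02) before creating it.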