Updated on 2025-08-19 GMT+08:00

Configuration on the Alibaba Cloud Console

Prerequisites

A VPC and its subnets have been created on Alibaba Cloud.

Procedure

  1. Log in to the Alibaba Cloud console.
  2. Choose Products and Services > Network & CDN > Hybrid cloud-network > VPN Gateway.
  3. Configure a VPN gateway.

    1. Choose VPN > VPN Gateways and click Buy VPN Gateway.
    2. Set parameters as prompted.

      Table 1 describes the VPN gateway parameters. For other parameters, use their default settings.

      Table 1 Parameters for creating a VPN gateway

      | Parameter | Description | Value |
      |---|---|---|
      | InstanceName | Name of a VPN gateway. | vpngw-ali |
      | VPC | Select VPC information. | vpc-ali |
      | Bandwidth | VPN forwarding bandwidth specification. | 5Mbps |
      | IPsec-VPN | - | Enabled |
      | SSL-VPN | - | Disabled |
      | Billing Cycle | Specifies the required duration of the VPN gateway. | One month |

  4. Configure a customer gateway.

    1. Choose VPN > Customer gateway, and click Create Customer Gateway.
    2. Set parameters as prompted.

      Table 2 describes the customer gateway parameters. For other parameters, use their default settings.

      Table 2 Parameters for creating a customer gateway

      | Parameter | Description | Value |
      |---|---|---|
      | Name | Name of the Huawei VPN gateway. | cgw-hw01 |
      | IP address | Active EIP of the Huawei Cloud VPN gateway. | 1.1.1.2 |

    3. Configure a customer gateway for the standby EIP of the Huawei Cloud VPN gateway by referring to step 2.

  5. Configure VPN connections.

    1. Choose VPN > IPsec Connections and click Create IPsec Connection.
    2. Set parameters as prompted.

      Parameters of the VPN connection are described in Table 3. For other parameters, use their default settings.

      Table 3 Description of key VPN connection parameters

      | Module | Parameter | Description | Value |
      |---|---|---|---|
      | - | Name | VPN connection name. | vpn-ali |
      | | VPN Gateway | Select the Alibaba Cloud VPN gateway. | vpngw-ali |
      | | Customer gateway | Select the Huawei Cloud VPN gateway. | cgw-hw01 |
      | | Local CIDR Block | VPC subnet on Alibaba Cloud. | 172.16.0.0/24 |
      | | Peer Network | Subnet of the Huawei Cloud VPC. See the NOTE below the table. | 192.168.0.0/24 |
      | | Immediately effective | - | Yes |
      | | Pre-shared key | The value must be the same as the pre-shared key specified by Table 3. | Set this parameter based on the site requirements. |
      | | Advanced Settings | - | Enabled |
      | IKE configuration | Version | The value must be the same as the IKE policy configured in Table 3. | IKEv2 |
      | | Negotiation Mode | | main |
      | | Encryption Algorithm | | AES-128 |
      | | Authentication Algorithm | | SHA2-256 |
      | | DH group | | Group 14 |
      | | SA lifetime | | 86400 |
      | | LocalId | | 1.1.1.1 |
      | | RemoteId | | 1.1.1.2 |
      | IPsec configuration | Encryption Algorithm | The value must be the same as the IPsec policy configured in Table 3. | AES-128 |
      | | Authentication Algorithm | | SHA2-256 |
      | | DH group | | Group 14 |
      | | SA lifetime | | 3600 |
      | Health check | Health check | - | Enabled |
      | | Destination IP address | Private IP address of the server in the Huawei Cloud VPC subnet. The value is only an example. | 192.168.0.10 |
      | | Source IP address | Private IP address of the server in the Alibaba Cloud VPC subnet. The value is only an example. | 172.16.0.10 |
      | | Retry interval | - | 3 |
      | | Retry attempts | - | 3 |

      NOTE (Peer Network):

      If there are multiple local or peer CIDR blocks, you need to create a VPN connection from each local CIDR block to each peer CIDR block. The total number of VPN connections to be created is the number of local CIDR blocks multiplied by the number of peer CIDR blocks.

      For example, if there are two local CIDR blocks and three peer CIDR blocks, you need to create 2 x 3 VPN connections on Alibaba Cloud.

    3. Repeat the preceding steps to configure a VPN connection for the customer gateway (cgw-hw02) corresponding to the standby EIP of the Huawei Cloud VPN gateway.

  6. Configure routes.

    You need to add a route to the Huawei Cloud VPC subnet on Alibaba Cloud.
    1. Choose VPN > VPN Gateway.
    2. Click the name of the target VPN gateway. On the Destination Routing Table tab page, click Add Route Entry.
    3. Set parameters as prompted.
      • Configure the route to the active EIP, as described in Table 4.
        Table 4 Parameters of the route table to the active EIP

        | Parameter | Description | Value |
        |---|---|---|
        | Destination network segment | Local subnet of the Huawei Cloud VPN gateway. If there are multiple local subnets, create multiple routes. | 192.168.0.0/24 |
        | Next-hop type | Select IPsec Connection. | IPsec connection |
        | Next Hop | Select Alibaba Cloud VPN gateway. | vpn-ali/xxxxxxxxx |
        | Publish to VPC | - | Yes |
        | Weight Value | - | 100 |

      • Configure the route to the standby EIP, as described in Table 5.
        Table 5 Parameters for configuring the route table of the standby EIP

        | Parameter | Description | Value |
        |---|---|---|
        | Destination network segment | Local subnet of the Huawei Cloud VPN gateway. If there are multiple local subnets, create multiple routes. | 192.168.0.0/24 |
        | Next-hop type | Select IPsec Connection. | IPsec connection |
        | Next Hop | Select Alibaba Cloud VPN gateway. | vpn-ali/xxxxxxxxx |
        | Publish to VPC | - | Yes |
        | Weight Value | - | 0 |
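
Table 3 requires the IKE and IPsec settings to match the Huawei Cloud side, and its NOTE requires one connection per local/peer CIDR pair; both can be checked before the values are typed into the console. The script below is an added example, not part of the original page or of either vendor's tooling. Its dictionary keys are its own, and the Huawei Cloud side is constructed here by mirroring the Table 3 values.

```python
import copy
import ipaddress
from itertools import product

# Alibaba Cloud side: values from Table 3 on this page (key names are this example's own).
ALI = {
    "local_id": "1.1.1.1", "remote_id": "1.1.1.2",
    "local_cidrs": ["172.16.0.0/24"], "peer_cidrs": ["192.168.0.0/24"],
    "ike": {"version": "IKEv2", "mode": "main", "enc": "AES-128",
            "auth": "SHA2-256", "dh": 14, "lifetime": 86400},
    "ipsec": {"enc": "AES-128", "auth": "SHA2-256", "dh": 14, "lifetime": 3600},
    "health": {"src": "172.16.0.10", "dst": "192.168.0.10"},
}

def mirrored(cfg):
    """Constructed peer-side view: same policies, IDs and CIDR blocks swapped."""
    peer = copy.deepcopy(cfg)
    peer["local_id"], peer["remote_id"] = cfg["remote_id"], cfg["local_id"]
    peer["local_cidrs"], peer["peer_cidrs"] = cfg["peer_cidrs"], cfg["local_cidrs"]
    peer.pop("health")  # the peer's own health check is not modelled here
    return peer

def _inside(ip, cidrs):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(c) for c in cidrs)

def preflight(local, peer):
    """Return the settings that differ from what Table 3 requires to match."""
    issues = []
    for phase in ("ike", "ipsec"):
        for key, value in local[phase].items():
            if peer[phase].get(key) != value:
                issues.append(f"{phase}.{key}: {value!r} != {peer[phase].get(key)!r}")
    if (local["local_id"], local["remote_id"]) != (peer["remote_id"], peer["local_id"]):
        issues.append("LocalId/RemoteId are not mirrored")
    if set(local["local_cidrs"]) != set(peer["peer_cidrs"]) or \
       set(local["peer_cidrs"]) != set(peer["local_cidrs"]):
        issues.append("local/peer CIDR blocks are not mirrored")
    health = local.get("health", {})
    for end, cidrs in (("src", "local_cidrs"), ("dst", "peer_cidrs")):
        if health and not _inside(health[end], local[cidrs]):
            issues.append(f"health-check {end} is outside {cidrs}")
    return issues

def connection_pairs(cfg):
    """One IPsec connection per (local CIDR, peer CIDR) pair, per the NOTE."""
    return list(product(cfg["local_cidrs"], cfg["peer_cidrs"]))

if __name__ == "__main__":
    print(preflight(ALI, mirrored(ALI)) or "no mismatches", connection_pairs(ALI))
```

Replace `mirrored(ALI)` with the values actually configured on the Huawei Cloud VPN connection to compare the two sides.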