Configuration on the Alibaba Cloud Console

Prerequisites

A VPC and its subnets have been created on Alibaba Cloud.

Procedure

1. Log in to the Alibaba Cloud console.
2. Choose Products and Services > Network & CDN > Hybrid cloud-network > VPN Gateway.
3. Configure a VPN gateway.
   1. Click Create VPN Gateway.
   2. Set parameters as prompted.

      Table 1 describes the parameters for configuring a VPN gateway. For other parameters, use their default settings.

      Table 1 Parameters for creating a VPN gateway

      Parameter	Description	Value
      InstanceName	Name of a VPN gateway.	vpngw-ali
      VPC	Select VPC information.	vpc-ali
      Bandwidth	VPN forwarding bandwidth specification.	5Mbps
      IPsec-VPN	-	Enabled
      SSL-VPN	-	Disabled
      Billing Cycle	Specifies the required duration of the VPN gateway.	1 Month

4. Configure a customer gateway.
   1. Choose VPN > Customer gateway, and click Create Customer Gateway.
   2. Set parameters as prompted.

      Table 2 only describes the key parameters for configuring a customer gateway. For other parameters, use their default settings.

      Table 2 Parameters for creating a customer gateway

      Parameter	Description	Value
      Name	Name of the Huawei VPN gateway.	cgw-hw01
      IP address	Active EIP of the Huawei Cloud VPN gateway.	1.1.1.2

   3. Repeat the preceding steps to configure the customer gateway corresponding to active EIP 2 of the Huawei Cloud VPN gateway.

5. Configure VPN connections.
   1. Choose VPN > IPsec Connections and click Create IPsec Connection.
   2. Set parameters as prompted.

      Table 3 describes the key parameters for configuring a VPN connection. For other parameters, use their default settings.

      Table 3 Description of key VPN connection parameters

      Module	Parameter	Description	Value
      -	Name	VPN connection name.	vpn-ali
      	Bind Resource to VIP Subnet	Selecting a VPN gateway	VPN gateway
      	VPN gateway	Select Alibaba Cloud VPN gateway.	vpngw-ali
      	User gateway address	Select the Huawei Cloud VPN gateway.	cgw-hw01
      	Routing Mode	Select Destination Route Mode	Destination routing mode
      	Immediately effective	-	Yes
      	Pre-shared key	The value must be the same as the pre-shared key set in Table 3.	Set this parameter based on the site requirements.
      	Advanced Settings	-	Enabled
      IKE policy	Version	The settings must be the same as those of the IKE policy configured in Table 3.	Version: IKEv2 Negotiation mode: main Encryption Algorithm: AES-128 Authentication algorithm: SHA2-256 DH group: Group 14 SA lifetime: 86400 LocalId: 1.1.1.1 RomoteId: 1.1.1.2
      	Negotiation Mode
      	Encryption Algorithm
      	Authentication Algorithm
      	DH group
      	SA lifetime
      	LocalId
      	RomoteId
      IPsec policy	Encryption Algorithm	The settings must be the same as those of the IPsec policy configured in Table 3. NOTE: The NAT traversal function must be enabled.	Encryption Algorithm: AES-128 Authentication algorithm: SHA2-256 DH group: Group 14 SA lifetime: 3600 DPD: enabled NAT traversal: enabled
      	Authentication Algorithm
      	DH group
      	SA lifetime
      	DPD
      	Establishing an IPsec tunnel in a NAT traversal scenario
      Health Check	Configuring a Health Check	-	Health check: enabled Destination IP address: 192.168.0.10 Source IP address: 172.16.0.10 Retry interval: 3 Retry counts: 3
      	Target IP address.	Private IP address of the server in the Huawei Cloud VPC subnet. The value is only an example.
      	Specifies a source IP address.	Alibaba Cloud Private IP address of the server in the VPC subnet. The value is only an example.
      	Re-execution interval	-
      	Retry times.	-

   3. Repeat the preceding steps to configure a VPN connection for the customer gateway (cgw-hw02) corresponding to active EIP 2 of the Huawei Cloud VPN gateway.

6. Configure routes.
   You need to add a route to the Huawei Cloud VPC subnet on Alibaba Cloud.

   1. Choose VPN > VPN Gateway.
   2. Click the name of the target VPN gateway. On the Destination Routing Table tab page, click Add Route Entry.
   3. Set parameters as prompted.
      • Configure a route to the active EIP, as described in Table 4.

        Table 4 Parameters for configuring a route to the active EIP

        Parameter	Description	Value
        Destination network segment	Local subnet of the Huawei Cloud VPN gateway. If there are multiple local subnets, create multiple routes.	192.168.0.0/24
        Next-hop type.	Select IPsec Connection.	IPsec connection
        Next Hop	Select Alibaba Cloud VPN gateway.	vpn-ali/xxxxxxxxx
        Publish to VPC	-	Yes
        Weight Value	-	100

      • Configure a route to active EIP 2, as described in Table 5.

        Table 5 Parameters for configuring a route to active EIP 2

        Parameter	Description	Value
        Destination network segment	Local subnet of the Huawei Cloud VPN gateway. If there are multiple local subnets, create multiple routes.	192.168.0.0/24
        Next-hop type.	Select IPsec Connection.	IPsec connection
        Next Hop	Select Alibaba Cloud VPN gateway.	vpn-ali/xxxxxxxxx
        Publish to VPC	-	Yes
        Weight Value	-	0