Updated on 2025-08-19 GMT+08:00

Configuration on the Alibaba Cloud Console

Prerequisites

A VPC and its subnets have been created on Alibaba Cloud.

Procedure

  1. Log in to the Alibaba Cloud console.
  2. Choose Products and Services > Network & CDN > Hybrid cloud-network > VPN Gateway.
  3. Configure a VPN gateway.

    1. Click Create VPN Gateway.
    2. Set parameters as prompted.

      Table 1 describes the parameters for configuring a VPN gateway. For other parameters, use their default settings.

      Table 1 Parameters for creating a VPN gateway

      | Parameter | Description | Value |
      |---|---|---|
      | InstanceName | Name of a VPN gateway. | vpngw-ali |
      | VPC | Select VPC information. | vpc-ali |
      | Bandwidth | VPN forwarding bandwidth specification. | 5Mbps |
      | IPsec-VPN | - | Enabled |
      | SSL-VPN | - | Disabled |
      | Billing Cycle | Specifies the required duration of the VPN gateway. | 1 Month |

  4. Configure a customer gateway.

    1. Choose VPN > Customer gateway, and click Create Customer Gateway.
    2. Set parameters as prompted.

      Table 2 only describes the key parameters for configuring a customer gateway. For other parameters, use their default settings.

      Table 2 Parameters for creating a customer gateway

      | Parameter | Description | Value |
      |---|---|---|
      | Name | Name of the Huawei VPN gateway. | cgw-hw01 |
      | IP address | Active EIP of the Huawei Cloud VPN gateway. | 1.1.1.2 |

    3. Repeat the preceding steps to configure the customer gateway corresponding to active EIP 2 of the Huawei Cloud VPN gateway.

  5. Configure VPN connections.

    1. Choose VPN > IPsec Connections and click Create IPsec Connection.
    2. Set parameters as prompted.

      Table 3 describes the key parameters for configuring a VPN connection. For other parameters, use their default settings.

      Table 3 Description of key VPN connection parameters

      | Module | Parameter | Description | Value |
      |---|---|---|---|
      | - | Name | VPN connection name. | vpn-ali |
      | - | Bind Resource to VIP Subnet | Select a VPN gateway. | VPN gateway |
      | - | VPN gateway | Select Alibaba Cloud VPN gateway. | vpngw-ali |
      | - | User gateway address | Select the Huawei Cloud VPN gateway. | cgw-hw01 |
      | - | Routing Mode | Select Destination Route Mode. | Destination routing mode |
      | - | Immediately effective | - | Yes |
      | - | Pre-shared key | The value must be the same as the pre-shared key set in Table 3. | Set this parameter based on the site requirements. |
      | - | Advanced Settings | - | Enabled |
      | IKE policy | Version | Must be the same as in the IKE policy configured in Table 3. | IKEv2 |
      | IKE policy | Negotiation Mode | Must be the same as in the IKE policy configured in Table 3. | main |
      | IKE policy | Encryption Algorithm | Must be the same as in the IKE policy configured in Table 3. | AES-128 |
      | IKE policy | Authentication Algorithm | Must be the same as in the IKE policy configured in Table 3. | SHA2-256 |
      | IKE policy | DH group | Must be the same as in the IKE policy configured in Table 3. | Group 14 |
      | IKE policy | SA lifetime | Must be the same as in the IKE policy configured in Table 3. | 86400 |
      | IKE policy | LocalId | Must be the same as in the IKE policy configured in Table 3. | 1.1.1.1 |
      | IKE policy | RemoteId | Must be the same as in the IKE policy configured in Table 3. | 1.1.1.2 |
      | IPsec policy | Encryption Algorithm | Must be the same as in the IPsec policy configured in Table 3. | AES-128 |
      | IPsec policy | Authentication Algorithm | Must be the same as in the IPsec policy configured in Table 3. | SHA2-256 |
      | IPsec policy | DH group | Must be the same as in the IPsec policy configured in Table 3. | Group 14 |
      | IPsec policy | SA lifetime | Must be the same as in the IPsec policy configured in Table 3. | 3600 |
      | IPsec policy | DPD | Must be the same as in the IPsec policy configured in Table 3. | enabled |
      | IPsec policy | NAT traversal | Must be the same as in the IPsec policy configured in Table 3. NOTE: The NAT traversal function must be enabled. | enabled |
      | Health Check | Health check | - | enabled |
      | Health Check | Target IP address | Private IP address of the server in the Huawei Cloud VPC subnet. The value is only an example. | 192.168.0.10 |
      | Health Check | Source IP address | Private IP address of the server in the Alibaba Cloud VPC subnet. The value is only an example. | 172.16.0.10 |
      | Health Check | Retry interval | - | 3 |
      | Health Check | Retry counts | - | 3 |

    3. Repeat the preceding steps to configure a VPN connection for the customer gateway (cgw-hw02) corresponding to active EIP 2 of the Huawei Cloud VPN gateway.

  6. Configure routes.

    You need to add a route to the Huawei Cloud VPC subnet on Alibaba Cloud.
    1. Choose VPN > VPN Gateway.
    2. Click the name of the target VPN gateway. On the Destination Routing Table tab page, click Add Route Entry.
    3. Set parameters as prompted.
      • Configure a route to the active EIP, as described in Table 4.
        Table 4 Parameters for configuring a route to the active EIP

        | Parameter | Description | Value |
        |---|---|---|
        | Destination network segment | Local subnet of the Huawei Cloud VPN gateway. If there are multiple local subnets, create multiple routes. | 192.168.0.0/24 |
        | Next-hop type | Select IPsec Connection. | IPsec connection |
        | Next Hop | Select Alibaba Cloud VPN gateway. | vpn-ali/xxxxxxxxx |
        | Publish to VPC | - | Yes |
        | Weight Value | - | 100 |

      • Configure a route to active EIP 2, as described in Table 5.
        Table 5 Parameters for configuring a route to active EIP 2

        | Parameter | Description | Value |
        |---|---|---|
        | Destination network segment | Local subnet of the Huawei Cloud VPN gateway. If there are multiple local subnets, create multiple routes. | 192.168.0.0/24 |
        | Next-hop type | Select IPsec Connection. | IPsec connection |
        | Next Hop | Select Alibaba Cloud VPN gateway. | vpn-ali/xxxxxxxxx |
        | Publish to VPC | - | Yes |
        | Weight Value | - | 0 |
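
Table 3 requires the IKE policy, IPsec policy and pre-shared key to match the Huawei Cloud side, with NAT traversal enabled. The following pre-flight check is an added example, not part of the original documentation: the dictionary layout and function names are assumptions, the Alibaba-side values are those in Table 3, and the pre-shared key is a constructed placeholder. It treats LocalId and RemoteId as mirrored between the two sides rather than identical.

```python
import copy
import hmac

# Alibaba-side values from Table 3; the PSK is a constructed placeholder.
ALI_SIDE = {
    "ike": {"version": "IKEv2", "mode": "main", "encryption": "AES-128",
            "authentication": "SHA2-256", "dh_group": "Group 14",
            "lifetime": 86400, "local_id": "1.1.1.1", "remote_id": "1.1.1.2"},
    "ipsec": {"encryption": "AES-128", "authentication": "SHA2-256",
              "dh_group": "Group 14", "lifetime": 3600},
    "nat_traversal": True,
    "psk": "constructed-example-psk",
}

def _norm(value):
    # Ignore case, spaces and hyphens so 'SHA2-256' equals 'sha2256'.
    return value.replace("-", "").replace(" ", "").lower() if isinstance(value, str) else value

def mirrored_peer(side):
    """Build the matching peer view: same proposals, IDs swapped."""
    peer = copy.deepcopy(side)
    ike = peer["ike"]
    ike["local_id"], ike["remote_id"] = ike["remote_id"], ike["local_id"]
    return peer

def compare_sides(local, peer):
    """Return mismatches between the two sides; [] means consistent."""
    problems = []
    for policy in ("ike", "ipsec"):
        for key, value in local[policy].items():
            if key in ("local_id", "remote_id"):
                continue  # checked below: IDs are mirrored, not equal
            other = peer[policy].get(key)
            if _norm(value) != _norm(other):
                problems.append(f"{policy}.{key}: {value!r} != {other!r}")
    if local["ike"]["local_id"] != peer["ike"]["remote_id"]:
        problems.append("ike.local_id does not match peer remote_id")
    if local["ike"]["remote_id"] != peer["ike"]["local_id"]:
        problems.append("ike.remote_id does not match peer local_id")
    for name, side in (("local", local), ("peer", peer)):
        if not side["nat_traversal"]:
            problems.append(f"{name}: NAT traversal disabled")
    # Constant-time comparison; the key itself is never put in the report.
    if not hmac.compare_digest(local["psk"].encode(), peer["psk"].encode()):
        problems.append("psk: values differ")
    return problems

if __name__ == "__main__":
    print(compare_sides(ALI_SIDE, mirrored_peer(ALI_SIDE)) or "consistent")
```

Replace the mirrored peer with the values actually configured on the Huawei Cloud side before relying on the result.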