VPN

What is VPN?

VPN is an abbreviation for Virtual Private Network. As the name suggests, it is a virtual network created over the internet or another public network between two or more physical networks (or devices) to form an extended private network. This lets users and devices send and receive data as if they were on one directly connected private network, so applications in a VPN get the same functionality and can be managed in the same way as in a private network.
Note: The CIDRs of the local vRouter and of the Alibaba Cloud VPC that communicate through the IPsec VPN cannot overlap with each other.

Scenario

Figure 1. IPsec VPN Scenario


Main Procedures

To use an IPsec VPN in ZStack Cloud to connect the local VPC and an Alibaba Cloud VPC, follow these steps:
  1. In ZStack Cloud Hybrid Cloud Management, add a region, zone, VPC, and vSwitch associated with the VPC, in that order.
  2. Purchase a VPN gateway in the Alibaba Cloud Console.
  3. Create a Private Cloud VM instance on the VPC network.
  4. Create an ECS instance.
  5. Follow the Quick Start Wizard to establish a VPN connection.
    1. Select the purchased VPN gateway. The system determines the region, zone, VPC, and vSwitch corresponding to the VPN gateway.
    2. Finish the connection configuration: Select the VPC vRouter automatically created when you created the local VM instance. Select the public network and the VPC network to which the VPC vRouter is attached, and enter the pre-shared key. Advanced parameters are configured automatically. We recommend that you do not change these default values.
    3. After the connection configuration, ZStack Cloud automatically finishes the following actions:
      1. Selects an available VIP on the public network corresponding to the VPC vRouter.
      2. Uses this VIP to create a VPN customer gateway.
      3. Establishes a VPN connection on Alibaba Cloud.
      4. Configures routes for the Alibaba Cloud VPC virtual router. The destination CIDR is the CIDR of the VPC network to which the local VPC vRouter is attached. The next hop is the VPN gateway.
      5. Establishes an IPsec connection on ZStack Cloud Private Cloud.
  6. Check whether the local VM instance and the ECS instance can ping each other. If so, the IPsec VPN has been created successfully.

Manage a VPN Gateway

On the main menu of ZStack Cloud Hybrid Cloud Management, choose VPN > VPN Gateway. Then, the VPN Gateway page is displayed.

The following lists the actions you can perform on a VPN gateway:
Action               Description
Edit VPN Gateway     Edit the name and description of a VPN gateway.
Delete VPN Gateway   Delete a VPN gateway.
Note: By default, only the local record of the VPN gateway is deleted. You cannot delete the VPN gateway on Alibaba Cloud from here.

Create a VPN Customer Gateway

On the main menu of ZStack Cloud Hybrid Cloud Management, choose VPN > VPN Customer Gateway. On the VPN Customer Gateway page, click Create VPN Customer Gateway. Then, the Create VPN Customer Gateway page is displayed.

On the displayed page, set the following parameters:
  • Name: Enter a name for the VPN customer gateway.
  • Description: Optional. Enter a description for the VPN customer gateway.
  • ZStack IP: Enter a VIP on the public network corresponding to the local VPC vRouter. You need to create the VIP on ZStack Cloud Private Cloud in advance.
  • Region: Select the region in which the VPN gateway resides.
Figure 1. Create a VPN Customer Gateway


Manage a VPN Customer Gateway

On the main menu of ZStack Cloud Hybrid Cloud Management, choose VPN > VPN Customer Gateway. Then, the VPN Customer Gateway page is displayed.

The following lists the actions you can perform on a VPN customer gateway.
Action                        Description
Edit VPN Customer Gateway     Edit the name and description of a VPN customer gateway.
Create VPN Customer Gateway   Create a VPN customer gateway.
Delete VPN Customer Gateway   Delete a VPN customer gateway.
Note: By default, only the local record of the VPN customer gateway is deleted. If you want to delete the VPN customer gateway on Alibaba Cloud as well, select the Delete Resources on Alibaba Cloud checkbox.

Establish a VPN Connection

On the main menu of ZStack Cloud Hybrid Cloud Management, choose VPN > VPN Connection. On the VPN Connection page, click Establish VPN Connection. Then, the Establish VPN Connection page is displayed.

On the displayed page, set the following parameters:
  • Name: Enter a name for the VPN connection.
  • Description: Optional. Enter a description for the VPN connection.
  • VPC vRouter: Select a VPC vRouter for the VPN connection. You can select multiple L3 networks attached to the VPC vRouter to establish the VPN connection.
    Note: If you select multiple L3 networks to establish the VPN connection, an IPsec tunnel carrying multiple subnets is created locally and multiple VPN connections are created on Alibaba Cloud.
  • Private Network (ZStack): Select L3 networks attached to the VPC vRouter. You can select multiple L3 networks.
  • VPN Gateway (Alibaba Cloud): Select a purchased Alibaba Cloud VPN gateway.
  • Customer Gateway (Alibaba Cloud): Select an Alibaba Cloud Customer Gateway.
  • Pre-Shared Key: We recommend that you set a strong key.
  • Advanced: We recommend that you do not change the default values of the advanced parameters, because they ensure intercommunication between the local VPC network and the Alibaba Cloud VPC.
    • IPSec SA Lifetime: 86400 (Default). Unit: second.
    • IPsec Encoding Algorithm: 3des (Default).
    • IPsec Authentication Algorithm: sha1 (Default).
    • IPsec DH Group: group2 (Default).
    • IKE SA Lifetime: 86400 (Default). Unit: second.
    • IKE IP of Alibaba Cloud: The Alibaba Cloud VPN gateway IP is automatically entered here.
    • IKE IP of ZStack: The Alibaba Cloud customer gateway IP is automatically entered here.
    • IKE Version: ikev1 (Default).
    • IKE Negotiation Mode: main (Default).
    • IKE Encoding Algorithm: 3des (Default).
    • IKE Authentication Algorithm: sha1 (Default).
    • IKE DH Group: group2 (Default).
Figure 1. Create a VPN Connection
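As an added example (not ZStack's or Alibaba Cloud's code), the following Python pre-flight check reviews a planned connection against the two requirements this page states: the local vRouter CIDRs and the Alibaba Cloud VPC CIDRs must not overlap, and the pre-shared key should be strong. It also compares the IKE/IPsec parameters against the defaults listed above and flags older algorithms; the legacy list, the key-strength thresholds, and the sample CIDRs are assumptions, not values from the page.

```python
import ipaddress

# Advanced parameters exactly as the Establish VPN Connection page lists them.
PAGE_DEFAULTS = {
    "ike_version": "ikev1", "ike_mode": "main",
    "ike_enc": "3des", "ike_auth": "sha1", "ike_dh": "group2",
    "ipsec_enc": "3des", "ipsec_auth": "sha1", "ipsec_dh": "group2",
    "ike_lifetime": 86400, "ipsec_lifetime": 86400,
}

# Assumed review policy (not from the page): values a reviewer flags as legacy.
LEGACY = {"des", "3des", "md5", "sha1", "group1", "group2", "ikev1"}


def cidr_conflicts(local_cidrs, remote_cidrs):
    """Return (local, remote) CIDR pairs that overlap; the page requires none."""
    local = [ipaddress.ip_network(c, strict=False) for c in local_cidrs]
    remote = [ipaddress.ip_network(c, strict=False) for c in remote_cidrs]
    return [(str(a), str(b)) for a in local for b in remote if a.overlaps(b)]


def psk_is_strong(psk, min_len=20, min_distinct=10):
    """Length/diversity heuristic for the pre-shared key (thresholds assumed)."""
    return len(psk) >= min_len and len(set(psk)) >= min_distinct


def review_connection(local_cidrs, remote_cidrs, psk, params=None):
    """Pre-flight review of one planned connection; `params` overrides PAGE_DEFAULTS."""
    merged = {**PAGE_DEFAULTS, **(params or {})}
    findings = [f"CIDR overlap: local {a} vs Alibaba Cloud VPC {b}"
                for a, b in cidr_conflicts(local_cidrs, remote_cidrs)]
    if not psk_is_strong(psk):
        findings.append("pre-shared key is short or low-diversity")
    for name, value in merged.items():
        if str(value).lower() in LEGACY:
            findings.append(f"{name}={value} is a legacy algorithm or version")
    for name in ("ike_lifetime", "ipsec_lifetime"):
        if int(merged[name]) > 86400:
            findings.append(f"{name}={merged[name]} s exceeds the 86400 s default")
    return findings


if __name__ == "__main__":
    # Constructed sample: two local L3 networks selected on the VPC vRouter,
    # one Alibaba Cloud VPC CIDR, and a key that should be rejected.
    for line in review_connection(["10.10.0.0/24", "172.16.5.0/24"],
                                  ["172.16.0.0/16"], "zstack-demo"):
        print(line)
```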


Manage a VPN Connection

On the main menu of ZStack Cloud Hybrid Cloud Management, choose VPN > VPN Connection. Then, the VPN Connection page is displayed.

The following lists the actions you can perform on a VPN connection.
Action                     Description
Edit VPN Connection        Edit the name and description of a VPN connection.
Establish VPN Connection   Establish a VPN connection.
Delete VPN Connection      Delete a VPN connection.
Note:
  • By default, only the local record of the VPN connection is deleted. If you want to delete the VPN connection on Alibaba Cloud as well, select the Delete Resources on Alibaba Cloud checkbox.
  • If you fail to establish an IPsec VPN, or the IPsec VPN does not enable intercommunication between the local VPC and the Alibaba Cloud VPC and you want to reconfigure it, delete this VPN connection and check the following points:
    • Check whether the local VIP used to create the IPsec connection is still occupied. If it is, delete this VIP.
    • Check whether the Alibaba Cloud VPN connection still exists. If so, delete the VPN connection both locally and from Alibaba Cloud.
    • Check whether the Alibaba Cloud VPN customer gateway has been assigned a duplicate IP address. If so, delete the IP address both locally and from Alibaba Cloud.
    • Check whether the Alibaba Cloud VPC virtual router still has a route rule for the VPC network of ZStack Cloud Private Cloud. If so, delete the route rule.