Setting up site-to-site on Alibaba Cloud

Note: If your device/service supports SHA256 and DH group 14, it is recommended to use these settings instead.

1. Log in to the VPC console

2. In the Management Platform on the left side, choose VPN > IPsec Connections

3. Select a region

4. On the IPsec Connections page, select Create IPsec Connection

5. On the Create IPsec Connection page, configure the IPsec-VPN connection with the following information, and select OK

• Name: Enter the name of the IPsec-VPN connection.
• VPN Gateway: Select the VPN Gateway to connect - If none exists, create a new one.
• Customer Gateway: Select the customer gateway to connect. If none exists, create a new one for the IP of your NordLayer dedicated server.
• Local Network: Enter the CIDR block of the VPC to be connected with the on-premises data center. This parameter is used for phase two negotiation.
• Remote Network: Enter the CIDR block of the on-premises data center to be connected with the VPC. This parameter is used for phase two negotiation - 10.6.0.0/20.
• Effective Immediately: Choose Yes.
• Advanced Configuration: IKE Configurations.
• Pre-Shared Key: Enter the pre-shared key used for the authentication between the VPN Gateway and your service. By default, it is an automatically generated value. But you can also specify a pre-shared key. Please note that we will need this value as well.
• Version: IKEv1
• Negotiation Mode: Main mode
• Encryption Algorithm: aes256
• Encryption Algorithm: sha1
• DH Group: group2
• SA Life Cycle (seconds): Set the SA lifecycle for phase one negotiation. Set it to 28800 seconds.
• LocalId: Local VPN Gateway public IP address
• RemoteId: the IP of your NordLayer dedicated server

Advanced Configuration: IPSec Configurations

• Encryption Algorithm: aes256
• Authentication Algorithm: sha1
• DH Group: group2
• SA Life Cycle (seconds): Set the SA lifecycle for phase two negotiation. Set it to 3600 seconds.
• Health Check - Optional

Setting access rules in Alibaba security groups

1. Go to your security group that is associated with your server

2. Add Allow rule with 10.6.0.0/16 object to the desired ports

Setting routes in Alibaba cloud

1. Go to your VPN

2. Select Route Tables

3. Add the following route under the System route table or on your custom route table: 10.6.0.0/20. The next hop should be the VPN Gateway you created for NordLayer

Ending note:

In order to finalize the site-to-site setup on our end, please provide these values via Site-to-site request from in the NordLayer Control Panel:

• Pre-shared key - you can generate it or we can provide it
• Encryption  details (AES, SHA and DH group) - AES256, SHA256 and DH group 14 are recommended (also must support IKEv2)
• Remote gateway/router public IP (must be reachable while connected to the dedicated server)
• Remote subnet and mask (the subnet is used in your local network)

Note: In case you are experiencing different results, make sure that you have you carefully gone through all the steps. Having said that, in case the issue persists please feel free to contact our 24/7 customer support team.