- 2 Minutes to read
Setting up site-to-site on Alibaba Cloud
- 2 Minutes to read
Note: If your device/service supports SHA256 and DH group 14, it is recommended to use these settings instead.
Log in to the VPC console
In the Management Platform on the left side, choose VPN > IPsec Connections
Select a region
On the IPsec Connections page, select Create IPsec Connection
On the Create IPsec Connection page, configure the IPsec-VPN connection with the following information, and select OK
- Name: Enter the name of the IPsec-VPN connection.
- VPN Gateway: Select the VPN Gateway to connect - If none exists, create a new one.
- Customer Gateway: Select the customer gateway to connect. If none exists, create a new one for the IP of your NordLayer dedicated server.
- Local Network: Enter the CIDR block of the VPC to be connected with the on-premises data center. This parameter is used for phase two negotiation.
- Remote Network: Enter the CIDR block of the on-premises data center to be connected with the VPC. This parameter is used for phase two negotiation - 10.6.0.0/20.
- Effective Immediately: Choose Yes.
- Advanced Configuration: IKE Configurations.
- Pre-Shared Key: Enter the pre-shared key used for the authentication between the VPN Gateway and your service. By default, it is an automatically generated value. But you can also specify a pre-shared key. Please note that we will need this value as well.
- Version: IKEv1
- Negotiation Mode: Main mode
- Encryption Algorithm: aes256
- Encryption Algorithm: sha1
- DH Group: group2
- SA Life Cycle (seconds): Set the SA lifecycle for phase one negotiation. Set it to 28800 seconds.
- LocalId: Local VPN Gateway public IP address
- RemoteId: the IP of your NordLayer dedicated server
Advanced Configuration: IPSec Configurations
- Encryption Algorithm: aes256
- Authentication Algorithm: sha1
- DH Group: group2
- SA Life Cycle (seconds): Set the SA lifecycle for phase two negotiation. Set it to 3600 seconds.
- Health Check - Optional
Setting access rules in Alibaba security groups
Go to your security group that is associated with your server
Add Allow rule with 10.6.0.0/16 object to the desired ports
Setting routes in Alibaba cloud
Go to your VPN
Select Route Tables
Add the following route under the System route table or on your custom route table: 10.6.0.0/20. The next hop should be the VPN Gateway you created for NordLayer
Ending note:
In order to finalize the site-to-site setup on our end, please provide these values via Site-to-site request from in the NordLayer Control Panel:
- Pre-shared key - you can generate it or we can provide it
- Encryption details (AES, SHA and DH group) - AES256, SHA256 and DH group 14 are recommended (also must support IKEv2)
- Remote gateway/router public IP (must be reachable while connected to the dedicated server)
- Remote subnet and mask (the subnet is used in your local network)
Note: In case you are experiencing different results, make sure that you have you carefully gone through all the steps. Having said that, in case the issue persists please feel free to contact our 24/7 customer support team.