Creating a Multi-CIDR Block VPN with IKEv1 in a Multi-Network CEN in Alibaba Cloud


Alibaba Cloud provides VPN Gateway as a service that can be used to connect your on-premises data center, office, or personal devices to an Alibaba Cloud VPC. To connect a data center or office network to an Alibaba Cloud VPC, you can use the IKEv1 or IKEv2 protocol and configure an IPSec connection. However, the IKEv1 protocol does not support multiple CIDR block selection: an IKEv1 connection accepts only a single CIDR block as the local traffic selector and a single CIDR block as the remote traffic selector. This is a limitation of the protocol itself.

Problem Description

Consider a scenario where you have two offices (or data centers) in different parts of the world and you want to use CEN to connect to these offices. In that case, once you have created a VPN Gateway using the IKEv1 protocol between the local office and the Alibaba Cloud VPC in the local region, you need to add the remote VPC CIDR block from the remote region to the VPN tunnel so that all three networks are part of one larger private network. In the Alibaba Cloud console, when you try to add more than one ‘Local Network’ or ‘Remote Network’ entry while using the IKEv1 protocol, you get the error “Use the IKEv2 protocol if the local network segment or remote network segment contains multiple subnets.”

Network Architecture

To allow more than one network CIDR block pair as part of the same VPN tunnel, we create more than one IPSec connection on the same VPN Gateway, still using the IKEv1 protocol. This lets users create only one VPN Gateway to connect the local office to both the local VPC and the remote network, so everything is still part of the same large network even when using IKEv1.

Example Implementation

In this example implementation, we use three VPCs in Alibaba Cloud in three different regions: one acts as the on-premises DC, one as the local VPC, and the third as the remote VPC in a different region. All three networks are part of a CEN network to reflect the client requirements and to show that the solution delivers the intended results.

Test the Connectivity

Once the above steps are performed, everything becomes part of a larger private network. To test the connectivity, create three VMs, one in each of the networks, and ping the machines from one another.
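The planning and test steps above can be modelled in a few lines. The following is an added example, not code from the article and not Alibaba Cloud's API: it represents the VPN Gateway and its IPSec connections as plain data structures, emits one IKEv1 connection per on-prem/cloud CIDR pair (the workaround described under Network Architecture), refuses overlapping CIDR blocks before any connection is created, shows why a single IKEv1 connection leaves the remote VPC unreachable from on-prem while the second one fixes it, and builds the ping matrix used in the connectivity test. The gateway name, CIDR blocks and VM addresses are constructed placeholders.

```python
"""Plan per-pair IKEv1 IPSec connections and a ping test matrix.

Added example, not Alibaba Cloud code. All network names, CIDR blocks and
VM addresses below are constructed sample values.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import combinations, permutations


@dataclass(frozen=True)
class IPSecConnection:
    """One IPSec connection on a VPN Gateway. Under IKEv1 a connection carries
    exactly one local and one remote CIDR block (one traffic selector pair)."""
    name: str
    local_cidr: str
    remote_cidr: str

    def covers(self, src: str, dst: str) -> bool:
        """True if src->dst traffic matches this selector pair in either direction."""
        s, d = ip_address(src), ip_address(dst)
        local, remote = ip_network(self.local_cidr), ip_network(self.remote_cidr)
        return (s in local and d in remote) or (s in remote and d in local)


def overlapping_pairs(networks: dict[str, str]) -> list[tuple[str, str]]:
    """Return every pair of named CIDR blocks that share address space."""
    parsed = {name: ip_network(cidr, strict=True) for name, cidr in networks.items()}
    return [(a, b) for (a, na), (b, nb) in combinations(parsed.items(), 2) if na.overlaps(nb)]


def check_no_overlap(networks: dict[str, str]) -> None:
    """Reject overlapping CIDR blocks up front: neither CEN nor the VPN tunnels
    can route unambiguously between networks that share address space."""
    bad = overlapping_pairs(networks)
    if bad:
        raise ValueError(f"overlapping CIDR blocks: {bad}")


def plan_ikev1_connections(gateway: str, on_prem: str, cloud: dict[str, str]) -> list[IPSecConnection]:
    """Emit one IKEv1 IPSec connection per (on-prem, cloud CIDR) pair, all attached
    to the same VPN Gateway, instead of one multi-subnet connection (IKEv2 only)."""
    check_no_overlap({"on-prem": on_prem, **cloud})
    return [
        IPSecConnection(name=f"{gateway}-{label}", local_cidr=on_prem, remote_cidr=cidr)
        for label, cidr in cloud.items()
    ]


def tunnel_covers(connections: list[IPSecConnection], src: str, dst: str) -> bool:
    """True if some connection on the gateway carries src<->dst traffic."""
    return any(c.covers(src, dst) for c in connections)


def ping_matrix(vms: dict[str, str], networks: dict[str, str]) -> list[tuple[str, str]]:
    """Every ordered (src_ip, dst_ip) pair to ping, after checking that each test VM
    really sits inside the network it is meant to represent."""
    for net, ip in vms.items():
        if ip_address(ip) not in ip_network(networks[net]):
            raise ValueError(f"{ip} is not inside {net} ({networks[net]})")
    return [(vms[a], vms[b]) for a, b in permutations(vms, 2)]


# Constructed sample topology (hypothetical values, not from the article).
ON_PREM = "192.168.0.0/24"
CLOUD_CIDRS = {"local-vpc": "10.0.0.0/16", "remote-vpc": "10.1.0.0/16"}
NETWORKS = {"on-prem": ON_PREM, **CLOUD_CIDRS}
VMS = {"on-prem": "192.168.0.10", "local-vpc": "10.0.1.10", "remote-vpc": "10.1.1.10"}

if __name__ == "__main__":
    conns = plan_ikev1_connections("vpngw-example", ON_PREM, CLOUD_CIDRS)
    for c in conns:
        print(f"{c.name}: local {c.local_cidr} <-> remote {c.remote_cidr}")
    # With only the first connection the remote VPC is not reachable from on-prem.
    print("remote VPC via first connection only:", tunnel_covers(conns[:1], VMS["on-prem"], VMS["remote-vpc"]))
    print("remote VPC via both connections:", tunnel_covers(conns, VMS["on-prem"], VMS["remote-vpc"]))
    for src, dst in ping_matrix(VMS, NETWORKS):
        print(f"ping {dst} from {src}")
```

The local VPC and remote VPC reach each other over CEN rather than over the tunnel, so `tunnel_covers` only models the on-prem leg; the ping matrix still exercises all six directions, which is what confirms the three networks form one private network.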


Though IKEv2 is the more advanced protocol, not many clients use it in their internal VPN tunnels. This can become a challenge for customers who want to use multi-subnet pairs to create a larger network. Although the IKEv1 protocol cannot carry multiple subnet (CIDR block) pairs in a single IPSec connection, it is possible to create many IKEv1 IPSec connections on the same VPN Gateway and build a larger private network with a simple change to the network architecture, without the hassle of switching to the IKEv2 protocol.



