This topic describes how to create an SSL server. Before you can create an SSL-VPN connection, you must create an SSL server.


Prerequisites: a VPN gateway is created and SSL-VPN is enabled for the VPN gateway. For more information, see Create a VPN gateway.


  1. Log on to the VPN Gateway console.
  2. In the left-side navigation pane, choose Interconnections > VPN > SSL Servers.
  3. In the top navigation bar, select the region where you want to create the SSL server.
  4. On the SSL Servers page, click Create SSL Server.
  5. In the Create SSL Server panel, set the following parameters and click OK.
    Parameter Description
    Name: Enter a name for the SSL server.

    The name must be 2 to 128 characters in length, and can contain digits, underscores (_), and hyphens (-). It must start with a letter.

    VPN Gateway: Select the VPN gateway that you want to associate with the SSL server.

    Make sure that SSL-VPN is enabled for the VPN gateway.

    Local Network: Enter the CIDR block that the client needs to access through the SSL-VPN connection. It can be the CIDR block of a VPC, a vSwitch, a data center connected to a VPC through an Express Connect circuit, or a cloud service such as ApsaraDB RDS or Object Storage Service (OSS).

    Click Add Local Network to add more CIDR blocks.

    Note: The subnet mask of the specified CIDR block must be 8 to 32 bits in length.

    Client Subnet: Enter the CIDR block from which an IP address is allocated to the virtual network interface controller (NIC) of the client. Do not enter the private CIDR block of the client. When the client accesses the destination network through an SSL-VPN connection, the VPN gateway allocates an IP address from the client CIDR block to the client.
    • Make sure that the CIDR block of the destination network and the client CIDR block do not overlap with each other.
    • Make sure that the number of IP addresses that the client CIDR block provides is at least four times the number of SSL-VPN connections.

      For example, if you specify as the client CIDR block, the system first divides a subnet CIDR block with a subnet mask of 30 from, which provides up to four IP addresses, is used as the subnet CIDR block in this example. Then, the system allocates an IP address from to the client and uses the other three IP addresses to ensure network communication. In this case, one client consumes four IP addresses. Therefore, to ensure that an IP address can be allocated to your client, you must make sure that the number of IP addresses that the client CIDR block provides is at least four times the number of SSL-VPN connections.

    Advanced Configuration
    Protocol: Select the protocol that is used by the SSL-VPN connection. Valid values: UDP and TCP.
    Port: Specify the port that is used by the SSL-VPN connection. Default value: 1194.
    Encryption Algorithm: Specify the encryption algorithm used by the SSL-VPN connection. Valid values: AES-128-CBC, AES-192-CBC, and AES-256-CBC.
    Enable Compression: Specify whether to compress the data that is transmitted over the SSL-VPN connection.
    Two-factor Authentication: Specify whether to enable two-factor authentication. You must select an Identity as a Service (IDaaS) instance after you enable two-factor authentication.

    By default, you can use the username and password of IDaaS for two-factor authentication. You can also use Active Directory (AD) authentication. After you configure AD authentication, SSL-VPN can use AD authentication to authenticate users. For more information, see Establish an SSL-VPN connection by using LDAP authentication.

    • Only VPN gateways that are created after 00:00 (UTC+8), March 5, 2020 support two-factor authentication.
    • If this is your first time using two-factor authentication, you must authorize the VPN gateway to access the IDaaS instance before you create the SSL server.
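The Local Network and Client Subnet rules above (mask of 8 to 32 bits, no overlap between the destination and client CIDR blocks, four addresses per SSL-VPN connection) can be checked before the values are entered in the console. The following is an added example, not part of the product or its documentation; the function names and the sample CIDR blocks are assumptions made for illustration.

```python
import ipaddress

ADDRESSES_PER_CLIENT = 4  # per the page: each client consumes one /30 (four addresses)

def max_connections(client_subnet):
    """Upper bound on SSL-VPN connections that a client CIDR block can serve."""
    return ipaddress.IPv4Network(client_subnet).num_addresses // ADDRESSES_PER_CLIENT

def check_ssl_server_plan(local_networks, client_subnet, connections):
    """Return a list of rule violations; an empty list means the plan passes."""
    try:
        client = ipaddress.IPv4Network(client_subnet)
    except ValueError as exc:
        return [f"invalid client subnet {client_subnet!r}: {exc}"]
    problems = []
    for cidr in local_networks:
        try:
            local = ipaddress.IPv4Network(cidr)
        except ValueError as exc:
            problems.append(f"invalid local network {cidr!r}: {exc}")
            continue
        if local.prefixlen < 8:  # page: subnet mask must be 8 to 32 bits
            problems.append(f"mask too short: {local} is shorter than /8")
        if local.overlaps(client):  # page: destination and client blocks must not overlap
            problems.append(f"overlap: {local} overlaps client subnet {client}")
    needed = connections * ADDRESSES_PER_CLIENT
    if client.num_addresses < needed:
        problems.append(f"too small: {client} has {client.num_addresses} addresses, "
                        f"{connections} connections need {needed}")
    return problems

if __name__ == "__main__":
    # Constructed sample plans (not values from the page).
    good = check_ssl_server_plan(["192.168.0.0/16", "172.16.0.0/12"], "10.10.0.0/24", 50)
    bad = check_ssl_server_plan(["192.168.0.0/16"], "192.168.10.0/28", 10)
    print("good plan:", good or "ok")
    for p in bad:
        print("bad plan:", p)
```

Listing only the CIDR blocks that clients actually need in Local Network keeps the reachable address space small, and the same check can run in review before a change is applied.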