This topic answers frequently asked questions about VPN Gateway.

Can I create a VPN gateway for a classic network?

VPN gateways do not support classic networks. You can create VPN gateways only for Virtual Private Cloud (VPC) networks. If you want a classic network to use VPN gateways, you must first use ClassicLink to connect the classic network to a VPC network. For more information, see Use IPsec-VPN in the classic network.

What are the prerequisites for connecting a VPC network to an on-premises data center through an IPsec-VPN connection?

Make sure that the on-premises data center has a static public IP address and a gateway device that supports IKEv1 and IKEv2. The CIDR block of the on-premises data center must not overlap with that of the VPC network. For more information, see Establish a connection between a VPC and an on-premises data center.

Can I use VPN gateways to connect two VPC networks in different regions?

Yes. For more information, see Establish a connection between two VPCs.

What types of gateway devices can be connected to Alibaba Cloud VPN gateways?

Alibaba Cloud VPN gateways support the standard IKEv1 and IKEv2 protocols. Any gateway device that supports these two protocols can connect to Alibaba Cloud VPN gateways. Examples include gateway devices manufactured by Huawei, H3C, Hillstone, Sangfor, Cisco ASA, Juniper, SonicWall, Nokia, IBM, and Ixia. For more information, see Configure H3C firewall.

How many IPsec-VPN connections can be created on each VPN gateway?

You can create up to 10 IPsec-VPN connections by default. To increase the quota, submit a ticket on the Quota Management page in the console. For more information, see Manage quotas.

Can I access the Internet through a VPN gateway?

No. VPN gateways do not provide Internet access. You can access only VPC networks through VPN gateways.

Do VPC networks communicate with each other over the Internet?

No. When you use VPN gateways to connect VPC networks deployed in different regions, packets are forwarded only within the Alibaba Cloud networks.

Can I add more than one client CIDR block for an IPsec-VPN connection?

Yes. You can add more than one client CIDR block for an IPsec-VPN connection. We recommend that you use IKEv2 when you create such a connection.

Can I downgrade a VPN gateway?

Yes. To downgrade a VPN gateway, submit a ticket.

Can I enable SSL-VPN for VPN gateways that were created before the release date of the SSL-VPN feature?

No. To enable SSL-VPN for these VPN gateways, submit a ticket.

How can I make full use of the bandwidth of a VPN gateway?

The maximum bandwidth of an IPsec-VPN connection is 200 Mbit/s. If the maximum bandwidth of your VPN gateway is higher than 200 Mbit/s, you can create multiple IPsec-VPN connections to avoid wasting the bandwidth of the gateway.

For example, if the maximum bandwidth of your VPN gateway is 800 Mbit/s, the CIDR block of the VPC network is 10.0.0.0/8, and the CIDR block of the on-premises data center is 192.168.0.0/24, you can create the following IPsec-VPN connections.
  • IPsec-VPN connection 1

    VPC CIDR block: 10.0.0.0/10. Client CIDR block: 192.168.0.0/24.

  • IPsec-VPN connection 2

    VPC CIDR block: 10.64.0.0/10. Client CIDR block: 192.168.0.0/24.

  • IPsec-VPN connection 3

    VPC CIDR block: 10.128.0.0/10. Client CIDR block: 192.168.0.0/24.

  • IPsec-VPN connection 4

    VPC CIDR block: 10.192.0.0/10. Client CIDR block: 192.168.0.0/24.

For more information about other parameters, see Establish a connection between a VPC and an on-premises data center.
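
The split in the example above can be computed and checked instead of worked out by hand. The following Python sketch is an added example, not Alibaba Cloud code: the function names `plan_connections` and `validate_plan` are hypothetical. It takes the 200 Mbit/s per-connection limit and the default quota of 10 connections from this topic, and assumes the number of connections is rounded up to a power of two, because a CIDR block divides evenly only into 2, 4, 8, ... blocks.

```python
import ipaddress

PER_CONNECTION_MBITS = 200   # per-connection maximum stated in this FAQ
DEFAULT_QUOTA = 10           # default IPsec-VPN connections per gateway, per this FAQ


def plan_connections(gateway_mbits, vpc_cidr, client_cidr, quota=DEFAULT_QUOTA):
    """Split vpc_cidr into equal blocks, one per IPsec-VPN connection.
    gateway_mbits is an integer number of Mbit/s."""
    vpc = ipaddress.ip_network(vpc_cidr)
    client = ipaddress.ip_network(client_cidr)
    # Prerequisite from this FAQ: the two sides must not overlap.
    if vpc.overlaps(client):
        raise ValueError(f"client block {client} overlaps VPC block {vpc}")

    needed = max(1, -(-gateway_mbits // PER_CONNECTION_MBITS))  # ceiling division
    bits = (needed - 1).bit_length()  # round up to a power of two (assumption)
    if 2 ** bits > quota:
        raise ValueError(f"{2 ** bits} connections exceed the quota of {quota}")
    if vpc.prefixlen + bits > vpc.max_prefixlen:
        raise ValueError(f"{vpc} cannot be split into {2 ** bits} blocks")
    return [(str(block), str(client)) for block in vpc.subnets(prefixlen_diff=bits)]


def validate_plan(plan, vpc_cidr):
    """Check a hand-written plan of (vpc_block, client_block) pairs.
    Returns a list of problems; an empty list means the plan is consistent."""
    vpc = ipaddress.ip_network(vpc_cidr)
    problems = []
    blocks = [ipaddress.ip_network(v) for v, _ in plan]
    for i, a in enumerate(blocks):
        for b in blocks[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    for v, c in plan:
        if ipaddress.ip_network(v).overlaps(ipaddress.ip_network(c)):
            problems.append(f"VPC block {v} overlaps client block {c}")
    # The VPC-side blocks must merge back into exactly the VPC CIDR block.
    if list(ipaddress.collapse_addresses(blocks)) != [vpc]:
        problems.append(f"blocks do not add up to exactly {vpc}")
    return problems


if __name__ == "__main__":
    plan = plan_connections(800, "10.0.0.0/8", "192.168.0.0/24")
    for n, (vpc_block, client_block) in enumerate(plan, 1):
        print(f"IPsec-VPN connection {n}: VPC {vpc_block}, client {client_block}")
    print(validate_plan(plan, "10.0.0.0/8") or "plan OK")
```

Run with the values from the example, it reproduces the four /10 blocks listed above. `validate_plan` can also be pointed at a plan entered manually in the console to catch overlapping or missing ranges before the connections are created.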