This topic provides answers to some frequently asked questions about VPN gateways.

Can I deploy a VPN gateway in a classic network?

No, you cannot deploy a VPN gateway in a classic network.

VPN gateways support only virtual private clouds (VPCs). If you want the resources in a classic network to use the VPN gateway of a VPC, you must enable ClassicLink for the VPC. For more information, see Establish IPsec-VPN connections in a classic network.

What are the prerequisites to connect a data center to a VPC through IPsec-VPN?

  • The gateway device of the data center must support the IKEv1 and IKEv2 protocols.

    IPsec-VPN supports both IKEv1 and IKEv2. All gateway devices that support the IKEv1 and IKEv2 protocols can connect to VPN gateways on Alibaba Cloud.

  • A static public IP address is assigned to the gateway device in the data center.
  • The client CIDR block and the VPC CIDR block do not overlap with each other.

For more information about how to connect a data center to a VPC through IPsec-VPN, see Connect on-premises data centers to VPC networks.

Can I use VPN gateways to connect VPCs across regions?

Yes, you can use VPN gateways to connect VPCs across regions. For more information, see Establish IPsec-VPN connections between two VPCs.

What types of gateway devices can connect to VPN gateways?

VPN gateways support the standard IKEv1 and IKEv2 protocols. Therefore, all gateway devices that support the IKEv1 and IKEv2 protocols can connect to VPN gateways on Alibaba Cloud. For example, gateway devices manufactured by H3C, Hillstone, Sangfor, Cisco ASA, Juniper, SonicWall, Nokia, IBM, and Ixia can connect to VPN gateways on Alibaba Cloud. For more information, see Configure a gateway device in a data center.

How many IPsec-VPN connections can be established to a VPN gateway?

By default, you can establish at most 10 IPsec-VPN connections to a VPN gateway. To create more IPsec-VPN connections, request a quota increase. For more information, see Manage quotas.

Can I use VPN gateways to access the Internet?

No, you cannot use VPN gateways to access the Internet.

You can use VPN gateways to access only VPCs through private connections.

Does network traffic between VPCs traverse the Internet?

No, network traffic between VPCs does not traverse the Internet.

When you use VPN gateways to connect VPCs across regions, network traffic is transmitted only within Alibaba Cloud.

Can I specify more than one client CIDR block for an IPsec-VPN connection?

Yes, you can specify more than one client CIDR block for an IPsec-VPN connection.

We recommend that you specify IKEv2 when you create the connection.

Can I downgrade a VPN gateway?

Yes, you can downgrade a VPN gateway.

To downgrade a VPN gateway, submit a ticket.

Can I enable SSL-VPN for VPN gateways that are created before the release date of SSL-VPN?

No, you cannot enable SSL-VPN for VPN gateways that are created before the release date of SSL-VPN.

If you want to enable SSL-VPN for VPN gateways that were created before the release date, submit a ticket.

How can I optimize the bandwidth usage of a VPN gateway?

The bandwidth limit of a single IPsec-VPN connection is 200 Mbit/s. If the bandwidth limit of your VPN gateway is higher than 200 Mbit/s, you can create multiple IPsec-VPN connections, each covering part of the VPC CIDR block, so that the gateway bandwidth is not wasted.

For example, if the bandwidth limit of your VPN gateway is 800 Mbit/s, the CIDR block of the VPC is 10.0.0.0/8, and the CIDR block of the data center is 192.168.0.0/24, you can create the following IPsec-VPN connections:
  • IPsec-VPN Connection 1

    VPC CIDR block: 10.0.0.0/10. Client CIDR block: 192.168.0.0/24.

  • IPsec-VPN Connection 2

    VPC CIDR block: 10.64.0.0/10. Client CIDR block: 192.168.0.0/24.

  • IPsec-VPN Connection 3

    VPC CIDR block: 10.128.0.0/10. Client CIDR block: 192.168.0.0/24.

  • IPsec-VPN Connection 4

    VPC CIDR block: 10.192.0.0/10. Client CIDR block: 192.168.0.0/24.

For more information about other parameters, see Connect on-premises data centers to VPC networks.
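The following script, added here as an illustration and not part of the Alibaba Cloud documentation, works out the connection plan from the example above: it derives the number of IPsec-VPN connections from the gateway bandwidth and the 200 Mbit/s per-connection limit, splits the VPC CIDR block into equal sub-blocks, and checks the two prerequisites stated earlier on this page (client and VPC CIDR blocks must not overlap; the default quota is 10 connections per gateway). The function name and the quota check are this example's own assumptions.

```python
import ipaddress
import math

PER_CONNECTION_LIMIT_MBPS = 200   # per-connection limit stated in the FAQ
DEFAULT_CONNECTION_QUOTA = 10     # default connections per gateway stated in the FAQ


def plan_connections(gateway_bw_mbps, vpc_cidr, client_cidr,
                     per_conn_mbps=PER_CONNECTION_LIMIT_MBPS,
                     quota=DEFAULT_CONNECTION_QUOTA):
    """Return a list of (vpc_block, client_block) pairs, one per IPsec-VPN
    connection, such that the combined connections can carry the full
    gateway bandwidth. Raises ValueError when a prerequisite is violated."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    client = ipaddress.ip_network(client_cidr, strict=True)

    # Prerequisite from the FAQ: client and VPC CIDR blocks must not overlap.
    if vpc.overlaps(client):
        raise ValueError(f"client CIDR {client} overlaps VPC CIDR {vpc}")

    # Connections needed so that N * 200 Mbit/s >= gateway bandwidth.
    count = max(1, math.ceil(gateway_bw_mbps / per_conn_mbps))
    # The VPC block is split by adding prefix bits, so the real number of
    # sub-blocks is rounded up to the next power of two (600 Mbit/s -> 4).
    extra_bits = math.ceil(math.log2(count))
    if vpc.prefixlen + extra_bits > vpc.max_prefixlen:
        raise ValueError(f"VPC CIDR {vpc} is too small to split {count} ways")
    blocks = [vpc] if extra_bits == 0 else list(vpc.subnets(prefixlen_diff=extra_bits))

    # Default quota check; a larger plan needs a quota increase first.
    if len(blocks) > quota:
        raise ValueError(f"{len(blocks)} connections exceed the quota of {quota}")

    return [(str(block), str(client)) for block in blocks]


if __name__ == "__main__":
    # The FAQ's own example: 800 Mbit/s gateway, VPC 10.0.0.0/8, client 192.168.0.0/24.
    for i, (vpc_block, client_block) in enumerate(
            plan_connections(800, "10.0.0.0/8", "192.168.0.0/24"), start=1):
        print(f"IPsec-VPN Connection {i}: VPC {vpc_block}, client {client_block}")
```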

How can I configure network access control list (ACL) rules on a VPN gateway?

  • If a network ACL is configured for the subnet of a VPN gateway, you must add rules to the network ACL to allow network traffic from and to the CIDR block 100.104.0.0/16.
  • If a network ACL is configured for the subnet of an SSL-VPN connection, you must add rules to the network ACL to open port 1194.

Why am I unable to connect to an AWS VPN gateway through IPsec-VPN?

  • Cause

    When you use an AWS VPN gateway to create an IPsec-VPN connection, each tunnel of the IPsec-VPN connection supports only one security association (SA). If the routing mode of the IPsec-VPN connection on the Alibaba Cloud side is set to Protected Data Flows and multiple VPC CIDR blocks or client CIDR blocks are specified for the IPsec-VPN connection, the AWS VPN gateway cannot forward traffic.

  • Solution

    You can use one of the following methods to resolve the issue:

    • If the routing mode of the IPsec-VPN connection on Alibaba Cloud is set to Protected Data Flows, you must specify only one VPC CIDR block and one client CIDR block.
    • Change the routing mode of the IPsec-VPN connection on Alibaba Cloud to Destination Routing Mode.