
VPN Gateway:FAQ about VPN gateways

Last Updated:Jan 23, 2024

This topic provides answers to frequently asked questions (FAQ) about VPN gateways.

FAQ

  • FAQ about VPN Gateway

  • FAQ about IPsec-VPN

  • FAQ about SSL-VPN

What are cross-border connections and intra-border connections?

Alibaba Cloud VPN Gateway provides services in compliance with the state policies and regulations of China. You can use VPN Gateway to establish only intra-border connections.

Cross-border connections

  • When you create an IPsec-VPN connection, the connection is cross-border if the regions of the data center and the IPsec-VPN connection meet one of the following conditions:

    • The data center is located in the Chinese mainland and the IPsec-VPN connection is located outside the Chinese mainland.

    • The data center is located outside the Chinese mainland and the IPsec-VPN connection is located in the Chinese mainland.

  • When you create an SSL-VPN connection, the connection is cross-border if the regions of the client and the SSL server meet one of the following conditions:

    • The client is located in the Chinese mainland and the SSL server is located outside the Chinese mainland.

    • The client is located outside the Chinese mainland and the SSL server is located in the Chinese mainland. In this context, the Chinese mainland does not include the China (Hong Kong) region.

If you want to create cross-border connections, we recommend that you use Cloud Enterprise Network (CEN). For more information, see What is CEN?

Intra-border connections

  • When you create an IPsec-VPN connection, the connection is intra-border if the regions of the data center and the IPsec-VPN connection meet one of the following conditions:

    • The data center is located in the Chinese mainland and the IPsec-VPN connection is located in the Chinese mainland.

    • The data center is located outside the Chinese mainland and the IPsec-VPN connection is located outside the Chinese mainland.

  • When you create an SSL-VPN connection, the connection is intra-border if the regions of the client and the SSL server meet one of the following conditions:

    • The client is located in the Chinese mainland and the SSL server is located in the Chinese mainland.

    • The client is located outside the Chinese mainland and the SSL server is located outside the Chinese mainland.

Which regions support VPN Gateway?

  • Chinese mainland: China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Hangzhou), China (Shanghai), China (Nanjing - Local Region), and China (Chengdu)

  • Outside Chinese mainland: China (Hong Kong), Singapore, Malaysia (Kuala Lumpur), Japan (Tokyo), Indonesia (Jakarta), India (Mumbai), Philippines (Manila), South Korea (Seoul), Thailand (Bangkok), Germany (Frankfurt), UK (London), Australia (Sydney), UAE (Dubai), US (Silicon Valley), and US (Virginia)

How do I choose a region for an IPsec-VPN connection or an SSL server?

  • If the IPsec-VPN connection needs to be associated with a VPN gateway, the IPsec-VPN connection and the VPN gateway must be in the same region.

  • If the IPsec-VPN connection needs to be associated with a transit router, choose a region that is nearest to the data center.

  • The SSL server and the VPN gateway must be in the same region.

Can I access the Internet over VPN gateways?

No, you cannot use VPN gateways to access the Internet.

You can use VPN gateways to access only virtual private clouds (VPCs) over private connections.

What are the prerequisites for connecting a data center to a VPC over IPsec-VPN?

  • The gateway device of the data center must support the Internet Key Exchange version 1 (IKEv1) and IKEv2 protocols.

    IPsec-VPN supports the IKEv1 and IKEv2 protocols. All gateway devices that support the two protocols can connect to VPN gateways on Alibaba Cloud. For more information, see the How do I select an IKE version when I create an IPsec-VPN connection? section of this topic.

  • A static public IP address is assigned to the gateway device in the data center.

  • The client CIDR block and the VPC CIDR block do not overlap with each other.

For more information about how to connect a data center to a VPC by using an IPsec-VPN connection, see Connect a VPC to a data center in single-tunnel mode.

What on-premises gateway devices can connect to Alibaba Cloud VPN gateways?

Alibaba Cloud VPN gateways support the standard IKEv1 and IKEv2 protocols. All gateway devices that support the IKEv1 and IKEv2 protocols can connect to Alibaba Cloud VPN gateways. For example, gateway devices provided by H3C, Hillstone, Sangfor, Cisco ASA, Juniper, SonicWall, Nokia, IBM, and Ixia can connect to Alibaba Cloud VPN gateways. For more information, see Configure local gateways.

Do VPN gateways support classic networks?

No, VPN gateways do not support classic networks.

VPN gateways support only VPCs. If you want the resources in a classic network to use the VPN gateway of a VPC, you must enable the ClassicLink feature for the VPC. For more information, see Connect a data center to a classic network by using IPsec-VPN and Establish SSL-VPN connections to access resources in classic networks.

Can I use VPN gateways to connect VPCs across regions?

Yes, you can use VPN gateways to connect VPCs across regions.

For more information, see Establish IPsec-VPN connections between two VPCs.

Note

If you create an IPsec-VPN connection between VPCs in different regions, the connection quality is affected by the Internet quality. We recommend that you use CEN to connect VPCs in different regions. For more information, see Use Enterprise Edition transit routers to connect VPCs across regions and accounts.

Do VPCs communicate with each other over the Internet?

In scenarios in which two VPCs are connected by using a VPN gateway:

  • If the VPCs are deployed in the same region, the data transfer between the VPCs flows only through Alibaba Cloud networks and does not flow through the Internet.

  • If the VPCs are deployed in different regions, the data transfer flows through the Internet.

What are the differences between an IPsec server and an SSL server?

Scenarios

  • IPsec-VPN server: Provides end-to-site connections.

  • SSL-VPN server: Provides end-to-site connections.

Client mode

  • IPsec-VPN server: Allows mobile clients that run iOS to establish IPsec-VPN connections to Alibaba Cloud.

  • SSL-VPN server: Allows mobile clients that run Android and computers to establish SSL-VPN connections to Alibaba Cloud.

Connection mode

  • IPsec-VPN server: Allows mobile clients that run iOS to establish IPsec-VPN connections to Alibaba Cloud by using the built-in VPN feature.

  • SSL-VPN server: Allows mobile clients that run Android and computers to establish SSL-VPN connections to Alibaba Cloud by using OpenVPN.

Encryption method

  • IPsec-VPN server: IPsec protocol

  • SSL-VPN server: SSL certificate

Can I specify multiple peer CIDR blocks for an IPsec-VPN connection?

Yes, you can specify multiple peer CIDR blocks for an IPsec-VPN connection.

Before you configure multiple peer CIDR blocks, we recommend that you understand the suggestions on configuring multiple CIDR blocks. For more information, see FAQ about IPsec-VPN connections.

How many IPsec-VPN connections can be created on a VPN gateway?

By default, you can create up to 10 IPsec-VPN connections to a VPN gateway. You can adjust the quota in the Quota Center console. For more information, see Manage VPN Gateway quotas.

How do I configure ACL rules for a VPN gateway?

Type of VPN gateway: IPsec-VPN

Configure outbound and inbound rules to allow the following CIDR block and IP addresses. This way, the VPN gateway can establish IPsec-VPN connections.

  • 100.64.0.0/10

    Note

    Alibaba Cloud uses 100.64.0.0/10 to provide services. You must allow the 100.64.0.0/10 CIDR block so that the VPN gateway can work as expected.

  • The IP address of the customer gateway

  • The IP address of the VPN gateway

Type of VPN gateway: SSL-VPN

Configure inbound and outbound rules to allow the following IP addresses and CIDR block and open the following port. This way, the VPN gateway can establish SSL-VPN connections.

  • 100.64.0.0/10

    Note

    Alibaba Cloud uses 100.64.0.0/10 to provide services. You must allow the 100.64.0.0/10 CIDR block so that the VPN gateway can work as expected.

  • The public IP address of the client

  • The IP address of the VPN gateway

  • The port that can be used by SSL-VPN connections.

    For example, you can specify port 1194.
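As an added check (example code written for this FAQ, not part of the page and not an Alibaba Cloud tool), the following Python script encodes the ACL requirements above as data and reports which allow entries a rule set lacks, in each direction. The AclRule shape, the sample addresses, and the interpretation that the SSL-VPN port must be allowed for the VPN gateway address are assumptions; rule priority and deny ordering are not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Alibaba Cloud delivers the service from this block; the FAQ says it must be allowed in both directions.
ALIBABA_SERVICE_BLOCK = "100.64.0.0/10"
DEFAULT_SSL_PORT = 1194  # the port the FAQ uses as an example; use the port your SSL server is configured with


@dataclass(frozen=True)
class AclRule:
    """Simplified ACL entry (assumed shape, not the console's data model)."""
    direction: str              # "inbound" or "outbound"
    action: str                 # "allow" or "deny"
    cidr: str                   # CIDR block or single address
    port: Optional[int] = None  # None means all ports


def _host(ip: str) -> str:
    """Normalise a bare address to a /32 (or /128) network string."""
    return str(ipaddress.ip_network(ip, strict=False))


def required_entries(mode: str, remote_ip: str, vpn_gateway_ip: str,
                     ssl_port: int = DEFAULT_SSL_PORT) -> List[Tuple[str, Optional[int]]]:
    """(cidr, port) pairs that must be allowed in each direction, taken from the FAQ.

    mode "ipsec": remote_ip is the customer gateway address. If the data center sits behind
                  SNAT, this is the translated address, i.e. the one entered for the customer gateway.
    mode "ssl":   remote_ip is the client's public address; the SSL port must also be open
                  (assumed here to mean: allowed for the VPN gateway address).
    """
    entries = [(ALIBABA_SERVICE_BLOCK, None), (_host(remote_ip), None), (_host(vpn_gateway_ip), None)]
    if mode == "ssl":
        entries.append((_host(vpn_gateway_ip), ssl_port))
    elif mode != "ipsec":
        raise ValueError("mode must be 'ipsec' or 'ssl'")
    return entries


def _covers(rule: AclRule, direction: str, cidr: str, port: Optional[int]) -> bool:
    """True if this allow rule, in this direction, contains the whole required block and port."""
    if rule.direction != direction or rule.action != "allow":
        return False
    need = ipaddress.ip_network(cidr)
    have = ipaddress.ip_network(rule.cidr, strict=False)
    if have.version != need.version or not need.subnet_of(have):
        return False
    # A required port of None means "any allow rule for this address"; otherwise the rule
    # must be all-ports (None) or exactly that port.
    return port is None or rule.port is None or rule.port == port


def missing_entries(acl: List[AclRule], mode: str, remote_ip: str, vpn_gateway_ip: str,
                    ssl_port: int = DEFAULT_SSL_PORT) -> List[Tuple[str, str, Optional[int]]]:
    """Return the (direction, cidr, port) requirements that no allow rule covers."""
    missing = []
    for direction in ("inbound", "outbound"):
        for cidr, port in required_entries(mode, remote_ip, vpn_gateway_ip, ssl_port):
            if not any(_covers(r, direction, cidr, port) for r in acl):
                missing.append((direction, cidr, port))
    return missing


# Constructed sample ACL for an SSL-VPN gateway (documentation address ranges, not real ones):
# the inbound side has no entry for the client and the outbound side omits the service block.
SAMPLE_ACL = [
    AclRule("inbound", "allow", "100.64.0.0/10"),
    AclRule("inbound", "allow", "198.51.100.7/32", 1194),  # VPN gateway address, SSL port only
    AclRule("outbound", "allow", "203.0.113.25/32"),       # client public address
    AclRule("outbound", "allow", "198.51.100.7/32"),
]

if __name__ == "__main__":
    for entry in missing_entries(SAMPLE_ACL, "ssl", "203.0.113.25", "198.51.100.7"):
        print("missing allow rule:", entry)
```

Run against the constructed SAMPLE_ACL, the script reports the missing inbound entry for the client address and the missing outbound entry for 100.64.0.0/10, which is exactly the kind of gap that leaves a tunnel stuck in negotiation.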

Can I upgrade or downgrade a VPN gateway?

Yes, you can upgrade or downgrade a VPN gateway.

Can I view the connection information about the SSL clients on a VPN gateway?

Yes, you can view the connection information about the SSL clients on a VPN gateway.

For more information, see View the information about an SSL client.

Note

  • If your VPN gateway was created after December 10, 2022, you can view the connection information about SSL clients by default.

  • If your VPN gateway associated with an SSL server was created before December 10, 2022, you must upgrade the VPN gateway to the latest version before you can view the connection information about SSL clients. For more information, see Upgrade a VPN gateway.

Can I enable SSL-VPN for VPN gateways that were created before the release date of SSL-VPN?

No, you cannot enable SSL-VPN for VPN gateways that were created before the release date of SSL-VPN.

To enable SSL-VPN, upgrade the VPN gateways to the latest version. For more information, see Upgrade a VPN gateway.

How do I select an IKE version when I create an IPsec-VPN connection?

When you create an IPsec-VPN connection, you can select an IKE version based on the IKE versions supported by the peer gateway device and whether communication among multiple CIDR blocks is required.

Note

Communication among multiple CIDR blocks is established if you specify multiple CIDR blocks for Local Network or Remote Network when you create an IPsec-VPN connection.

Peer gateway device supports IKEv1 only

  • Communication among multiple CIDR blocks is required:

    • Both the IPsec-VPN connection and the peer gateway device use IKEv1.

    • If the IPsec-VPN connection uses IKEv1, communication among multiple CIDR blocks is not supported by default. For more information, see the Recommended solutions section of the "Configuration suggestions and FAQ about enabling communication among CIDR blocks" topic.

  • Communication among multiple CIDR blocks is not required: Both the IPsec-VPN connection and the peer gateway device use IKEv1.

Peer gateway device supports IKEv2 only

  • Communication among multiple CIDR blocks is required:

    • Both the IPsec-VPN connection and the peer gateway device use IKEv2.

    • If the IPsec-VPN connection uses IKEv2, communication among multiple CIDR blocks is supported.

  • Communication among multiple CIDR blocks is not required: Both the IPsec-VPN connection and the peer gateway device use IKEv2.

Peer gateway device supports IKEv1 and IKEv2

  • Communication among multiple CIDR blocks is required:

    • Both the IPsec-VPN connection and the peer gateway device use IKEv2.

    • If the IPsec-VPN connection uses IKEv2, communication among multiple CIDR blocks is supported.

  • Communication among multiple CIDR blocks is not required: We recommend that both the IPsec-VPN connection and the peer gateway device use IKEv2.

Compared with IKEv1, IKEv2 simplifies the SA negotiation process and provides better support for scenarios in which multiple CIDR blocks are used. Therefore, we recommend that you use IKEv2.

After the IP address of a data center is translated by NAT, how does the data center establish an IPsec-VPN connection with a VPN gateway?

For example, a data center plans to use 42.XX.XX.1 to establish an IPsec-VPN connection with an Alibaba Cloud VPN gateway. The data center has SNAT enabled. SNAT translates 42.XX.XX.1 to 47.XX.XX.21. When you create a customer gateway in the VPN Gateway console, you must specify 47.XX.XX.21 as the IP address of the customer gateway. Otherwise, the data center cannot establish an IPsec-VPN connection with an Alibaba Cloud VPN gateway.

We recommend that you use the default IPsec ports, port 500 and port 4500, to establish IPsec-VPN connections with VPN gateways.

If both the public VPN gateway and the VPC that is associated with the VPN gateway have NAT enabled, the IP address of the public VPN gateway remains unchanged and is not translated by NAT.

How do I increase the maximum bandwidth of IPsec-VPN connections?

Usage scenarios of IPsec-VPN connections attached to VPN gateways

After an IPsec-VPN connection is attached to a VPN gateway, the maximum bandwidth of the IPsec-VPN connection is 1,000 Mbit/s. In specific regions, the maximum bandwidth is 200 Mbit/s. If you want to increase the maximum bandwidth, you can deploy multiple VPN gateways so that your data center connects to Alibaba Cloud over multiple IPsec-VPN connections. The following figure shows an example. For more information, see Use multiple VPN gateways to balance the loads of IPsec-VPN connections for high availability.

Figure: IPsec-VPN connection high availability with multiple VPN gateways

Usage scenarios of IPsec-VPN connections attached to transit routers

After an IPsec connection is attached to a transit router, the maximum bandwidth of the IPsec connection is 1 Gbit/s. If you want to increase the maximum bandwidth, you can establish multiple IPsec connections between the transit router and your data center. This way, network traffic is transmitted between your data center and Alibaba Cloud over multiple IPsec connections. The following figure shows an example. For more information, see Create multiple IPsec-VPN connections over the Internet for load balancing and Create multiple private IPsec-VPN connections to implement load balancing.

  • IPsec-VPN connections with Internet access:

    Figure: IPsec-VPN connections attached to a transit router, Internet scenario

  • IPsec-VPN connections with private access:

    Figure: IPsec-VPN connections attached to a transit router, private network scenario

Can a VPN gateway forward traffic of ECS instances that are deployed in different zones of a VPC?

Yes, the VPN gateway can forward network traffic for Elastic Compute Service (ECS) instances that are deployed in different zones of the VPC.

When you create a VPN gateway, you must specify a vSwitch. The VPN gateway is deployed in the zone to which the vSwitch belongs. The VPN gateway can forward network traffic for all ECS instances in all zones of the VPC.

You may need to add routes to specify how ECS network traffic is forwarded based on the scenario. For example, if the vSwitch in a zone is associated with a custom route table, you need to add a route that points to the VPN gateway to the custom route table.

How do I troubleshoot the overlapping route error that is reported when I add a route to a VPN gateway?

Possible causes:

  • The destination CIDR block of the route that you want to add is the same as the destination CIDR block of an existing route of the VPC. Check the routes in the VPC route table and prevent overlapping routes.

  • The route that you want to add overlaps with an existing route of the VPN gateway. Check the routes in the policy-based route table and destination-based route table of the VPN gateway.

    • If you add a destination-based route, and the destination CIDR block and next hop are the same as those of an existing destination-based route of the VPN gateway, the route overlapping error is reported.

    • If you add a policy-based route that has the same source CIDR block, destination CIDR block, and next hop as an existing policy-based route of the VPN gateway, the route overlapping error is reported.
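To make the overlap rules above concrete, here is an added Python check (example code for this FAQ, not Alibaba Cloud's own validation logic) that applies them to a constructed route set before a route is added. The route and next-hop identifiers and the sample CIDR blocks are assumptions. It goes one step beyond the page: overlapping_destinations also lists existing routes that contain or are contained by the new destination, which are the first candidates to inspect when the exact cause is not obvious.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class DestinationRoute:
    destination: str  # destination CIDR block
    next_hop: str     # next-hop identifier, e.g. an IPsec-VPN connection (assumed naming)


@dataclass(frozen=True)
class PolicyRoute:
    source: str       # source CIDR block
    destination: str  # destination CIDR block
    next_hop: str


def _net(cidr: str):
    """Parse a CIDR block; strict=False tolerates host bits set in the address part."""
    return ipaddress.ip_network(cidr, strict=False)


def destination_route_conflict(new: DestinationRoute, vpc_routes: List[DestinationRoute],
                               gateway_routes: List[DestinationRoute]) -> Optional[str]:
    """Reason the console would reject a destination-based route, or None if it can be added."""
    # Cause 1: destination identical to an existing route in the VPC route table.
    for r in vpc_routes:
        if _net(r.destination) == _net(new.destination):
            return f"VPC route table already routes {r.destination} (next hop {r.next_hop})"
    # Cause 2: destination and next hop identical to an existing destination-based gateway route.
    for r in gateway_routes:
        if _net(r.destination) == _net(new.destination) and r.next_hop == new.next_hop:
            return f"VPN gateway already has destination-based route {r.destination} -> {r.next_hop}"
    return None


def policy_route_conflict(new: PolicyRoute, gateway_policy_routes: List[PolicyRoute]) -> Optional[str]:
    """Reason a policy-based route would be rejected: same source, destination and next hop."""
    for r in gateway_policy_routes:
        if (_net(r.source) == _net(new.source)
                and _net(r.destination) == _net(new.destination)
                and r.next_hop == new.next_hop):
            return f"VPN gateway already has policy-based route {r.source} -> {r.destination} via {r.next_hop}"
    return None


def overlapping_destinations(destination: str, routes: List[DestinationRoute]) -> List[str]:
    """Advisory, beyond the FAQ's exact-match rules: existing destinations that contain or are
    contained by the new one. Not an error by the page's rules, but worth inspecting first."""
    new = _net(destination)
    return [r.destination for r in routes
            if _net(r.destination).version == new.version
            and _net(r.destination) != new
            and _net(r.destination).overlaps(new)]


# Constructed sample state (private ranges; identifiers are made up for the example).
VPC_ROUTES = [DestinationRoute("192.168.0.0/16", "vpn-gw-example"),
              DestinationRoute("0.0.0.0/0", "nat-gw-example")]
GATEWAY_ROUTES = [DestinationRoute("10.10.0.0/16", "ipsec-conn-1")]
GATEWAY_POLICY_ROUTES = [PolicyRoute("172.16.0.0/24", "10.20.0.0/16", "ipsec-conn-1")]

if __name__ == "__main__":
    candidate = DestinationRoute("10.10.0.0/16", "ipsec-conn-1")
    print(destination_route_conflict(candidate, VPC_ROUTES, GATEWAY_ROUTES))
    print(overlapping_destinations("10.10.5.0/24", GATEWAY_ROUTES))
```

The checks return a reason string rather than raising, so they can be run over a whole planned change set and the results listed before anything is applied.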

Why does the bandwidth of a VPN connection fail to meet the bandwidth specifications that I purchase?

After you purchase a VPN gateway, it provides the bandwidth of the specification that you purchased. However, the bandwidth that you observe may be reduced by the following factors when your VPN gateway transfers data:

  • The capabilities of the device associated with the customer gateway, the number of concurrent connections, the average packet size, and the protocol that is used, such as TCP or UDP.

  • The network latency between the device associated with the customer gateway and the VPN Gateway.

    Note

    If you purchase a public VPN gateway or use a public IPsec-VPN connection, the public bandwidth and Internet latency may affect your bandwidth.

If you want to test the bandwidth of your VPN gateway, we recommend that you use iPerf3. The rate of transferring files by running commands such as scp commands, ftp commands, and cp commands cannot reflect the actual bandwidth due to the impact of reading data from and writing data to the disk. For more information about how to use iPerf3, see the Use iPerf3 to test the bandwidth of Express Connect circuit section of the "Test the performance of an Express Connect circuit" topic.

If you require higher transmission quality, we recommend that you use CEN. For more information, see What is CEN?

Can I use a VPN gateway to encrypt the traffic between a VPC and a public IP address?

Yes, you can use a VPN gateway to encrypt the traffic between a VPC and a public IP address.

If you use a VPN gateway to encrypt the access to resources in a VPC and your client or data center needs to use the public IP addresses to access the resources in the VPC, make sure that the following conditions are met:

  1. The CIDR block to which the public IP addresses belong is added to the VPN gateway.

    • If you use IPsec-VPN, make sure that the public CIDR block is added to the Remote Network of the IPsec-VPN connection.

    • If you use SSL-VPN, make sure that the public CIDR block is added to the Client CIDR Block of the SSL server.

  2. The public CIDR block is specified as the user CIDR block of the VPC. This ensures that the VPC can access the public CIDR block. For more information about user CIDR blocks, see the What is a user CIDR block? and the How do I configure a user CIDR block? sections of the "FAQ" topic.