This topic describes how to create an SSL server. Before you can create an SSL-VPN connection, you must create an SSL server.
Prerequisites
Procedure
- Log on to the VPN Gateway console.
- In the left-side navigation pane, choose Interconnections > VPN > SSL Servers.
- In the top navigation bar, select the region of the SSL server.
- On the SSL Servers page, click Create SSL Server.
- In the Create SSL Server panel, set the following parameters and click OK.
Parameter / Description

Name
Enter a name for the SSL server. The name must be 2 to 128 characters in length and can contain letters, digits, hyphens (-), and underscores (_). It must start with a letter.

VPN Gateway
Select the VPN gateway that you want to associate with the SSL server. Make sure that SSL-VPN is enabled for the VPN gateway.

Local Network
Enter the CIDR block that the client needs to access through the SSL-VPN connection. The CIDR block can be the CIDR block of a virtual private cloud (VPC), a vSwitch, a cloud service such as Object Storage Service (OSS) or a database service, or a data center that is connected to a VPC through an Express Connect circuit. Click Add Local Network to add more CIDR blocks.
Note: The subnet mask of the local CIDR block must be 8 to 32 bits in length.

Client Subnet
Enter the CIDR block from which the VPN gateway allocates an IP address to the virtual network interface controller (NIC) of the client. Do not enter the private CIDR block of the client itself. When the client accesses the destination network through an SSL-VPN connection, the VPN gateway allocates an IP address from the client CIDR block to the client. Make sure that the client CIDR block provides at least four times as many IP addresses as the maximum number of SSL-VPN connections supported by the VPN gateway.
Why four addresses per connection: if you specify 192.168.0.0/24 as the client CIDR block, the system first carves a subnet with a 30-bit mask out of 192.168.0.0/24, for example 192.168.0.4/30, which holds four IP addresses. The system allocates one IP address from 192.168.0.4/30 to the client and uses the other three to maintain network communication. One client therefore consumes four IP addresses, and the client CIDR block must provide at least four times as many IP addresses as the number of SSL-VPN connections for every client to receive an address.
Recommended client CIDR blocks for different numbers of SSL-VPN connections:

SSL-VPN connections | Recommended client CIDR block
5                   | Subnet mask of at most 27 bits. Examples: 10.0.0.0/27 and 10.0.0.0/26.
10                  | Subnet mask of at most 26 bits. Examples: 10.0.0.0/26 and 10.0.0.0/25.
20                  | Subnet mask of at most 25 bits. Examples: 10.0.0.0/25 and 10.0.0.0/24.
50                  | Subnet mask of at most 24 bits. Examples: 10.0.0.0/24 and 10.0.0.0/23.
100                 | Subnet mask of at most 23 bits. Examples: 10.0.0.0/23 and 10.0.0.0/22.
200                 | Subnet mask of at most 22 bits. Examples: 10.0.0.0/22 and 10.0.0.0/21.
500                 | Subnet mask of at most 21 bits. Examples: 10.0.0.0/21 and 10.0.0.0/20.
1000                | Subnet mask of at most 20 bits. Examples: 10.0.0.0/20 and 10.0.0.0/19.
Notice:
- The subnet mask of the client CIDR block must be 16 to 29 bits in length.
- The local CIDR block and the client CIDR block must not overlap.
- We recommend that you use 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, or one of their subnets as the client CIDR block. If you want to specify a public CIDR block as the client CIDR block, you must also specify that public CIDR block as the user CIDR block of the VPC so that the VPC can reach it. For more information about user CIDR blocks, see What is a user CIDR block? and How do I configure a user CIDR block?.
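The sizing rule above (one /30, that is four addresses, per connection) and the Notice constraints can be checked before you click OK. The following Python script is an added example, not Alibaba Cloud's code: it assumes that every SSL-VPN connection consumes exactly one /30 as described above and that you know the maximum number of SSL-VPN connections your VPN gateway supports. The mask limits and the RFC 1918 recommendation are taken from this page; the function names are this example's own.

```python
# Added example (not Alibaba Cloud's code): pre-check the Local Network and
# Client Subnet values of an SSL server against the rules on this page.
# Assumptions: every SSL-VPN connection consumes one /30 (four addresses),
# and the caller passes in the gateway's maximum connection count.
import ipaddress

LOCAL_PREFIX_RANGE = (8, 32)     # local CIDR block: subnet mask of 8 to 32 bits
CLIENT_PREFIX_RANGE = (16, 29)   # client CIDR block: subnet mask of 16 to 29 bits
ADDRESSES_PER_CONNECTION = 4     # one /30 per connection, as the page explains
RFC1918_BLOCKS = [ipaddress.IPv4Network(b)
                  for b in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def min_client_prefix(max_connections: int) -> int:
    """Longest client prefix that still holds four addresses per connection."""
    if max_connections < 1:
        raise ValueError("max_connections must be at least 1")
    needed = ADDRESSES_PER_CONNECTION * max_connections
    # Smallest power-of-two block with at least `needed` addresses.
    prefix = 32 - (needed - 1).bit_length()
    shortest, longest = CLIENT_PREFIX_RANGE
    if prefix < shortest:
        raise ValueError(f"{max_connections} connections do not fit in a /{shortest}")
    return min(prefix, longest)  # a /30 fits one connection, but /29 is the longest allowed


def _parse(cidr: str, field: str):
    """Parse a CIDR block; return (network, None) or (None, problem text)."""
    try:
        return ipaddress.IPv4Network(cidr, strict=True), None
    except ValueError as exc:
        return None, f"{field} {cidr!r} is not a valid CIDR block: {exc}"


def check_ssl_server(local_networks, client_subnet, max_connections):
    """Return a list of problems; an empty list means the values satisfy the page's rules."""
    problems = []
    client, err = _parse(client_subnet, "Client Subnet")
    if err:
        return [err]

    locals_ = []
    for cidr in local_networks:
        net, err = _parse(cidr, "Local Network")
        if err:
            problems.append(err)
        else:
            locals_.append(net)

    lo, hi = LOCAL_PREFIX_RANGE
    for net in locals_:
        if not lo <= net.prefixlen <= hi:
            problems.append(f"Local Network {net} has a /{net.prefixlen} mask; it must be /{lo} to /{hi}")

    lo, hi = CLIENT_PREFIX_RANGE
    if not lo <= client.prefixlen <= hi:
        problems.append(f"Client Subnet {client} has a /{client.prefixlen} mask; it must be /{lo} to /{hi}")

    # The client block must not overlap any local block.
    for net in locals_:
        if client.overlaps(net):
            problems.append(f"Client Subnet {client} overlaps Local Network {net}")

    # Capacity: four addresses per connection.
    capacity = client.num_addresses // ADDRESSES_PER_CONNECTION
    if capacity < max_connections:
        try:
            advice = f"need at least a /{min_client_prefix(max_connections)}"
        except ValueError as exc:
            advice = str(exc)
        problems.append(f"Client Subnet {client} serves at most {capacity} connections; "
                        f"{max_connections} connections {advice}")

    # A public client block only works if it is also the VPC's user CIDR block.
    if not any(client.subnet_of(block) for block in RFC1918_BLOCKS):
        problems.append(f"Client Subnet {client} is outside the RFC 1918 ranges; configure it "
                        "as the VPC's user CIDR block or use a private block")
    return problems


if __name__ == "__main__":
    # Constructed inputs: a VPC CIDR block and a client block for a gateway allowing 100 connections.
    for problem in check_ssl_server(["192.168.0.0/24"], "10.0.0.0/24", 100):
        print(problem)
```

Run it with your own Local Network list, Client Subnet and gateway connection limit; an empty result means the values satisfy every rule stated on this page. The script only checks those rules locally and does not call the VPN Gateway API.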
Advanced Configuration

Protocol
Specify the protocol that is used by the SSL-VPN connection. Valid values:
- UDP (default)
- TCP

Port
Specify the port that is used by the SSL-VPN connection. Default value: 1194.

Encryption Algorithm
Specify the encryption algorithm that is used by the SSL-VPN connection. Valid values:
- AES-128-CBC (default)
- AES-192-CBC
- AES-256-CBC
- none: no encryption algorithm is used. Data sent over the SSL-VPN connection is then transmitted unencrypted, so do not select this value for production traffic.

Enable Compression
Specify whether to compress the data that is transmitted over the SSL-VPN connection. Valid values:
- Yes
- No (default)
Keep the default unless you need compression: compressing data before it is encrypted can leak information about the plaintext.
Two-factor Authentication Specify whether to enable two-factor authentication for the VPN gateway. By default, two-factor authentication is disabled. If you want to enable two-factor authentication, you must specify an Identity as a Service (IDaaS) instance. Two-factor authentication uses the username and password of the specified IDaaS instance to authenticate the SSL client. For more information, see Two-factor authentication.
Note:
- Only VPN gateways that were created after 00:00:00 (UTC+8), March 5, 2020 support two-factor authentication. If your VPN gateway was created before March 5, 2020, you can upgrade it to enable two-factor authentication. For more information, see Upgrade a VPN gateway.
- If this is your first time using two-factor authentication, you must authorize the VPN gateway to access the IDaaS instance before you create the SSL server.