This topic provides answers to frequently asked questions (FAQ) about VPN gateways.
FAQ
FAQ about VPN Gateway
What are cross-border connections and intra-border connections?
Does the data transfer between VPCs flow through the Internet?
Can a VPN gateway forward traffic of ECS instances that are deployed in different zones of a VPC?
Can I use a VPN gateway to encrypt the traffic between a VPC and a public IP address?
FAQ about IPsec-VPN
How many IPsec-VPN connections can be created on a VPN gateway?
What are the prerequisites for connecting a data center to a VPC over IPsec-VPN?
Can I specify multiple peer CIDR blocks for an IPsec-VPN connection?
How do I increase the maximum bandwidth of IPsec-VPN connections?
How do I select an IKE version when I create an IPsec-VPN connection?
What do I do if the number of routes reaches the upper limit?
FAQ about SSL-VPN
What are cross-border connections and intra-border connections?
Alibaba Cloud VPN Gateway provides services in compliance with the state policies and regulations of China. You can use VPN Gateway to establish only intra-border connections.
Cross-border connections
When you create an IPsec-VPN connection, the connection is cross-border if the regions of the data center and the IPsec-VPN connection meet one of the following conditions:
The data center is located in the Chinese mainland and the IPsec-VPN connection is located outside the Chinese mainland.
The data center is located outside the Chinese mainland and the IPsec-VPN connection is located in the Chinese mainland.
When you create an SSL-VPN connection, the connection is cross-border if the regions of the client and the SSL server meet one of the following conditions:
The client is located in the Chinese mainland and the SSL server is located outside the Chinese mainland.
The client is located outside the Chinese mainland and the SSL server is located in the Chinese mainland.
If you want to create cross-border connections, we recommend that you use Cloud Enterprise Network (CEN). For more information, see What is CEN?
Intra-border connections
When you create an IPsec-VPN connection, the connection is intra-border if the regions of the data center and the IPsec-VPN connection meet one of the following conditions:
The data center is located in the Chinese mainland and the IPsec-VPN connection is located in the Chinese mainland.
The data center is located outside the Chinese mainland and the IPsec-VPN connection is located outside the Chinese mainland.
When you create an SSL-VPN connection, the connection is intra-border if the regions of the client and the SSL server meet one of the following conditions:
The client is located in the Chinese mainland and the SSL server is located in the Chinese mainland.
The client is located outside the Chinese mainland and the SSL server is located outside the Chinese mainland.
Which regions support VPN Gateway?
Region category | Region |
Regions in the Chinese mainland | China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Hangzhou), China (Shanghai), China (Nanjing - Local Region), and China (Chengdu) |
Regions outside the Chinese mainland | China (Hong Kong), Singapore, Malaysia (Kuala Lumpur), Japan (Tokyo), Indonesia (Jakarta), India (Mumbai), Philippines (Manila), South Korea (Seoul), Thailand (Bangkok), Germany (Frankfurt), UK (London), Australia (Sydney), UAE (Dubai), US (Silicon Valley), and US (Virginia) |
How do I choose a region for an IPsec-VPN connection or an SSL server?
If the IPsec-VPN connection needs to be associated with a VPN gateway, the IPsec-VPN connection and the VPN gateway must be in the same region.
If the IPsec-VPN connection needs to be associated with a transit router, choose the region that is nearest to the data center.
The SSL server and the VPN gateway must be in the same region.
Can I use VPN gateways to access the Internet?
No, you cannot use VPN gateways to access the Internet.
You can use VPN gateways to access only virtual private clouds (VPCs) over private connections.
What are the prerequisites for connecting a data center to a VPC over IPsec-VPN?
The gateway device of the data center supports the Internet Key Exchange version 1 (IKEv1) or IKEv2 protocol.
IPsec-VPN supports the IKEv1 and IKEv2 protocols. All gateway devices that support the IKEv1 or IKEv2 protocol can connect to VPN gateways on Alibaba Cloud. For more information, see the How do I choose the IKE version when I configure an IPsec-VPN connection? section of this topic.
A static public IP address is assigned to the gateway device in the data center.
The CIDR blocks of the data center and the VPC do not overlap with each other.
For more information about how to connect a data center to a VPN by using an IPsec-VPN connection, see Connect a VPC to a data center in single-tunnel mode.
What types of gateway devices can connect to VPN gateways?
Alibaba Cloud VPN gateways support the standard IKEv1 and IKEv2 protocols. All gateway devices that support the IKEv1 or IKEv2 protocol can connect to Alibaba Cloud VPN gateways. For example, gateway devices provided by H3C, Hillstone, Sangfor, Cisco ASA, Juniper, SonicWall, Nokia, IBM, and Ixia can connect to Alibaba Cloud VPN gateways. For more information, see Configure local gateways.
Do VPN gateways support the classic network?
No, VPN gateways do not support the classic network.
VPN gateways support only VPCs. If you want the resources in the classic network to use the VPN gateway of a VPC, you must enable ClassicLink for the VPC. For more information, see Connect a data center to a classic network by using IPsec-VPN and Establish SSL-VPN connections to access resources in classic networks.
Can I use VPN gateways to connect VPCs across regions?
Yes, you can use VPN gateways to connect VPCs across regions.
For more information, see Establish IPsec-VPN connections between two VPCs.
If you create an IPsec-VPN connection between VPCs in different regions, the connection quality is affected by the Internet quality. We recommend that you use CEN to connect VPCs in different regions. For more information, see Use Enterprise Edition transit routers to connect VPCs in different regions and accounts.
Does the data transfer between VPCs flow through the Internet?
In scenarios in which two VPCs are connected by using VPN gateways:
If the VPCs are deployed in the same region, the data transfer between the VPCs flows only through Alibaba Cloud networks and does not flow through the Internet.
If the VPCs are deployed in different regions, the data transfer flows through the Internet.
What are the differences between an IPsec server and an SSL server?
| Item | IPsec-VPN server | SSL-VPN server |
| Scenarios | Provides end-to-site connections. | Provides end-to-site connections. |
| Client mode | Allows mobile clients that run iOS to establish IPsec-VPN connections to Alibaba Cloud. | Allows mobile clients that run Android and computers to establish SSL-VPN connections to Alibaba Cloud. |
| Connection mode | Allows mobile clients that run iOS to establish IPsec-VPN connections to Alibaba Cloud by using the built-in VPN feature. | Allows mobile clients that run Android and computers to establish SSL-VPN connections to Alibaba Cloud by using OpenVPN. |
| Encryption method | IPsec protocol | SSL certificate |
Can I specify multiple peer CIDR blocks for an IPsec-VPN connection?
Yes, you can specify multiple peer CIDR blocks for an IPsec-VPN connection.
Before you configure multiple peer CIDR blocks, we recommend that you learn about the proposals for configuring multiple CIDR blocks. For more information, see Configuration suggestions and FAQ about enabling communication among CIDR blocks.
How many IPsec-VPN connections can be created on a VPN gateway?
By default, you can create at most 10 IPsec-VPN connections on a VPN gateway. You can adjust the quota in the Quota Center console. For more information, see Manage VPN Gateway quotas.
How do I configure ACL rules for a VPN gateway?
Type of VPN gateway | ACL rule |
IPsec-VPN | Configure outbound and inbound rules to allow the following CIDR block and IP addresses. This way, the VPN gateway can establish IPsec-VPN connections.
|
SSL-VPN | Configure outbound and inbound rules to allow the following CIDR block and IP addresses and open the port that can be used by SSL-VPN connections. This way, the VPN gateway can establish SSL-VPN connections.
|
Can I upgrade or downgrade a VPN gateway?
Yes, you can upgrade or downgrade a VPN gateway.
For more information about how to upgrade or downgrade the bandwidth of a VPN gateway, see Upgrade or downgrade a VPN gateway.
For more information about how to increase or decrease the quota on SSL-VPN connections, see Modify the maximum number of concurrent SSL connections.
For more information about how to enable IPsec-VPN or SSL-VPN for a VPN gateway, see Enable IPsec-VPN and SSL-VPN.
Can I view the connection information about the SSL clients on a VPN gateway?
Yes, you can view the connection information about the SSL clients on a VPN gateway.
For more information, see View the information about an SSL client.
If your VPN gateway was created after December 10, 2022, you can view the connection information about SSL clients by default.
If your VPN gateway associated with an SSL server was created before December 10, 2022, you must upgrade the VPN gateway to the latest version before you can view the connection information about SSL clients. For more information, see Upgrade a VPN gateway.
Can I enable SSL-VPN for VPN gateways that are created before the release date of SSL-VPN?
No, you cannot enable SSL-VPN for VPN gateways that are created before the release date of SSL-VPN.
To enable SSL-VPN, upgrade the VPN gateways to the latest version. For more information, see Upgrade a VPN gateway.
How do I select an IKE version when I create an IPsec-VPN connection?
When you create an IPsec-VPN connection, you can select an IKE version based on the IKE versions supported by the peer gateway device and whether communication among multiple CIDR blocks is required.
Communication among multiple CIDR blocks is established if you specify multiple local CIDR blocks or remote CIDR blocks when you create an IPsec-VPN connection.
Supported IKE version | Whether communication among multiple CIDR blocks is required | Configuration |
IKEv1 only | Yes |
|
No | Both the IPsec-VPN connection and the peer gateway device use IKEv1. | |
IKEv2 only | Yes |
|
No | Both the IPsec-VPN connection and the peer gateway device use IKEv2. | |
IKEv1 and IKEv2 | Yes |
|
No | We recommend that both the IPsec-VPN connection and the peer gateway device use IKEv2. Compared with IKEv1, IKEv2 simplifies the SA negotiation process and provides better support for scenarios in which multiple CIDR blocks are used. Therefore, we recommend that you use IKEv2. |
After the IP address of a data center is translated by NAT, how does the data center establish an IPsec-VPN connection with a VPN gateway?
For example, a data center plans to use 42.XX.XX.1 to establish an IPsec-VPN connection with an Alibaba Cloud VPN gateway. The data center has SNAT enabled. SNAT translates 42.XX.XX.1 to 47.XX.XX.21. When you create a customer gateway in the VPN Gateway console, you must enter 47.XX.XX.21 as the IP address of the customer gateway. Otherwise, the data center cannot establish an IPsec-VPN connection with an Alibaba Cloud VPN gateway.
We recommend that you use the default IPsec port (port 500 or port 4500) to establish IPsec-VPN connections with VPN gateways.
If both the public VPN gateway and the VPC that is associated with the VPN gateway have NAT enabled, the IP address of the public VPN gateway remains unchanged and will not be translated by NAT.
How do I increase the maximum bandwidth of IPsec-VPN connections?
Use scenarios of IPsec-VPN connections associated with VPN gateways
If an IPsec connection is associated with a VPN gateway, the maximum bandwidth of the IPsec-VPN connection is 1,000 Mbit/s. In specific regions, the maximum bandwidth is 200 Mbit/s. If you want to increase the maximum bandwidth, you can deploy multiple VPN gateways to allow your data center to connect to VPN gateways over multiple IPsec-VPN connections. The following figure shows an example. For more information, see Use multiple VPN gateways to balance the loads of IPsec-VPN connections for high availability.
Use scenarios of IPsec-VPN connections associated with transit routers
After an IPsec connection is associated with a transit router, the maximum bandwidth of the IPsec connection is 1 Gbit/s. If you want to increase the maximum bandwidth, you can establish multiple IPsec-VPN connections between the transit router and your data center. This way, network traffic is transmitted between your data center and Alibaba Cloud over multiple IPsec-VPN connections. The following figure shows an example. For more information, see Create multiple IPsec-VPN connections over the Internet for load balancing and Create multiple private IPsec-VPN connections to implement load balancing.
IPsec-VPN connections established over the Internet:
IPsec-VPN connections established over private networks:
Can a VPN gateway forward traffic of ECS instances that are deployed in different zones of a VPC?
Yes, a VPN gateway can forward traffic of Elastic Compute Service (ECS) instances that are deployed in different zones of a VPC.
When you create a VPN gateway, you must specify a vSwitch. The VPN gateway is deployed in the zone to which the vSwitch belongs. The VPN gateway can forward network traffic for all ECS instances in all zones of the VPC.
You may need to add routes to specify how ECS network traffic is forwarded based on the actual scenario. For example, if a vSwitch in a zone is associated with a custom route table, you need to add a route that points to the VPN gateway to the custom route table.
How do I troubleshoot the overlapping route error that is reported when I add a route to a VPN gateway?
The possible causes of this error include:
The destination CIDR block of the route that you want to add is the same as the destination CIDR block of an existing route of the VPC. Check the routes in the VPC route table and avoid overlapping routes.
The route that you want to add overlaps with an existing route of the VPN gateway. Check the routes in the policy-based route table and destination-based route table of the VPN gateway.
If you add a destination-based route that has the same destination CIDR block and next hop as those of an existing destination-based route of the VPN gateway, the route overlapping error is reported.
If you add a policy-based route that has the same source CIDR block, destination CIDR block, and next hop as those of an existing policy-based route of the VPC gateway, the route overlapping error is reported.
Why does the bandwidth of a VPN connection fail to meet the bandwidth specifications that I purchase?
After you purchase a VPN gateway, the VPN gateway provides the bandwidth of the specifications that you purchase. However, your bandwidth may be affected due to the following causes when your VPN gateway transfers data:
The features of the device associated with the customer gateway, the number of concurrent connections, the average size of packets, and the used protocol, such as TCP or UDP.
The network latency between the device associated with the customer gateway and the VPN Gateway.
NoteIf you purchase a public VPN gateway or use an IPsec-VPN connection established over the Internet, the public bandwidth and Internet latency may affect your bandwidth.
If you want to test the bandwidth of your VPN gateway, we recommend that you use iPerf3. The rate of transferring files by running commands such as scp commands, ftp commands, and cp commands cannot reflect the actual bandwidth due to the impact of disk read and write speeds. For more information about how to use iPerf3, see the Use iPerf3 to test the bandwidth of Express Connect circuit section of the "Test the performance of an Express Connect circuit" topic.
If you require higher transmission quality, we recommend that you use CEN. For more information, see What is CEN?
Can I use a VPN gateway to encrypt the traffic between a VPC and a public IP address?
Yes, you can use a VPN gateway to encrypt the traffic between a VPC and a public IP address.
If your client or data center is connected to a VPC by using a VPN gateway and needs to access the resources in the VPC by using a public IP address, you must perform the following operations:
Add the public CIDR block to which the public IP address belongs to the VPN gateway.
If you use an IPsec-VPN connection, add the public CIDR block to the Remote Network of the IPsec-VPN connection.
If you use an SSL-VPN connection, add the public CIDR block to the Client CIDR Block of the SSL server.
Set the public CIDR block to which the public IP address belongs as the user CIDR block of the VPC. This ensures that the VPC can access the public CIDR block. For more information, see the What is a user CIDR block? and the How do I configure a user CIDR block? sections of the "VPC FAQ" topic.
What do I do if the number of routes reaches the upper limit?
If the number of policy-based routes, destination-based routes, or Border Gateway Protocol (BGP) routes reaches the upper limit, and you cannot add routes or the IPsec-VPN connection cannot learn routes from BGP, you can resolve this issue by performing the following operations:
Increase the quota of routes.
You can increase the quota of policy-based routes, destination-based routes, or BGP routes. For more information, see Quotas.
Configure an aggregated route.
You can aggregate multiple routes into one route without affecting your business.
For example, you have configured three destination-based routes whose destination CIDR blocks are respectively 10.10.1.0/24, 10.10.2.0/24, and 10.10.3.0/24, and whose next hops point to IPsec-VPN connection 1. In this case, you can add a destination-based route whose destination CIDR block is 10.10.0.0/22 and next hop points to IPsec-VPN connection 1. Then, you can delete the three destination-based routes.