This topic provides answers to some frequently asked questions about VPN gateways.

Can I deploy a VPN gateway in a classic network?

No, you cannot deploy a VPN gateway in a classic network.

VPN gateways support only virtual private clouds (VPCs). If you want the resources in a classic network to use the VPN gateway of a VPC, you must enable ClassicLink for the VPC. For more information, see Connect a data center to a classic network by using IPsec-VPN.

What are the prerequisites for connecting a data center to a VPC through IPsec-VPN?

  • The gateway device of the data center must support the IKEv1 and IKEv2 protocols.

    IPsec-VPN supports both IKEv1 and IKEv2. All gateway devices that support the IKEv1 and IKEv2 protocols can connect to VPN gateways on Alibaba Cloud.

  • A static public IP address is assigned to the gateway device in the data center.
  • The client CIDR block and the VPC CIDR block do not overlap with each other.

For more information about how to connect a data center to a VPC through IPsec-VPN, see Connect a data center to a VPC.

Can I use VPN gateways to connect VPCs across regions?

Yes, you can use VPN gateways to connect VPCs across regions. For more information, see Establish IPsec-VPN connections between two VPCs.

What types of gateway devices can connect to VPN gateways?

Alibaba Cloud VPN gateways support the standard IKEv1 and IKEv2 protocols. All gateway devices that support the IKEv1 and IKEv2 protocols can connect to VPN gateways on Alibaba Cloud. For example, gateway devices manufactured by H3C, Hillstone, Sangfor, Cisco ASA, Juniper, SonicWall, Nokia, IBM, and Ixia can connect to VPN gateways on Alibaba Cloud. For more information, see Configure a gateway device in a data center.

How many IPsec-VPN connections can be established to a VPN gateway?

By default, you can establish at most 10 IPsec-VPN connections to a VPN gateway. You cannot adjust the limit.

Can I use VPN gateways to access the Internet?

No, you cannot use VPN gateways to access the Internet.

You can use VPN gateways to access only VPCs through private connections.

Does network traffic between VPCs traverse the Internet?

No, network traffic between VPCs does not traverse the Internet.

When you use VPN gateways to connect VPCs across regions, network traffic is transmitted only within Alibaba Cloud.

Can I specify more than one client CIDR block for an IPsec-VPN connection?

Yes, you can specify more than one client CIDR block for an IPsec-VPN connection.

We recommend that you specify IKEv2 when you create the connection.

Can I downgrade a VPN gateway?

Yes, you can downgrade a VPN gateway.

To downgrade a VPN gateway, submit a ticket.

Can I enable SSL-VPN for VPN gateways that are created before the release date of SSL-VPN?

No, you cannot enable SSL-VPN for VPN gateways that are created before the release date of SSL-VPN.

If you must enable SSL-VPN for VPN gateways that are created before the release date of SSL-VPN, submit a ticket.

How can I configure network access control list (ACL) rules on a VPN gateway?

Type of VPN gateway: IPsec-VPN

Configure outbound and inbound rules to allow the following CIDR block and IP addresses. This way, the VPN gateway can establish IPsec-VPN connections.

  • 100.64.0.0/10

    Note: Alibaba Cloud uses 100.64.0.0/10 to provide services. You must allow the 100.64.0.0/10 CIDR block so that the VPN gateway can work as expected.

  • The IP address of the customer gateway
  • The IP address of the VPN gateway

Type of VPN gateway: SSL-VPN

Configure inbound and outbound rules to allow the following IP addresses and CIDR block, and open the following port. This way, the VPN gateway can establish SSL-VPN connections.

  • 100.64.0.0/10

    Note: Alibaba Cloud uses 100.64.0.0/10 to provide services. You must allow the 100.64.0.0/10 CIDR block so that the VPN gateway can work as expected.

  • The public IP address of the client
  • The IP address of the VPN gateway
  • The port that is used by SSL-VPN connections. For example, you can specify port 1194.
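As an added example that is not part of this FAQ or of Alibaba Cloud's own tooling, the following Python check takes a constructed list of network ACL rules and reports which of the entries listed above (100.64.0.0/10, the gateway and peer addresses, and the SSL-VPN port) are not yet allowed in each direction. The rule dictionary shape, the sample addresses and the "ipsec"/"ssl" labels are assumptions made for this example.

```python
import ipaddress

# 100.64.0.0/10 is the CIDR block the FAQ says Alibaba Cloud uses to provide services.
SERVICE_CIDR = "100.64.0.0/10"


def _allowed(rules, direction, target, port=None):
    """True if an 'accept' rule in `direction` covers `target` (and `port`, if given)."""
    target_net = ipaddress.ip_network(target, strict=False)
    for rule in rules:
        if rule["direction"] != direction or rule["action"] != "accept":
            continue
        if not target_net.subnet_of(ipaddress.ip_network(rule["cidr"], strict=False)):
            continue
        if port is not None:
            low, high = rule.get("ports", (1, 65535))  # no port range means all ports
            if not low <= port <= high:
                continue
        return True
    return False


def missing_entries(rules, gateway_type, gateway_ip, peer_ip, ssl_port=1194):
    """Return the (direction, target, port) entries the FAQ requires but the ACL lacks.

    gateway_type is "ipsec" or "ssl". peer_ip is the customer gateway IP for
    IPsec-VPN or the client's public IP for SSL-VPN. An empty list means sufficient.
    Assumed rule shape: {"direction", "action", "cidr", optional "ports": (low, high)}.
    """
    directions = ("inbound", "outbound")
    checks = [(d, t, None) for d in directions for t in (SERVICE_CIDR, gateway_ip, peer_ip)]
    if gateway_type == "ssl":
        # SSL-VPN additionally needs its port open between the client and the gateway.
        checks += [(d, peer_ip, ssl_port) for d in directions]
    return [c for c in checks if not _allowed(rules, *c)]


# Constructed sample ACL (documentation addresses, not real gateways): outbound allows
# everything; inbound opens 1194 for the gateway and client addresses but forgets
# the 100.64.0.0/10 service block.
SAMPLE_RULES = [
    {"direction": "outbound", "action": "accept", "cidr": "0.0.0.0/0"},
    {"direction": "inbound", "action": "accept", "cidr": "203.0.113.10/32", "ports": (1194, 1194)},
    {"direction": "inbound", "action": "accept", "cidr": "198.51.100.7/32", "ports": (1194, 1194)},
]

if __name__ == "__main__":
    for entry in missing_entries(SAMPLE_RULES, "ssl", "203.0.113.10", "198.51.100.7"):
        print("ACL is missing:", entry)
```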

Why am I unable to connect to an AWS VPN through Alibaba Cloud IPsec-VPN?

Cause

An AWS VPN encrypted tunnel does not support multi-SA negotiation. If you set Routing Mode to Protected Data Flow and specify multiple values for Local CIDR Block or Peer CIDR Block on the Alibaba Cloud side, the connection negotiates multiple SAs, and packets cannot be sent from the AWS VPN side because of this limit.

Solution

  • If you keep Routing Mode set to Protected Data Flow, specify only one CIDR block for Local CIDR Block and only one CIDR block for Peer CIDR Block.
  • Alternatively, change the Routing Mode of the IPsec-VPN connection on Alibaba Cloud to Destination Routing Mode.

What is the difference between an IPsec server and an SSL server?

Scenarios
  • IPsec-VPN server: Provides end-to-site connections.
  • SSL-VPN server: Provides end-to-site connections.

Client mode
  • IPsec-VPN server: Allows mobile clients that run iOS to establish IPsec-VPN connections to Alibaba Cloud.
  • SSL-VPN server: Allows mobile clients that run Android and computers to establish SSL-VPN connections to Alibaba Cloud.

Connection mode
  • IPsec-VPN server: Allows mobile clients that run iOS to establish IPsec-VPN connections to Alibaba Cloud by using the built-in VPN feature.
  • SSL-VPN server: Allows mobile clients that run Android and computers to establish SSL-VPN connections to Alibaba Cloud by using OpenVPN.

Encryption method
  • IPsec-VPN server: IPsec protocol
  • SSL-VPN server: SSL certificate

What are inter-border connections and intra-border connections?

Alibaba Cloud VPN Gateway provides services in compliance with the state policies and regulations of China. You can use VPN Gateway to establish only intra-border connections.

Inter-border connections

  • When you create an IPsec-VPN connection, the connection is inter-border if the regions of the data center and the IPsec-VPN connection meet one of the following conditions:
    • The data center is located in China, excluding China (Hong Kong), and the IPsec-VPN connection is located outside of the Chinese mainland.
    • The data center is located outside China or in China (Hong Kong), and the IPsec-VPN connection is located in the Chinese mainland.
  • When you create an SSL-VPN connection, the connection is inter-border if the regions of the client and the SSL server meet one of the following conditions:
    • The SSL server is located in China, excluding China (Hong Kong), and the client is located outside of the Chinese mainland.
    • The client is located outside China or in China (Hong Kong), and the SSL server is located in the Chinese mainland.

If you need to create inter-border connections, we recommend that you use the Cloud Enterprise Network (CEN) service. For more information, see What is CEN?

Intra-border connections

  • When you create an IPsec-VPN connection, the connection is intra-border if the regions of the data center and the IPsec-VPN connection meet one of the following conditions:
    • The data center is located in China, excluding China (Hong Kong), and the IPsec-VPN connection is located in the Chinese mainland.
    • The data center is located outside China or in China (Hong Kong), and the IPsec-VPN connection is located outside the Chinese mainland.
  • When you create an SSL-VPN connection, the connection is intra-border if the regions of the client and the SSL server meet one of the following conditions:
    • The client is located in China, excluding China (Hong Kong), and the SSL server is located in the Chinese mainland.
    • The client is located outside China or in China (Hong Kong), and the SSL server is located outside the Chinese mainland.

How do I choose a region for an IPsec-VPN connection or an SSL server?

  • If the IPsec-VPN connection needs to be attached to a VPN gateway, the IPsec-VPN connection and the VPN gateway must be in the same region.
  • If the IPsec-VPN connection needs to be attached to a transit router, choose the region that is nearest to the data center.
  • The SSL server and the VPN gateway must be in the same region.

Which regions are in the Chinese mainland and which regions are outside the Chinese mainland?

The following table lists the regions that are in the Chinese mainland or outside the Chinese mainland.

  • Chinese mainland: China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Hangzhou), China (Shanghai), China (Nanjing - Local Region), China (Fuzhou - Local Region), and China (Chengdu)
  • Outside Chinese mainland: China (Hong Kong), Singapore, Malaysia (Kuala Lumpur), Japan (Tokyo), Indonesia (Jakarta), India (Mumbai), Philippines (Manila), South Korea (Seoul), Thailand (Bangkok), Germany (Frankfurt), UK (London), Australia (Sydney), UAE (Dubai), US (Silicon Valley), and US (Virginia)