This topic provides answers to some frequently asked questions about VPN gateways.

Can I deploy a VPN gateway in a classic network?

No, you cannot deploy a VPN gateway in a classic network.

VPN gateways support only virtual private clouds (VPCs). If you want the resources in a classic network to use the VPN gateway of a VPC, you must enable ClassicLink for the VPC. For more information, see Connect a data center to a classic network by using IPsec-VPN.

What are the prerequisites for connecting a data center to a VPC through IPsec-VPN?

  • The gateway device in the data center supports IKEv1 or IKEv2.

    IPsec-VPN supports both IKEv1 and IKEv2, so any gateway device that implements either protocol can connect to a VPN gateway on Alibaba Cloud.

  • A static public IP address is assigned to the gateway device in the data center.
  • The client CIDR blocks (the data center side of the connection) and the VPC CIDR blocks do not overlap with each other.

For more information about how to connect a data center to a VPC through IPsec-VPN, see Connect a data center to a VPC.
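The overlap prerequisite is easy to get wrong when several blocks are involved on each side, so here is a small check, added as an example and not part of the Alibaba Cloud documentation or tooling, that validates a planned list of VPC and client CIDR blocks with Python's standard ipaddress module. It also rejects malformed blocks and overlaps within one side, which are not mentioned above but break the same selector negotiation. The sample CIDR blocks are constructed for the example.

```python
import ipaddress

# Constructed sample: the VPC CIDR blocks to expose, and the on-premises
# (client) CIDR blocks that will reach them. Example values only.
VPC_CIDRS = ["172.16.0.0/16", "192.168.10.0/24"]
CLIENT_CIDRS = ["10.0.0.0/8", "192.168.10.128/25"]


def find_overlaps(vpc_cidrs, client_cidrs):
    """Return (vpc, client) pairs whose address ranges intersect.

    Each VPC/client pair becomes an IPsec traffic selector; if the two sides
    share addresses, hosts in the shared range cannot be routed unambiguously.
    """
    overlaps = []
    for v in vpc_cidrs:
        vnet = ipaddress.ip_network(v, strict=True)
        for c in client_cidrs:
            cnet = ipaddress.ip_network(c, strict=True)
            if vnet.overlaps(cnet):
                overlaps.append((str(vnet), str(cnet)))
    return overlaps


def validate_cidr_plan(vpc_cidrs, client_cidrs):
    """Check the CIDR prerequisite: well-formed blocks, no overlap within a side,
    no overlap between sides. Returns a list of problems; empty means OK."""
    problems = []
    # strict=True rejects blocks with host bits set, e.g. 10.1.0.1/16
    for label, cidrs in (("VPC", vpc_cidrs), ("client", client_cidrs)):
        for c in cidrs:
            try:
                ipaddress.ip_network(c, strict=True)
            except ValueError as e:
                problems.append(f"{label} CIDR {c!r} is invalid: {e}")
    if problems:
        return problems
    # Blocks on the same side must not overlap either: a duplicated or nested
    # block produces duplicated selectors and ambiguous routes.
    for label, cidrs in (("VPC", vpc_cidrs), ("client", client_cidrs)):
        nets = [ipaddress.ip_network(c) for c in cidrs]
        for i in range(len(nets)):
            for j in range(i + 1, len(nets)):
                if nets[i].overlaps(nets[j]):
                    problems.append(f"{label} CIDRs {nets[i]} and {nets[j]} overlap")
    for v, c in find_overlaps(vpc_cidrs, client_cidrs):
        problems.append(f"VPC CIDR {v} overlaps client CIDR {c}")
    return problems


if __name__ == "__main__":
    for line in validate_cidr_plan(VPC_CIDRS, CLIENT_CIDRS) or ["CIDR plan OK"]:
        print(line)
```

Run it before creating the connection; the sample input above fails because 192.168.10.128/25 on the client side sits inside the VPC block 192.168.10.0/24.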

Can I use VPN gateways to connect VPCs across regions?

Yes, you can use VPN gateways to connect VPCs across regions. For more information, see Establish IPsec-VPN connections between two VPCs.

What types of gateway devices can connect to VPN gateways?

Alibaba Cloud VPN gateways support the standard IKEv1 and IKEv2 protocols. Any gateway device that implements IKEv1 or IKEv2 can connect to a VPN gateway on Alibaba Cloud. For example, devices from H3C, Hillstone, Sangfor, Cisco (ASA), Juniper, SonicWall, Nokia, IBM, and Ixia can connect to VPN gateways on Alibaba Cloud. For more information, see Configure a gateway device in a data center.

How many IPsec-VPN connections can be established to a VPN gateway?

By default, you can establish at most 10 IPsec-VPN connections to a VPN gateway. To create more IPsec-VPN connections, request a quota increase. For more information, see Manage quotas.

Can I use VPN gateways to access the Internet?

No, you cannot use VPN gateways to access the Internet.

You can use VPN gateways to access only VPCs through private connections.

Does network traffic between VPCs traverse the Internet?

No, network traffic between VPCs does not traverse the Internet.

When you use VPN gateways to connect VPCs across regions, network traffic is transmitted only within Alibaba Cloud.

Can I specify more than one client CIDR block for an IPsec-VPN connection?

Yes, you can specify more than one client CIDR block for an IPsec-VPN connection.

We recommend that you select IKEv2 when you create the connection. With IKEv1, each pair of local and remote CIDR blocks is negotiated as a separate IPsec security association (SA), so several client CIDR blocks mean several SAs that must all be established and matched on the peer. IKEv2 can carry multiple traffic selectors in a single negotiation, which is simpler to configure and less error-prone.

Can I downgrade a VPN gateway?

Yes, you can downgrade a VPN gateway.

To downgrade a VPN gateway, submit a ticket.

Can I enable SSL-VPN for VPN gateways that are created before the release date of SSL-VPN?

No, you cannot enable SSL-VPN for VPN gateways that were created before the release date of SSL-VPN.

If you want to enable SSL-VPN for a VPN gateway that was created before the release date, submit a ticket.

How can I configure network access control list (ACL) rules on a VPN gateway?

The rules depend on the type of VPN gateway.

IPsec-VPN: Configure inbound and outbound rules that allow the following CIDR block and IP addresses, so that the VPN gateway can establish IPsec-VPN connections:
  • 100.104.0.0/16
  • The IP address of the customer gateway
  • The IP address of the VPN gateway

    If your rules also restrict protocols or ports, allow what IPsec uses between the two gateways: UDP port 500 (IKE), UDP port 4500 (IKE and ESP with NAT traversal), and ESP (IP protocol 50).

SSL-VPN: Configure inbound and outbound rules that allow the following CIDR block and IP addresses, and open the port used by SSL-VPN, so that the VPN gateway can establish SSL-VPN connections:
  • 100.104.0.0/16
  • The public IP address of the client
  • The IP address of the VPN gateway
  • The port configured for SSL-VPN connections, for example port 1194
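To check an ACL against this table before creating connections, the following Python is an added example (not Alibaba Cloud code, and not the schema of the network ACL API): it encodes the peers from the table, expands them into the flows an IPsec-VPN or SSL-VPN connection needs, and reports which of them a rule list does not accept. It assumes first-match-wins evaluation in list order; the IPsec flows additionally pin UDP 500 (IKE), UDP 4500 (NAT traversal) and ESP, which the table does not list but which IPsec uses on the wire; all IP addresses are constructed documentation addresses.

```python
import ipaddress

# Constructed example addresses (documentation ranges, not real gateways).
VPN_GATEWAY_IP = "198.51.100.5"       # the VPN gateway
CUSTOMER_GATEWAY_IP = "203.0.113.10"  # the data-center gateway device
SSL_CLIENT_IP = "203.0.113.20"        # public IP of an SSL-VPN client

# ACL model assumed by this checker (not the Alibaba Cloud API schema):
# entries are evaluated in list order, first match decides.
# direction "in" matches on source CIDR, "out" on destination CIDR;
# protocol is "tcp", "udp", "esp" or "all"; ports is an inclusive
# (low, high) tuple or None for any port.
def allow_both(cidr, protocol="all", ports=None):
    """Accept entries for `cidr` in both directions."""
    return [{"direction": d, "cidr": cidr, "protocol": protocol,
             "ports": ports, "action": "accept"} for d in ("in", "out")]

DENY_ALL = [{"direction": d, "cidr": "0.0.0.0/0", "protocol": "all",
             "ports": None, "action": "drop"} for d in ("in", "out")]

# A typical first attempt: addresses allowed, but only IKE on UDP 500.
ACL_INCOMPLETE = (
    allow_both("100.104.0.0/16")
    + allow_both(CUSTOMER_GATEWAY_IP + "/32", "udp", (500, 500))
    + DENY_ALL
)

# The corrected ACL: every flow from the table, ahead of the final drops.
ACL_FIXED = (
    allow_both("100.104.0.0/16")
    + allow_both(VPN_GATEWAY_IP + "/32")
    + allow_both(CUSTOMER_GATEWAY_IP + "/32", "udp", (500, 500))    # IKE
    + allow_both(CUSTOMER_GATEWAY_IP + "/32", "udp", (4500, 4500))  # NAT-T
    + allow_both(CUSTOMER_GATEWAY_IP + "/32", "esp")                # ESP, IP proto 50
    + DENY_ALL
)


def ipsec_required_flows(customer_gateway_ip, vpn_gateway_ip):
    """Flows an IPsec-VPN gateway needs in both directions: peers from the
    table above, plus the ports/protocols IKE and ESP use."""
    flows = []
    for d in ("in", "out"):
        flows.append((d, "100.104.0.0/16", "all", None))
        flows.append((d, vpn_gateway_ip + "/32", "all", None))
        for proto, port in (("udp", 500), ("udp", 4500), ("esp", None)):
            flows.append((d, customer_gateway_ip + "/32", proto, port))
    return flows


def sslvpn_required_flows(client_ip, vpn_gateway_ip, port=1194, transport="udp"):
    """Flows an SSL-VPN gateway needs; `port`/`transport` are whatever the
    SSL server is configured with (1194 is only the table's example)."""
    flows = []
    for d in ("in", "out"):
        flows.append((d, "100.104.0.0/16", "all", None))
        flows.append((d, vpn_gateway_ip + "/32", "all", None))
        flows.append((d, client_ip + "/32", transport, port))
    return flows


def first_match(acl, flow):
    """Return the first ACL entry that matches the whole flow, or None."""
    direction, peer, proto, port = flow
    peer_net = ipaddress.ip_network(peer)
    for e in acl:
        if e["direction"] != direction:
            continue
        if not peer_net.subnet_of(ipaddress.ip_network(e["cidr"])):
            continue
        if e["protocol"] not in ("all", proto):
            continue
        if e["ports"] is not None:
            if port is None or not (e["ports"][0] <= port <= e["ports"][1]):
                continue
        return e
    return None


def uncovered_flows(acl, flows):
    """Required flows the ACL does not accept (no match, or a drop matches first)."""
    missing = []
    for f in flows:
        m = first_match(acl, f)
        if m is None or m["action"] != "accept":
            missing.append(f)
    return missing


if __name__ == "__main__":
    flows = ipsec_required_flows(CUSTOMER_GATEWAY_IP, VPN_GATEWAY_IP)
    for name, acl in (("incomplete", ACL_INCOMPLETE), ("fixed", ACL_FIXED)):
        missing = uncovered_flows(acl, flows)
        print(f"{name} ACL, IPsec-VPN: {len(missing)} required flow(s) not allowed")
        for f in missing:
            print("   ", f)
```

Because matching is first-match, the same accept entries placed after a catch-all drop still fail the check, which is the ordering mistake the checker is meant to catch; for SSL-VPN, pass the port and transport the SSL server actually uses instead of the 1194 default.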

Why am I unable to connect to an AWS VPN gateway through IPsec-VPN?

  • Cause

    Each tunnel of an AWS VPN connection supports only one security association (SA). If the routing mode of the IPsec-VPN connection on the Alibaba Cloud side is set to Protected Data Flows, one SA is negotiated for each pair of VPC CIDR block and client CIDR block. As soon as more than one VPC CIDR block or more than one client CIDR block is specified, more than one SA is required and the AWS VPN gateway cannot forward the traffic of the additional pairs.

  • Solution
    • Keep Protected Data Flows mode and specify exactly one VPC CIDR block and one client CIDR block, so that a single SA covers the connection.
    • Change the routing mode of the IPsec-VPN connection on Alibaba Cloud to Destination Routing Mode, which does not tie SAs to CIDR pairs and forwards traffic based on destination routes instead.