This topic provides answers to some frequently asked questions about VPN gateways.

What are inter-border connections and intra-border connections?

Alibaba Cloud VPN Gateway provides services in compliance with the state policies and regulations of China. You can use VPN Gateway to establish only intra-border connections.

Inter-border connections

  • When you create an IPsec-VPN connection, the connection is inter-border if the regions of the data center and the IPsec-VPN connection meet one of the following conditions:
    • The data center is located in China, excluding China (Hong Kong), and the IPsec-VPN connection is located outside of the Chinese mainland.
    • The data center is located outside China or in China (Hong Kong), and the IPsec-VPN connection is located in the Chinese mainland.
  • When you create an SSL-VPN connection, the connection is inter-border if the regions of the client and the SSL server meet one of the following conditions:
    • The SSL server is located in China, excluding China (Hong Kong), and the client is located outside of the Chinese mainland.
    • The client is located outside China or in China (Hong Kong), and the SSL server is located in the Chinese mainland.

If you need to create inter-border connections, we recommend that you use the Cloud Enterprise Network (CEN) service. For more information, see What is CEN?

Intra-border connections

  • When you create an IPsec-VPN connection, the connection is intra-border if the regions of the data center and the IPsec-VPN connection meet one of the following conditions:
    • The data center is located in China, excluding China (Hong Kong), and the IPsec-VPN connection is located in the Chinese mainland.
    • The data center is located outside China or in China (Hong Kong), and the IPsec-VPN connection is located outside the Chinese mainland.
  • When you create an SSL-VPN connection, the connection is intra-border if the regions of the client and the SSL server meet one of the following conditions:
    • The client is located in China, excluding China (Hong Kong), and the SSL server is located in the Chinese mainland.
    • The client is located outside China or in China (Hong Kong), and the SSL server is located outside the Chinese mainland.

How do I choose a region for an IPsec-VPN connection or an SSL server?

  • If the IPsec-VPN connection needs to be attached to a VPN gateway, the IPsec-VPN connection and the VPN gateway must be in the same region.
  • If the IPsec-VPN connection needs to be attached to a transit router, choose the region that is nearest to the data center.
  • The SSL server and the VPN gateway must be in the same region.

Which regions are in the Chinese mainland and which regions are outside the Chinese mainland?

The following table lists the regions that are in the Chinese mainland or outside the Chinese mainland.

Area | Region
Chinese mainland | China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Hangzhou), China (Shanghai), China (Nanjing - Local Region), China (Fuzhou - Local Region), and China (Chengdu)
Outside Chinese mainland | China (Hong Kong), Singapore, Malaysia (Kuala Lumpur), Japan (Tokyo), Indonesia (Jakarta), India (Mumbai), Philippines (Manila), South Korea (Seoul), Thailand (Bangkok), Germany (Frankfurt), UK (London), Australia (Sydney), UAE (Dubai), US (Silicon Valley), and US (Virginia)
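The following is an added example, not part of the Alibaba Cloud documentation: it applies the inter-border and intra-border definitions above to a planned connection, using the region table as the source of truth for the cloud side. It assumes the on-premises location (data center for IPsec-VPN, client for SSL-VPN) is given as a country name, with Hong Kong written as "China (Hong Kong)".

```python
# Added example (not from the Alibaba Cloud documentation): classify a planned
# VPN Gateway connection as intra-border or inter-border from the FAQ's rules.
CHINESE_MAINLAND_REGIONS = {
    "China (Qingdao)", "China (Beijing)", "China (Zhangjiakou)", "China (Hohhot)",
    "China (Ulanqab)", "China (Shenzhen)", "China (Heyuan)", "China (Guangzhou)",
    "China (Hangzhou)", "China (Shanghai)", "China (Nanjing - Local Region)",
    "China (Fuzhou - Local Region)", "China (Chengdu)",
}
OUTSIDE_MAINLAND_REGIONS = {
    "China (Hong Kong)", "Singapore", "Malaysia (Kuala Lumpur)", "Japan (Tokyo)",
    "Indonesia (Jakarta)", "India (Mumbai)", "Philippines (Manila)",
    "South Korea (Seoul)", "Thailand (Bangkok)", "Germany (Frankfurt)",
    "UK (London)", "Australia (Sydney)", "UAE (Dubai)", "US (Silicon Valley)",
    "US (Virginia)",
}


def region_in_mainland(region: str) -> bool:
    """Cloud side: the region of the IPsec-VPN connection or the SSL server."""
    if region in CHINESE_MAINLAND_REGIONS:
        return True
    if region in OUTSIDE_MAINLAND_REGIONS:
        return False
    raise ValueError(f"region not in the FAQ table: {region!r}")


def site_in_mainland(location: str) -> bool:
    """On-premises side: the data center (IPsec-VPN) or the client (SSL-VPN).

    Assumption of this example: the location is a country name, with Hong Kong
    written as "China (Hong Kong)". Per the FAQ, "China, excluding China
    (Hong Kong)" is the mainland side; anywhere else counts as outside.
    """
    return location.strip() == "China"


def classify_connection(site_location: str, cloud_region: str) -> str:
    """Return "intra-border" when both ends are on the same side of the border,
    otherwise "inter-border" (not supported by VPN Gateway; the FAQ points to CEN)."""
    same_side = site_in_mainland(site_location) == region_in_mainland(cloud_region)
    return "intra-border" if same_side else "inter-border"
```

The same function serves both IPsec-VPN (data center versus connection region) and SSL-VPN (client versus SSL server region), because the FAQ's conditions are identical for the two.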

Can I use VPN gateways to access the Internet?

No, you cannot use VPN gateways to access the Internet.

You can use VPN gateways to access only VPCs through private connections.

What are the prerequisites for connecting a data center to a VPC through IPsec-VPN?

  • The gateway device of the data center must support the IKEv1 and IKEv2 protocols.

    IPsec-VPN supports both IKEv1 and IKEv2. All gateway devices that support the IKEv1 and IKEv2 protocols can connect to VPN gateways on Alibaba Cloud.

  • A static public IP address is assigned to the gateway device in the data center.
  • The client CIDR block and the VPC CIDR block do not overlap with each other.

For more information about how to connect a data center to a VPC through IPsec-VPN, see Connect a data center to a VPC.

What types of gateway devices can connect to VPN gateways?

Alibaba Cloud VPN gateways support the standard IKEv1 and IKEv2 protocols. All gateway devices that support the IKEv1 and IKEv2 protocols can connect to VPN gateways on Alibaba Cloud. Gateway devices from H3C, Hillstone, Sangfor, Cisco ASA, Juniper, SonicWall, Nokia, IBM, and Ixia can connect to VPN gateways on Alibaba Cloud. For more information, see Configure a gateway device in a data center.

Do VPN gateways support classic networks?

No, VPN gateways do not support classic networks.

VPN gateways support only VPCs. If you want the resources in a classic network to use the VPN gateway of a VPC, you must enable ClassicLink for the VPC. For more information, see Connect a data center to a classic network by using IPsec-VPN and Establish SSL-VPN connections to access resources in classic networks.

Can I use VPN gateways to connect VPCs across regions?

Yes, you can use VPN gateways to connect VPCs across regions.

For more information, see Establish IPsec-VPN connections between two VPCs.

Does the data transfer between VPCs flow through the Internet?

In scenarios in which two VPCs are connected by using a VPN gateway:
  • If the VPCs are deployed in the same region, the data transfer between the VPCs flows only through Alibaba Cloud networks and does not flow through the Internet.
  • If the VPCs are deployed in different regions, the data transfer flows through the Internet.

What are the differences between an IPsec server and an SSL server?

Item | IPsec-VPN server | SSL-VPN server
Scenarios | Provides end-to-site connections. | Provides end-to-site connections.
Client mode | Allows mobile clients that run iOS to establish IPsec-VPN connections to Alibaba Cloud. | Allows mobile clients that run Android and computers to establish SSL-VPN connections to Alibaba Cloud.
Connection mode | Allows mobile clients that run iOS to establish IPsec-VPN connections to Alibaba Cloud by using the built-in VPN feature. | Allows mobile clients that run Android and computers to establish SSL-VPN connections to Alibaba Cloud by using OpenVPN.
Encryption method | IPsec protocol | SSL certificate

Can I specify more than one peer CIDR block for an IPsec-VPN connection?

Yes, you can specify more than one peer CIDR block for an IPsec-VPN connection.

Before you configure multiple peer CIDR blocks, we recommend that you read the recommendations for configuring multiple CIDR blocks. For more information, see FAQ about IPsec-VPN connections.

How many IPsec-VPN connections can be established to a VPN gateway?

By default, you can create at most 10 IPsec-VPN connections to a VPN gateway. You can adjust the quota in the Quota Center console. For more information, see Manage VPN Gateway quotas.

How can I configure network access control list (ACL) rules on a VPN gateway?

IPsec-VPN

Configure outbound and inbound rules to allow the following CIDR block and IP addresses. This way, the VPN gateway can establish IPsec-VPN connections.
  • 100.64.0.0/10
    Note: Alibaba Cloud uses 100.64.0.0/10 to provide services. You must allow the 100.64.0.0/10 CIDR block so that the VPN gateway can work as expected.
  • The IP address of the customer gateway
  • The IP address of the VPN gateway

SSL-VPN

Configure inbound and outbound rules to allow the following IP addresses and CIDR block and open the following port. This way, the VPN gateway can establish SSL-VPN connections.
  • 100.64.0.0/10
    Note: Alibaba Cloud uses 100.64.0.0/10 to provide services. You must allow the 100.64.0.0/10 CIDR block so that the VPN gateway can work as expected.
  • The public IP address of the client
  • The IP address of the VPN gateway
  • The port that can be used by SSL-VPN connections.

    For example, you can specify port 1194.
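The following is an added example, not part of the Alibaba Cloud documentation: it checks a network ACL rule set against the entries listed above and reports what is still missing before the gateway is put into service. The rule model (direction, CIDR block, optional port) and the sample addresses are constructed for this example; it assumes the SSL-VPN port only has to be open for the client's public IP, while the other entries must be allowed on all ports.

```python
# Added example (not from the Alibaba Cloud documentation): report which
# FAQ-required network ACL entries a VPN gateway's rule set does not yet allow.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# CIDR block that Alibaba Cloud uses to provide services (from the FAQ).
ALIBABA_SERVICE_CIDR = ipaddress.ip_network("100.64.0.0/10")


@dataclass(frozen=True)
class AclRule:
    direction: str              # "inbound" or "outbound"
    cidr: str                   # allowed source/destination network
    port: Optional[int] = None  # None means the rule allows all ports


def required_entries(vpn_type: str, peer_ip: str, gateway_ip: str, ssl_port: int = 1194):
    """Entries the FAQ requires, as (direction, network, port); port None = all ports.

    peer_ip is the customer gateway IP (IPsec-VPN) or the client's public IP (SSL-VPN).
    Assumption: only the client entry is allowed to be limited to the SSL port.
    """
    peer = ipaddress.ip_network(f"{peer_ip}/32")
    gateway = ipaddress.ip_network(f"{gateway_ip}/32")
    if vpn_type == "IPsec-VPN":
        per_direction = [(ALIBABA_SERVICE_CIDR, None), (peer, None), (gateway, None)]
    elif vpn_type == "SSL-VPN":
        per_direction = [(ALIBABA_SERVICE_CIDR, None), (peer, ssl_port), (gateway, None)]
    else:
        raise ValueError(f"unknown VPN type: {vpn_type!r}")
    return [(d, net, port) for d in ("inbound", "outbound") for net, port in per_direction]


def rule_covers(rule: AclRule, net: ipaddress.IPv4Network, port: Optional[int]) -> bool:
    """True if the rule contains the whole network and is not narrower on ports."""
    return net.subnet_of(ipaddress.ip_network(rule.cidr)) and rule.port in (None, port)


def missing_acl_entries(vpn_type: str, rules: List[AclRule], peer_ip: str,
                        gateway_ip: str, ssl_port: int = 1194) -> List[str]:
    missing = []
    for direction, net, port in required_entries(vpn_type, peer_ip, gateway_ip, ssl_port):
        if not any(r.direction == direction and rule_covers(r, net, port) for r in rules):
            missing.append(f"{direction}: allow {net} on " + ("all ports" if port is None else f"port {port}"))
    return missing


# Constructed sample rule set using documentation address ranges, not real gateways.
SAMPLE_RULES = [
    AclRule("inbound", "100.64.0.0/10"), AclRule("outbound", "100.64.0.0/10"),
    AclRule("inbound", "203.0.113.5/32", port=1194),   # client or customer gateway, SSL port only
    AclRule("outbound", "203.0.113.0/24"),
    AclRule("inbound", "198.51.100.7/32"),             # VPN gateway, all ports
    AclRule("outbound", "198.51.100.7/32", port=500),  # too narrow: a single port
]
```

With SAMPLE_RULES, the SSL-VPN check flags only the port-limited outbound VPN gateway entry, while the IPsec-VPN check additionally flags the inbound peer entry because it is limited to the SSL port.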

Can I enable SSL-VPN for VPN gateways that are created before the release date of SSL-VPN?

No, you cannot enable SSL-VPN for VPN gateways that are created before the release date of SSL-VPN.

To enable SSL-VPN, upgrade the VPN gateways to the latest version. For more information, see Upgrade a VPN gateway.