All Products
Search
Document Center

VPN Gateway:FAQ about VPN gateways

Last Updated:Oct 15, 2024

This topic provides answers to frequently asked questions (FAQ) about VPN gateways.

FAQ

FAQ about VPN Gateway

FAQ about IPsec-VPN

FAQ about SSL-VPN

Can I use VPN gateways to access the Internet?

No, you cannot use VPN gateways to access the Internet.

You can use VPN gateways to access only virtual private clouds (VPCs) over private connections.

What are the prerequisites for connecting a data center to a VPC over IPsec-VPN?

  • The gateway device of the data center supports the Internet Key Exchange version 1 (IKEv1) or IKEv2 protocol.

    IPsec-VPN supports the IKEv1 and IKEv2 protocols. All gateway devices that support the IKEv1 or IKEv2 protocol can connect to VPN gateways on Alibaba Cloud. For more information, see the How do I choose the IKE version when I configure an IPsec-VPN connection? section of this topic. in which the RDS instance resides.

  • A static public IP address is assigned to the gateway device in the data center.

  • The CIDR blocks of the data center and the VPC do not overlap with each other.

For more information about how to connect a data center to a VPN by using an IPsec-VPN connection, see Connect a VPC to a data center in dual-tunnel mode.

What types of gateway devices can connect to VPN gateways?

Alibaba Cloud VPN gateways support the standard IKEv1 and IKEv2 protocols. All gateway devices that support the IKEv1 or IKEv2 protocol can connect to Alibaba Cloud VPN gateways. For example, gateway devices provided by H3C, Hillstone, Sangfor, Cisco ASA, Juniper, SonicWall, Nokia, IBM, and Ixia can connect to Alibaba Cloud VPN gateways. For more information, see Configure local gateways.

Can I use VPN gateways to connect VPCs across regions?

Yes, you can use VPN gateways to connect VPCs across regions.

For more information, see Enable communication between two VPCs by using an IPsec-VPN connection in dual-tunnel mode.

Note

If you create an IPsec-VPN connection between VPCs in different regions, the connection quality is affected by the Internet quality. We recommend that you use CEN to connect VPCs in different regions. For more information, see Use Enterprise Edition transit routers to connect VPCs in different regions and accounts.

Does the data transfer between VPCs flow through the Internet?

In scenarios in which two VPCs are connected by using VPN gateways:

  • If the VPCs are deployed in the same region, the data transfer between the VPCs flows only through Alibaba Cloud networks and does not flow through the Internet.

  • If the VPCs are deployed in different regions, the data transfer flows through the Internet.

What are the differences between an IPsec server and an SSL server?

Item

IPsec-VPN server

SSL-VPN server

Scenarios

Provides end-to-site connections.

Provides end-to-site connections.

Client mode

Allows mobile clients that run iOS to establish IPsec-VPN connections to Alibaba Cloud.

Allows mobile clients that run Android and computers to establish SSL-VPN connections to Alibaba Cloud.

Connection mode

Allows mobile clients that run iOS to establish IPsec-VPN connections to Alibaba Cloud by using the built-in VPN feature.

Allows mobile clients that run Android and computers to establish SSL-VPN connections to Alibaba Cloud by using OpenVPN.

Encryption method

IPsec protocol

SSL certificate

Can I specify multiple peer CIDR blocks for an IPsec-VPN connection?

Yes, you can specify multiple peer CIDR blocks for an IPsec-VPN connection.

Before you configure multiple peer CIDR blocks, we recommend that you learn about the proposals for configuring multiple CIDR blocks. For more information, see Configuration suggestions and FAQ about enabling communication among CIDR blocks.

How many IPsec-VPN connections can be created on a VPN gateway?

By default, you can create at most 10 IPsec-VPN connections on a VPN gateway. You can adjust the quota in the Quota Center console. For more information, see Manage VPN Gateway quotas.

How do I configure ACL rules for a VPN gateway?

Type of VPN gateway

ACL rule

IPsec-VPN

Configure outbound and inbound rules to allow the following CIDR block and IP addresses. This way, the VPN gateway can establish IPsec-VPN connections.

  • 100.64.0.0/10

    Note

    Alibaba Cloud uses 100.64.0.0/10 to provide services. You must allow the 100.64.0.0/10 CIDR block so that the VPN gateway can work as expected.

  • The IP address of the customer gateway

  • The IP address of the VPN gateway

SSL-VPN

Configure outbound and inbound rules to allow the following CIDR block and IP addresses and open the port that can be used by SSL-VPN connections. This way, the VPN gateway can establish SSL-VPN connections.

  • 100.64.0.0/10

    Note

    Alibaba Cloud uses 100.64.0.0/10 to provide services. You must allow the 100.64.0.0/10 CIDR block so that the VPN gateway can work as expected.

  • The public IP address of the client

  • The IP address of the VPN gateway

  • The port that can be used by SSL-VPN connections

    For example, you can open port 1194.

Can I upgrade or downgrade a VPN gateway?

Yes, you can upgrade or downgrade a VPN gateway.

Can I view the connection information about the SSL clients on a VPN gateway?

Yes, you can view the connection information about the SSL clients on a VPN gateway.

For more information, see View the information about an SSL client.

Note
  • If your VPN gateway was created after December 10, 2022, you can view the connection information about SSL clients by default.

  • If your VPN gateway associated with an SSL server was created before December 10, 2022, you must upgrade the VPN gateway to the latest version before you can view the connection information about SSL clients. For more information, see Upgrade a VPN gateway.

Can I enable SSL-VPN for VPN gateways that are created before the release date of SSL-VPN?

No, you cannot enable SSL-VPN for VPN gateways that are created before the release date of SSL-VPN.

To enable SSL-VPN, upgrade the VPN gateways to the latest version. For more information, see Upgrade a VPN gateway.

How do I select an IKE version when I create an IPsec-VPN connection?

When you create an IPsec-VPN connection, you can select an IKE version based on the IKE versions supported by the peer gateway device and whether communication among multiple CIDR blocks is required.

Note

Communication among multiple CIDR blocks is established if you specify multiple local CIDR blocks or peer CIDR blocks when you create an IPsec-VPN connection.

Supported IKE version

Whether communication among multiple CIDR blocks is required

Configuration

IKEv1 only

Yes

  • Both the IPsec-VPN connection and the peer gateway device use IKEv1.

  • If the IPsec-VPN connection uses IKEv1, communication among multiple CIDR blocks is not supported by default. For more information, see the Recommended solutions section of the "Configuration suggestions and FAQ about enabling communication among CIDR blocks" topic.

No

Both the IPsec-VPN connection and the peer gateway device use IKEv1.

IKEv2 only

Yes

  • Both the IPsec-VPN connection and the peer gateway device use IKEv2.

  • If the IPsec-VPN connection uses IKEv2, communication among multiple CIDR blocks is supported.

No

Both the IPsec-VPN connection and the peer gateway device use IKEv2.

IKEv1 and IKEv2

Yes

  • Both the IPsec-VPN connection and the peer gateway device use IKEv2.

  • If the IPsec-VPN connection uses IKEv2, communication among multiple CIDR blocks is supported.

No

We recommend that both the IPsec-VPN connection and the peer gateway device use IKEv2.

Compared with IKEv1, IKEv2 simplifies the SA negotiation process and provides better support for scenarios in which multiple CIDR blocks are used. Therefore, we recommend that you use IKEv2.

After the IP address of a data center is translated by NAT, how does the data center establish an IPsec-VPN connection with a VPN gateway?

For example, a data center plans to use 42.XX.XX.1 to establish an IPsec-VPN connection with an Alibaba Cloud VPN gateway. The data center has SNAT enabled. SNAT translates 42.XX.XX.1 to 47.XX.XX.21. When you create a customer gateway in the VPN Gateway console, you must enter 47.XX.XX.21 as the IP address of the customer gateway. Otherwise, the data center cannot establish an IPsec-VPN connection with an Alibaba Cloud VPN gateway.

We recommend that you use the default IPsec port (port 500 or port 4500) to establish IPsec-VPN connections with VPN gateways.

If both the public VPN gateway and the VPC that is associated with the VPN gateway have NAT enabled, the IP address of the public VPN gateway remains unchanged and will not be translated by NAT.

How do I increase the maximum bandwidth of IPsec-VPN connections?

If an IPsec connection is associated with a VPN gateway, the maximum bandwidth of the IPsec-VPN connection is 1,000 Mbit/s. In specific regions, the maximum bandwidth is 500 Mbit/s. To increase the maximum bandwidth, we recommend that you associate the IPsec connection with a transit router to connect a data center to a VPC.

After an IPsec connection is associated with a transit router, the maximum bandwidth of the IPsec-VPN connection is 1,000 Mbit/s. To increase the maximum bandwidth, you can establish multiple IPsec-VPN connections between the transit router and your data center. This way, network traffic is transmitted between your data center and Alibaba Cloud over multiple IPsec-VPN connections. The following figure shows an example. For more information, see Create multiple IPsec-VPN connections over the Internet for load balancing and Create multiple private IPsec-VPN connections to implement load balancing.

  • IPsec-VPN connections established over the Internet:

    IPsec连接绑定TR最佳实践-公网-场景图

  • IPsec-VPN connections established over private networks:

    IPsec连接绑定TR最佳实践-私网-场景图

Can a VPN gateway forward traffic of ECS instances that are deployed in different zones of a VPC?

Yes, a VPN gateway can forward traffic of Elastic Compute Service (ECS) instances that are deployed in different zones of a VPC.

When you create a VPN gateway, you must specify a vSwitch. The VPN gateway is deployed in the zone to which the vSwitch belongs. The VPN gateway can forward network traffic for all ECS instances in all zones of the VPC.

You may need to add routes to specify how ECS network traffic is forwarded based on the actual scenario. For example, if a vSwitch in a zone is associated with a custom route table, you need to add a route that points to the VPN gateway to the custom route table.

How do I troubleshoot the overlapping route error that is reported when I add a route to a VPN gateway?

The possible causes of this error include:

  • The destination CIDR block of the route that you want to add is the same as the destination CIDR block of an existing route of the VPC. Check the routes in the VPC route table and avoid overlapping routes.

  • The route that you want to add overlaps with an existing route of the VPN gateway. Check the routes in the policy-based route table and destination-based route table of the VPN gateway.

    • If you add a destination-based route that has the same destination CIDR block and next hop as those of an existing destination-based route of the VPN gateway, the route overlapping error is reported.

    • If you add a policy-based route that has the same source CIDR block, destination CIDR block, and next hop as those of an existing policy-based route of the VPC gateway, the route overlapping error is reported.

Why does the bandwidth of a VPN connection fail to meet the bandwidth specifications that I purchase?

After you purchase a VPN gateway, the VPN gateway provides the bandwidth of the specifications that you purchase. However, your bandwidth may be affected due to the following causes when your VPN gateway transfers data:

  • The features of the device associated with the customer gateway, the number of concurrent connections, the average size of packets, and the used protocol, such as TCP or UDP.

  • The network latency between the device associated with the customer gateway and the VPN Gateway.

    Note

    If you purchase a public VPN gateway or use an IPsec-VPN connection established over the Internet, the public bandwidth and Internet latency may affect your bandwidth.

If you want to test the bandwidth of your VPN gateway, we recommend that you use iPerf3. The rate of transferring files by running commands such as scp commands, ftp commands, and cp commands cannot reflect the actual bandwidth due to the impact of disk read and write speeds. For more information about how to use iPerf3, see the Use iPerf3 to test the bandwidth of Express Connect circuit section of the "Test the performance of an Express Connect circuit" topic.

If you require higher transmission quality, we recommend that you use CEN. For more information, see What is CEN?

Can I use a VPN gateway to encrypt the traffic between a VPC and a public IP address?

Yes, you can use a VPN gateway to encrypt the traffic between a VPC and a public IP address.

If your client or data center is connected to a VPC by using a VPN gateway and needs to access the resources in the VPC by using a public IP address, you must perform the following operations:

  1. Add the public CIDR block to which the public IP address belongs to the VPN gateway.

    • If you use an IPsec-VPN connection, add the public CIDR block to the peer CIDR block of the IPsec-VPN connection.Remote Network

    • If you use an SSL-VPN connection, add the public CIDR block to the client CIDR block of the SSL server.Client CIDR Block

  2. Set the public CIDR block to which the public IP address belongs as the user CIDR block of the VPC. This ensures that the VPC can access the public CIDR block. For more information, see What is a user CIDR block? and How do I configure a user CIDR block?.

What do I do if the number of routes reaches the upper limit?

If the number of policy-based routes, destination-based routes, or Border Gateway Protocol (BGP) routes reaches the upper limit, and you cannot add routes or the IPsec-VPN connection cannot learn routes from BGP, you can resolve this issue by performing the following operations:

  • Increase the quota of routes.

    You can increase the quota of policy-based routes, destination-based routes, or BGP routes. For more information, see IPsec-VPN quotas.

  • Configure an aggregated route.

    You can aggregate multiple routes into one route without affecting your business.

    For example, you have configured three destination-based routes whose destination CIDR blocks are respectively 10.10.1.0/24, 10.10.2.0/24, and 10.10.3.0/24, and whose next hops point to IPsec-VPN connection 1. In this case, you can add a destination-based route whose destination CIDR block is 10.10.0.0/22 and next hop points to IPsec-VPN connection 1. Then, you can delete the three destination-based routes.