VPN Connections
Note the following when using a VPN connection:
After configuring the VPN parameters, add routes that point to the VPN gateway in the route table associated with the subnet, so that traffic from CVMs in that subnet to the peer IP range is sent through the VPN tunnel to the customer gateway.
For a v1.0 VPN gateway, the tunnel is brought up by the first outbound traffic: after configuring the route table, ping an IP address in the peer IP range from a CVM in the VPC to activate the VPN tunnel.
The stability of a VPN connection depends on the quality of the ISP's public network.
The VPN connection supports only pre-shared key (PSK) authentication, not certificate (CA) authentication.
The SPD or route IP ranges of a VPN connection cannot include the following:
Addresses that are all 0 (0.0.0.0), all 255 (255.255.255.255), or multicast addresses starting with 224.
Loopback addresses: 127.x.x.x/8.
IPv6 ranges.
VPN Gateway
VPN Connections is a region-level service, but a VPN gateway can be reached from any region over the internet.
You cannot choose the public IP of the VPN gateway or the ISP that provides it. IPv6 and anycast IP addresses are not supported either.
The inbound and outbound bandwidth assigned by Tencent Cloud is equal to the bandwidth purchased by the user.
Currently, only 200 Mbps, 500 Mbps, 1000 Mbps, and 3000 Mbps version 4.0 VPN gateways support dynamic BGP.
Routing priority: static routes take precedence over dynamic BGP routes.
Private VPN: supported only by VPC-type version 4.0 IPsec VPN gateways. To use a private VPN, submit a ticket for consultation.
Customer Gateway
You must specify the IP address of the customer gateway. The public IP of the customer gateway cannot be any of the following:
Addresses that are all 0 (0.0.0.0), all 255 (255.255.255.255), or multicast addresses starting with 224.
Loopback addresses: 127.x.x.x/8.
Addresses whose classful host bits are all 0 (the network address) or all 1 (the broadcast address), for example:
    Class A (first octet 1-126): 1-126.0.0.0 and 1-126.255.255.255.
    Class B (first octet 128-191): 128-191.x.0.0 and 128-191.x.255.255.
    Class C (first octet 192-223): 192-223.x.x.0 and 192-223.x.x.255.
Internal service addresses: 169.254.x.x/16.
IPv6 addresses.
If you use an IPsec VPN connection to interconnect two VPCs, each VPC is the other's customer gateway, and their IP ranges cannot overlap.
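The address restrictions above (for SPD/route IP ranges and for the customer gateway public IP) and the no-overlap rule for interconnected VPCs are easy to get wrong when a tunnel is scripted rather than clicked through the console. The following is an added example, not Tencent Cloud's own code: a pre-flight validator that encodes those rules with the standard library. The function names, the classful host-bit interpretation, and the sample inputs are this example's own assumptions.

```python
"""Pre-flight validation of IPsec VPN address parameters.

Added example, not Tencent Cloud's own code: it encodes the address
restrictions listed above for SPD/route IP ranges and customer gateway
public IPs, plus the no-overlap rule for VPCs that are each other's
customer gateway. Function and constant names are this example's own.
"""
import ipaddress

# Blocks that may not appear in an SPD or route IP range.
FORBIDDEN_RANGE_BLOCKS = [
    ("all-zero address", ipaddress.ip_network("0.0.0.0/32")),
    ("all-255 (broadcast) address", ipaddress.ip_network("255.255.255.255/32")),
    ("multicast address (224.0.0.0/4)", ipaddress.ip_network("224.0.0.0/4")),
    ("loopback address (127.0.0.0/8)", ipaddress.ip_network("127.0.0.0/8")),
]

# A customer gateway IP additionally may not be the internal service address.
FORBIDDEN_GATEWAY_BLOCKS = FORBIDDEN_RANGE_BLOCKS + [
    ("internal service address (169.254.0.0/16)", ipaddress.ip_network("169.254.0.0/16")),
]


def spd_range_error(cidr):
    """Return why `cidr` is not allowed as an SPD/route range, or None if it is allowed."""
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError as exc:
        return f"not a valid CIDR: {exc}"
    if net.version == 6:
        return "IPv6 ranges are not supported"
    for reason, block in FORBIDDEN_RANGE_BLOCKS:
        if net.overlaps(block):
            return f"range contains a {reason}"
    return None


def _classful_host_bits(addr):
    """Host-bit width of an IPv4 address under classful addressing, or None
    if the first octet is outside classes A, B and C (0, 127, 224 and up)."""
    first = int(addr) >> 24
    if 1 <= first <= 126:
        return 24  # class A
    if 128 <= first <= 191:
        return 16  # class B
    if 192 <= first <= 223:
        return 8   # class C
    return None


def customer_gateway_ip_error(ip):
    """Return why `ip` is not allowed as a customer gateway public IP, or None."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError as exc:
        return f"not a valid IP address: {exc}"
    if addr.version == 6:
        return "IPv6 addresses are not supported"
    for reason, block in FORBIDDEN_GATEWAY_BLOCKS:
        if addr in block:
            return reason
    host_bits = _classful_host_bits(addr)
    if host_bits is not None:
        host = int(addr) & ((1 << host_bits) - 1)
        if host == 0:
            return "classful host bits are all 0 (network address)"
        if host == (1 << host_bits) - 1:
            return "classful host bits are all 1 (broadcast address)"
    return None


def overlapping_ranges(local_cidrs, peer_cidrs):
    """Return (local, peer) pairs whose ranges overlap; an empty list means disjoint."""
    local = [ipaddress.ip_network(c, strict=False) for c in local_cidrs]
    peer = [ipaddress.ip_network(c, strict=False) for c in peer_cidrs]
    return [(str(a), str(b)) for a in local for b in peer
            if a.version == b.version and a.overlaps(b)]


def validate_tunnel(customer_gateway_ip, local_cidrs, peer_cidrs):
    """Run all checks for one tunnel and return a list of human-readable findings."""
    findings = []
    err = customer_gateway_ip_error(customer_gateway_ip)
    if err:
        findings.append(f"customer gateway {customer_gateway_ip}: {err}")
    for cidr in list(local_cidrs) + list(peer_cidrs):
        err = spd_range_error(cidr)
        if err:
            findings.append(f"range {cidr}: {err}")
    # Overlap is only checked between ranges that are individually acceptable.
    ok_local = [c for c in local_cidrs if spd_range_error(c) is None]
    ok_peer = [c for c in peer_cidrs if spd_range_error(c) is None]
    for a, b in overlapping_ranges(ok_local, ok_peer):
        findings.append(f"local {a} overlaps peer {b}")
    return findings


if __name__ == "__main__":
    # Constructed inputs: a VPC-to-VPC tunnel whose peer ranges include a
    # multicast block and a subnet that collides with a local range.
    for line in validate_tunnel("203.0.113.10", ["10.0.0.0/16", "10.1.0.0/16"],
                                ["10.1.5.0/24", "224.1.0.0/24"]):
        print(line)
```

Run the checks before calling the API or submitting the console form; a range that is rejected here would be rejected by the service anyway, and the overlap check also applies to the SSL VPN server's client and local IP ranges.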
SSL VPN Server
The SSL VPN server supports only UDP, not TCP.
If you modify the port, authentication method, or encryption algorithm, you must download the client configuration again.
The client IP range and the local IP ranges cannot overlap.
SSO Authentication
Version 3.1 VPN: identity verification relies on the EIAM application and cannot be interconnected directly with other identity providers (IdPs). Use EIAM to interconnect with your enterprise's authentication source, or choose an authentication method supported by EIAM, such as SMS, WeCom, or AD. Identity verification is currently in beta; to use it, submit a ticket.
Version 4.0 VPN: identity verification relies on CAM identity role configuration and supports mainstream third-party IdPs based on SAML 2.0.
Once identity authentication is enabled, you can also use access control.
SSL Client
You need to prepare the client yourself. An SSL VPN connection supports the open-source OpenVPN client and compatible commercial clients.
Each client can use only one SSL client configuration certificate; the same certificate cannot be shared by multiple clients.
Supported OpenVPN versions: 2.4.8–3.x.
Identity verification is supported only by OpenVPN 3.x and compatible clients.
On Windows, if your OpenVPN client is version 3.4.0 or later, you must explicitly configure the encryption and authentication algorithms in the SSL server configuration; SHA1 is the only supported authentication algorithm.
You can create up to 100 SSL clients in a single batch operation.
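Three of the rules above show up as a client that silently fails to connect: a profile that uses TCP (the server accepts only UDP), a stale profile whose port or algorithms no longer match the server (the configuration must be downloaded again), and an OpenVPN 3.4.0+ client on Windows whose profile does not spell out the cipher and the SHA1 authentication algorithm. The following is an added example, not Tencent Cloud's or OpenVPN's own code: a small parser for a downloaded .ovpn profile and a checker that reports those mismatches against the server's current settings. The server settings, the placeholder certificate body, and the function names are constructed for this example.

```python
"""Pre-flight check of a downloaded OpenVPN client profile (.ovpn).

Added example, not Tencent Cloud's or OpenVPN's own code. It parses the
profile and flags: a TCP transport (the SSL VPN server accepts only UDP),
a remote port or cipher that no longer matches the server (the profile
must be downloaded again after such a change), and a missing or non-SHA1
`auth` or a missing cipher directive, which OpenVPN 3.4.0+ on Windows
requires to be explicit. SERVER and SAMPLE_PROFILE are constructed.
"""
import re

BLOCK_OPEN = re.compile(r"<([A-Za-z][\w-]*)>$")


def parse_ovpn(text):
    """Map each top-level directive to the list of its argument lists
    (a directive such as `remote` may appear more than once). Comments and
    inline <ca>/<cert>/<key>/<tls-auth> blocks are skipped, not parsed."""
    directives = {}
    in_block = None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block is not None:
            if line == f"</{in_block}>":
                in_block = None
            continue
        opened = BLOCK_OPEN.match(line)
        if opened:
            in_block = opened.group(1)
            continue
        line = re.split(r"[#;]", line, maxsplit=1)[0].strip()  # drop comments
        if not line:
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def _profile_ciphers(directives):
    """Upper-cased cipher names from `cipher` and `data-ciphers` directives."""
    names = set()
    for args in directives.get("cipher", []):
        names.update(a.upper() for a in args[:1])
    for args in directives.get("data-ciphers", []):
        for a in args[:1]:
            names.update(c.upper() for c in a.split(":") if c)
    return names


def check_profile(text, server):
    """Compare a client profile with the server's current settings.
    `server` has keys port and cipher. Returns a list of findings; an
    empty list means the profile can be used as is."""
    d = parse_ovpn(text)
    findings = []
    # Transport: the SSL VPN server is UDP-only.
    for args in d.get("proto", []):
        if args and not args[0].lower().startswith("udp"):
            findings.append(f"proto {args[0]}: the SSL VPN server accepts only UDP")
    for args in d.get("remote", []):
        if len(args) >= 2 and args[1] != str(server["port"]):
            findings.append(f"remote port {args[1]} differs from server port "
                            f"{server['port']}: download the client configuration again")
        if len(args) >= 3 and not args[2].lower().startswith("udp"):
            findings.append(f"remote {args[0]} uses {args[2]}: the SSL VPN server accepts only UDP")
    # Authentication algorithm: must be present and must be SHA1.
    auth = d.get("auth")
    if not auth or not auth[-1]:
        findings.append("no auth directive: OpenVPN 3.4.0+ on Windows needs the "
                        "authentication algorithm to be explicit")
    elif auth[-1][0].upper() != "SHA1":
        findings.append(f"auth {auth[-1][0]}: the server supports only SHA1")
    # Encryption algorithm: must be present and include the server's cipher.
    ciphers = _profile_ciphers(d)
    if not ciphers:
        findings.append("no cipher/data-ciphers directive: OpenVPN 3.4.0+ on Windows "
                        "needs the encryption algorithm to be explicit")
    elif server["cipher"].upper() not in ciphers:
        findings.append(f"profile ciphers {sorted(ciphers)} do not include the server's "
                        f"{server['cipher']}: download the client configuration again")
    return findings


# Constructed server settings and profile (placeholder CA, not a real certificate).
SERVER = {"port": 1194, "cipher": "AES-256-CBC"}
SAMPLE_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.com 1194 udp
# authentication and encryption algorithms spelled out for OpenVPN 3.4.0+
auth SHA1
cipher AES-256-CBC
<ca>
-----BEGIN CERTIFICATE-----
MIIBplaceholderNotARealCertificateBody
-----END CERTIFICATE-----
</ca>
"""

if __name__ == "__main__":
    for finding in check_profile(SAMPLE_PROFILE, SERVER) or ["profile OK"]:
        print(finding)
```

The check is deliberately read-only: it tells you to download the profile again rather than patching the port or cipher in place, because the regenerated profile is the only one guaranteed to match the server's current certificate and settings.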
Resource Limitations
Limits on IPsec VPN
Note:
Private Network VPN gateways do not currently support dynamic BGP routing.
| Resource | Limit |
|---|---|
| VPC IPsec VPN gateways per region per account | 10 |
| CCN IPsec VPN gateways per region per account | 10 |
| Customer gateways per region | 20 |
| VPN tunnels per customer gateway | 20. This is an account-level quota; only one VPN tunnel can be established between a given customer gateway and VPN gateway pair. |
| VPN tunnels per VPN gateway | 20 |
| SPDs per VPN tunnel | 10 |
| Peer IP ranges per SPD | 50 |
| Routes per VPN gateway route table | 1000 |
| Route entries added in a single operation on the new routing page | 10 |
| Dynamic BGP learned routes per VPN gateway | 500 |
| Dynamic BGP announced routes per VPN tunnel | 10000 |
| BGP ASN | Default 64551; valid range 1 to 4294967295. The values 139341, 45090, and 58835 cannot be used. |
Limits on SSL VPN
| Resource | Limit |
|---|---|
| VPC SSL VPN gateways per region per account | 10 |
| SSL VPN servers per SSL VPN gateway | 1 |
| Local IP ranges per SSL VPN server | 5 |
| Client IP ranges per SSL VPN server | 1. So that every client can be assigned an address, specify a client IP range that contains more addresses than the number of SSL VPN connections. |
| Validity period of the SSL VPN client certificate | 3 years |
| SSL connections | A 5 to 100 Mbps SSL VPN gateway supports up to 100 SSL VPN connections; a 200 or 500 Mbps gateway up to 500; a 1000 Mbps gateway up to 1000. The maximum number of SSL VPN connections is the number of client connections; it is fixed when the gateway is created and cannot be changed afterwards, so plan the value before creation. The number of clients a gateway can serve is bounded by that connection count: for example, a gateway created with a connection count of 5 can connect at most 5 clients. |