When I create a VPN gateway, can I create VPN connections at the same time?

In the IBM Cloud console, you can create the gateway and a connection at the same time. If you use the API or CLI, VPN connections must be created after the VPN gateway is created.

If I delete a VPN gateway with attached VPN connections, what happens to the connections?

The VPN connections are deleted along with the VPN gateway.

Are IKE or IPsec policies deleted if I delete a VPN gateway or VPN connection?

No, IKE and IPsec policies can apply to multiple connections.

What happens to a VPN gateway if I try to delete the subnet that the gateway is on?

The subnet cannot be deleted if any virtual server instances are present, including the VPN gateway.

Are there default IKE and IPsec policies?

When you create a VPN connection without referencing a policy ID (IKE or IPsec), auto-negotiation is used.

Why do I need to choose a subnet during VPN gateway provisioning?

The VPN gateway must be deployed in the VPC to provide connectivity. A route-based VPN can be configured to provide connectivity to all zones. A VPN gateway needs four available private IP addresses in the subnet to provide high availability and automatic maintenance. It is best if you use a dedicated subnet for the VPN gateway of size 16, where the length of the subnet prefix is shorter or equal to 28.

What should I do if I am using ACLs on the subnet that is used to deploy the VPN gateway?

Make sure that ACL rules are in place to allow management traffic and VPN tunnel traffic. For more information, see Configuring network ACLs for use with VPN.

What should I do if I am using ACLs on the subnets that must communicate with an on-premises private network?

Make sure that ACL rules are in place to allow traffic between virtual server instances in your VPC and your on-premises private network. For more information, see Configuring ACLs for use with VPN.

Does VPN for VPC support high-availability configurations?

Yes, VPN for VPC supports high availability in an Active-Standby configuration for policy-based VPNs, and Active-Active configuration for a static, route-based VPN.

Are there plans to support SSL VPN?

No, only IPsec site-to-site is supported.

Are there any caps on throughput for site-to-site VPNaaS?

Up to 650 Mbps of throughput is supported.

Is Pre-Shared Key (PSK) and certificate-based IKE authentication supported for VPNaaS?

Only PSK authentication is supported.

Can you use VPN for VPC as a VPN gateway for your IBM Cloud classic infrastructure?

No. To set up a VPN gateway in your classic environment, you must use an IPsec VPN.

What does a rekey collision cause?

If you use IKEv1, rekey collision deletes the IKE/IPsec security association (SA). To re-create the IKE/IPsec SA, set the connection admin state to down and then up again. You can use IKEv2 to minimize rekey collisions.

How can I send all traffic from the VPC side to the on-premises side in a policy-based VPN?

To send all traffic from the VPC side to the on-premises side, set peer CIDRs to 0.0.0.0/0 when you create a connection.

When a connection is created successfully, the VPN service adds a 0.0.0.0/0 via <VPN gateway private IP> route into the default routing table of the VPC. However, this new route can cause routing issues, such as virtual servers in different subnets not being able to communicate with each other, and VPN gateways not communicating with on-premises VPN gateways.

To troubleshoot routing issues, see Why aren't my VPN gateways or virtual server instances communicating?.

Does IBM complete quarterly ASV scans of data-plane VPN appliances?

Approved Scanning Vendor (ASV) quarterly scanning is a requirement of the Payment Card Industry (PCI) Security Standards Council. ASV scanning of VPN data-plane appliances is solely a customer responsibility. IBM does not use ASVs to scan data-plane appliances because these scans can negatively impact customer workload functions and performance.

What metrics am I charged for if I am using VPN gateway for VPC?

The following metrics are collected for VPN gateway billing on a monthly basis:

• VPN Gateway Instance Hour: How much time your VPN gateway instance is up and running.
• VPN Connection Hour: How much time each of your VPN connections is established and maintained on the VPN gateway.
• Floating IP: The number of active floating IP addresses used by the VPN gateway instance.

When you use a VPN gateway, you are also charged for all outbound public internet traffic billed at VPC data rates.

When isn't traffic routed through a route-based VPN gateway?

If you configured a VPC route with a VPN connection as the next hop, traffic might not be routed as expected due to the following conditions:

• The security groups that are associated with the VPC instance don't permit the traffic, or the network ACLs associated with the instance's subnet or the VPN gateway blocked the traffic. Make sure that your security groups and ACLs allow the intended traffic. For more information, see Configuring network ACLs for use with VPN.
• If the traffic's source IP isn't in a subnet that is associated with the routing table containing the VPN route, the VPN gateway drops the traffic. For example, suppose that there is a VPC routing table that is associated only with subnet A and includes a route whose next hop is a VPN connection. When the traffic reaches the VPN gateway, the source IP isn't in subnet A or any other subnets that are associated with the routing table. As a result, the VPN gateway doesn't forward the traffic.