FAQs for site-to-site VPN gateways

You might encounter these frequently asked questions when you use IBM Cloud® VPN for VPC.

When I create a VPN gateway, can I create VPN connections at the same time?

In the IBM Cloud console, you can create the gateway and a connection at the same time. If you use the API or CLI, VPN connections must be created after the VPN gateway is created.

If I delete a VPN gateway with attached VPN connections, what happens to the connections?

The VPN connections are deleted along with the VPN gateway.

Are IKE or IPsec policies deleted if I delete a VPN gateway or VPN connection?

No, IKE and IPsec policies can apply to multiple connections.

What happens to a VPN gateway if I try to delete the subnet that the gateway is on?

The subnet cannot be deleted if any virtual server instances are present, including the VPN gateway.

Are there default IKE and IPsec policies?

When you create a VPN connection without referencing a policy ID (IKE or IPsec), auto-negotiation is used.

Why do I need to choose a subnet during VPN gateway provisioning?

The VPN gateway must be deployed in the VPC to provide connectivity. A route-based VPN can be configured to provide connectivity to all zones. A VPN gateway needs four available private IP addresses in the subnet to provide high availability and automatic maintenance. It is best if you use a dedicated subnet for the VPN gateway of size 16, where the length of the subnet prefix is shorter than or equal to 28.

What should I do if I am using ACLs on the subnet that is used to deploy the VPN gateway?

Make sure that ACL rules are in place to allow management traffic and VPN tunnel traffic. For more information, see Configuring ACLs and security groups for use with VPN.

What should I do if I am using ACLs on the subnets that must communicate with an on-premises private network?

Make sure that ACL rules are in place to allow traffic between virtual server instances in your VPC and your on-premises private network. For more information, see Configuring ACLs and security groups for use with VPN.

Does VPN for VPC support high-availability configurations?

Yes, VPN for VPC supports high availability in an Active-Standby configuration for policy-based VPNs, and Active-Active configuration for a static, route-based VPN.

Are there plans to support SSL VPN?

No, only IPsec site-to-site is supported.

Are there any caps on throughput for site-to-site VPNaaS?

Up to 650 Mbps of throughput is supported.

Are Pre-Shared Key (PSK) and certificate-based IKE authentication supported for VPNaaS?

Only PSK authentication is supported.

Can you use VPN for VPC as a VPN gateway for your IBM Cloud classic infrastructure?

No. To set up a VPN gateway in your classic environment, you must use an IPsec VPN.

What does rekey collision cause?

If you use IKEv1, rekey collision deletes the IKE/IPsec security association (SA). To re-create the IKE/IPsec SA, set the connection admin state to down and then up again. You can use IKEv2 to minimize rekey collisions.

Is it possible to view logs from the VPN gateway for debugging purposes?

Yes. You can find more information in Using IBM Log Analysis to view VPN logs.

How can I send all traffic from the VPC side to the on-premises side in a policy-based VPN?

To send all traffic from the VPC side to the on-premises side, set peer CIDRs to 0.0.0.0/0 when creating a connection.

When a connection is created successfully, the VPN service adds a 0.0.0.0/0 via <VPN gateway private IP> route into the default routing table of the VPC. However, this new route can cause routing issues, such as virtual servers in different subnets not being able to communicate with each other, and VPN gateways not communicating with on-premises VPN gateways.

To troubleshoot routing issues, see Why aren't my VPN gateways or virtual server instances communicating?

Does IBM complete quarterly ASV scans of data-plane VPN appliances?

Approved Scanning Vendor (ASV) quarterly scanning is a requirement of the Payment Card Industry (PCI) Security Standards Council. ASV scanning of VPN data-plane appliances is solely a customer responsibility. IBM does not use ASVs to scan data-plane appliances because these scans can negatively impact customer workload functions and performance.

What metrics am I charged for if I am using VPN gateway for VPC?

The following metrics are collected for VPN gateway billing on a monthly basis:

  • VPN Gateway Instance Hour: How much time your VPN gateway instance is up and running.
  • VPN Connection Hour: How much time each of your VPN connections is established and maintained on the VPN gateway.
  • Floating IP: The number of active floating IP addresses being used by the VPN gateway instance.

While using a VPN gateway, you are also charged for all outbound public internet traffic billed at VPC data rates.

Why doesn't the route-based VPN gateway route the traffic?

If you configured a VPC route whose next hop is a VPN connection, the following conditions block traffic that is forwarded through the VPN connection:

  • The security groups associated with the VPC instance do not permit the traffic, or the network ACLs associated with the subnets of the VPC instance and the VPN gateway block the traffic. For more information about configuring security groups and network ACLs, see Configuring ACLs and security groups for use with VPN.
  • The traffic source IP is not in any subnet associated with the VPC routing table. For example, the VPC routing table is associated with subnet A and includes a route whose next hop is a VPN connection. However, when the traffic reaches the VPN gateway, the source IP is not in subnet A or any other subnets that are associated with the routing table. Therefore, the VPN gateway drops the traffic.
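
The source-subnet condition in the second item can be checked offline from an export of your routing table. The following Python sketch is an added example, not IBM code: the routing table, subnet names, CIDRs and connection names are constructed, and security groups and network ACLs are not modeled.

```python
import ipaddress

# Constructed sample data (hypothetical names and CIDRs): one VPC routing
# table, the subnets associated with it, and routes whose next hop is a
# VPN connection.
ROUTING_TABLE = {
    "name": "rt-vpn",
    "subnets": {"subnet-a": "10.240.0.0/24"},
    "routes": [
        {"destination": "192.168.0.0/16", "next_hop": "vpn-connection-1"},
        {"destination": "192.168.10.0/24", "next_hop": "vpn-connection-2"},
    ],
}


def match_route(table, dst_ip):
    """Return the route with the longest prefix that contains dst_ip, or None."""
    dst = ipaddress.ip_address(dst_ip)
    best_net, best_route = None, None
    for route in table["routes"]:
        net = ipaddress.ip_network(route["destination"])
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_route = net, route
    return best_route


def source_subnet(table, src_ip):
    """Return the name of the associated subnet that contains src_ip, or None."""
    src = ipaddress.ip_address(src_ip)
    for name, cidr in table["subnets"].items():
        if src in ipaddress.ip_network(cidr):
            return name
    return None


def check_flow(table, src_ip, dst_ip):
    """Return (verdict, reason) for a packet that reaches the VPN gateway."""
    route = match_route(table, dst_ip)
    if route is None:
        return "no-route", f"{dst_ip} matches no route in {table['name']}"
    subnet = source_subnet(table, src_ip)
    if subnet is None:
        # The case described above: the source is outside every subnet
        # associated with the routing table, so the gateway drops it.
        return "drop", f"source {src_ip} is outside every subnet of {table['name']}"
    return "forward", f"{subnet} -> {route['next_hop']}"


if __name__ == "__main__":
    for src, dst in [("10.240.0.5", "192.168.1.10"), ("10.240.1.5", "192.168.1.10")]:
        print(src, dst, check_flow(ROUTING_TABLE, src, dst))
```

A "drop" verdict means the sending subnet must be associated with the routing table that holds the VPN route; a "forward" verdict moves the investigation to security groups and network ACLs.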