Advanced configurations (original) (raw)

This page describes advanced configuration details for the following scenarios:

To learn about the basic concepts of Cloud VPN, see theCloud VPN overview.

Order of routes

You can create a VPN tunnel that has the same IP range as another tunnel, a subset of the other tunnel's range, or a superset of the other tunnel's range.

For details, seeOrder of routes.

Configure IKE, including multiple subnet support

In Supported IKE ciphers, you can find details about how Cloud VPN supports multiple IKE ciphers.

In Networks and tunnel routing, you can find information about supported Virtual Private Cloud (VPC) networks and routing options, including traffic selectors.

UDP encapsulation

Cloud VPN only supports one-to-one NAT by using UDP encapsulation for NAT-Traversal (NAT-T). NAT-T is required so that IPsec traffic can reach destinations without external (public) IP addresses behind the NAT.One-to-many NAT and port-based address translation are not supported. In other words, Cloud VPN cannot connect to multiple peer VPN gatewaysthat share a single external IP address.

For more details about VPN gateways behind one-to-one NAT, seeOn-premises gateways behind NATon the Troubleshooting page.

Maximum transmission unit (MTU) considerations

The Cloud VPN MTU size is 1460 bytes. For a description of how to configure your peer VPN gateway to support this MTU size if required, seeMTU considerations.

High-availability VPNs, high-throughput VPNs, and failover

HA VPN is the recommended method of implementing high-availability VPNs and high-throughput VPNs. If your peer VPN gateway supports BGP, you can configure anHA VPN gateway with a 99.99% uptime SLAby using anactive/active or active/passivetunnel configuration.

For Classic VPN gateways, you can provide VPN redundancy and failover by using thesethroughput and load balancing options. However, with this configuration, you receive a 99.9% availability SLA.

What's next