
VPN Gateway: Connect an iOS device to a VPN gateway by using the built-in VPN software

Last Updated: Nov 06, 2023

This topic describes how to connect an iOS device to a VPN gateway by using the built-in VPN software of the iOS device. This allows mobile clients to access resources in a virtual private cloud (VPC) that is associated with the VPN gateway.

Prerequisites

  • An Alibaba Cloud account is created. If you do not have an Alibaba Cloud account, create one.

  • Your mobile client runs the iOS operating system.

  • A VPC is created in a region that supports IPsec-VPN servers. For more information, see Create a VPC with an IPv4 CIDR block.

    Note
    • IPsec servers are supported only in the following regions: China (Hangzhou), China (Shanghai), China (Nanjing-Local Region), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), Japan (Tokyo), South Korea (Seoul), Singapore, Australia (Sydney), Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), Thailand (Bangkok), India (Mumbai), Germany (Frankfurt), UK (London), US (Virginia), US (Silicon Valley), and UAE (Dubai).

    • Only iOS devices can connect to a VPN gateway by using the built-in VPN software.

Use scenarios


A company has created Elastic Compute Service (ECS) instances in the China (Qingdao) region and deployed enterprise applications on the ECS instances. Due to business growth, employees on business trips need to remotely access the enterprise applications deployed on Alibaba Cloud from iOS devices.

You can create a VPN gateway and then create an IPsec-VPN server on the gateway. This way, the employees can use the built-in VPN software of their iOS devices to connect to the VPN gateway. After a mobile client is connected to the VPN gateway, employees can remotely access the enterprise applications deployed on Alibaba Cloud.

Procedure


Step 1: Create a VPN gateway

  1. Log on to the VPN Gateway console.

  2. In the top navigation bar, select the region of the VPC to be associated with the VPN gateway. China (Qingdao) is selected in this example.

  3. On the VPN Gateways page, click Create VPN Gateway.

  4. On the buy page, set the following parameters, click Buy Now, and then complete the payment:

    • Name: Enter a name for the VPN gateway.

    • Region: Select the region where you want to deploy the VPN gateway.

      China (Qingdao) is selected in this example.

    • Gateway Type: Select the type of VPN gateway that you want to create. In this example, Standard is selected.

    • Network Type: Select the network type of the VPN gateway. Public is selected in this example.

    • Tunnels: The system displays the tunnel mode supported in this region.

    • VPC: Select the VPC to be associated with the VPN gateway.

    • vSwitch: Select a vSwitch from the VPC.

      • If you select Single-tunnel, you need to specify one vSwitch.
      • If you select Dual-tunnel, you need to specify two vSwitches.
      Note
      • The system selects a vSwitch by default. You can change or use the default vSwitch.
      • After you create a VPN gateway, you cannot change the vSwitch associated with the VPN gateway. You can view the associated vSwitch and the zone of the vSwitch on the details page of the VPN gateway.
    • vSwitch 2: Select another vSwitch from the VPC.

      Ignore this parameter if you select Single-tunnel.

    • Maximum Bandwidth: Specify the maximum bandwidth for the VPN gateway. The bandwidth is used for data transfer over the Internet.

      10 Mbit/s is selected in this example.

    • Traffic: By default, the VPN gateway uses the pay-by-data-transfer metering method. For more information, see Billing.

    • IPsec-VPN: Enable or disable the IPsec-VPN feature. After you enable this feature, you can establish connections between data centers and VPCs.

      Disable is selected in this example.

    • SSL-VPN: Enable or disable the SSL-VPN feature. The SSL-VPN feature allows you to connect to a VPC from a device anywhere.

      The SSL-VPN feature must be enabled before you can use the built-in VPN software of a mobile device to establish a connection with the VPN gateway. Enable is selected in this example.

    • SSL Connections: Select the maximum number of clients that can be connected to the VPN gateway at the same time.

      5 is selected in this example.

      Note

      The number of SSL connections specified in this parameter is a shared limit for SSL-VPN and IPsec-VPN connections. For example, if you set the maximum number of SSL connections to 5 and three SSL clients are connected through SSL-VPN connections, only two more mobile clients can connect to the IPsec-VPN server.

    • Duration: By default, the VPN gateway is billed on an hourly basis.

    • Service-linked Role: Click Create Service-linked Role and the system automatically creates the service-linked role AliyunServiceRoleForVpn. VPN Gateway assumes this role to access other cloud resources. For more information, see AliyunServiceRoleForVpn.

      If Created is displayed, the service-linked role already exists and you do not need to create it again.

  5. Return to the VPN Gateways page to view the VPN gateway that you created.

    A newly created VPN gateway is in the Preparing state. After about 2 minutes, the state changes to Normal. The Normal state indicates that the VPN gateway is initialized and ready for use. The system assigns a public IP address to the VPN gateway. The IP address is used to establish connections between mobile clients and the VPN gateway.

    Note

    If you want to use an existing VPN gateway, make sure that it is updated to the latest version. If the existing VPN gateway does not use the latest version, you cannot use the IPsec-VPN server.

    You can check whether your VPN gateway uses the latest version based on the status of the Upgrade button. If your VPN gateway does not use the latest version, click Upgrade to update it. For more information, see Upgrade a VPN gateway.

Step 2: Create an IPsec server

  1. Log on to the VPN Gateway console.

  2. In the left-side navigation pane, choose Interconnections > VPN > IPsec-VPN Server.

  3. In the top navigation bar, select the region of the IPsec-VPN server.

  4. On the IPsec-VPN Server page, click Create IPsec-VPN Server.

  5. On the Create IPsec-VPN Server page, set the following parameters:

    • Name: Enter a name for the IPsec-VPN server.

    • VPN Gateway: Select the VPN gateway to which you want to connect by using the built-in VPN software of your mobile device.

      The VPN gateway created in Step 1 is selected in this example.

    • Local Network: Enter the CIDR block of the VPC to be accessed by the mobile device.

      192.168.0.0/16 is used in this example.

    • Client CIDR Block: Enter the private CIDR block of the mobile client in the IPsec-VPN connection.

      The client CIDR block is not the CIDR block of the network that the mobile client is on. It is the block from which the VPN gateway assigns an IP address to the virtual network adapter of the mobile client when the client accesses the VPC.

      Note

      The CIDR block of the client must not overlap with that of the vSwitch in the VPC.

      10.0.0.0/16 is used in this example.

    • Pre-Shared Key: The pre-shared key is used for identity verification between the IPsec-VPN server and the mobile client. An IPsec-VPN connection can be established only when both ends have the same key. You can specify a key or use the default key that is randomly generated by the system.

      123456 is used in this example.

    • Effective Immediately: Select whether to immediately start negotiations.

      • Yes: starts negotiations after the configuration is completed.

      • No: starts negotiations when inbound traffic is detected.

      Yes is selected in this example.

    • Advanced Configuration: The default settings are used in this example.

  6. Click OK.

After the IPsec server is created, you can view it on the IPsec-VPN Server page.
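The parameters entered in Step 1 and Step 2 interact in two ways that the console does not check for you until you click OK: the Client CIDR Block must not overlap the vSwitch CIDR blocks (and therefore the Local Network that contains them), and the SSL Connections value is a budget shared between SSL-VPN clients and IPsec-VPN mobile clients, as the note in Step 1 explains. The following Python script is an added example, not part of this topic or of any Alibaba Cloud tool, that runs these checks before you create the server. It uses the page's example values (192.168.0.0/16, 10.0.0.0/16, key 123456, 5 SSL connections); the vSwitch CIDR blocks, the number of SSL clients already connected, the `IpsecServerPlan` type and the pre-shared-key length policy are this example's own assumptions. It goes slightly beyond the page by also checking the client block against the Local Network as a whole and by flagging a short or digits-only pre-shared key.

```python
"""Pre-flight checks for the IPsec-VPN server parameters (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class IpsecServerPlan:
    """Values you are about to enter on the Create IPsec-VPN Server page.
    The field names are this example's own, not console API names."""
    local_network: str          # Local Network: CIDR block of the VPC the client will reach
    client_cidr: str            # Client CIDR Block: pool handed to the client's virtual adapter
    vswitch_cidrs: List[str]    # CIDR blocks of the vSwitches in that VPC (constructed here)
    pre_shared_key: str         # Pre-Shared Key, entered as Secret on the iOS device
    max_ssl_connections: int    # SSL Connections chosen when buying the gateway
    ssl_clients_in_use: int     # SSL-VPN clients currently connected (constructed here)


def find_overlaps(client_cidr: str, other_cidrs: List[str]) -> List[str]:
    """Return the blocks in other_cidrs that overlap the client CIDR block.

    strict=True rejects host addresses such as 10.0.0.1/16, so a typo in the
    console field is reported instead of being silently accepted."""
    client = ipaddress.ip_network(client_cidr, strict=True)
    return [c for c in other_cidrs
            if client.overlaps(ipaddress.ip_network(c, strict=True))]


def remaining_ipsec_slots(max_ssl_connections: int, ssl_clients_in_use: int) -> int:
    """SSL Connections is one budget shared by SSL-VPN and IPsec-VPN clients;
    what is left is the number of mobile clients the server can still accept."""
    return max(max_ssl_connections - ssl_clients_in_use, 0)


def psk_problems(psk: str, min_length: int = 16) -> List[str]:
    """Flag pre-shared keys that are easy to guess. The thresholds are this
    example's own policy, not a limit enforced by the console."""
    problems = []
    if len(psk) < min_length:
        problems.append(f"pre-shared key is {len(psk)} characters; want at least {min_length}")
    if psk.isdigit():
        problems.append("pre-shared key is digits only")
    return problems


def validate(plan: IpsecServerPlan) -> List[str]:
    """Run every check and return the findings; an empty list means the plan
    can be entered into the console as-is."""
    findings = []
    # The console requires the client block not to overlap any vSwitch; the
    # vSwitches live inside Local Network, so that block is checked as well.
    for block in find_overlaps(plan.client_cidr, [plan.local_network] + plan.vswitch_cidrs):
        findings.append(f"client CIDR {plan.client_cidr} overlaps {block}")
    findings.extend(psk_problems(plan.pre_shared_key))
    if remaining_ipsec_slots(plan.max_ssl_connections, plan.ssl_clients_in_use) == 0:
        findings.append("no SSL Connections left for IPsec-VPN clients")
    return findings


# The page's example values, plus constructed vSwitch blocks and a constructed
# count of three SSL-VPN clients already connected (matching the Step 1 note).
EXAMPLE_PLAN = IpsecServerPlan(
    local_network="192.168.0.0/16",
    client_cidr="10.0.0.0/16",
    vswitch_cidrs=["192.168.0.0/24", "192.168.1.0/24"],
    pre_shared_key="123456",
    max_ssl_connections=5,
    ssl_clients_in_use=3,
)

if __name__ == "__main__":
    for finding in validate(EXAMPLE_PLAN) or ["no findings"]:
        print(finding)
```

Run against the page's values, the CIDR check passes and two slots remain for IPsec-VPN clients, while the pre-shared key 123456 is reported as short and digits-only; swap in a client block such as 192.168.0.0/16 and the overlap with each vSwitch is listed by block.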

Step 3: Connect to the VPN gateway by using the built-in VPN software of a mobile device

The following steps describe how to connect an iOS device to a VPN gateway by using the built-in VPN software. In this example, the device runs iOS 14.

  1. Open Settings on your mobile device.

  2. Choose General > VPN > Add VPN Configuration.

  3. On the Add Configurations page, set the following parameters:

    • Type: Select a VPN type.

      IKEv2 is selected in this example.

    • Description: Enter a description for the VPN.

    • Server: Enter the public IP address of the VPN gateway to which you want to connect the mobile client.

      In this example, the public IP address of the VPN gateway in Step 1 is entered.

    • Remote ID: Enter the public IP address of the VPN gateway to which you want to connect the mobile client.

      In this example, the public IP address of the VPN gateway in Step 1 is entered.

    • Local ID: This parameter is not set in this example.

    • User Authentication: Select a user authentication type.

      None is selected in this example.

    • Use Certificate: The parameter is disabled in this example.

    • Secret: The secret is used for identity verification between the IPsec-VPN server and the mobile client. An IPsec-VPN connection can be established only when both ends use the same secret.

      123456 is used in this example.

  4. Click Done.

  5. On the VPN page, select the VPN configuration and turn on Status.

The IPsec-VPN connection is established after the status changes to Connected.

Step 4: Test network connectivity

Perform the following steps to test the connectivity between the mobile device and the VPC.

Before you run a test, make sure that the ECS security group rules allow requests from mobile clients. For more information, see View security group rules and Add a security group rule.

  1. Open a browser on the mobile device.

  2. Enter the private IP address of an ECS instance into the address bar of the browser.

    192.168.0.196 is used in this example.

    The result shows that the mobile client can access resources deployed in the VPC.