This topic describes how to connect an iOS device to a VPN gateway by using the built-in VPN software of the iOS device. This allows mobile clients to access resources in a virtual private cloud (VPC) that is associated with the VPN gateway.

Prerequisites

  • An Alibaba Cloud account is created. If you do not have an Alibaba Cloud account, create an Alibaba Cloud account.
  • A VPC is created in a region that supports IPsec-VPN servers. For more information, see Create an IPv4 VPC.
    Note

    IPsec-VPN servers are supported only in the following regions: China (Hangzhou), China (Shanghai), China (Beijing), China (Qingdao), China (Shenzhen), China (Hong Kong), Singapore (Singapore), US (Virginia), US (Silicon Valley), China (Zhangjiakou), China (Ulanqab), Japan (Tokyo), Malaysia (Kuala Lumpur), Indonesia (Jakarta), India (Mumbai), Australia (Sydney), Germany (Frankfurt), UK (London), and UAE (Dubai).

Scenarios

A company creates Elastic Compute Service (ECS) instances in the China (Qingdao) region and deploys enterprise applications on the ECS instances. Due to business growth, employees on business trips need to remotely access the enterprise applications deployed on Alibaba Cloud from iOS devices.

You can create a VPN gateway and then create an IPsec-VPN server on the gateway. This way, the employees can use the built-in VPN software of their iOS devices to connect to the VPN gateway. After a mobile client is connected to the VPN gateway, employees can remotely access the enterprise applications deployed on Alibaba Cloud.

Procedure

Step 1: Create a VPN gateway

  1. Log on to the VPN Gateway console.
  2. On the VPN Gateways page, click Create VPN Gateway.
  3. On the buy page, set the following parameters, click Buy Now, and complete the payment:
    • Name: Enter a name for the VPN gateway.

      The name must be 2 to 128 characters in length, and can contain digits, hyphens (-), and underscores (_). It must start with a letter.

    • Region: Select the region where you want to deploy the VPN gateway.

      China (Qingdao) is selected in this example.

    • VPC: Select the VPC to be associated with the VPN gateway.
    • Specify VSwitch: Select whether to specify a vSwitch for the VPN gateway.
      • If you select No, you do not need to specify a vSwitch for the VPN gateway. The system connects the VPN gateway to a random vSwitch in the VPC.
      • If you select Yes, you must specify a vSwitch for the VPN gateway. The system connects the VPN gateway to the specified vSwitch.
    • Peak Bandwidth: Specify the public bandwidth limit of the VPN gateway.

      5 Mbps is selected in this example.

    • IPsec-VPN: Enable or disable the IPsec-VPN feature. After you enable this feature, you can establish connections between data centers and VPCs.

      Disable is selected in this example.

    • SSL-VPN: Enable or disable the SSL-VPN feature. The SSL-VPN feature allows you to connect to a VPC from a device anywhere.

      The SSL-VPN feature must be enabled before you can use the built-in VPN software of a mobile device to establish a connection with the VPN gateway. Enabled is selected in this example.

    • SSL connections: Select the maximum number of clients that can be connected to the VPN gateway at the same time.
      5 is selected in this example.
      Note The number of SSL connections specified in this parameter includes both SSL-VPN and IPsec-VPN connections. For example, if you set the maximum number of SSL connections to 5 and three SSL clients are connected through SSL-VPN connections, only two mobile clients can connect to the IPsec-VPN server.
    • Duration: Select a billing cycle.
  4. Go to the VPN Gateways page to view the created VPN gateway.
    After the VPN gateway is created, the system assigns a public IP address to the VPN gateway. The IP address is used to establish connections between mobile clients and the VPN gateway.
    Note The created VPN gateway is in the Preparing state. The VPN gateway changes to the Normal state after about two minutes. The Normal state indicates that the VPN gateway is initialized and ready for use.

Step 2: Create an IPsec-VPN server

  1. Log on to the VPN Gateway console.
  2. In the left-side navigation pane, choose Interconnections > VPN > IPsec-VPN Server.
  3. In the top navigation bar, select the region where the IPsec-VPN server is deployed.
  4. On the IPsec-VPN Server page, click Create IPsec-VPN Server.
  5. On the Create IPsec-VPN Server page, set the required parameters.
    • Name: Enter a name for the IPsec-VPN server.

      The name must be 2 to 128 characters in length, and can contain digits, hyphens (-), and underscores (_). It must start with a letter.

    • VPN Gateway: Select the VPN gateway to which you want to connect by using the built-in VPN software of your mobile device.

      The VPN gateway created in Step 1 is selected in this example.

      Note If the system prompts that the current VPN gateway does not support IPsec-VPN servers, you can submit a ticket to upgrade the VPN gateway.
    • Local Network: Enter the CIDR block of the VPC to be accessed by the mobile device.

      192.168.0.0/16 is entered in this example.

    • Client Subnet: Enter the private CIDR block of the mobile client in the IPsec-VPN connection.
      The client subnet is not the private CIDR block of the mobile client but the private CIDR block assigned to the virtual network adapter of the mobile client. When the mobile client accesses the VPC, the VPN gateway assigns an IP address from the specified client subnet to the client.
      Note The CIDR block of the client must not overlap with that of the vSwitch in the VPC.

      10.0.0.0/16 is used in this example.

    • Pre-Shared Key: The pre-shared key is used for identity verification between the IPsec-VPN server and the mobile client. An IPsec-VPN connection can be established only when both ends have the same key. You can specify a key or use the default key that is randomly generated by the system.

      123456 is used in this example.

    • Effective Immediately: Select whether to immediately start connection negotiations.
      • Yes: starts negotiations immediately after you complete the configuration.
      • No: starts negotiations when data transfer is detected.

      In this example, Yes is selected.

    • Advanced Configuration: The default settings are used in this example.
  6. Click OK.
    After the IPsec-VPN server is created, you can go to the IPsec-VPN Server page to view the created IPsec-VPN server.
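The parameter rules above (name format, a client subnet that must not overlap the vSwitch CIDRs, and the SSL connection quota from Step 1 that IPsec-VPN clients share) can be checked before you click OK. The following Python script is an added example, not Alibaba Cloud tooling; the CIDRs are the ones from this walkthrough, the vSwitch CIDRs are constructed, and the minimum pre-shared key length is an assumption.

```python
"""Pre-flight checks for the IPsec-VPN server settings in this walkthrough.

Added example, not Alibaba Cloud's own tooling. Sample CIDRs are the ones
used on this page; the pre-shared key length threshold is an assumption.
"""
import ipaddress
import re

# Name rule stated on the page: 2-128 characters, must start with a letter,
# may contain letters, digits, hyphens and underscores.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_-]{1,127}")


def valid_name(name: str) -> bool:
    return NAME_RE.fullmatch(name) is not None


def client_subnet_conflicts(client_subnet: str, vswitch_cidrs: list[str]) -> list[str]:
    """Return every vSwitch CIDR that overlaps the client subnet.

    An empty list means the client subnet is acceptable. strict=True also
    rejects a client subnet whose host bits are set (e.g. 10.0.0.1/16).
    """
    client = ipaddress.ip_network(client_subnet, strict=True)
    return [c for c in vswitch_cidrs if ipaddress.ip_network(c).overlaps(client)]


def ipsec_slots_left(ssl_connections: int, ssl_vpn_clients: int) -> int:
    """The SSL connections quota is shared by SSL-VPN and IPsec-VPN clients."""
    return max(ssl_connections - ssl_vpn_clients, 0)


def psk_is_strong(psk: str, min_len: int = 16) -> bool:
    """Flag short or digit-only keys. The 16-character floor is an assumption,
    not a rule from the page; with User Authentication set to None (Step 3),
    the pre-shared key is the only secret that authenticates a client."""
    return len(psk) >= min_len and not psk.isdigit()


if __name__ == "__main__":
    # Values from this walkthrough: client subnet 10.0.0.0/16 inside a
    # 192.168.0.0/16 VPC, 5 SSL connections, pre-shared key 123456.
    vswitches = ["192.168.0.0/24", "192.168.1.0/24"]  # constructed vSwitch CIDRs
    print("name ok:", valid_name("ios-ipsec-server"))
    print("overlaps:", client_subnet_conflicts("10.0.0.0/16", vswitches))
    print("IPsec slots left with 3 SSL-VPN clients:", ipsec_slots_left(5, 3))
    print("PSK 123456 strong:", psk_is_strong("123456"))
```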

Step 3: Connect to the VPN gateway by using the built-in VPN software of a mobile device

The following operations describe how to connect an iOS device to the VPN gateway by using the built-in VPN software. In this example, the device runs iOS 14.

  1. Go to Settings.
  2. Choose General > VPN > Add VPN Configuration.
  3. On the Add Configurations page, set the following parameters:
    • Type: Select a VPN type.

      IKEv2 is selected in this example.

    • Description: Enter a description for the VPN.
    • Server: Enter the public IP address of the VPN gateway to which you want to connect the mobile client.

      In this example, the public IP address of the VPN gateway in Step 1 is entered.

    • Remote ID: Enter the public IP address of the VPN gateway to which you want to connect the mobile client.

      In this example, the public IP address of the VPN gateway in Step 1 is entered.

    • Local ID: This parameter is not set in this example.
    • User Authentication: Select a user authentication type.

      None is selected in this example.

    • Use Certificate: The parameter is disabled in this example.
    • Secret: The secret is used for identity verification between the IPsec-VPN server and the mobile client. An IPsec-VPN connection can be established only when both ends use the same secret.

      123456 is used in this example.

  4. Click Complete.
  5. On the VPN page, select the VPN configuration and turn on Status.
    The IPsec-VPN connection is established after the status changes to Connected.

Step 4: Verify network connectivity

Complete the following steps to verify the connectivity between the mobile device and the VPC.

  1. Open a browser on the mobile device.
  2. Enter the private IP address of an ECS instance into the address bar of the browser.
    192.168.0.196 is entered in this example.
    The result indicates that the mobile client can access resources deployed in the VPC.