VPN Gateway allows you to configure IPsec-VPN servers. Then, you can establish an IPsec-VPN connection to Alibaba Cloud by using the built-in VPN feature of your mobile client. After you establish an IPsec-VPN connection, you can use your mobile client to communicate with the resources on Alibaba Cloud.

Scenarios

IPsec-VPN servers allow you to establish end-to-site IPsec connections by using the built-in VPN feature of your mobile client. After you establish an IPsec-VPN connection, you can use your mobile client to communicate with resources on Alibaba Cloud through a secure VPN tunnel.

Overview

Limits

  • IPsec-VPN servers are supported only in the following regions: China (Hangzhou), China (Shanghai), China (Beijing), China (Qingdao), China (Shenzhen), China (Hong Kong), Singapore (Singapore), US (Virginia), US (Silicon Valley), China (Zhangjiakou), China (Ulanqab), Japan (Tokyo), Malaysia (Kuala Lumpur), Indonesia (Jakarta), India (Mumbai), Australia (Sydney), Germany (Frankfurt), UK (London), and UAE (Dubai).
  • IPsec-VPN servers support only mobile clients that run the iOS operating system.
  • You can create only one IPsec-VPN server for each VPN gateway.
  • If you create an IPsec-VPN server and an SSL-VPN server for the same VPN gateway, both the IPsec-VPN server and SSL-VPN server consume the SSL connection quota of the VPN gateway.

    For example, the SSL connection quota that you purchase for a VPN gateway is 20, and the SSL-VPN server is connected to 5 clients. In this case, the IPsec-VPN server can be connected to at most 15 clients.

Prerequisites

Before you use an IPsec-VPN server, make sure that the following prerequisites are met:
  • A virtual private cloud (VPC) is created in the region where you want to create the IPsec-VPN server. For more information, see Create an IPv4 VPC.
  • Your mobile client can access the Internet.
  • Your mobile client runs the iOS operating system.
  • The security group rules of your Elastic Compute Service (ECS) instances allow requests from the mobile client. For more information, see Query security group rules and Add security group rules.

Procedure

Procedure
  1. Create a VPN gateway

    Create a VPN gateway and enable the SSL-VPN feature.

  2. Create an IPsec-VPN server

    On the IPsec-VPN server, specify the CIDR block that the mobile client wants to access and the CIDR block of the mobile client.

  3. Set the IPsec-VPN connection on the mobile client

    Specify the VPN gateway information on the mobile client and establish an IPsec-VPN connection.

  4. Verify network connectivity

    After you establish an IPsec-VPN connection between the mobile client and VPN gateway, you can verify the connectivity by connecting to a cloud resource from the mobile client.

For more information about how to use an IPsec-VPN server, see Connect an iOS device to a VPN gateway.

References

What is the difference between an IPsec-VPN server and an SSL-VPN server?

Item IPsec-VPN server SSL-VPN server
Scenarios Provides end-to-site connections. Provides end-to-site connections.
Client mode Allows mobile clients to establish IPsec-VPN connections to Alibaba Cloud. Allows computers to establish SSL-VPN connections to Alibaba Cloud.
Connection mode Allows mobile clients to establish IPsec-VPN connections to Alibaba Cloud by using the built-in VPN feature. Allows computers to establish SSL-VPN connections to Alibaba Cloud by using OpenVPN.
Encryption method IPsec protocol SSL certificate