You can use an IPsec-VPN server to establish IPsec-VPN connections between clients and Alibaba Cloud, for example from the built-in VPN client of a mobile phone.

Prerequisites

A VPN gateway is created and SSL-VPN is enabled for the VPN gateway. For more information, see Create a VPN gateway.

Create an IPsec-VPN server

  1. Log on to the VPN Gateway console.
  2. In the left-side navigation pane, choose Interconnections > VPN > SSL Servers.
  3. In the top navigation bar, select the region where you want to create the IPsec-VPN server.
  4. On the IPsec-VPN Server page, click Create IPsec-VPN Server.
  5. On the Create IPsec-VPN Server page, set the following parameters and click OK.
    Configuration item and description

    Name
      Enter a name for the IPsec-VPN server. The name must be 2 to 128 characters in length and can contain letters, digits, underscores (_), and hyphens (-). It must start with a letter.

    VPN Gateway
      Select the VPN gateway with which you want to associate the IPsec-VPN server.
      Note: After you create an IPsec-VPN server, you cannot change the associated VPN gateway.

    Local Network
      Enter the CIDR block that clients access over the IPsec-VPN connection. You can enter the CIDR block of a VPC, a vSwitch, or a data center that is connected to a VPC over an Express Connect circuit. Click Add Local Network to add more CIDR blocks.

    Client Subnet
      Enter the CIDR block from which the VPN gateway allocates an IP address to the virtual network interface controller (NIC) of each client. Do not enter the private CIDR block that the client already uses on its own network. When a client connects, the VPN gateway allocates an address from this block to the client, and the client uses that address to reach the destination network.
      Notice:
      • The client CIDR block must not overlap with any local network CIDR block or with the CIDR blocks of the vSwitches in the VPC.
      • The client CIDR block must provide at least four times as many IP addresses as the number of SSL-VPN connections allowed for the VPN gateway, because each connection consumes a /30.
        For example, if you specify 192.168.0.0/24 as the client CIDR block, the system first carves a /30 subnet out of it, such as 192.168.0.4/30, which contains four IP addresses. One of the four addresses is allocated to the client and the other three are reserved to keep the tunnel working. Each client therefore consumes four IP addresses, so a /24 (256 addresses) can serve at most 64 concurrent connections.

    Pre-Shared Key
      Enter the pre-shared key that the IPsec-VPN server and the client use to authenticate each other. By default, the system generates a random string of 16 characters. You can also specify a custom pre-shared key. Any client that knows this key can authenticate to the server, so choose a long random value, hand it to clients only over a trusted channel, and change it (see Modify an IPsec-VPN server) if a device that holds it is lost.

    Effective Immediately
      Specify whether to start the connection negotiation immediately.
      • Yes: starts negotiation as soon as the configuration is complete.
      • No: starts negotiation only when traffic is detected.

    Advanced Configuration: IKE Configurations

    Version
      Select the version of the IKE protocol: ikev1 or ikev2. Compared with IKEv1, IKEv2 simplifies the negotiation process and provides better support for scenarios with multiple subnets. We recommend that you select IKEv2.

    LocalId
      Enter the identifier of the IPsec-VPN server. You can enter an IP address or a value in Fully Qualified Domain Name (FQDN) format. The default value is the public IP address of the VPN gateway.

    RemoteId
      Enter the identifier of the client. You can enter an IP address or a value in FQDN format. By default, this parameter is left empty. If you set it, the identifier that the client presents during IKE negotiation must match this value.
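As an added worked example (not part of this page and not an Alibaba Cloud tool or API), the following Python script checks a planned configuration against the rules above before you click OK: the name format, the /30-per-connection sizing of the client subnet, overlap between the client subnet and the local or vSwitch CIDR blocks, and the pre-shared key length. The function and parameter names (validate, ssl_connections, vswitch_cidrs) are our own, and the sample configuration at the bottom is constructed.

```python
"""Pre-flight checks for an IPsec-VPN server configuration.

Constructed example: it encodes the rules stated on this page so they can be
checked offline. It is not an Alibaba Cloud SDK; all names are our own.
"""
import ipaddress
import re
import secrets

# Name: 2 to 128 characters, letters/digits/_/-, must start with a letter.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_-]{1,127}")
# Each connection is handed a /30 from the client subnet, i.e. 4 addresses.
ADDRS_PER_CLIENT = 4
# The console default is a 16-character random string; shorter is a warning.
MIN_PSK_LEN = 16


def valid_name(name: str) -> bool:
    return NAME_RE.fullmatch(name) is not None


def max_connections(client_subnet: str) -> int:
    """How many IPsec-VPN connections a client CIDR block can serve."""
    net = ipaddress.ip_network(client_subnet, strict=True)
    return net.num_addresses // ADDRS_PER_CLIENT


def required_prefix(connections: int) -> int:
    """Longest prefix length whose block still holds 4 x connections addresses."""
    needed = ADDRS_PER_CLIENT * connections
    return 32 - (needed - 1).bit_length()  # 32 - ceil(log2(needed))


def overlapping(client_subnet: str, other_networks) -> list:
    """Local-network or vSwitch CIDR blocks that collide with the client subnet."""
    client = ipaddress.ip_network(client_subnet, strict=True)
    return [n for n in other_networks
            if client.overlaps(ipaddress.ip_network(n, strict=True))]


def per_client_blocks(client_subnet: str) -> list:
    """The /30 blocks the gateway can carve out of the client subnet."""
    net = ipaddress.ip_network(client_subnet, strict=True)
    return [str(s) for s in net.subnets(new_prefix=30)]


def generate_psk(nbytes: int = 24) -> str:
    """Random pre-shared key from the OS CSPRNG; 24 bytes -> 32 URL-safe chars."""
    return secrets.token_urlsafe(nbytes)


def validate(cfg: dict) -> list:
    """Return a list of problems; an empty list means the config passes."""
    problems = []
    if not valid_name(cfg["name"]):
        problems.append("name must be 2-128 chars, start with a letter, "
                        "and use only letters, digits, '_' and '-'")
    others = list(cfg["local_networks"]) + list(cfg.get("vswitch_cidrs", []))
    bad = overlapping(cfg["client_subnet"], others)
    if bad:
        problems.append("client subnet overlaps " + ", ".join(bad))
    cap = max_connections(cfg["client_subnet"])
    want = cfg["ssl_connections"]  # SSL-VPN connections allowed on the gateway
    if cap < want:
        problems.append(f"client subnet serves {cap} connections but the gateway "
                        f"allows {want}; use a /{required_prefix(want)} or larger")
    if len(cfg["psk"]) < MIN_PSK_LEN:
        problems.append("pre-shared key shorter than 16 characters")
    return problems


if __name__ == "__main__":
    # Constructed sample configuration.
    cfg = {
        "name": "ipsec-server-01",
        "client_subnet": "192.168.0.0/24",
        "local_networks": ["10.0.0.0/16"],
        "vswitch_cidrs": ["10.0.1.0/24"],
        "ssl_connections": 50,
        "psk": generate_psk(),
    }
    print("problems:", validate(cfg) or "none")
    print("first /30 blocks:", per_client_blocks(cfg["client_subnet"])[:3])
```

Run it before creating the server: a non-empty list tells you which field to fix, and required_prefix gives the largest prefix length that still covers the gateway's connection quota.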

Modify an IPsec-VPN server

After you create an IPsec-VPN server, you can modify its configurations.

  1. Log on to the VPN Gateway console.
  2. In the left-side navigation pane, choose Interconnections > VPN > SSL Servers.
  3. In the top navigation bar, select the region where the IPsec-VPN server is deployed.
  4. On the IPsec-VPN Server page, find the IPsec-VPN server that you want to manage, and click Edit in the Actions column.
  5. On the Edit IPsec-VPN Server page, modify the configurations of the IPsec-VPN server and click OK.
    For more information about the parameters, see Create an IPsec-VPN server.

Delete an IPsec-VPN server

You can delete an IPsec-VPN server that is no longer needed. When you delete an IPsec-VPN server, all clients that are connected to it are disconnected.

  1. Log on to the VPN Gateway console.
  2. In the left-side navigation pane, choose Interconnections > VPN > SSL Servers.
  3. In the top navigation bar, select the region where the IPsec-VPN server is deployed.
  4. On the IPsec-VPN Server page, find the IPsec-VPN server that you want to delete and click Delete in the Actions column.
  5. In the Delete IPsec-VPN Server message, confirm the information and click OK.