
WUYING Workspace: Use IPsec-VPN to access a cloud computer from a WUYING client over a private network

Last Updated: Aug 14, 2023

IPsec-VPN is a route-based technology for connecting networks. After an IPsec-VPN connection is established, on-premises clients can connect to services that are deployed in virtual private clouds (VPCs) over a virtual private network (VPN). This topic describes how to use IPsec-VPN to connect a WUYING client to the secure office network of a cloud computer in WUYING Workspace, so that you can access the cloud computer from the WUYING client over a private network.

Preparations

Before you begin, read the Access a cloud computer over a private network topic and complete the following preparations:

  • A Cloud Enterprise Network (CEN) instance is created. If you do not have a CEN instance, create a CEN instance before you proceed. For more information, see Create a CEN instance.

  • A virtual private cloud (VPC) is created. If you do not have a VPC, create a VPC and attach it to the CEN instance before you proceed. For more information, see Create a VPC and a vSwitch or Manage network instances.

  • An office network is created. If you do not have an office network, create a convenience office network or an Active Directory (AD) office network and attach the VPC of the office network to the CEN instance. For more information, see Create or delete a convenience office network or Create and configure an AD office network.

    Important
    • Before you create an office network, you must plan the IPv4 CIDR block of the office network that you want to create. This prevents CIDR block conflicts between the office network and the CEN instance, and between the office network and the on-premises data center. For more information, see Plan a CIDR block.

    • If you already have a convenience office network, you must attach the convenience office network to the CEN instance.

    • If you deploy your AD system on an Elastic Compute Service (ECS) instance, you must attach the VPC of the AD server to the CEN instance. If you deploy your AD system on an on-premises server, you must connect the on-premises network to the cloud. This way, WUYING Workspace can connect to your AD system. Before you configure an AD domain, you need to create an AD office network and connect the on-premises network to the cloud.

  • An end user and a cloud computer are created. The cloud computer is assigned to the end user.

    If no end user or cloud computer exists, create an end user and a cloud computer based on the type of the office network, and assign the cloud computer to the end user.

  • A device is prepared to connect to a cloud computer.

    Note
    • The IPsec-VPN solution can be used with the Windows client and the macOS client of Alibaba Cloud Workspace, and with a hardware client.

    • An Alibaba Cloud Workspace client such as the Windows client, macOS client, or web client is installed on your on-premises device. You can log on to the installed client and check whether you can access your cloud computer over the VPC.

CIDR block planning

You must plan CIDR blocks so that the networks used by the device and the cloud instances do not overlap. The CIDR blocks in the following list are used throughout this topic. Replace them with your actual CIDR blocks.

  • Office network VPC: 172.16.0.0/12
    The CIDR block of the VPC that is used by the office network in which your cloud computer resides. The PrivateLink service (endpoint service) uses this CIDR block.

  • User VPC: 192.168.0.0/16
    The CIDR block of the VPC that you create to establish the VPN connection.

  • Data center: 192.10.0.0/16
    The CIDR block of the on-premises network that the Alibaba Cloud Workspace client uses. The VPN connection is initiated from this CIDR block.

  • Data center gateway: 115.XX.XX.154
    The public IP address of the gateway in the data center.

Note

The gateway in the data center must support the standard IKEv1 and IKEv2 protocols to connect to VPN Gateway. IKEv1 and IKEv2 are the two versions of the Internet Key Exchange (IKE) protocol. To check whether the gateway supports IKEv1 and IKEv2, contact the gateway manufacturer.

Step 1: Configure IPsec-VPN

To configure IPsec-VPN, you must configure a VPN gateway, a customer gateway, and an IPsec connection. Then, you must publish CIDR blocks to Cloud Enterprise Network (CEN). The following section describes how to configure these settings.

  1. When you purchase a VPN gateway, enable IPsec-VPN. For more information, see the "Create a VPN gateway" section of the Create and manage a VPN gateway topic.

    The following parameters are used when you create the VPN gateway.

    • Instance Name
      Enter a name for the VPN gateway.
      Example: test-vpn

    • Region
      Select the region where you want to deploy the VPN gateway. The VPN gateway must be deployed in the same region as the VPC with which you want to associate the VPN gateway.
      Example: China (Hangzhou)

    • Network Type
      Select the network type of the VPN gateway.
      • Public: The VPN gateway can be used to establish VPN connections over the Internet.
      • Private: The VPN gateway can be used to establish VPN connections over private networks.
      Example: Public

    • VPC
      Select the VPC with which you want to associate the VPN gateway.
      Example: test-vpc

    • Specify VSwitch
      Specify whether to associate the VPN gateway with a specific vSwitch.
      • No: The VPN gateway is associated with a random vSwitch in the VPC.
      • Yes: The VPN gateway is associated with the vSwitch that you specify.
      Example: No

    • Peak Bandwidth
      Specify the peak bandwidth of the VPN gateway. Unit: Mbit/s.
      Example: 200 Mbit/s

    • Traffic
      Select a metering method for the VPN gateway. Default value: Pay-by-data-transfer.
      Example: Pay-by-data-transfer

    • IPsec-VPN
      Specify whether to enable IPsec-VPN for the VPN gateway. Default value: Enable. You can use IPsec-VPN to establish a secure connection between a data center and a VPC, or between VPCs.
      Example: Enable

    • SSL-VPN
      Specify whether to enable SSL-VPN for the VPN gateway. Default value: Disable. SSL-VPN allows you to establish secure connections between clients and servers without the need to configure customer gateways. For example, you can establish SSL-VPN connections between Linux clients and VPCs.
      Example: Disable

    • Duration
      Specify the billing cycle of the VPN gateway. Default value: By Hour.
      Example: 1 Month

    • Service-linked Role
      Click Create Service-linked Role. The system then automatically creates the service-linked role AliyunServiceRoleForVpn, which the VPN gateway assumes to access other cloud resources. For more information, see AliyunServiceRoleForVpn. If Created is displayed, the service-linked role already exists and you do not need to create it again.
      Example: /

  2. Create a customer gateway. For more information, see Create a customer gateway.

    The following table describes the parameters when you create a customer gateway.

    • Name
      Enter a name for the customer gateway.
      Example: test-gw

    • IP Address
      Enter the static public IP address of the gateway in the data center to which you want to connect.
      Example: 115.x.x.154

    • ASN
      Enter the autonomous system number (ASN) of the gateway in the data center. Valid values: 1 to 4294967295.
      You can enter the ASN in two segments: the first 16 bits and the remaining 16 bits, separated by a period (.), with each segment written in decimal format. For example, if you enter 123.456, the ASN is calculated as 123 × 65536 + 456 = 8061384.
      Note
      • If Border Gateway Protocol (BGP) dynamic routing is enabled for the VPN gateway, you must configure this parameter.
      • We recommend that you use a private ASN to establish a connection with Alibaba Cloud over BGP. Refer to the relevant documentation to query the private ASN range.
      Example: 123.456

    • Description
      Enter a description for the customer gateway.
      Example: The customer gateway is created to allow access from a WUYING client to a cloud computer over a private network based on IPsec-VPN.

  3. Create an IPsec-VPN connection. For more information, see Create and manage IPsec-VPN connections.

    The following table describes the parameters when you create an IPsec-VPN connection.

    • Name
      Specify a name for the IPsec-VPN connection based on the on-screen naming conventions.
      Example: test-ipsec

    • Associate Resource
      Select the type of resource that you want to associate with the IPsec-VPN connection.
      Example: VPN Gateway

    • VPN Gateway
      Select the VPN gateway that you want to associate with the IPsec-VPN connection.
      Example: test-vpn

    • Customer Gateway
      Select the customer gateway that you want to associate with the IPsec-VPN connection.
      Example: test-gw

    • Routing Mode
      Select the routing mode of the IPsec-VPN connection.
      • Destination Routing Mode (default): routes and forwards traffic based on the destination IP address.
      • Protected Data Flows: routes and forwards traffic based on the source and destination IP addresses. After you select Protected Data Flows, you must set Local Network and Remote Network. After you configure the IPsec-VPN connection:
        • If the IPsec-VPN connection is associated with a VPN gateway, the system automatically adds policy-based routes to the route table of the VPN gateway. The policy-based routes are not advertised by default. You can decide whether to advertise the routes to the VPC route table based on your requirements. For more information, see Advertise a policy-based route.
        • If the IPsec-VPN connection is associated with a transit router, the system automatically adds destination-based routes to the route table of the IPsec-VPN connection. The destination-based routes are automatically advertised to the route table of the associated transit router.
      Example: Protected Data Flows

    • Local Network
      Enter the CIDR blocks on the VPC side that are used to establish the connection to the data center. These CIDR blocks are used in phase 2 negotiations. Click the Add icon on the right side of the text box to add CIDR blocks. You can add multiple CIDR blocks.
      Note
      If you specify multiple CIDR blocks, you must set the IKE version to ikev2.
      Example: specify the following CIDR blocks:
      • CIDR block of the office network VPC: 172.16.0.0/12
      • CIDR block of the user VPC: 192.168.0.0/16
      • CIDR block of the Alibaba Cloud OpenAPI endpoints that can be accessed from internal networks. This value is fixed as 100.64.0.0/10.

    • Remote Network
      Enter the CIDR block on the data center side that is used to establish the connection to the VPCs. The CIDR block is used in phase 2 negotiations. Click the Add icon on the right side of the text box to add CIDR blocks. You can add multiple CIDR blocks.
      Note
      If you specify multiple CIDR blocks, you must set the IKE version to ikev2.
      Example: 192.10.0.0/16

    • Effective Immediately
      Specify whether to immediately start IPsec negotiations.
      • Yes: immediately starts IPsec negotiations after the configuration is complete.
      • No: starts IPsec negotiations only when traffic is received. This is the default value.
      Example: Yes

  4. Publish the peer CIDR block to CEN.

    1. In the left-side navigation pane, click Route Tables.

    2. On the Route Tables page, find the route table of the user VPC and click the ID of the route table.

    3. On the page that appears, choose Route Entry List > Custom Route.

    4. Find the peer CIDR block (the CIDR block of the private network used by the data center) that you configured and click Publish in the Actions column.

      If the value in the Status column of the CIDR block is Published, the CIDR block is published.
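As an added example that is not part of the original topic, the following Python script checks the CIDR plan from the "CIDR block planning" section against the Local Network and Remote Network values of the IPsec-VPN connection (no overlaps, the fixed 100.64.0.0/10 block present, IKEv2 when more than one CIDR block is used), and converts the two-segment ASN format accepted by the customer gateway. The CIDR blocks and the ASN are the sample values from this topic; the function names are my own.

```python
import ipaddress

# Sample values from this topic (constructed plan; replace with your own).
LOCAL_NETWORKS = ["172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10"]  # VPC side
REMOTE_NETWORKS = ["192.10.0.0/16"]  # data center side
CLOUD_SERVICE_CIDR = ipaddress.ip_network("100.64.0.0/10")  # fixed OpenAPI block


def parse_asn(text):
    """Parse a customer gateway ASN given as a plain number ('8061384')
    or in the two-segment form ('123.456' = 123 * 65536 + 456)."""
    if "." in text:
        high, low = (int(part) for part in text.split(".", 1))
        if not (0 <= high <= 65535 and 0 <= low <= 65535):
            raise ValueError("each ASN segment must fit in 16 bits")
        asn = high * 65536 + low
    else:
        asn = int(text)
    if not 1 <= asn <= 4294967295:
        raise ValueError("ASN must be in the range 1 to 4294967295")
    return asn


def check_ipsec_plan(local, remote, ike_version="ikev2"):
    """Return the problems found in the phase 2 traffic selectors.
    An empty list means the plan is consistent."""
    problems = []
    # ip_network() is strict by default: host bits must be zero.
    local_nets = [ipaddress.ip_network(c) for c in local]
    remote_nets = [ipaddress.ip_network(c) for c in remote]
    # A local selector that overlaps a remote one sends traffic to the wrong side.
    for l_net in local_nets:
        for r_net in remote_nets:
            if l_net.overlaps(r_net):
                problems.append(f"local {l_net} overlaps remote {r_net}")
    # CIDR blocks on the same side must not overlap each other either.
    for side, nets in (("local", local_nets), ("remote", remote_nets)):
        for i, a in enumerate(nets):
            for b in nets[i + 1:]:
                if a.overlaps(b):
                    problems.append(f"{side} {a} overlaps {side} {b}")
    # The client reaches the WUYING Workspace API through 100.64.0.0/10, so that
    # block must be covered by a local selector or API calls never enter the tunnel.
    if not any(CLOUD_SERVICE_CIDR.subnet_of(n) for n in local_nets):
        problems.append(f"{CLOUD_SERVICE_CIDR} is missing from the local networks")
    # As the topic notes, more than one CIDR block on either side requires IKEv2.
    if (len(local_nets) > 1 or len(remote_nets) > 1) and ike_version.lower() != "ikev2":
        problems.append("multiple CIDR blocks require IKE version ikev2")
    return problems
```

Run `check_ipsec_plan(LOCAL_NETWORKS, REMOTE_NETWORKS)` before you create the connection; an empty result means the sample plan is consistent, and each returned string names one selector to fix.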

Step 2: Load the VPN configurations to the data center gateway

The following section describes the operations that you must perform to load the VPN configurations to the data center gateway.

  1. Log on to the VPN gateway console.
  2. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.
  3. On the IPsec Connections page, find the IPsec-VPN connection that you created, click More in the Actions column, and then select Download Configuration.

  4. Load the IPsec-VPN connection configurations to the data center gateway. For an example of how to configure a gateway in a data center, see Configure an H3C firewall device.

Step 3: Configure routing and DNS for cloud services

  1. Configure routing for cloud services.

    The CIDR block of the cloud services in Alibaba Cloud that can be accessed over a VPC is 100.64.0.0/10. This CIDR block is a reserved CIDR block that is defined in RFC 6598. To ensure that you can call the WUYING Workspace API from an Alibaba Cloud Workspace client as expected, configure a route for the CIDR block 100.64.0.0/10 in the on-premises data center network to forward requests that are destined for the CIDR block to the user VPC in the cloud.

  2. Before you configure Domain Name System (DNS), run the following command to test whether the domain name can be resolved:

    nslookup ecd-vpc.cn-hangzhou.aliyuncs.com

    If an IP address is returned, the domain name can be resolved. In this case, you can skip the next step. If no IP address is returned, perform the following step to configure DNS.

  3. (Optional) Configure DNS.

    DNS addresses are required to resolve the domain names of the WUYING Workspace API and of the streaming gateways that reside in the VPC. In this example, set the DNS addresses to the following values:

    • 100.100.2.136

    • 100.100.2.138

    You can use one of the following methods to configure the DNS addresses:

    • Add the preceding DNS addresses to the Dynamic Host Configuration Protocol (DHCP) service of the on-premises data center.

    • Configure forwarding rules on the DNS server of the on-premises data center so that resolution requests for domain names that end with aliyuncs.com are forwarded to 100.100.2.136 or 100.100.2.138.

Step 4: Check whether the cloud computer can be connected over the private network

The IPsec-VPN solution can be used with the Windows client and the macOS client of Alibaba Cloud Workspace, and with a hardware client.

Note

In this example, the Windows client of Alibaba Cloud Workspace V5.2.0 is used to check whether the cloud computer can be accessed over a VPC. You can also use another client to access your cloud computer over a VPC based on your business requirements.

  1. From the email that you received, obtain the information that is required to log on to the Windows client, such as the office network ID, username, and password.

    1. Double-click the WUYING cloud computer icon to open the Windows client.

    2. Follow the on-screen instructions to enter the username and password.

      Important

      If you log on to a client by using only an office network ID, select Alibaba Cloud VPC.

    3. Click Switch Connection Type, select Alibaba Cloud VPC, and then click OK.

    4. Click Next.

    5. Follow the on-screen instructions to enter the username and password. Then, click Next.

  2. Connect to the cloud computer.

    If the client logon is successful, your cloud computer is displayed as a card on your screen. You can click Connect Desktop on the card to connect to your cloud computer. If the connection is successful, you can view and use your cloud computer in a new window.

    Important

    If a network request timeout error is reported, the network is inaccessible. In this case, check your parameter settings. After you have confirmed the settings, log on to the client and connect to your cloud computer again.