This topic describes how to connect an iOS device to a VPN gateway by using the built-in VPN software of the iOS device. This allows mobile clients to access resources in a virtual private cloud (VPC) that is associated with the VPN gateway.

Prerequisites

  • An Alibaba Cloud account is created. If you do not have an Alibaba Cloud account, click Create an Alibaba Cloud account.
  • Your mobile client runs the iOS operating system.
  • A VPC is created in a region that supports IPsec-VPN servers. For more information, see Create a VPC with an IPv4 CIDR block.
    Note
    • IPsec servers are supported only in the following regions: China (Hangzhou), China (Shanghai), China (Nanjing-Local Region), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), Japan (Tokyo), South Korea (Seoul), Singapore, Australia (Sydney), Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), Thailand (Bangkok), India (Mumbai), Germany (Frankfurt), UK (London), US (Virginia), US (Silicon Valley), and UAE (Dubai).

    • Only iOS devices can connect to a VPN gateway by using the built-in VPN software.

Scenario

A company has created Elastic Compute Service (ECS) instances in the China (Qingdao) region and deployed enterprise applications on the ECS instances. Due to business growth, employees on business trips need to remotely access the enterprise applications deployed on Alibaba Cloud from iOS devices.

You can create a VPN gateway and then create an IPsec-VPN server on the gateway. This way, the employees can use the built-in VPN software of their iOS devices to connect to the VPN gateway. After a mobile client is connected to the VPN gateway, employees can remotely access the enterprise applications deployed on Alibaba Cloud.

Procedure

Step 1: Create a VPN gateway

  1. Log on to the VPN Gateway console.
  2. In the top navigation bar, select the region of the VPC to be associated with the VPN gateway. China (Qingdao) is selected in this example.
  3. On the VPN Gateways page, click Create VPN Gateway.
  4. On the buy page, configure the following parameters, click Buy Now, and then complete the payment.
    • Instance Name: Enter a name for the VPN gateway.
    • Region: Select the region where you want to deploy the VPN gateway.

      China (Qingdao) is selected in this example.

    • VPC: Select the VPC to be associated with the VPN gateway.
    • Specify vSwitch: Select whether to specify a vSwitch for the VPN gateway.
      • If you select No, you do not need to specify a vSwitch for the VPN gateway. The system connects the VPN gateway to a random vSwitch in the VPC.
      • If you select Yes, you must specify a vSwitch for the VPN gateway. The system connects the VPN gateway to the specified vSwitch.
    • Peak Bandwidth: Specify the maximum bandwidth for the VPN gateway. The bandwidth is used for data transfer over the Internet.

      10 Mbit/s is selected in this example.

    • Traffic: By default, the VPN gateway uses the pay-by-data-transfer metering method. For more information, see Billing.
    • IPsec-VPN: Enable or disable the IPsec-VPN feature. After you enable this feature, you can establish connections between data centers and VPCs.

      Disable is selected in this example.

    • SSL-VPN: Enable or disable the SSL-VPN feature. The SSL-VPN feature allows you to connect to a VPC from a device anywhere.

      The SSL-VPN feature must be enabled before you can use the built-in VPN software of a mobile device to establish a connection with the VPN gateway. Enabled is selected in this example.

    • SSL connections: Select the maximum number of clients that can be connected to the VPN gateway at the same time.
      5 is selected in this example.
      Note The number of SSL connections specified in this parameter includes both SSL-VPN and IPsec-VPN connections. For example, if you set the maximum number of SSL connections to 5 and three SSL clients are connected through SSL-VPN connections, it indicates that you can connect only two mobile clients to the IPsec-VPN server.
    • Duration: By default, the VPN gateway is billed on an hourly basis.
  5. Return to the VPN Gateways page to view the VPN gateway.
    The newly created VPN gateway is in the Preparing state. The VPN gateway enters the Normal state after about 2 minutes. The Normal state indicates that the VPN gateway is initialized and ready for use. The system assigns a public IP address to the VPN gateway. The IP address is used to establish connections between mobile clients and the VPN gateway.
    Note If you want to use an existing VPN gateway, make sure that it is updated to the latest version. If the existing VPN gateway does not use the latest version, you cannot use the IPsec-VPN server.

    You can check whether your VPN gateway uses the latest version based on the status of the Upgrade button. If your VPN gateway does not use the latest version, click Upgrade to update it. For more information, see Upgrade a VPN gateway.

Step 2: Create an IPsec-VPN server

  1. Log on to the VPN Gateway console.
  2. In the left-side navigation pane, choose Interconnections > VPN > IPsec-VPN Server.
  3. In the top navigation bar, select the region of the IPsec-VPN server.
  4. On the IPsec-VPN Server page, click Create IPsec-VPN Server.
  5. On the Create IPsec-VPN Server page, set the required parameters.
    • Name: Enter a name for the IPsec-VPN server.
    • VPN Gateway: Select the VPN gateway to which you want to connect by using the built-in VPN software of your mobile device.

      The VPN gateway created in Step 1 is selected in this example.

    • Local Network: Enter the CIDR block of the VPC to be accessed by the mobile device.

      192.168.0.0/16 is used in this example.

    • Client Subnet: Enter the private CIDR block from which the IPsec-VPN server assigns addresses to mobile clients.
      The client subnet is not the CIDR block of the network that the mobile client is physically attached to. It is the address pool for the virtual network adapter of the client: when the mobile client connects, the VPN gateway assigns it an IP address from this block, and the VPC sees the client's traffic as coming from that address.
      Note The client subnet must not overlap with the CIDR block of any vSwitch in the VPC.

      10.0.0.0/16 is used in this example.

    • Pre-Shared Key: The pre-shared key is used for identity verification between the IPsec-VPN server and the mobile client. An IPsec-VPN connection can be established only when both ends have the same key. You can specify a key or use the default key that is randomly generated by the system. Because the iOS client in this example uses no user authentication (see Step 3), the pre-shared key is the only credential a client needs: anyone who knows it can connect to the VPC. Use a long, randomly generated key, do not reuse it across gateways, and distribute it to clients over a trusted channel.

      123456 is used in this example for demonstration only.

    • Effective Immediately: Select whether to immediately start negotiations.
      • Yes: starts negotiations after the configuration is completed.
      • No: starts negotiations when inbound traffic is detected.

      Yes is selected in this example.

    • Advanced Configuration: The default settings are used in this example.
  6. Click OK.
After the IPsec-VPN server is created, you can view it on the IPsec-VPN Server page.
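Two things in Step 2 are worth checking before you click OK: that the Client Subnet does not overlap any vSwitch in the VPC (the gateway would otherwise hand clients addresses that collide with ECS instances), and that the pre-shared key is strong. The following script is an added example and is not part of this page or of Alibaba Cloud's tooling; the vSwitch CIDR blocks it uses are assumed for illustration, the Local Network and Client Subnet values mirror the example above, and `generate_psk` is a stand-in for the console's randomly generated default key.

```python
import ipaddress
import secrets

# Values mirroring Step 2 of this page; the vSwitch blocks are constructed/assumed.
LOCAL_NETWORK = "192.168.0.0/16"                      # Local Network (VPC CIDR block)
VSWITCH_CIDRS = ["192.168.0.0/24", "192.168.1.0/24"]  # assumed vSwitch CIDR blocks in the VPC
CLIENT_SUBNET = "10.0.0.0/16"                         # Client Subnet (address pool for clients)


def overlapping_blocks(client_subnet, vswitch_cidrs):
    """Return the vSwitch CIDR blocks that overlap the client subnet (empty list means OK)."""
    client = ipaddress.ip_network(client_subnet, strict=True)
    return [c for c in vswitch_cidrs
            if ipaddress.ip_network(c, strict=True).overlaps(client)]


def check_address_plan(local_network, vswitch_cidrs, client_subnet):
    """Validate the address plan for the IPsec-VPN server.

    Returns a list of human-readable problems; an empty list means the plan is usable.
    Checks: every vSwitch lies inside the Local Network, and the Client Subnet is
    disjoint from every vSwitch (the Note under Client Subnet above).
    """
    vpc = ipaddress.ip_network(local_network, strict=True)
    problems = []
    for c in vswitch_cidrs:
        if not ipaddress.ip_network(c, strict=True).subnet_of(vpc):
            problems.append(f"vSwitch {c} is not inside Local Network {local_network}")
    for c in overlapping_blocks(client_subnet, vswitch_cidrs):
        problems.append(f"Client Subnet {client_subnet} overlaps vSwitch {c}")
    return problems


def generate_psk(nbytes=32):
    """Generate a random, URL-safe pre-shared key (32 bytes of entropy by default).

    This replaces a guessable key such as 123456; it is an alternative to the
    console's own randomly generated default key, not the console's algorithm.
    """
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    for problem in check_address_plan(LOCAL_NETWORK, VSWITCH_CIDRS, CLIENT_SUBNET):
        print("problem:", problem)
    print("example pre-shared key:", generate_psk())
```

Run the check with your real vSwitch CIDR blocks (from the VPC console) before creating the server; changing the Client Subnet afterwards means reconfiguring every connected client.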

Step 3: Connect to the VPN gateway by using the built-in VPN software of a mobile device

The following operations describe how to connect an iOS device to the VPN gateway by using the built-in VPN software. In this example, the device runs iOS 14.

  1. Go to Settings.
  2. Choose General > VPN > Add VPN Configuration.
  3. On the Add Configuration page, set the following parameters:
    • Type: Select a VPN type.

      IKEv2 is selected in this example.

    • Description: Enter a description for the VPN.
    • Server: Enter the public IP address of the VPN gateway to which you want to connect the mobile client.

      In this example, the public IP address of the VPN gateway in Step 1 is entered.

    • Remote ID: Enter the public IP address of the VPN gateway to which you want to connect the mobile client.

      In this example, the public IP address of the VPN gateway in Step 1 is entered.

    • Local ID: This parameter is not set in this example.
    • User Authentication: Select a user authentication type.

      None is selected in this example.

    • Use Certificate: The parameter is disabled in this example.
    • Secret: The secret is used for identity verification between the IPsec-VPN server and the mobile client. An IPsec-VPN connection can be established only when both ends use the same secret.

      123456 is used in this example.

  4. Click OK.
  5. On the VPN page, select the VPN configuration and turn on Status.
The IPsec-VPN connection is established after the status changes to Connected.
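Typing the Step 3 settings by hand on every employee's phone does not scale and invites mistakes in the Server and Remote ID fields. The same settings can be shipped as an iOS configuration profile (.mobileconfig). The script below is an added example, not code from this page or from Alibaba Cloud: it builds a profile whose VPN payload carries exactly the values chosen in Step 3 (IKEv2, Server and Remote ID set to the gateway's public IP, no Local ID, no user authentication, shared secret instead of a certificate). The payload keys are those of Apple's Configuration Profile Reference for the VPN payload as the author understands them; the IP address 203.0.113.10 is a placeholder for the gateway's real public IP, and the organisation identifier is assumed.

```python
import plistlib
import uuid


def build_ikev2_profile(server_ip, shared_secret, name="Alibaba Cloud IPsec-VPN",
                        org="com.example", local_id=""):
    """Return a .mobileconfig document (bytes) equivalent to the manual Step 3 settings.

    server_ip     - public IP address of the VPN gateway (Server and Remote ID fields)
    shared_secret - the Pre-Shared Key configured on the IPsec-VPN server (Secret field)
    local_id      - Local ID; left empty because Step 3 does not set it
    """
    vpn_payload = {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.vpn.{uuid.uuid4()}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "UserDefinedName": name,            # Description
        "VPNType": "IKEv2",                 # Type: IKEv2
        "IKEv2": {
            "RemoteAddress": server_ip,               # Server
            "RemoteIdentifier": server_ip,            # Remote ID
            "LocalIdentifier": local_id,              # Local ID (unset in this example)
            "AuthenticationMethod": "SharedSecret",   # Use Certificate: off
            "SharedSecret": shared_secret,            # Secret
            "ExtendedAuthEnabled": False,             # User Authentication: None
        },
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.vpnprofile",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "PayloadContent": [vpn_payload],
    }
    return plistlib.dumps(profile)


def vpn_settings(profile_bytes):
    """Parse a profile produced above and return its IKEv2 settings (for inspection/tests)."""
    profile = plistlib.loads(profile_bytes)
    vpn = profile["PayloadContent"][0]
    return {"type": vpn["VPNType"], **vpn["IKEv2"]}


if __name__ == "__main__":
    # 203.0.113.10 is a placeholder: substitute the gateway's public IP from Step 1.
    data = build_ikev2_profile("203.0.113.10", "123456")
    with open("alibaba-ipsec-vpn.mobileconfig", "wb") as f:
        f.write(data)
    print(vpn_settings(data))
```

Install the file through Settings or an MDM and the VPN appears under General > VPN ready to switch on. Note that the profile stores the shared secret in clear text, and with User Authentication set to None it is the only credential; treat the .mobileconfig file with the same care as the key itself, and prefer distribution through an MDM over e-mail or chat.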

Step 4: Test network connectivity

Perform the following steps to test the connectivity between the mobile device and the VPC.

Before you run a test, make sure that the ECS security group rules allow requests from mobile clients. For more information, see Query security group rules and Add a security group rule.

  1. Open a browser on the mobile device.
  2. Enter the private IP address of an ECS instance into the address bar of the browser.
    192.168.0.196 is used in this example.
    The result shows that the mobile client can access resources deployed in the VPC.