This topic describes how to connect an iOS device to a VPN gateway by using the built-in VPN software of the iOS device. This allows mobile clients to access resources in a virtual private cloud (VPC) that is associated with the VPN gateway.

Prerequisites

  • An Alibaba Cloud account is created. If you do not have an Alibaba Cloud account, create one.
  • Your mobile client runs the iOS operating system.
  • A VPC is created in a region that supports IPsec-VPN servers. For more information, see Create an IPv4 VPC.
    Note
    • IPsec-VPN servers are supported only in the following regions: China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Ulanqab), China (Shenzhen), China (Hong Kong), Singapore (Singapore), Japan (Tokyo), Malaysia (Kuala Lumpur), Indonesia (Jakarta), Australia (Sydney), South Korea (Seoul), US (Virginia), US (Silicon Valley), Germany (Frankfurt), UK (London), India (Mumbai), and UAE (Dubai).

    • Only iOS devices can connect to a VPN gateway by using the built-in VPN software.

Scenario

A company has created Elastic Compute Service (ECS) instances in the China (Qingdao) region and deployed enterprise applications on the ECS instances. Due to business growth, employees on business trips need to remotely access the enterprise applications deployed on Alibaba Cloud from iOS devices.

You can create a VPN gateway and then create an IPsec-VPN server on the gateway. This way, the employees can use the built-in VPN software of their iOS devices to connect to the VPN gateway. After a mobile client is connected to the VPN gateway, employees can remotely access the enterprise applications deployed on Alibaba Cloud.

Procedure

Step 1: Create a VPN gateway

  1. Log on to the VPN Gateway console.
  2. In the top navigation bar, select the region of the VPC to be associated with the VPN gateway. China (Qingdao) is selected in this example.
  3. On the VPN Gateways page, click Create VPN Gateway.
  4. On the buy page, set the following parameters, click Buy Now, and then complete the payment:
    • Name: Enter a name for the VPN gateway.

      The name must be 2 to 128 characters in length, and can contain letters, digits, hyphens (-), and underscores (_). It must start with a letter.

    • Region: Select the region where you want to deploy the VPN gateway.

      China (Qingdao) is selected in this example.

    • VPC: Select the VPC to be associated with the VPN gateway.
    • Specify VSwitch: Select whether to specify a vSwitch for the VPN gateway.
      • If you select No, you do not need to specify a vSwitch for the VPN gateway. The system connects the VPN gateway to a random vSwitch in the VPC.
      • If you select Yes, you must specify a vSwitch for the VPN gateway. The system connects the VPN gateway to the specified vSwitch.
    • Peak Bandwidth: Specify the maximum bandwidth for the VPN gateway. The bandwidth is used for data transfer over the Internet.

      In this example, 10 M is selected.

    • Traffic: By default, the VPN gateway uses the pay-by-data-transfer metering method. For more information, see Pay-as-you-go.
    • IPsec-VPN: Enable or disable the IPsec-VPN feature. After you enable this feature, you can establish connections between data centers and VPCs.

      Disable is selected in this example.

    • SSL-VPN: Enable or disable the SSL-VPN feature. The SSL-VPN feature allows you to connect to a VPC from a device anywhere.

      The SSL-VPN feature must be enabled before you can use the built-in VPN software of a mobile device to establish a connection with the VPN gateway. Enabled is selected in this example.

    • SSL connections: Select the maximum number of clients that can be connected to the VPN gateway at the same time.
      5 is selected in this example.
      Note The number of SSL connections specified in this parameter includes both SSL-VPN and IPsec-VPN connections. For example, if you set the maximum number of SSL connections to 5 and three SSL clients are connected through SSL-VPN connections, it indicates that you can connect only two mobile clients to the IPsec-VPN server.
    • Duration: By default, the VPN gateway is billed on an hourly basis.
  5. Return to the VPN Gateways page to view the VPN gateway.
    The newly created VPN gateway is in the Preparing state. The VPN gateway enters the Normal state after about 2 minutes. The Normal state indicates that the VPN gateway is initialized and ready for use. The system assigns a public IP address to the VPN gateway. The IP address is used to establish connections between mobile clients and the VPN gateway.
    Note If you want to use an existing VPN gateway instead of a new VPN gateway, make sure that the VPN gateway is updated to the latest version. If the existing VPN gateway does not use the latest version, you cannot use the IPsec-VPN server.

    You can check whether your VPN gateway uses the latest version based on the status of the Upgrade button. If your VPN gateway does not use the latest version, click Upgrade to update it. For more information, see Update a VPN gateway.

Step 2: Create an IPsec-VPN server

  1. Log on to the VPN Gateway console.
  2. In the left-side navigation pane, choose Interconnections > VPN > IPsec-VPN Server.
  3. In the top navigation bar, select the region of the IPsec-VPN server.
  4. On the IPsec-VPN Server page, click Create IPsec-VPN Server.
  5. On the Create IPsec-VPN Server page, set the required parameters.
    • Name: Enter a name for the IPsec-VPN server.

      The name must be 2 to 128 characters in length, and can contain letters, digits, hyphens (-), and underscores (_). It must start with a letter.

    • VPN Gateway: Select the VPN gateway to which you want to connect by using the built-in VPN software of your mobile device.

      The VPN gateway created in Step 1 is selected in this example.

    • Local Network: Enter the CIDR block of the VPC to be accessed by the mobile device.

      192.168.0.0/16 is used in this example.

    • Client Subnet: Enter the CIDR block from which the IPsec-VPN server assigns addresses to mobile clients.
      The client subnet is not the CIDR block of the network the mobile client is physically on. It is the address pool for the virtual network adapter of the mobile client: when the client connects, the VPN gateway assigns it an IP address from this block, and traffic from the client reaches the VPC with that source address.
      Note The client subnet must not overlap with the CIDR block of any vSwitch in the VPC, or with the Local Network block.

      10.0.0.0/16 is used in this example.

    • Pre-Shared Key: The pre-shared key is used for identity verification between the IPsec-VPN server and the mobile client. An IPsec-VPN connection can be established only when both ends have the same key. You can specify a key or use the default key that is randomly generated by the system.

      123456 is used in this example only so that it is easy to type on the device. The pre-shared key is the only credential protecting this connection when user authentication is set to None on the client, so in production keep the system-generated random key or choose a long random key, and distribute it to employees over a trusted channel.

    • Effective Immediately: Select whether to immediately start connection negotiations.
      • Yes: starts negotiations immediately after you complete the configuration.
      • No: starts negotiations when data transfer is detected.

      In this example, Yes is selected.

    • Advanced Configuration: The default settings are used in this example.
  6. Click OK.
After the IPsec-VPN server is created, you can go to the IPsec-VPN Server page to view the created IPsec-VPN server.
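The following script is an example added here; it is not part of the Alibaba Cloud documentation or console. It checks a planned IPsec-VPN server configuration against the two constraints stated above (the client subnet must not overlap the vSwitch or Local Network CIDR blocks) and flags a weak pre-shared key such as the 123456 used in this walkthrough. The function names are this example's own, the CIDR values are taken from the page's example, and the vSwitch block 192.168.0.0/24 is a constructed assumption.

```python
"""Added example: sanity-check an IPsec-VPN server configuration before creating it.

Implements the constraints the procedure states: the client subnet must not
overlap the VPC/vSwitch CIDR blocks, and the pre-shared key should be strong.
Function names are this example's own, not an Alibaba Cloud API.
"""
import ipaddress
import secrets
import string


def cidrs_overlap(a: str, b: str) -> bool:
    """True if the two CIDR blocks share at least one address."""
    net_a = ipaddress.ip_network(a, strict=True)
    net_b = ipaddress.ip_network(b, strict=True)
    return net_a.overlaps(net_b)


def generate_psk(length: int = 32) -> str:
    """Generate a random pre-shared key (letters and digits) from the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def psk_is_weak(psk: str, min_length: int = 16) -> bool:
    """Flag short keys and keys built from a single character class (e.g. '123456')."""
    classes = sum(
        any(test(c) for c in psk)
        for test in (str.islower, str.isupper, str.isdigit)
    )
    return len(psk) < min_length or classes < 2


def validate_ipsec_server_config(local_network: str, client_subnet: str,
                                 vswitch_cidrs: list, psk: str) -> list:
    """Return a list of problems; an empty list means the configuration is acceptable."""
    problems = []
    # Client subnet vs. every vSwitch in the VPC (the note under Client Subnet)
    for vsw in vswitch_cidrs:
        if cidrs_overlap(client_subnet, vsw):
            problems.append(f"client subnet {client_subnet} overlaps vSwitch {vsw}")
    # Client subnet vs. the Local Network block the clients are routed to
    if cidrs_overlap(client_subnet, local_network):
        problems.append(f"client subnet {client_subnet} overlaps local network {local_network}")
    # Pre-shared key strength
    if psk_is_weak(psk):
        problems.append("pre-shared key is weak; use the system-generated key or generate_psk()")
    return problems


if __name__ == "__main__":
    # Constructed values matching the page's example (vSwitch block is assumed).
    print(validate_ipsec_server_config("192.168.0.0/16", "10.0.0.0/16",
                                       ["192.168.0.0/24"], "123456"))
    print(validate_ipsec_server_config("192.168.0.0/16", "10.0.0.0/16",
                                       ["192.168.0.0/24"], generate_psk()))
```

Run it with the Local Network, Client Subnet and vSwitch blocks of your own VPC before clicking OK; the first call above reports only the weak key, the second reports nothing.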

Step 3: Connect to the VPN gateway by using the built-in VPN software of a mobile device

The following operations describe how to connect an iOS device to the VPN gateway by using the built-in VPN software. In this example, the device runs iOS 14.

  1. Go to Settings.
  2. Choose General > VPN > Add VPN Configuration.
  3. On the Add Configurations page, set the following parameters:
    • Type: Select a VPN type.

      IKEv2 is selected in this example.

    • Description: Enter a description for the VPN.
    • Server: Enter the public IP address of the VPN gateway to which you want to connect the mobile client.

      In this example, the public IP address of the VPN gateway in Step 1 is entered.

    • Remote ID: Enter the public IP address of the VPN gateway to which you want to connect the mobile client.

      In this example, the public IP address of the VPN gateway in Step 1 is entered.

    • Local ID: This parameter is not set in this example.
    • User Authentication: Select a user authentication type.

      None is selected in this example.

    • Use Certificate: The parameter is disabled in this example.
    • Secret: The secret is used for identity verification between the IPsec-VPN server and the mobile client. An IPsec-VPN connection can be established only when both ends use the same secret.

      123456 is used in this example.

  4. Tap Done.
  5. On the VPN page, select the VPN configuration and turn on Status.

The IPsec-VPN connection is established after the status changes to Connected.
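As an added example that is not Alibaba Cloud's or Apple's own code, the script below generates an iOS configuration profile (.mobileconfig) carrying the same IKEv2 settings that Step 3 enters by hand, so the configuration can be pushed to employee devices through MDM instead of being typed. The keys follow Apple's VPN payload (PayloadType com.apple.vpn.managed, VPNType IKEv2). The server address 203.0.113.10, the identifier ios-client, the org prefix com.example.vpn and the PSK placeholder are assumptions; in particular the payload's LocalIdentifier key is filled with a placeholder because the manual steps leave Local ID blank, and the gateway must accept whatever value is used there.

```python
"""Added example: build an iOS .mobileconfig with the IKEv2 pre-shared-key settings
from Step 3 (Server and Remote ID = gateway public IP, no user authentication, no
certificate). Values below are constructed placeholders, not from the page.
"""
import plistlib
import uuid


def ikev2_psk_settings(server_ip: str, psk: str, local_id: str) -> dict:
    """IKEv2 dictionary of Apple's VPN payload for pre-shared-key authentication."""
    return {
        "RemoteAddress": server_ip,          # Server field in the iOS UI
        "RemoteIdentifier": server_ip,       # Remote ID field in the iOS UI
        "LocalIdentifier": local_id,         # assumption: UI leaves Local ID blank
        "AuthenticationMethod": "SharedSecret",  # Use Certificate = off
        "SharedSecret": psk,                 # Secret field in the iOS UI
        "ExtendedAuthEnabled": 0,            # User Authentication = None
    }


def build_profile(server_ip: str, psk: str, display_name: str,
                  local_id: str, org_prefix: str = "com.example.vpn") -> bytes:
    """Return the .mobileconfig (XML plist) bytes for a single IKEv2 VPN payload."""
    vpn_payload = {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_prefix}.ikev2",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "UserDefinedName": display_name,     # Description shown under Settings > VPN
        "VPNType": "IKEv2",
        "IKEv2": ikev2_psk_settings(server_ip, psk, local_id),
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": org_prefix,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{display_name} profile",
        "PayloadContent": [vpn_payload],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def load_profile(data: bytes) -> dict:
    """Parse profile bytes back into a dict, e.g. to review it before deployment."""
    return plistlib.loads(data)


if __name__ == "__main__":
    # Constructed placeholders: replace with the gateway's public IP and the real PSK.
    data = build_profile("203.0.113.10", "REPLACE_WITH_STRONG_PSK",
                         "Alibaba Cloud VPN", "ios-client")
    print(data.decode())
```

The profile embeds the shared secret in cleartext, so treat the generated file as carefully as the pre-shared key itself: deliver it through MDM or another trusted channel rather than by e-mail, and rotate the key if a profile is lost.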

Step 4: Test network connectivity

Complete the following steps to test the connectivity between the mobile device and the VPC.

  1. Open a browser on the mobile device.
  2. Enter the private IP address of an ECS instance into the address bar of the browser.
    192.168.0.196 is used in this example.
    The result shows that the mobile client can access resources deployed in the VPC.