You can use the built-in VPN client of an iOS device to establish an IPsec-VPN connection to Alibaba Cloud through an IPsec server. This topic describes how to create, modify, and delete an IPsec server.

Prerequisites

  • You understand the limits of and prerequisites for IPsec servers. For more information, see Limits and Prerequisites.
  • A VPN gateway is created and the SSL-VPN feature is enabled for the VPN gateway. For more information, see Create and manage a VPN gateway.

Create an IPsec server

  1. Log on to the VPN Gateway console.
  2. In the left-side navigation pane, choose Interconnections > VPN > IPsec-VPN Server.
  3. In the top navigation bar, select the region where you want to create the IPsec server.
    Regions that support IPsec servers

    China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), Japan (Tokyo), South Korea (Seoul), Singapore (Singapore), Australia (Sydney), Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), Thailand (Bangkok), India (Mumbai), Germany (Frankfurt), UK (London), US (Virginia), US (Silicon Valley), and UAE (Dubai)

  4. On the IPsec-VPN Server page, click Create IPsec-VPN Server.
  5. On the Create IPsec-VPN Server page, set the following parameters and click OK.
    Parameter: Description

    Name
      Enter a name for the IPsec server. The name must be 2 to 128 characters in length, and can contain letters, digits, underscores (_), and hyphens (-). The name must start with a letter.

    VPN Gateway
      Select the VPN gateway with which you want to associate the IPsec server.
      Note: After you create an IPsec server, you cannot change the associated VPN gateway.

    Local Network
      Enter the CIDR block that the client needs to access over the IPsec-VPN connection. The CIDR block can be the CIDR block of a virtual private cloud (VPC), a vSwitch, or a data center that is connected to a VPC through an Express Connect circuit. Click Add Local Network to add more CIDR blocks.

    Client Subnet
      Enter the CIDR block from which an IP address is allocated to the virtual network interface controller (NIC) of the client. Do not enter the private CIDR block of the client. When the client accesses the destination network through an IPsec-VPN connection, the VPN gateway allocates an IP address from the client CIDR block to the client.
      Notice
      • Make sure that the client CIDR block does not overlap with the destination CIDR block or the CIDR blocks of vSwitches in the VPC.
      • Make sure that the number of IP addresses that the client CIDR block provides is at least four times the number of SSL-VPN connections to the VPN gateway.

        For example, if you specify 192.168.0.0/24 as the client CIDR block, the system first carves a subnet with a 30-bit mask out of 192.168.0.0/24; in this example it is 192.168.0.4/30, which provides four IP addresses. The system then allocates one IP address from 192.168.0.4/30 to the client and uses the other three IP addresses to maintain network communication. One client therefore consumes four IP addresses, so 192.168.0.0/24 (256 addresses) supports at most 64 concurrent connections, and the client CIDR block must always provide at least four times as many IP addresses as there are SSL-VPN connections to the VPN gateway.

    Pre-Shared Key
      Enter the pre-shared key of the IPsec server. The key is used for authentication between the IPsec server and the client. The key must be 1 to 100 characters in length.

      If you do not specify a pre-shared key, the system generates a random 16-character string as the pre-shared key. After you create an IPsec server, you can click Edit to view the pre-shared key that is generated by the system. For more information, see Modify an IPsec server.

      Every client that connects to this IPsec server authenticates with this same key. Use a long, randomly generated value, distribute it only over a trusted channel, and change it (see Modify an IPsec server) if a client device is lost or decommissioned.

      Notice: The authentication key of the client must be the same as the pre-shared key of the IPsec server. Otherwise, the connection between the client and the IPsec server cannot be established.

    Effective Immediately
      Specify whether to start negotiations immediately.
      • Yes: starts negotiations as soon as the configuration is completed.
      • No: starts negotiations when inbound traffic is detected.

    Advanced Configuration: IKE Configurations

    Version
      Select the version of the IKE protocol.
      • ikev1
      • ikev2

      IKEv1 and IKEv2 are supported. Compared with IKEv1, IKEv2 simplifies the negotiation process and provides better support for scenarios where multiple subnets are used. We recommend that you select IKEv2.

    LocalId
      Enter the identifier of the IPsec server. You can enter an IP address or a value in Fully Qualified Domain Name (FQDN) format. The default value is the public IP address of the VPN gateway.

    RemoteId
      Enter the identifier of the client. You can enter an IP address or a value in FQDN format. This parameter is left empty by default.
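The rules in this table are easy to get wrong in the console: an overlapping client subnet only shows up when a client cannot reach the VPC, and an undersized one silently caps the number of concurrent connections. The following Python script is an added example, not code from Alibaba Cloud's documentation or tooling. It checks the name, pre-shared key, Local Network and Client Subnet rules stated above before you click OK, computes how many clients a client CIDR block can hold under the four-addresses-per-client rule, and generates a stronger pre-shared key than the 16-character default. The `config` field names and the helper function names are assumptions made for this example; the limits themselves are the ones stated in the table.

```python
"""Pre-flight checks for an IPsec server configuration (added example)."""
import ipaddress
import re
import secrets
import string

# 2-128 characters, letters/digits/_/-, must start with a letter (Name rule above)
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_-]{1,127}$")
# One /30 is carved out per client (Client Subnet notice above)
ADDRESSES_PER_CLIENT = 4


def valid_name(name: str) -> bool:
    return NAME_RE.fullmatch(name) is not None


def valid_psk(psk: str) -> bool:
    # Pre-Shared Key rule above: 1 to 100 characters
    return 1 <= len(psk) <= 100


def generate_psk(length: int = 32) -> str:
    """CSPRNG-based alphanumeric key; 32 characters by default instead of the
    16 the console generates when the field is left empty."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def check_client_subnet(client_subnet, local_networks, vswitch_cidrs=()):
    """Return (problems, capacity): overlap findings and the number of clients
    the block can serve at four addresses per client."""
    try:
        client = ipaddress.ip_network(client_subnet, strict=True)
    except ValueError as exc:
        return [f"client subnet is not a valid CIDR block: {exc}"], 0
    problems = []
    for cidr in list(local_networks) + list(vswitch_cidrs):
        net = ipaddress.ip_network(cidr, strict=True)
        if client.overlaps(net):
            problems.append(f"client subnet {client} overlaps {net}")
    if client.prefixlen > 30:
        problems.append(f"client subnet {client} is smaller than a /30; no client can be served")
        return problems, 0
    return problems, client.num_addresses // ADDRESSES_PER_CLIENT


def minimum_client_prefix(expected_connections: int) -> int:
    """Smallest IPv4 prefix length providing >= 4 * expected_connections addresses."""
    needed = expected_connections * ADDRESSES_PER_CLIENT
    prefix = 32
    while prefix > 0 and (1 << (32 - prefix)) < needed:
        prefix -= 1
    return prefix


def preflight(config: dict) -> list:
    """Run every check; an empty list means the configuration passes."""
    problems = []
    if not valid_name(config["name"]):
        problems.append("name must be 2-128 characters, letters/digits/_/-, starting with a letter")
    if not valid_psk(config["psk"]):
        problems.append("pre-shared key must be 1-100 characters")
    expected = config.get("expected_connections", 1)
    subnet_problems, capacity = check_client_subnet(
        config["client_subnet"], config["local_networks"], config.get("vswitch_cidrs", ()))
    problems.extend(subnet_problems)
    if capacity < expected:
        problems.append(f"client subnet holds {capacity} clients but {expected} are expected; "
                        f"use at least a /{minimum_client_prefix(expected)}")
    return problems


if __name__ == "__main__":
    # Constructed sample configuration (hypothetical values)
    sample = {
        "name": "ipsec-server-mobile",
        "psk": generate_psk(),
        "local_networks": ["10.0.0.0/16"],      # VPC CIDR block
        "vswitch_cidrs": ["10.0.1.0/24", "10.0.2.0/24"],
        "client_subnet": "192.168.0.0/24",      # 256 addresses -> 64 clients
        "expected_connections": 100,
    }
    for issue in preflight(sample) or ["configuration passes all checks"]:
        print(issue)
```

With the sample values the script reports that a /24 holds only 64 clients and that 100 expected connections need at least a /23; shrink `expected_connections` or widen the client subnet before creating the server.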

Modify an IPsec server

  1. Log on to the VPN Gateway console.
  2. In the left-side navigation pane, choose Interconnections > VPN > IPsec-VPN Server.
  3. In the top navigation bar, select the region of the IPsec-VPN server.
  4. On the IPsec-VPN Server page, find the IPsec server that you want to manage, and click Edit in the Actions column.
  5. On the Edit IPsec-VPN Server page, modify the configurations of the IPsec server and click OK.
    For more information about the parameters, see Create an IPsec server.

Delete an IPsec server

When you delete an IPsec server, the IPsec server is automatically disconnected from clients.

  1. Log on to the VPN Gateway console.
  2. In the left-side navigation pane, choose Interconnections > VPN > IPsec-VPN Server.
  3. In the top navigation bar, select the region of the IPsec-VPN server.
  4. On the IPsec-VPN Server page, find the IPsec server that you want to delete and click Delete in the Actions column.
  5. In the Delete IPsec-VPN Server message, confirm the information and click OK.
