WUYING Workspace: Use IPsec-VPN to access a cloud computer from a WUYING client over a private network

Last Updated:Apr 30, 2024

IPsec-VPN builds an encrypted tunnel over the Internet between a customer gateway in your data center and a VPN gateway in Alibaba Cloud. Traffic is forwarded into the tunnel based on routes (or, in Protected Data Flows mode, on source and destination CIDR blocks), so on-premises clients can reach services deployed in virtual private clouds (VPCs) without exposing them publicly. This topic describes how to use IPsec-VPN to connect an on-premises client to the VPC of an office network in WUYING Workspace (Pro Edition).

Preparations

Before you begin, read the Access a cloud computer over a private network topic and complete the following preparations:

  • A Cloud Enterprise Network (CEN) instance is created. If you do not have a CEN instance, create a CEN instance before you proceed. For more information, see Create a CEN instance.

  • A virtual private cloud (VPC) is created. If you do not have a VPC, create a VPC and attach it to the CEN instance before you proceed. For more information, see Create a VPC and a vSwitch or Manage network instances.

  • An office network is created. If you do not have an office network, create a convenience office network or an Active Directory (AD) office network and attach the VPC of the office network to the CEN instance. For more information, see Create and manage a convenience office network or Create and manage an enterprise AD office network.

    Important
    • Plan the IPv4 CIDR block of the office network before you create it, so that it does not overlap with the CIDR blocks attached to the CEN instance or with the on-premises data center. For more information, see Plan a CIDR block.

    • If you already have a convenience office network, attach it to the CEN instance.

    • If your AD system runs on an Elastic Compute Service (ECS) instance, attach the VPC of the AD server to the CEN instance. If your AD system runs on an on-premises server, connect the on-premises network to the cloud so that WUYING Workspace can reach it. In the latter case, create the AD office network and establish the on-premises connection before you configure the AD domain.

  • An end user and a cloud computer are created. The cloud computer is assigned to the end user.

    If no end user or cloud computer exists, create an end user and a cloud computer based on the type of the office network, and assign the cloud computer to the end user.

  • A device is prepared to connect to a cloud computer.

    Note
    • The IPsec-VPN solution is supported on WUYING hardware terminals and on the Alibaba Cloud Workspace clients (hereinafter referred to as WUYING clients) for Windows and macOS.

    • Install a WUYING client, such as the Windows client or the macOS client, on your on-premises device. After the IPsec-VPN connection is established, log on to the client and check whether you can access your cloud computer over the VPC (Step 4).

CIDR block planning

You must plan CIDR blocks so that the networks used by the on-premises device and the cloud instances do not overlap; overlapping blocks cannot be routed unambiguously across the tunnel. The CIDR blocks in the following table are used in this topic. Substitute your own values.

Office network VPC: 172.16.0.0/12
  The CIDR block of the VPC used by the office network in which your cloud computer resides. Alibaba Cloud PrivateLink (the endpoint service) uses this CIDR block.

User VPC: 192.168.0.0/16
  The CIDR block of the VPC that you create to terminate the VPN connection.

Data center: 192.10.0.0/16
  The CIDR block of the on-premises network from which the WUYING client initiates the connection. Note that 192.10.0.0/16 is only a placeholder in this example: it is not RFC 1918 private address space, and any cloud-side route for it would also capture traffic destined for the public hosts that actually own that range. Use a private range that does not overlap with the cloud-side blocks.

Data center gateway: 115.XX.XX.154
  The public IP address of the gateway in the data center.

Note

The gateway in the data center must support the standard IKEv1 or IKEv2 protocol to connect to VPN Gateway. IKEv1 and IKEv2 are the two versions of the Internet Key Exchange protocol that negotiates the tunnel; prefer IKEv2, which is also required if you configure more than one local or remote CIDR block on the IPsec-VPN connection. If you are not sure which versions your gateway supports, contact the gateway manufacturer.
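The following script is an added example (not part of the WUYING documentation) that checks a CIDR plan like the one in the table above before any cloud resource is created: it reports overlapping blocks (including overlap with the fixed cloud-service block 100.64.0.0/10), flags blocks that are not RFC 1918 private space, and builds the Local Network list that Step 1 expects. The plan dict, the function names, and the sample values are assumptions of the example; it uses only the Python standard library.

```python
"""Added example, not from the WUYING documentation: sanity-check an IPsec-VPN
CIDR plan offline before creating the office network and VPN connection."""
import ipaddress

# RFC 1918 private ranges. 100.64.0.0/10 (RFC 6598) is reserved for cloud
# services and must not collide with any block in the plan.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CLOUD_SERVICE_BLOCK = ipaddress.ip_network("100.64.0.0/10")

# Constructed sample plan mirroring the table in this section (assumed keys).
SAMPLE_PLAN = {
    "office_network_vpc": "172.16.0.0/12",
    "user_vpc": "192.168.0.0/16",
    "data_center": "192.10.0.0/16",
}


def _networks(plan):
    """Parse every block strictly (host bits must be zero) and add the fixed
    cloud-service block so it takes part in the overlap check."""
    nets = {name: ipaddress.ip_network(cidr, strict=True)
            for name, cidr in plan.items()}
    nets["cloud_services"] = CLOUD_SERVICE_BLOCK
    return nets


def find_overlaps(plan):
    """Return sorted (name_a, name_b) pairs whose CIDR blocks overlap.
    Any overlap means traffic for that range cannot be routed unambiguously
    across the tunnel, so this is fatal for the plan."""
    nets = _networks(plan)
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def non_private_blocks(plan):
    """Return names of blocks outside RFC 1918. A public range (like the
    placeholder 192.10.0.0/16 in this topic) is accepted by the VPN, but any
    route for it also captures traffic meant for the real owner of that space."""
    return [name for name, cidr in plan.items()
            if not any(ipaddress.ip_network(cidr).subnet_of(p) for p in RFC1918)]


def local_networks(plan):
    """The Local Network list for the IPsec-VPN connection in Step 1: both
    cloud-side VPC blocks plus the fixed cloud-service block."""
    return [plan["office_network_vpc"], plan["user_vpc"], str(CLOUD_SERVICE_BLOCK)]


def plan_issues(plan):
    """Human-readable findings: overlaps are fatal, public blocks are warnings."""
    issues = [f"FATAL: {a} overlaps {b}" for a, b in find_overlaps(plan)]
    issues += [f"WARNING: {name} ({plan[name]}) is not RFC 1918 private space"
               for name in non_private_blocks(plan)]
    return issues


if __name__ == "__main__":
    for line in plan_issues(SAMPLE_PLAN) or ["OK: no overlaps"]:
        print(line)
    print("Local Network:", ", ".join(local_networks(SAMPLE_PLAN)))
```

Run it against your own plan before creating the office network; a FATAL line means the plan must change, because the console will not let overlapping blocks coexist on the CEN instance and the tunnel could not route them anyway.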

Step 1: Configure IPsec-VPN

To configure IPsec-VPN, create a VPN gateway, a customer gateway, and an IPsec-VPN connection, and then publish the data center CIDR block to Cloud Enterprise Network (CEN). The following steps describe these settings.

  1. Create a VPN gateway and enable IPsec-VPN. For more information, see the "Create a VPN gateway" section of the Create and manage a VPN gateway topic.

    The following parameters are required.

    Name
      Enter a name for the VPN gateway.
      Example: test-vpn

    Region
      Select the region where you want to deploy the VPN gateway. The VPN gateway must be deployed in the same region as the VPC with which you want to associate it.
      Example: China (Hangzhou)

    Network Type
      Select the network type of the VPN gateway.
      • Public: the VPN gateway establishes VPN connections over the Internet.
      • Private: the VPN gateway establishes VPN connections over a private network.
      Example: Public

    VPC
      Select the VPC with which you want to associate the VPN gateway.
      Example: test-vpc

    VSwitch
      Specify whether to associate the VPN gateway with a specific vSwitch.
      • No: the VPN gateway is associated with a vSwitch in the VPC that the system selects.
      • Yes: the VPN gateway is associated with the vSwitch that you specify.
      Example: No

    Maximum Bandwidth
      Specify the peak bandwidth of the VPN gateway. Unit: Mbit/s.
      Example: 200 Mbit/s

    Traffic
      Select the metering method of the VPN gateway. Default value: Pay-by-data-transfer.
      Example: Pay-by-data-transfer

    IPsec-VPN
      Specify whether to enable IPsec-VPN for the VPN gateway. Default value: Enable. IPsec-VPN establishes an encrypted connection between a data center and a VPC, or between VPCs, through a customer gateway.
      Example: Enable

    SSL-VPN
      Specify whether to enable SSL-VPN for the VPN gateway. Default value: Disable. SSL-VPN lets individual clients connect to a VPC without a customer gateway, for example a Linux client connecting directly to the VPC. It is not needed for the site-to-site setup in this topic.
      Example: Disable

    Duration
      Specify the billing cycle of the VPN gateway. Default value: By Hour.
      Example: 1 Month

    Service-linked Role
      Click Create Service-linked Role. The system creates the service-linked role AliyunServiceRoleForVpn, which VPN Gateway assumes to access other cloud resources on your behalf. For more information, see AliyunServiceRoleForVpn. If Created is displayed, the role already exists and no further action is required.
      Example: / (not applicable)

  2. Create a customer gateway. For more information, see Create a customer gateway.

    The following parameters are required.

    Name
      Enter a name for the customer gateway.
      Example: test-gw

    IP Address
      Enter the static public IP address of the gateway in the data center to which you want to connect. This must be the address from which the gateway's IKE packets actually arrive; if the gateway sits behind NAT, enter the public address of the NAT device.
      Example: 115.XX.XX.154

    ASN
      Enter the autonomous system number (ASN) of the gateway in the data center. Valid values: 1 to 4294967295. You can enter the ASN in asdot notation, with the upper 16 bits and the lower 16 bits written in decimal and separated by a period (.). For example, 123.456 corresponds to 123 × 65536 + 456 = 8061384.
      Note
      • This parameter is required only if Border Gateway Protocol (BGP) dynamic routing is enabled for the VPN gateway.
      • Use a private ASN when you peer with Alibaba Cloud over BGP: 64512 to 65534 for 16-bit ASNs, or 4200000000 to 4294967294 for 32-bit ASNs (RFC 6996). The example value 123.456 (8061384) is a public ASN and only illustrates the notation.
      Example: 123.456

    Description
      Enter a description for the customer gateway.
      Example: The customer gateway is created to allow access from a WUYING client to a cloud computer over a private network based on IPsec-VPN.

  3. Create an IPsec-VPN connection. For more information, see Create and manage IPsec-VPN connections in single-tunnel mode.

    The following parameters are required.

    Name
      Specify a name for the IPsec-VPN connection based on the on-screen naming conventions.
      Example: test-ipsec

    Associate Resource
      Select the type of resource to associate with the IPsec-VPN connection.
      Example: VPN Gateway

    VPN Gateway
      Select the VPN gateway to associate with the IPsec-VPN connection.
      Example: test-vpn

    Customer Gateway
      Select the customer gateway to associate with the IPsec-VPN connection.
      Example: test-gw

    Routing Mode
      Select the routing mode of the IPsec-VPN connection.
      • Destination Routing Mode (default): forwards traffic based on the destination IP address.
      • Protected Data Flows: forwards traffic based on the source and destination IP addresses (policy-based). After you select Protected Data Flows, you must configure the Local Network and Remote Network parameters. When the IPsec-VPN connection is configured, the system automatically adds policy-based routes to the route table of the VPN gateway. By default, these policy-based routes are not advertised; you can advertise them to the route table of the VPC as needed. For more information, see the "Advertise a policy-based route" section of the Configure policy-based routes topic.
      Example: Protected Data Flows

    Local Network
      Enter the CIDR blocks on the VPC side that the data center must reach. These blocks are the local traffic selectors in the IKE Phase 2 negotiation, so a block you leave out here is not carried by the tunnel even if a route for it exists. Click the Add icon on the right side of the text box to add more CIDR blocks.
      Note: if you specify multiple CIDR blocks, you must set the IKE version to ikev2.
      Example: you must specify all of the following CIDR blocks:
      • CIDR block of the office network VPC: 172.16.0.0/12
      • CIDR block of the user VPC: 192.168.0.0/16
      • CIDR block of the Alibaba Cloud OpenAPI endpoints that are accessible from internal networks. This value is fixed: 100.64.0.0/10.

    Remote Network
      Enter the CIDR block of the data center that connects to the VPC. This block is the remote traffic selector in the IKE Phase 2 negotiation. Click the Add icon on the right side of the text box to add more CIDR blocks.
      Note: if you specify multiple CIDR blocks, you must set the IKE version to ikev2.
      Example: 192.10.0.0/16

    Effective Immediately
      Specify whether to start IPsec negotiation immediately.
      • Yes: negotiation starts as soon as the configuration is complete.
      • No (default): negotiation starts only when traffic for the tunnel is received.
      Example: Yes

  4. Publish the peer CIDR block to CEN.

    1. In the left-side navigation pane, click Route Tables.

    2. On the Route Tables page, find the route table of the user VPC and click its ID.

    3. On the route table details page, click the Route Entry List tab and then the Custom Route tab.

    4. Find the route entry for the peer CIDR block (the CIDR block of the on-premises network used by the data center, 192.10.0.0/16 in this example) and click Publish in the Actions column.

      When the value in the Status column changes to Published, the CIDR block is advertised to the CEN instance, so the office network VPC learns how to route return traffic to the data center.

Step 2: Load the VPN configuration onto the data center gateway

Perform the following steps to obtain the peer configuration and apply it to the data center gateway.

  1. Log on to the CEN console.

  2. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

  3. In the top navigation bar, select the region of the IPsec-VPN connection.

  4. On the IPsec Connections page, find the IPsec-VPN connection that you want to manage and click Generate Peer Configuration in the Actions column.

    The generated configuration contains the IKE and IPsec parameters of the connection together with its pre-shared key, so handle it as a secret.

  5. Apply the IPsec connection configuration on the data center gateway.

    The IKE version, proposals, local and remote networks, and pre-shared key configured on the gateway must match the generated configuration exactly; a mismatch in any of them leaves the tunnel stuck in negotiation. For an example, see Configure an H3C firewall device.

Step 3: Configure routing and DNS for cloud services

  1. Configure routing for cloud services.

    The cloud services in Alibaba Cloud that are reachable over a VPC use the CIDR block 100.64.0.0/10, the shared address space reserved by RFC 6598. To allow the Alibaba Cloud Workspace client to call the WUYING Workspace API through the tunnel, add a route on the on-premises data center network that forwards traffic destined for 100.64.0.0/10 to the user VPC in the cloud. This is the same block that you added to Local Network in Step 1; it must be present on both sides for the traffic to be carried.

  2. Before you configure Domain Name System (DNS), run the following command to test whether the domain name can be resolved:

    nslookup ecd-vpc.cn-hangzhou.aliyuncs.com

    If an IP address is returned, the domain name can be resolved and you can skip the next step. If no IP address is returned, configure DNS as described in the next step.

  3. (Optional) Configure DNS.

    The domain names of the WUYING Workspace API and of the streaming gateways in the VPC are resolved by the Alibaba Cloud internal DNS servers. In this example, use the following DNS addresses:

    • 100.100.2.136

    • 100.100.2.138

    Both addresses fall within 100.64.0.0/10, so the route that you added in step 1 also carries the DNS queries into the cloud; without that route, the resolvers are unreachable from the data center. Use one of the following methods to configure the DNS addresses:

    • Add the preceding DNS addresses to the Dynamic Host Configuration Protocol (DHCP) service of the on-premises data center.

    • Configure conditional forwarding on the DNS server of the on-premises data center so that queries for domain names ending in aliyuncs.com are forwarded to 100.100.2.136 or 100.100.2.138.
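The following script is an added example (not part of the WUYING documentation) that verifies the data-center side of Step 3 on a Linux router: it parses `ip route show` output, reports which of the required prefixes (the cloud-side VPC blocks and 100.64.0.0/10) are not routed into the tunnel, confirms that the Alibaba Cloud DNS servers lie inside a tunnelled prefix, and, when run directly, checks that the API domain resolves to an address inside 100.64.0.0/10. The tunnel interface name ipsec0, the function names, and the sample route output are assumptions of the example; it uses only the Python standard library.

```python
"""Added example, not from the WUYING documentation: check that an on-premises
Linux router is ready for Step 3 (routes into the tunnel plus cloud DNS)."""
import ipaddress
import socket
import subprocess

TUNNEL_IF = "ipsec0"  # assumed name of the route-based IPsec interface
# Prefixes that must be forwarded into the tunnel: the Local Network blocks
# from Step 1 plus the RFC 6598 cloud-service block used by the WUYING API,
# the streaming gateways and the Alibaba Cloud DNS resolvers.
REQUIRED_PREFIXES = ["172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10"]
CLOUD_DNS = ["100.100.2.136", "100.100.2.138"]
CLOUD_SERVICE_BLOCK = ipaddress.ip_network("100.64.0.0/10")
API_DOMAIN = "ecd-vpc.cn-hangzhou.aliyuncs.com"

# Constructed `ip route show` output for a router on 192.10.0.0/16 that is
# missing the route for the user VPC (a realistic misconfiguration).
SAMPLE_ROUTES = """\
default via 192.10.0.1 dev eth0
100.64.0.0/10 dev ipsec0 scope link
172.16.0.0/12 dev ipsec0 scope link
192.10.0.0/16 dev eth1 proto kernel scope link src 192.10.0.254
"""


def parse_routes(text):
    """Map each destination prefix in `ip route show` output to its device."""
    routes = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or "dev" not in parts:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        routes[dest] = parts[parts.index("dev") + 1]
    return routes


def _tunnel_networks(routes, tunnel):
    """Every destination prefix whose route points at the tunnel device."""
    return [ipaddress.ip_network(d) for d, dev in routes.items() if dev == tunnel]


def missing_tunnel_routes(routes, required=REQUIRED_PREFIXES, tunnel=TUNNEL_IF):
    """Return required prefixes not routed via the tunnel. A prefix counts as
    routed only if it, or a prefix covering it, points at the tunnel device;
    a default route counts only when the default itself goes into the tunnel."""
    tunnel_nets = _tunnel_networks(routes, tunnel)
    return [cidr for cidr in required
            if not any(ipaddress.ip_network(cidr).subnet_of(n) for n in tunnel_nets)]


def dns_servers_reachable(routes, servers=CLOUD_DNS, tunnel=TUNNEL_IF):
    """True if every cloud DNS resolver lies inside a prefix routed into the
    tunnel; otherwise queries to 100.100.2.x leave via the default route."""
    tunnel_nets = _tunnel_networks(routes, tunnel)
    return all(any(ipaddress.ip_address(s) in n for n in tunnel_nets)
               for s in servers)


def resolves_to_cloud_block(addresses):
    """True if the API name resolved to addresses inside 100.64.0.0/10, i.e.
    to the VPC-side endpoint that the tunnel can carry."""
    return bool(addresses) and all(ipaddress.ip_address(a) in CLOUD_SERVICE_BLOCK
                                   for a in addresses)


if __name__ == "__main__":
    live = subprocess.run(["ip", "route", "show"], capture_output=True,
                          text=True, check=True).stdout
    routes = parse_routes(live)
    print("missing tunnel routes:", missing_tunnel_routes(routes) or "none")
    print("cloud DNS reachable via tunnel:", dns_servers_reachable(routes))
    try:
        addrs = sorted({ai[4][0] for ai in
                        socket.getaddrinfo(API_DOMAIN, 443, socket.AF_INET)})
    except socket.gaierror:
        addrs = []
    print(API_DOMAIN, "->", addrs or "unresolved",
          "| in cloud-service block:", resolves_to_cloud_block(addrs))
```

Run it on the data center router after applying the routes from step 1; any prefix listed as missing will be dropped onto the default route and never reach the tunnel, and a resolved address outside 100.64.0.0/10 means the client is resolving a public endpoint that the tunnel does not carry.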

Step 4: Check whether the cloud computer can be connected over the private network

The IPsec-VPN solution can be used on WUYING hardware terminals and WUYING clients for Windows and macOS.

Note

In this example, the Alibaba Cloud Workspace Windows client V5.2.0 is used to check whether the cloud computer can be accessed over the VPC. You can use another supported client instead, based on your business requirements.

  1. Obtain the information required to log on to the Windows client, such as the office network ID, username, and password, from the notification email that you received.

    1. Double-click the WUYING Cloud Computer icon to open the Windows client.

    2. Follow the on-screen instructions to enter the username and password.

      Important

      If you log on to the client by using only an office network ID, select Alibaba Cloud VPC as the connection type.

    3. Click Connection Type, select Alibaba Cloud VPC, and then click Confirm.

    4. Click Next.

    5. Follow the on-screen instructions to enter the username and password. Then, click Next.

  2. Connect to the cloud computer.

    If the logon succeeds, your cloud computer is displayed as a card. Click Connect Cloud Computer on the card. If the connection succeeds, the cloud computer opens in a new window.

    Important

    If a network request timeout error is reported, the client cannot reach the cloud over the private network. Check, in order, that the IPsec-VPN connection has finished negotiating, that the data center routes 172.16.0.0/12, 192.168.0.0/16, and 100.64.0.0/10 into the tunnel, that 192.10.0.0/16 is published to CEN, and that the client can resolve ecd-vpc.cn-hangzhou.aliyuncs.com. After you correct the settings, log on to the client and connect again.