VPN Gateway:Create and manage IPsec servers

Last Updated:Nov 22, 2024

VPN Gateway allows you to establish an IPsec-VPN connection between an IPsec server and Alibaba Cloud by using the built-in VPN application on your mobile device that runs iOS. The IPsec server controls the networks and resources that you can access by using your mobile device.

Prerequisites

  • You have understood the limits of and prerequisites for IPsec servers. For more information, see the Limits and Prerequisites sections of the "Configure IPsec-VPN servers" topic.

  • A VPN gateway is created and the SSL-VPN feature is enabled for the VPN gateway. For more information, see Create and manage a VPN gateway.

Create an IPsec server

  1. Log on to the VPN Gateway console.

  2. In the left-side navigation pane, choose Interconnections > VPN > IPsec-VPN Server.

  3. In the top navigation bar, select the region in which you want to create the IPsec server.

    Regions that support IPsec servers

    China (Hangzhou), China (Shanghai), China (Nanjing - Local Region), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), Japan (Tokyo), South Korea (Seoul), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), Thailand (Bangkok), Germany (Frankfurt), UK (London), US (Virginia), US (Silicon Valley), UAE (Dubai), and SAU (Riyadh - Partner Region)

  4. On the IPsec-VPN Server page, click Create IPsec-VPN Server.

  5. On the Create IPsec-VPN Server page, configure the parameters that are described in the following table and click OK.

    Parameters and their descriptions:

    Name

    The name of the IPsec server.

    Resource Group

    The resource group to which the VPN gateway belongs.

    The IPsec server and associated VPN gateway must belong to the same resource group.

    VPN Gateway

    The VPN gateway with which you want to associate the IPsec server.

    Note

    After you create an IPsec server, you cannot change the associated VPN gateway.

    Local Network

    The CIDR block of the network to which you want to connect by using the IPsec-VPN connection.

    The CIDR block can be the CIDR block of a virtual private cloud (VPC), a vSwitch, or a data center that is connected to a VPC by using an Express Connect circuit.

    Click Add Local Network to add more CIDR blocks.

    Client CIDR Block

    The CIDR block that the client uses to connect to the SSL server. An IP address from the CIDR block is allocated to the virtual network interface controller (NIC) of the client. Do not enter the private CIDR block of the client. When the client accesses the destination network by using an IPsec-VPN connection, the VPN gateway allocates an IP address from the client CIDR block to the client.

    Important
    • Make sure that the client CIDR block does not overlap with the local CIDR block or the CIDR blocks of vSwitches in the VPC.

    • Make sure that the number of IP addresses in the client CIDR block is at least four times the maximum number of SSL-VPN connections supported by the VPN gateway.

      For example, if you specify 192.168.0.0/24 as the client CIDR block, the system first divides a subnet CIDR block with a subnet mask of 30 from 192.168.0.0/24, such as 192.168.0.4/30. This subnet provides up to four IP addresses. Then, the system allocates an IP address from 192.168.0.4/30 to the client and uses the other three IP addresses to ensure network communication. In this case, one client consumes four IP addresses. Therefore, to ensure that an IP address can be allocated to your client, you must make sure that the number of IP addresses in the client CIDR block is at least four times the maximum number of SSL-VPN connections supported by the associated VPN gateway.

    Pre-Shared Key

    The pre-shared key of the IPsec server. The key is used for authentication between the IPsec server and the client. The key must be 1 to 100 characters in length.

    If you do not specify a pre-shared key, the system randomly generates a 16-bit string as the pre-shared key. To view the pre-shared key that is generated by the system for an IPsec server after it is created, go to the IPsec-VPN Server page, find the IPsec server that you want to manage, and then click Edit in the Actions column. For more information, see the Modify an IPsec server section of this topic.

    Important

    The authentication key of the client must be the same as the pre-shared key of the IPsec server. Otherwise, you cannot establish a connection between the client and IPsec server.

    Effective Immediately

    Specifies whether to immediately start negotiations for the connection. Valid values:

    • Yes: immediately starts negotiations after the configuration is complete.

    • No: starts negotiations when inbound traffic is detected.

    Advanced Configuration: IKE Configurations

    Version

    The version of the Internet Key Exchange (IKE) protocol. Valid values:

    • ikev1

    • ikev2

    IKEv1 and IKEv2 are supported. Compared with IKEv1, IKEv2 simplifies the negotiation process and provides better support for scenarios in which multiple subnets are used. We recommend that you select IKEv2.

    LocalId

    The identifier of the IPsec server. The default value is the SSL address of the VPN gateway. If the VPN gateway uses the single-tunnel mode, the SSL address is the public IP address of the VPN gateway.

    You can enter an IP address or a fully qualified domain name (FQDN). The value of this parameter must be the same as the Remote ID of the peer IPsec client.

    We recommend that you enter an IP address.

    RemoteId

    The identifier of the client. You can enter an IP address or an FQDN. The value of this parameter must be the same as the Local ID of the peer IPsec client. We recommend that you enter an IP address.
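The Client CIDR Block sizing and overlap rules above (one /30 per client, at least four addresses per supported SSL-VPN connection, no overlap with the local network or VPC vSwitches), worked through in an added example that is not Alibaba Cloud code. The CIDR values and the gateway connection limit are constructed for illustration.

```python
import ipaddress

# Constructed sample input (not from the page): values an operator might enter
# on the Create IPsec-VPN Server page. MAX_CONNECTIONS is an assumed gateway limit.
CLIENT_CIDR = "192.168.0.0/24"
LOCAL_NETWORKS = ["172.16.0.0/16"]                  # Local Network entries
VSWITCH_CIDRS = ["172.16.1.0/24", "172.16.2.0/24"]  # vSwitches in the VPC
MAX_CONNECTIONS = 50

def client_capacity(client_cidr):
    """Clients the block can serve: each client consumes one /30 (4 addresses)."""
    return ipaddress.ip_network(client_cidr).num_addresses // 4

def check_client_cidr(client_cidr, local_networks, vswitch_cidrs, max_connections):
    """Apply the page's rules; return a list of problems (empty list = acceptable)."""
    problems = []
    net = ipaddress.ip_network(client_cidr)  # strict parse: host bits set raises early
    if net.prefixlen > 30:
        problems.append("block is smaller than a /30, so no client can be served")
    needed = 4 * max_connections
    if net.num_addresses < needed:
        problems.append(f"need at least {needed} addresses, block has {net.num_addresses}")
    for cidr in list(local_networks) + list(vswitch_cidrs):
        if net.overlaps(ipaddress.ip_network(cidr)):
            problems.append(f"overlaps with {cidr}")
    return problems

def first_client_subnets(client_cidr, count):
    """First `count` /30 subnets the gateway could carve out, e.g. 192.168.0.4/30."""
    net = ipaddress.ip_network(client_cidr)
    return [str(s) for _, s in zip(range(count), net.subnets(new_prefix=30))]

if __name__ == "__main__":
    print("capacity:", client_capacity(CLIENT_CIDR))
    print("problems:", check_client_cidr(CLIENT_CIDR, LOCAL_NETWORKS,
                                         VSWITCH_CIDRS, MAX_CONNECTIONS))
    print("first /30s:", first_client_subnets(CLIENT_CIDR, 3))
```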

Modify an IPsec server

  1. Log on to the VPN Gateway console.

  2. In the left-side navigation pane, choose Interconnections > VPN > IPsec-VPN Server.

  3. In the top navigation bar, select the region in which the IPsec server resides.

  4. On the IPsec-VPN Server page, find the IPsec server that you want to manage. Click Edit in the Actions column.

  5. On the Edit IPsec-VPN Server page, modify the configurations of the IPsec server and click OK.

    For more information about the parameter descriptions, see the Create an IPsec server section of this topic.

Delete an IPsec server

If you delete an IPsec server, the connections between the IPsec server and clients are automatically closed.

  1. Log on to the VPN Gateway console.

  2. In the left-side navigation pane, choose Interconnections > VPN > IPsec-VPN Server.

  3. In the top navigation bar, select the region in which the IPsec server resides.

  4. On the IPsec-VPN Server page, find the IPsec server that you want to delete. Click Delete in the Actions column.

  5. In the Delete IPsec-VPN Server message, confirm the information and click OK.

Create and manage IPsec servers by calling API operations

VPN Gateway allows you to call API operations to create, modify, and delete an IPsec server by using various tools such as Alibaba Cloud SDKs (recommended), Alibaba Cloud CLI, Terraform, and Resource Orchestration Service (ROS). The following API operations can be called to manage IPsec servers: