All Products
Search
Document Center

Elastic Desktop Service:Use IPsec-VPN to access a cloud computer from an Alibaba Cloud Workspace client over a private network

Last Updated:Dec 17, 2024

IPsec-VPN is a route-based technology that enables secure communication over the Internet. After an IPsec-VPN connection is established, on-premises clients can connect to services that are deployed in virtual private clouds (VPCs) over virtual private networks (VPNs). This topic describes how to use IPsec-VPN to connect an on-premises client to the VPC of an office network in Elastic Desktop Service (EDS).

Preparations

Before you begin, read the Access a cloud computer over a private network topic and complete the following preparations:

  • Create a Cloud Enterprise Network (CEN) instance. For more information, see Create a CEN instance.

  • Create a VPC and attach the VPC to the CEN instance. For more information, see Create a VPC and a vSwitch or Attach a network instance to a CEN instance.

  • Create an office network and attach its VPC to the CEN instance. For more information, see Create and manage convenience office networks and Create and manage an enterprise AD office network.

    Important
    • Before you create an office network, you must plan the IPv4 CIDR block of the office network to prevent CIDR block conflicts between the office network and the CEN instance or between the office network and your data center. For more information, see Plan a CIDR block.

    • If you already created a office network, attach the convenience office network to the CEN instance.

    • If you deploy your AD system on an Elastic Compute Service (ECS) instance, you must attach the VPC of the AD server to the CEN instance. If you deploy your AD system on an on-premises server, you must connect the on-premises network to the cloud network. You can create an enterprise AD office network and establish connectivity between the on-premises server and the cloud. Then, you can configure the AD domain.

Sample CIDR blocks

You must plan CIDR blocks to prevent CIDR block conflicts between the networks used by on-premises devices and cloud instances. In this section, the CIDR blocks described in the following table are used. The actual CIDR blocks shall prevail.

Configuration item

CIDR block/IP address

Description

Office network VPC

172.16.0.0/12

The CIDR block of the VPC that is used by the office network in which the cloud computer resides. Alibaba Cloud PrivateLink (endpoint service) uses the CIDR block.

User VPC

192.168.0.0/16

The VPC that you created to establish a VPN connection.

On-premises data center

192.10.0.0/16

The CIDR block of an on-premises network that the Alibaba Cloud Workspace client uses. A VPN connection is initiated from the CIDR block.

Data center gateway

115.XX.XX.154

The public IP address of the gateway in the on-premises data center.

Note

The data center gateway must support standard IKEv1 and IKEv2 protocols to connect to VPN gateways. IKEv2 and IKEv1 are the two Internet Key Exchange (IKE) iterations. To check whether the gateway supports IKEv1 and IKEv2 protocols, contact the gateway manufacturer.

Step 1: Configure IPsec-VPN

  1. Create a VPN gateway and enable IPsec-VPN. For more information, see Create a VPN gateway.

    Parameters

    Parameter

    Description

    Instance Name

    The name of the VPN gateway.

    Resource Group

    The resource group to which the VPN gateway belongs.

    If you leave this parameter empty, the VPN gateway belongs to the default resource group. You can manage the resource group to which the VPN gateway belongs and resource groups to which other cloud resources belong in the Resource Management console. For more information, see What is Resource Management?

    Region and Zone

    The region in which you want to create the VPN gateway.

    Make sure that the VPN gateway and the VPC with which you want to associate the VPN gateway reside in the same region.

    Gateway Type

    The type of VPN gateway that you want to create. Default value: Standard.

    Network Type

    The network type of the VPN gateway. Valid values:

    • Public: The VPN gateway can be used to establish VPN connections over the Internet.

    • Private: The VPN gateway can be used to establish VPN connections over private networks.

    Note

    If you want to establish a VPN connection over a private network, you recommend that you associate a router with the private IPsec-VPN connection. For more information, see Create multiple private IPsec-VPN connections to implement load balancing.

    Tunnels

    The tunnel mode of the VPN gateway. The system displays the tunnel modes that are supported in this region. Valid values:

    • Single-tunnel

    • Dual-tunnel

    For more information about the tunnel mode, see [Upgrade notice] IPsec-VPN connections support the dual-tunnel mode.

    VPC

    The VPC with which you want to associate the VPN gateway.

    vSwitch

    The vSwitch with which you want to associate the VPN gateway. Select a vSwitch from the selected VPC.

    • If you select Single-tunnel, you need to specify only one vSwitch.

    • If you select Dual-tunnel, you need to specify two vSwitches.

      After the IPsec-VPN feature is enabled, the system creates an elastic network interface (ENI) for each of the two vSwitches as an interface to communicate with the VPC over an IPsec-VPN connection. Each ENI occupies one IP address in the vSwitch.

    Note
    • The system selects a vSwitch by default. You can change or use the default vSwitch.

    • After a VPN gateway is created, you cannot modify the vSwitch associated with the VPN gateway. You can view the vSwitch associated with the VPN gateway, the zone to which the vSwitch belongs, and the ENI in the vSwitch on the details page of the VPN gateway.

    vSwitch 2

    The other vSwitch with which you want to associate the VPN gateway in the associated VPC if you select Dual-tunnel.

    • Specify two vSwitches in different zones in the associated VPC to implement disaster recovery across zones for IPsec-VPN connections.

    • For a region that supports only one zone, disaster recovery across zones is not supported. We recommend that you specify two vSwitches in the zone to implement high availability of IPsec-VPN connections. You can also select the same vSwitch as the first one.

    Regions that support only one zone

    China (Nanjing - Local Region), Thailand (Bangkok), South Korea (Seoul), Philippines (Manila), and UAE (Dubai)

    Peak Bandwidth

    The maximum bandwidth of the VPN gateway. Unit: Mbit/s.

    Traffic

    The metering method of the VPN gateway. Default value: Pay-by-data-transfer.

    IPsec-VPN

    Specifies whether to enable the IPsec-VPN feature for the VPN gateway. Default value: Enable.

    You must enable this feature if you want to establish an IPsec-VPN connection.

    SSL-VPN

    Specifies whether to enable the SSL-VPN feature for the VPN gateway. Default value: Disable.

    You do not need to enable this feature for the VPN gateway to establish an IPsec-VPN connection.

    Billing Cycle

    The billing cycle of the VPN gateway. Default value: By Hour.

    Service-linked Role

    Click Create Service-linked Role and the system automatically creates the service-linked role AliyunServiceRoleForVpn.

    The VPN gateway assumes this role to access other cloud resources. For more information, see AliyunServiceRoleForVpn.

    If Created is displayed, the service-linked role is created and you do not need to create it again.

  2. Creates a customer gateway. For more information, see Create and manage a customer gateway.

    Parameters

    Parameter

    Description

    Name

    The name of the customer gateway.

    IP Address

    The static IP address of the gateway device in your data center.

    • If you want to create a public IPsec-VPN connection, enter a public IP address.

    • If you want to create a private IPsec-VPN connection, enter a private IP address.

    You cannot enter an IP address in the following IP address ranges in the IP Address field. Otherwise, no IPsec-VPN connection can be established.

    • 100.64.0.0 to 100.127.255.255

    • 127.0.0.0 to 127.255.255.255

    • 169.254.0.0 to 169.254.255.255

    • 224.0.0.0 to 239.255.255.255

    • 255.0.0.0 to 255.255.255.255

    ASN

    The autonomous system number (ASN) of the gateway device in your data center. This parameter is required If you want to use Border Gateway Protocol (BGP) for the IPsec-VPN connection. Valid values: 1 to 4294967295.

    You can enter the ASN in two segments and separate the first 16 bits from the following 16 bits with a period (.). Enter the number in each segment in decimal format.

    For example, if you enter 123.456, the ASN is 123 × 65536 + 456 = 8061384.

    Note

    We recommend that you use a private ASN to establish a connection to Alibaba Cloud over BGP. Refer to the relevant documentation for the valid range of a private ASN.

    Description

    The description of the customer gateway.

    Resource Group

    The resource group to which the customer gateway belongs.

    You can manage the resource groups to which customer gateways and other cloud service resources belong in the Resource Management console. For more information, see What is Resource Management?

    Tags

    The tags to be added to the customer gateway. You can use tags to mark and classify customer gateways to facilitate resource search and aggregation. For more information, see What is Tag?.

    • Tag Key: the tag key of the customer gateway. You can select an existing tag key or enter a new tag key.

    • Tag Value: the tag value of the customer gateway. You can select an existing tag value or enter a new tag value. You can leave the Tag Value parameter empty.

  3. Create an IPsec-VPN connection. For more information, see Create an IPsec-VPN connection.Create an IPsec-VPN connection

    Parameters

    Parameter

    Description

    Name

    The name of the IPsec-VPN connection.

    Resource Group

    The resource group to which the VPN gateway belongs.

    If you leave this parameter empty, the system displays the VPN gateways in all resource groups.

    Associate Resource

    The type of network resource to be associated with the IPsec-VPN connection. In this example, VPN Gateway is selected.

    VPN Gateway

    The VPN gateway to be associated with the IPsec-VPN connection.

    Routing Mode

    The routing mode of the IPsec-VPN connection. Default value: Destination Routing Mode. Valid values:

    • Destination Routing Mode: routes and forwards traffic based on the destination IP address.

    • Protected Data Flows: routes and forwards traffic based on the source and destination IP addresses.

      If you select Protected Data Flows, you must configure the Local Network and Remote Network parameters. After the IPsec-VPN connection is configured, the system automatically adds policy-based routes to the route table of the VPN gateway.

      By default, the policy-based routes are not advertised. You can determine whether to advertise the routes to the route table of the VPC based on your requirements. For more information, see the "Advertise a policy-based route" section of the Configure policy-based routes topic.

    Note

    If the IPsec-VPN connection is associated with a VPN gateway and the VPN gateway is not of the latest version, you do not need to specify the routing mode.

    Local Network

    The CIDR block of the VPC to be connected to your data center. This CIDR block is used in Phase 2 negotiations.

    Click 添加 next to the field to add multiple CIDR blocks on the VPC side.

    Note

    If you specify multiple CIDR blocks, you must set the IKE version to ikev2.

    Remote Network

    The CIDR block of the data center to be connected to the VPC. This CIDR block is used in Phase 2 negotiations.

    Click 添加 next to the field to add multiple CIDR blocks on the data center side.

    Note

    If you specify multiple CIDR blocks, you must set the IKE version to ikev2.

    Effective Immediately

    Specifies whether to immediately start IPsec-VPN negotiations. Default value: Yes. Valid values:

    • Yes: immediately starts IPsec-VPN negotiations after the IPsec-VPN connection is created.

    • No: starts IPsec-VPN negotiations when inbound traffic is detected.

    Customer Gateway

    The customer gateway to be associated with the IPsec-VPN connection.

    Pre-Shared Key

    The pre-shared key that is used for authentication between the VPN gateway and the data center.

    • The pre-shared key must be 1 to 100 characters in length and can contain digits, letters, and the following characters: ~ ' ! @ # $ % ^ & * ( ) _ - + = { } [ ] \ | ; : , . < > / ?. The pre-shared key cannot contain spaces.

    • If you do not specify a pre-shared key, the system randomly generates a 16-character string as the pre-shared key. After an IPsec-VPN connection is created, you can click Edit in the Actions column of the IPsec-VPN connection to view the pre-shared key that is generated for the IPsec-VPN connection. For more information, see the Modify an IPsec-VPN connection section of this topic.

    Important

    The pre-shared keys must be the same on both sides. Otherwise, the system cannot establish an IPsec-VPN connection.

    Enable BGP

    Specifies whether to enable the BGP dynamic routing feature for the IPsec-VPN connection. By default, Enable BGP is turned off.

    Before you use the BGP dynamic routing feature, we recommend that you understand how it works and its limits. For more information, see the Configure BGP dynamic routing.

    Local ASN

    The autonomous system number (ASN) of the IPsec-VPN connection on the Alibaba Cloud side. Default value: 45104. Valid values: 1 to 4294967295.

    You can enter the ASN in two segments and separate the first 16 bits from the following 16 bits with a period (.). Enter the number in each segment in decimal format.

    For example, if you enter 123.456, the ASN is 123 × 65536 + 456 = 8061384.

    Note

    We recommend that you use a private ASN to establish a connection to Alibaba Cloud over BGP. For more information about the valid values of a private ASN, see the relevant documentation.

  4. Publish the peer CIDR block to CEN.

    1. Log on to the VPC console.

    2. In the left-side navigation pane, click Route Tables.

    3. On the Route Tables page, find the route table of the user VPC and click the ID of the route table.

    4. On the route table details page, select the Route Entry List tab and click the Custom Route tab.

    5. Find the peer CIDR block (CIDR block of the private network used by the on-premises data center) that you configured and click Publish in the Actions column.

      If the value in the Status column of the CIDR block is Published, the CIDR block is published.

Step 2: Load the VPN configurations to the data center gateway

  1. Log on to the VPC console.

  2. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

  3. In the top navigation bar, select the region of the IPsec-VPN connection.

  4. On the IPsec Connections page, find the IPsec-VPN connection and click Generate Peer Configuration in the Actions column.

  5. Load the IPsec-VPN connection configurations that you downloaded to the data center gateway.

    For more information, see Configure an H3C firewall.

Step 3: Configure an enterprise VPC IP address or a cloud service route

You can select one of the following solutions based on your business requirements: Solution 1 and Solution 2 explain how to configure the IP address for an enterprise VPC. The main difference is that Solution 1 uses a static IP address, which makes the process easier for end users because they do not need to configure a custom IP address.

Solution 1: Configure a static IP address for an enterprise VPC

  1. Obtain the private gateway address of the office network.

  2. Configure a CNAME record on the enterprise DNS server and point the private.wuying.com domain name to the private gateway address.

  3. Configure the network access mode on an Alibaba Cloud Workspace client as an end user.

    1. Open a Windows client.

    2. In the upper-right corner of the logon page, click the icon and then click Connection Configuration.

      bt_connection_type.png

    3. In the Connection Configuration dialog box, configure the following parameters:

      Important

      Make sure that the version of your Windows client is 7.7 or later. Otherwise, you cannot configure an enterprise VPC IP address.

      field_default_vpc_address.png

      • Connection Type: Set the value to Alibaba Cloud VPC.

      • Alibaba Cloud VPC Address: Set the value to Default Address.

    4. Click Confirm.

Solution 2: Configure a custom IP address for an enterprise VPC

  1. Obtain the private gateway address of the office network.

    1. Log on to the EDS Enterprise console.

    2. In the left-side navigation pane, choose Networks & Storage > Office Networks.

    3. On the Office Networks page, find the desired office network and click the network ID.

    4. In the Network Information section of the office network details page, find the Private Gateway Address parameter and copy the parameter value. The private gateway address is required in subsequent steps.

      ex_office_network_vpc_private_gateway.png

  2. Configure the network access mode on an Alibaba Cloud Workspace client as an end user.

    1. Open a Windows client.

    2. In the upper-right corner of the logon page, click the icon and then click Connection Configuration.

      bt_connection_type.png

    3. In the Connection Configuration dialog box, configure the following parameters:

      Important

      Make sure that the version of your Windows client is 7.7 or later. Otherwise, you cannot configure an enterprise VPC IP address.

      field_custom_vpc_address.png

      • Connection Type: Set the value to Alibaba Cloud VPC.

      • Alibaba Cloud VPC Address: Set the value to Custom Address.

      • Custom Address: Enter the obtained private gateway address of the office network.

    4. Click Confirm.

Solution 3: Configure routing and DNS for cloud services

  1. Configure a route for cloud services.

    The CIDR block of cloud services in Alibaba Cloud that can be accessed over a private network is 100.64.0.0/10, which is a reserved CIDR block that is defined in RFC 6598. To call the EDS API from an Alibaba Cloud Workspace client as expected, configure a route for the 100.64.0.0/10 CIDR block in the data center network to forward requests destined for the CIDR block to the user VPC in the cloud

    Note

    If the 100.xxx.xxx.xxx CIDR block conflicts with other CIDR blocks, we recommend that you use Solution 1 or Solution 2.

  2. (Optional) Before you configure DNS, run the following command to test whether the domain name can be resolved:

    nslookup ecd-vpc.cn-hangzhou.aliyuncs.com

    If an IP address is returned, the domain name can be resolved. In this case, you can skip the next step. If no IP address is returned, perform the following steps to configure DNS.

  3. (Optional) Configure DNS.

    To access cloud computers over a private network, DNS is required to resolve the domain names involved in the EDS API and streaming gateways that reside in the private network. In this example, the following IP addresses are used for your DNS server:

    • 100.100.2.136

    • 100.100.2.138

    You can use one of the following methods to configure the DNS addresses:

    • Add the preceding DNS addresses to the Dynamic Host Configuration Protocol (DHCP) service of the data center.

    • Configure transit routers on the DNS server of the on-premises data center to route domain name resolution requests that end with aliyuncs.com to 100.100.2.136 or 100.100.2.138.

Step 4: Check whether the cloud computer can be connected over the private network

Note

In this section, the Windows client of Alibaba Cloud Workspace V7.7 is used as an example to check whether the cloud computer can be connected over the private network. The actual type of the Alibaba Cloud Workspace client that you use prevails.

  1. Open a Windows client.

  2. In the upper-right corner of the logon page, click the icon and then click Connection Configuration.

  3. In the Connection Configuration dialog box, set the Connection Type parameter to Alibaba Cloud VPC.

  4. Enter the logon credentials sent to your email address, which includes an office network ID or organization ID, username, and password,. Then, click the Next icon to proceed.

    image.png

  5. Find the cloud computer from the resource list. Then, start and connect to the cloud computer.

    Note

    If errors such as network request timeout occur, network connectivity is not established. Check whether the preceding network settings are correctly configured. Then, re-log on to the client and connect to the cloud computer.