Edge Gateway IPSEC VPN Configuration

Please note that an IPSEC VPN capable device must be installed at the remote site in order to configure this type of VPN. If there is no VPN capable device at the remote site, no site-to-site VPN can be deployed on the Edge Gateway.

1. Begin VPN Creation

The Edge Gateway can also negotiate and manage VPN connections. To create a VPN, navigate to the Edge Gateway, right-click and select “Edge Gateway Services”. Then select the VPN tab.

The VPN service (the “Enable VPN” checkbox at the top) is disabled by default so that it does not consume resources. Check this box before adding a VPN, then select “Add” to begin the configuration process.

2. VPN Configuration

Name the VPN and specify that the VPN will go to a remote network, as shown below.

Select a Local network to map to the VPN. This should generally be the internal network for the vDC, the same network on which the VMs are addressed. Add the Peer Networks, which will be connected to that subnet. This should be the internal network at the remote site on which the client devices are addressed. Please note that the subnets are not allowed to duplicate any existing subnet on either site.

Select the Local Endpoint, which should be the external network connected to the Edge Gateway, and input the Local ID, which should be the specific external IP for that Edge Gateway. Set the Peer ID and Peer IP to both be the external IP for the remote site. The Pre-Shared Key can also be entered at this stage.

Please note that Pre-Shared Keys for VPNs on Edge Gateways must be a minimum of 32 characters in length. Ensure that the MTU size is correct for the remote network device; the VPN configuration is then complete. Select “OK” to save the configuration.

VPN Firewall Rules

An additional firewall rule will be necessary in order to pass traffic across the VPN. Without this Firewall rule no traffic will be allowed and both endpoints will report the VPN as down.

This Firewall rule allows traffic from the remote/peer subnet (see the configuration above) to flow to any internal/private subnet, which includes the internal network on which the client’s VMs should be addressed.

At this point the corresponding settings must be entered on the remote network device in order to begin VPN negotiation. Note that the Edge Gateways on vCloud follow the VMware default configuration listed in this KB article. The only exception to this is that Edge Gateways in Nashville, Houston, and Greenville use DH Group 5 rather than Group 2 as specified. Logs and further support may be obtained by contacting GreenCloud Support.

VPN Configuration Settings

Please see below for a list of VMware Edge Gateway default settings for VPNs.

Setting Name                     Setting Value
IKE Phase 1
  Encryption                     AES, SHA1
  Diffie-Hellman Group           MODP Group 2 (1024 Bits)
  SA Lifetime                    28800 seconds
  ISAKMP Aggressive Mode         Disabled
IKE Phase 2
  Encryption                     Matches Phase 1
  Diffie-Hellman Group           MODP Group 2 (1024 Bits)
  Perfect Forward Secrecy        Enabled
  SA Lifetime                    3600 seconds
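As an added example (not VMware's or GreenCloud's code), the following Python pre-flight check compares a remote device's proposed settings against the requirements documented above: the 32-character Pre-Shared Key minimum, non-duplicating subnets, the Phase 1 and Phase 2 defaults in the table, and the DH Group 5 exception for Nashville, Houston and Greenville. The proposal dictionary format and the reading of “AES, SHA1” as AES encryption with SHA1 integrity are assumptions.

```python
import ipaddress

# Edge Gateway defaults from the table above. "AES, SHA1" is read as AES
# encryption with SHA1 integrity; Phase 2 "Matches Phase1" as the same pair.
EDGE_DEFAULTS = {
    "phase1": {"encryption": "AES", "integrity": "SHA1", "lifetime": 28800,
               "aggressive_mode": False},
    "phase2": {"encryption": "AES", "integrity": "SHA1", "lifetime": 3600, "pfs": True},
}
# Sites the article names as using DH Group 5 instead of the default Group 2.
DH_GROUP5_SITES = {"Nashville", "Houston", "Greenville"}


def expected_dh_group(site):
    """DH group the Edge Gateway at this site uses: 5 for the listed sites, else 2."""
    return 5 if site in DH_GROUP5_SITES else 2


def check_remote_config(site, local_subnets, peer_subnets, psk, phase1, phase2):
    """Return a list of mismatches between a remote proposal and the Edge Gateway."""
    # phase1/phase2 are dicts keyed like EDGE_DEFAULTS plus "dh_group" (hypothetical format).
    problems = []
    # Article requirement: pre-shared key must be at least 32 characters.
    if len(psk) < 32:
        problems.append(f"pre-shared key is {len(psk)} characters; minimum is 32")
    # Local and peer subnets may not duplicate (or overlap) any subnet on either site.
    nets = [ipaddress.ip_network(n, strict=True) for n in local_subnets + peer_subnets]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"subnets {a} and {b} overlap")
    dh = expected_dh_group(site)
    for phase, proposal in (("phase1", phase1), ("phase2", phase2)):
        for key, want in EDGE_DEFAULTS[phase].items():
            if proposal.get(key) != want:
                problems.append(f"{phase} {key}: remote proposes "
                                f"{proposal.get(key)!r}, Edge Gateway uses {want!r}")
        if proposal.get("dh_group") != dh:
            problems.append(f"{phase} dh_group: remote proposes "
                            f"{proposal.get('dh_group')!r}, Edge Gateway at {site} uses {dh}")
    return problems


if __name__ == "__main__":
    # Constructed sample: Houston peer offering a 24-hour Phase 1 lifetime and DH Group 2.
    p1 = {"encryption": "AES", "integrity": "SHA1", "lifetime": 86400,
          "aggressive_mode": False, "dh_group": 2}
    p2 = {"encryption": "AES", "integrity": "SHA1", "lifetime": 3600, "pfs": True, "dh_group": 5}
    print("\n".join(check_remote_config("Houston", ["10.10.0.0/24"], ["192.168.50.0/24"],
                                        "k" * 32, p1, p2)))
```

Run it before asking the remote site to bring up the tunnel; each printed line is a setting that would leave both ends reporting the VPN as down.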
