Use the IPsec VPN Sites screen in the VMware Cloud Director tenant portal to configure settings needed to create an IPsec VPN connection between your organization virtual data center and another site using the edge gateway IPsec VPN capabilities.
When you configure an IPsec VPN connection between sites, you configure the connection from the point of view of your current location. Setting up the connection requires that you understand the concepts in the context of the VMware Cloud Director environment so that you configure the VPN connection correctly.
- The local and peer subnets specify the networks to which the VPN connects. When you specify these subnets in the configurations for IPsec VPN sites, enter a network range and not a specific IP address. Use CIDR format, such as 192.168.99.0/24.
- The peer ID is an identifier that uniquely identifies the remote device that terminates the VPN connection, typically its public IP address. For peers using certificate authentication, this ID must be the distinguished name set in the peer certificate. For PSK peers, this ID can be any string. An NSX best practice is to use the public IP address of the remote device or FQDN as the peer ID. If the peer IP address is from another organization virtual data center network, you enter the native IP address of the peer. If NAT is configured for the peer, you enter the peer's private IP address.
- The peer endpoint specifies the public IP address of the remote device to which you are connecting. The peer endpoint might be a different address from the peer ID if the peer's gateway is not directly accessible from the Internet, but connects through another device. If NAT is configured for the peer, you enter the public IP address that the devices uses for NAT.
- The local ID specifies the public IP address of the edge gateway of the organization virtual data center. You can enter an IP address or hostname along with the edge gateway firewall.
- The local endpoint specifies the network in your organization virtual data center on which the edge gateway transmits. Typically the external network of the edge gateway is the local endpoint.
Prerequisites
- Navigate to the IPsec VPN Screen on an NSX Data Center for vSphere Edge Gateway in the VMware Cloud Director Service Provider Admin Portal.
- Configure IPsec VPN on an NSX Data Center for vSphere Edge Gateway in the VMware Cloud Director Service Provider Admin Portal.
- If you intend to use a global certificate as the authentication method, verify that certificate authentication is enabled on the Global Configuration screen. See Specify Global IPsec VPN Settings on an NSX Edge Gateway in the VMware Cloud Director Service Provider Admin Portal.
Procedure
- On the IPsec VPN tab, click IPsec VPN Sites.
- Click the Add () button.
- Configure the IPsec VPN connection settings.
Option Action Enabled Enable this connection between the two VPN endpoints. Enable perfect forward secrecy (PFS) Enable this option to have the system generate unique public keys for all IPsec VPN sessions your users initiate. Enabling PFS ensures that the system does not create a link between the edge gateway private key and each session key.
The compromise of a session key will not affect data other than the data exchanged in the specific session protected by that particular key. Compromise of the server's private key cannot be used to decrypt archived sessions or future sessions.
When PFS is enabled, IPsec VPN connections to this edge gateway experience a slight processing overhead.
Important: The unique session keys must not be used to derive any additional keys. Also, both sides of the IPsec VPN tunnel must support PFS for it to work.Name (Optional) Enter a name for the connection. Local ID Enter the external IP address of the edge gateway instance, which is the public IP address of the edge gateway. The IP address is the one used for the peer ID in the IPsec VPN configuration on the remote site.
Local Endpoint Enter the network that is the local endpoint for this connection. The local endpoint specifies the network in your organization virtual data center on which the edge gateway transmits. Typically, the external network is the local endpoint.
If you add an IP-to-IP tunnel using a pre-shared key, the local ID and local endpoint IP can be the same.
Local Subnets Enter the networks to share between the sites and use a comma as a separator to enter multiple subnets. Enter a network range (not a specific IP address) by entering the IP address using CIDR format. For example, 192.168.99.0/24.
Peer ID Enter a peer ID to uniquely identify the peer site. The peer ID is an identifier that uniquely identifies the remote device that terminates the VPN connection, typically its public IP address.
For peers using certificate authentication, the ID must be the distinguished name in the peer's certificate. For PSK peers, this ID can be any string. An NSX best practice is to use the remote device's public IP address or FQDN as the peer ID.
If the peer IP address is from another organization virtual data center network, you enter the native IP address of the peer. If NAT is configured for the peer, you enter the peer's private IP address.
Peer Endpoint Enter the IP address or FQDN of the peer site, which is the public-facing address of the remote device to which you are connecting. Note: When NAT is configured for the peer, enter the public IP address that the device uses for NAT.Peer Subnets Enter the remote network to which the VPN connects and use a comma as a separator to enter multiple subnets. Enter a network range (not a specific IP address) by entering the IP address using CIDR format. For example, 192.168.99.0/24.
Encryption Algorithm Select the encryption algorithm type from the drop-down menu. Note: The encryption type you select must match the encryption type configured on the remote site VPN device.Authentication Select an authentication. The options are: - PSK
Pre Shared Key (PSK) specifies that the secret key shared between the edge gateway and the peer site is to be used for authentication.
- Certificate
Certificate authentication specifies that the certificate defined at the global level is to be used for authentication. This option is not available unless you have configured the global certificate on the IPsec VPN tab's Global Configuration screen.
Change Shared Key (Optional) When you are updating the settings of an existing connection, you can turn on this option on to make the Pre-Shared Key field available so that you can update the shared key. Pre-Shared Key If you selected PSK as the authentication type, type an alphanumeric secret string which can be a string with a maximum length of 128 bytes. Note: The shared key must match the key that is configured on the remote site VPN device. A best practice is to configure a shared key when anonymous sites will connect to the VPN service.Display Shared Key (Optional) Enable this option to make the shared key visible in the screen. Diffie-Hellman Group Select the cryptography scheme that allows the peer site and this edge gateway to establish a shared secret over an insecure communications channel. Note: The Diffie-Hellman Group must match what is configured on the remote site VPN device.Extension (Optional) Type one of the following options: securelocaltrafficbyip=
IPAddress to redirect the edge gateway local traffic over the IPsec VPN tunnel.This is the default value.
passthroughSubnets=
PeerSubnetIPAddress to support overlapping subnets.
- PSK
- Click Keep.
- Click Save changes.
What to do next
Configure the connection for the remote site. You must configure the IPsec VPN connection on both sides of the connection: your organization virtual data center and the peer site.
Enable the IPsec VPN service on this edge gateway. When at least one IPsec VPN connection is configured, you can enable the service. See Enable the IPsec VPN Service on an NSX Data Center for vSphere Edge Gateway in the VMware Cloud Director Service Provider Admin Portal.