You can use the VMware Cloud Director Service Provider Admin Portal to configure site-to-site connectivity between a dedicated provider gateway and remote sites.

Prerequisites

The route-based IPSec VPN tunnel on a dedicated provider gateway works only with Border Gateway Protocol (BGP). Configure BGP before or after configuring the IPSec VPN tunnel. See Configure BGP General Settings on an NSX Edge Gateway in the VMware Cloud Director Service Provider Admin Portal.

Procedure

  1. From the primary left navigation panel, select Resources, and from the page top navigation bar, select Cloud Resources.
  2. From the secondary left panel, click Provider Gateways, and click the name of the target private provider gateway.
  3. From the page-level left navigation, under Services, select IPSec VPN, and click New.
  4. Enter a name and, optionally, a description for the IPSec VPN tunnel.
  5. Select the IPSec VPN tunnel type.
  6. Select a security profile for securing the transmitted data.

    You can use the VMware Cloud Director API to restrict the number of security profiles available to your tenants when they configure NSX IPSec VPN. See VMware Cloud Director OpenAPI.

  7. To enable the tunnel upon creation, turn on the Status toggle.
  8. To enable logging, turn on the Logging toggle.
  9. Click Next.
  10. Select a peer authentication mode.
    Pre-Shared Key: Enter a pre-shared key. The pre-shared key must be the same on the other end of the IPSec VPN tunnel.
    Certificate: Select the site and CA certificates to use for authentication.
  11. From the drop-down menu, select one of the IP addresses that are available to the edge gateway for the local endpoint.
    The IP address must be either the primary IP of the edge gateway, or an IP address that is separately allocated to the edge gateway.
  12. If you are configuring policy-based IPSec VPN, enter at least one local IP subnet address in CIDR notation to use for the IPSec VPN tunnel.
  13. Enter the IP address for the remote endpoint.
  14. If you are configuring policy-based IPSec VPN, enter at least one remote IP subnet address in CIDR notation to use for the IPSec VPN tunnel.
  15. Enter the remote ID for the peer site.
    The remote ID must match the SAN (Subject Alternative Name) of the remote endpoint certificate, if available. If the remote certificate does not contain a SAN, the remote ID must match the distinguished name of the certificate that is used to secure the remote endpoint, for example, C=US, ST=Massachusetts, O=VMware, OU=VCD, CN=Edge1.
  16. If you are configuring route-based IPSec VPN, for the Virtual Tunnel Interface (VTI), enter a valid IPv4 CIDR, IPv6 CIDR, or one of each by separating them with a comma.

    The Virtual Tunnel Interface represents the endpoint of an IPSec tunnel on a network device.

  17. Click Next.
  18. Review your settings and click Finish.
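The form accepts free-text CIDR and remote ID values, so a mistyped subnet, a VTI with two IPv4 addresses, or a remote ID that does not match the peer certificate is only discovered when the tunnel fails to come up. The following script is an added example (not VMware code and not part of this page) that pre-checks those inputs with Python's standard ipaddress module before you type them into the wizard: steps 12 and 14 (policy-based subnets), step 16 (the VTI rule of one IPv4 CIDR, one IPv6 CIDR, or one of each) and step 15 (remote ID against the peer certificate's SAN or subject DN). Assumptions: subnets must be network addresses with host bits zero, VTI entries are interface addresses that must carry a prefix length, SAN comparison is case-insensitive, and the DN is compared component by component after splitting on unescaped commas. The sample values are constructed.

```python
"""Pre-flight checks for the IPSec VPN tunnel form fields (added example, not VMware code)."""
import ipaddress


def _split(text):
    """Split a comma-separated field into stripped, non-empty items."""
    return [item.strip() for item in text.split(",") if item.strip()]


def validate_subnets(text):
    """Steps 12 and 14 (policy-based): at least one subnet in CIDR notation.

    Assumption: a subnet must be a network address (host bits zero), so
    '10.1.0.1/24' is rejected while '10.1.0.0/24' is accepted.
    """
    items = _split(text)
    if not items:
        return ["at least one subnet in CIDR notation is required"]
    errors = []
    for item in items:
        try:
            ipaddress.ip_network(item)  # strict=True by default: host bits must be zero
        except ValueError as exc:
            errors.append(f"{item}: {exc}")
    return errors


def validate_vti(text):
    """Step 16 (route-based): one IPv4 CIDR, one IPv6 CIDR, or one of each.

    Assumption: the VTI value is an interface address, so host bits are allowed
    ('169.254.1.1/30'), but the prefix length is mandatory.
    """
    items = _split(text)
    if not 1 <= len(items) <= 2:
        return ["VTI accepts one IPv4 CIDR, one IPv6 CIDR, or one of each"]
    errors, seen = [], set()
    for item in items:
        if "/" not in item:
            errors.append(f"{item}: prefix length is required")
            continue
        try:
            version = ipaddress.ip_interface(item).version
        except ValueError as exc:
            errors.append(f"{item}: {exc}")
            continue
        if version in seen:
            errors.append(f"{item}: more than one IPv{version} CIDR in VTI")
        seen.add(version)
    return errors


def validate_tunnel(tunnel_type, local_subnets="", remote_subnets="", vti=""):
    """Run the checks that apply to the tunnel type chosen in step 5; an empty list means OK."""
    if tunnel_type == "policy":
        return ([f"local subnet: {e}" for e in validate_subnets(local_subnets)]
                + [f"remote subnet: {e}" for e in validate_subnets(remote_subnets)])
    if tunnel_type == "route":
        return [f"VTI: {e}" for e in validate_vti(vti)]
    return [f"unknown tunnel type {tunnel_type!r}"]


def parse_dn(dn):
    """Split 'C=US, ST=Massachusetts, CN=Edge1' into [('C', 'US'), ...].

    Assumption: plain comma-separated RDNs with no escaped commas; attribute
    types are compared case-insensitively, values exactly.
    """
    parts = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn.strip()!r}")
        parts.append((attr.strip().upper(), value.strip()))
    return parts


def remote_id_matches(remote_id, san_names, subject_dn):
    """Step 15 rule: with SANs present the remote ID must equal one of them
    (assumed case-insensitive, as for DNS names); without SANs it must equal
    the subject DN component by component."""
    if san_names:
        return remote_id.strip().lower() in {n.strip().lower() for n in san_names}
    try:
        return parse_dn(remote_id) == parse_dn(subject_dn)
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    print(validate_tunnel("route", vti="169.254.1.1/30, fd00:1::1/64"))   # []
    print(validate_tunnel("route", vti="10.0.0.1/30, 10.0.0.5/30"))      # one error: two IPv4 CIDRs
    print(validate_tunnel("policy", local_subnets="10.1.0.1/24",
                          remote_subnets="192.168.10.0/24"))              # one error: host bits set
    print(remote_id_matches(
        "C=US, ST=Massachusetts, O=VMware,OU=VCD, CN=Edge1", [],
        "C=US, ST=Massachusetts, O=VMware, OU=VCD, CN=Edge1"))            # True
```

Run it as a script to see the four constructed cases, or import the functions and feed them the values you intend to enter. The SAN and subject DN arguments are whatever you read from the peer's certificate; the script deliberately does not parse certificates so that it runs without third-party libraries.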

Results

The newly created IPSec VPN tunnel is listed in the IPSec VPN view.

What to do next

  • To verify that the tunnel is functioning, select it, and click View Statistics.

    If the tunnel is functioning, Tunnel Status and IKE Service Status both display Up.

  • Configure the remote endpoint of the IPSec VPN tunnel.
  • You can edit the IPSec VPN tunnel settings and customize its security profile as needed.
  • To allow the management of IPSec VPN tunnels only on the provider gateways, on the edge gateways, or on both, under Topology Intentions, select IPSec VPN, and edit the IPSec VPN service intention.