You can use the VMware Cloud Director Service Provider Admin Portal to configure site-to-site connectivity between a dedicated provider gateway and remote sites.
Procedure
- From the primary left navigation panel, select Resources, and from the page top navigation bar, select Cloud Resources.
- From the secondary left panel, click Provider Gateways, and click the name of the target private provider gateway.
- From the page-level left navigation, under Services, select IPSec VPN, and click New.
- Enter a name and, optionally, a description for the IPSec VPN tunnel.
- Select the IPSec VPN tunnel type.
- Select a security profile for securing the transmitted data.
You can use the VMware Cloud Director API to restrict the number of security profiles available to your tenants when they configure NSX IPSec VPN. See VMware Cloud Director OpenAPI.
- To enable the tunnel upon creation, turn on the Status toggle.
- To enable logging, turn on the Logging toggle.
- Click Next.
- Select a peer authentication mode.
Option |
Description |
Pre-Shared Key |
Choose a pre-shared key to enter. The pre-shared key must be the same on the other end of the IPSec VPN tunnel. |
Certificate |
Select site and CA certificates to be used for authentication. |
- From the drop-down menu, select one of the IP addresses that are available to the edge gateway for the local endpoint.
The IP address must be either the primary IP of the edge gateway, or an IP address that is separately allocated to the edge gateway.
- If you are configuring policy-based IPSec VPN, enter at least one local IP subnet address in CIDR notation to use for the IPSec VPN tunnel.
- Enter the IP address for the remote endpoint.
- If you are configuring policy-based IPSec VPN, enter at least one remote IP subnet address in CIDR notation to use for the IPSec VPN tunnel.
- Enter the remote ID for the peer site.
The remote ID must match the SAN (Subject Alternative Name) of the remote endpoint certificate, if available. If the remote certificate does not contain a SAN, the remote ID must match the distinguished name of the certificate that is used to secure the remote endpoint, for example, C=US, ST=Massachusetts, O=VMware,OU=VCD, CN=Edge1.
- If you are configuring route-based IPSec VPN, for the Virtual Tunnel Interface (VTI), enter a valid IPv4 CIDR, IPv6 CIDR, or one of each by separating them with a comma.
The Virtual Tunnel Interface represents the endpoint of an IPSec tunnel on a network device.
- Click Next.
- Review your settings and click Finish.
Results
The newly created IPSec VPN tunnel is listed in the
IPSec VPN view.