A policy-based VPN creates an IPsec tunnel and a policy that specifies how traffic uses it. When you use a policy-based VPN, you must update the routing tables on both ends of the network when new routes are added.
Policy-based VPNs in your VMware Cloud on AWS GovCloud SDDC use an IPsec protocol to secure traffic. To create a policy-based VPN, you configure the local (SDDC) endpoint, then configure a matching remote (on-premises) endpoint. Because each policy-based VPN must create a new IPsec security association for each network, an administrator must update routing information on premises and in the SDDC whenever a new policy-based VPN is created. A policy-based VPN can be an appropriate choice when you have only a few networks on either end of the VPN, or if your on-premises network hardware does not support BGP (which is required for route-based VPNs).
If your SDDC includes both a policy-based VPN and a route-based VPN, connectivity over the policy-based VPN will fail if the route-based VPN advertises the default route (0.0.0.0/0) to the SDDC.
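The two points above (a policy-based VPN negotiates a separate IPsec security association per network and exchanges no routes, so routes must be maintained on both ends, and a default route advertised over a route-based VPN breaks it) lend themselves to a small pre-change check. The following Python is an added example, not VMware's tooling or part of the SDDC console; the VPN name, SDDC and on-premises prefixes, and the list of prefixes advertised by the route-based VPN are constructed sample values, and the one-SA-per-local/remote-pair model is an assumption about how the selectors are enumerated.

```python
"""Added example (not VMware code): plan the SAs and routes a policy-based VPN
needs and flag the default-route conflict the documentation warns about."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from itertools import product
from typing import Dict, List, Tuple

DEFAULT_ROUTE = ip_network("0.0.0.0/0")


@dataclass
class PolicyVpn:
    name: str
    local_networks: List[IPv4Network]   # SDDC side of the tunnel
    remote_networks: List[IPv4Network]  # on-premises side of the tunnel


def to_nets(prefixes: List[str]) -> List[IPv4Network]:
    """Parse CIDR strings strictly, so a host address like 10.2.0.5/24 is rejected."""
    return [ip_network(p, strict=True) for p in prefixes]


def security_associations(vpn: PolicyVpn) -> List[Tuple[IPv4Network, IPv4Network]]:
    """Traffic selectors the tunnel must negotiate: assumed one SA per
    (local network, remote network) pair. The count grows multiplicatively,
    which is why policy-based VPNs suit small numbers of networks."""
    return list(product(vpn.local_networks, vpn.remote_networks))


def required_routes(vpn: PolicyVpn) -> Dict[str, List[str]]:
    """Static routes each side must carry, because a policy-based VPN does not
    exchange routing information: the SDDC needs routes to the on-premises
    prefixes and on-premises needs routes to the SDDC prefixes."""
    return {
        "sddc": sorted(str(n) for n in vpn.remote_networks),
        "on_premises": sorted(str(n) for n in vpn.local_networks),
    }


def default_route_conflicts(policy_vpns: List[PolicyVpn],
                            route_based_advertised: List[str]) -> List[str]:
    """Names of policy-based VPNs that will lose connectivity because a
    route-based VPN advertises 0.0.0.0/0 to the SDDC (the documented failure)."""
    advertised = to_nets(route_based_advertised)
    if DEFAULT_ROUTE not in advertised:
        return []
    return [v.name for v in policy_vpns]


# Constructed sample: two SDDC segments, two on-premises networks.
EXAMPLE_VPN = PolicyVpn(
    name="vpn-to-dc1",
    local_networks=to_nets(["10.2.0.0/24", "10.2.1.0/24"]),
    remote_networks=to_nets(["192.168.10.0/24", "192.168.20.0/24"]),
)

if __name__ == "__main__":
    print(f"{EXAMPLE_VPN.name}: {len(security_associations(EXAMPLE_VPN))} SAs")
    for side, routes in required_routes(EXAMPLE_VPN).items():
        print(f"  routes needed in {side}: {', '.join(routes)}")
    # A route-based VPN that advertises a default route breaks the policy VPN.
    print("conflicts:", default_route_conflicts([EXAMPLE_VPN], ["0.0.0.0/0"]))
```

Run it before adding a network to an existing policy-based VPN: the SA list shows how many selectors the peer must also be configured with, the route list is the change to make on both ends, and a non-empty conflict list means the route-based VPN's advertised prefixes need adjusting first.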
Procedure
Results
- Click DOWNLOAD CONFIG to download a file that contains VPN configuration details. You can use these details to configure the on-premises end of this VPN.
- Click VIEW STATISTICS to view packet traffic statistics for this VPN. See Create a Policy-Based VPN.
What to do next
Create or update firewall rules as needed. To allow traffic through the policy-based VPN, specify Internet Interface in the Applied to field.