The on-premises end of any IPsec VPN must be configured to match the settings you specified for the SDDC end of that VPN.
Information in the following tables summarizes the available SDDC IPsec VPN settings. Some of the settings can be configured. Some are static. Use this information to verify that your on-premises VPN solution can be configured to match the one in your SDDC. Choose an on-premises VPN solution that supports all the static settings and any of the configurable settings listed in these tables.
Phase 1 Internet Key Exchange (IKE) Settings
| Attribute | Allowed Values | Recommended Value |
|---|---|---|
| Protocol | IKEv1, IKEv2, IKE FLEX | IKEv2 |
| Encryption Algorithm | AES (128, 256), AES-GCM (128, 192, 256) | AES GCM |
| Tunnel/IKE Digest Algorithm | SHA-1, SHA-2 | SHA-2 |
| Diffie Hellman | DH Groups 2, 5, 14-16 | DH Group 14-16 |
| Attribute | Value |
|---|---|
| ISAKMP mode | Main mode (Disable aggressive mode) |
| ISAKMP/IKE SA lifetime | 86400 seconds (24 hours) |
| IPsec Mode | Tunnel |
| IKE Authentication | Pre-Shared Key |
Phase 2 IKE Settings
| Attribute | Allowed Values | Recommended Value |
|---|---|---|
| Encryption Algorithm | AES-256, AES-GCM, AES | AES-GCM |
| Perfect forward secrecy (PFS) | Enabled, Disabled | Enabled |
| Diffie Hellman | DH Groups 2, 5, 14-16 | DH Group 14-16 |
| Attribute | Value |
|---|---|
| Hashing Algorithm | SHA-1 |
| Tunnel Mode | Encapsulating Security Payload (ESP) |
| SA lifetime | 3600 seconds (one hour) |
On-Premises IPsec VPN Configuration
Click
DOWNLOAD CONFIG on the status page of any VPN to download a file that contains VPN configuration details. You can use these details to configure the on-premises end of the VPN.
Note: Do not configure the on-premises side of a VPN to have an idle timeout (for example, the NSX
Session idle timeout setting). On-premises idle timeouts can cause the VPN to become periodically disconnected.
Sample configuration files for several popular endpoint devices are available on VMware {code}.
