A policy-based VPN creates an IPsec tunnel and a policy that specifies how traffic uses it. When you use a policy-based VPN, you must update the routing tables on both ends of the network when new routes are added.
This topic explains how to create a policy-based VPN that connects to the SDDC's default public or private IP. If your SDDC has additional Tier-1 gateways (see Add a Custom Tier-1 Gateway to a VMware Cloud on AWS SDDC), you can click OPEN NSX MANAGER and add VPN services that terminate on those gateways. See Adding VPN Services in the NSX Data Center Administration Guide.
In VMware Cloud on AWS, VPN services to a Tier-1 gateway do not support BGP.
Policy-based VPNs in your VMware Cloud on AWS SDDC use an IPsec protocol to secure traffic. To create a policy-based VPN, you configure the local (SDDC) endpoint, then configure a matching remote (on-premises) endpoint. Because each policy-based VPN must create a new IPsec security association for each network, an administrator must update routing information on premises and in the SDDC whenever a new policy-based VPN is created. A policy-based VPN can be an appropriate choice when you have only a few networks on either end of the VPN, or if your on-premises network hardware does not support BGP (which is required for route-based VPNs).
If your SDDC includes both a policy-based VPN and another connection such as a route-based VPN, DX, or VTGW connectivity over the policy-based VPN will fail if any of those other connections advertises the default route (0.0.0.0/0) to the SDDC. If none of those other connections advertise the default route, all traffic matching the VPN's policy will flow over the VPN even if the other connections provide a more specific route. In case of overlap, a route-based VPN route is preferred over a policy-based VPN policy match. Networks configured on a policy-based VPN cannot be used over any other connection. Traffic matching the VPN policy is always sent to the VPN when it's enabled, regardless of the state of the VPN tunnel itself, and will be dropped if the tunnel is down but the VPN admin state is enabled.
- Log in to the VMware Cloud Console at https://vmc.vmware.com.
- Click VIEW DETAILS. , then pick an SDDC card and click
- Click OPEN NSX MANAGER and log in with the NSX Manager Admin User Account shown on the SDDC Settings page. See SDDC Network Administration with NSX Manager.
You can also use the VMware Cloud Console Networking & Security tab for this workflow.
- Click Name and optional Description. and give the new VPN a
- Select a Local IP Address from the drop-down menu.
- If this SDDC is member of an SDDC group or has been configured to use AWS Direct Connect, select the private IP address to have the VPN use that connection rather than a connection over the Internet. Note that VPN traffic over Direct Connect or VMware Managed Transit Gateway (VTGW) is limited to the default MTU of 1500 bytes even if the link supports a higher MTU. See Configure Direct Connect to a Private Virtual Interface for SDDC Management and Compute Network Traffic.
- Select the public IP address if you want the VPN to connect over the Internet.
- Enter the Remote Public IP address of your on-premises gateway.
The address must not already be in use for another VPN. VMware Cloud on AWS uses the same public IP for all VPN connections, so only a single VPN connection (Route-based, Policy-based, or L2VPN) can be created to a given remote public IP. This address must be reachable over the Internet if you specified a public IP in Step 5. If you specified a private IP, it must be reachable over Direct Connect to a private VIF. Default gateway firewall rules allow inbound and outbound traffic over the VPN connection, but you must create firewall rules to manage traffic over the VPN tunnel.
- Specify the Remote Networks that this VPN can connect to.
This list must include all networks defined as local by the on-premises VPN gateway. Enter each network in CIDR format, separating multiple CIDR blocks with commas.
- Specify the Local Networks that this VPN can connect to.
This list includes all routed compute networks in the SDDC, as well as the entire Management network and the appliance subnet (a subset of the Management network that includes vCenter and other management appliances, but not the ESXi hosts). It also includes the CGW DNS Network, a single IP address used to source requests forwarded by the CGW DNS service.
- Choose an Authentication Mode.
- For PSK authentication, enter the Preshared Key string. The maximum key length is 128 characters. This key must be identical for both ends of the VPN tunnel.
- For Certificate-based authentication see Configure Certificate-Based Authentication for an IPSec VPN.
- (Optional) If your on-premises gateway is behind a NAT device, enter the gateway address as the Remote Private IP.
This IP address must match the local identity (IKE ID) sent by the on-premises VPN gateway. If this field is empty, the Remote Public IP field is used to match the local identity of the on-premises VPN gateway.
- Configure the Advanced Tunnel Parameters.
Parameter Value Select a Phase 1 (IKE) cipher that is supported by your on-premises VPN gateway. Select a Phase 1 digest algorithm that is supported by your on-premises VPN gateway. The best practice is to use the same algorithm for both the IKE Digest Algorithm and the Tunnel Digest Algorithm.Note:
If you specify a GCM-based cipher for IKE Encryption, set IKE Digest Algorithm to None. The digest function is integral to the GCM cipher. You must use IKE V2 if you use a GCM-based cipher.
- Specify IKE V1 to initiate and accept the IKEv1 protocol.
- Specify IKE V2 to initiate and accept the IKEv2 protocol. You must use IKEv2 if you have specified a GCM-based IKE Digest Algorithm.
- Specify IKE FLEX to accept either IKEv1 or IKEv2 and then initiate using IKEv2. If IKEv2 initiation fails, IKE FLEX will not fall back to IKEv1.
Select a Diffie Hellman group that is supported by your on-premises VPN gateway. This value must be identical for both ends of the VPN tunnel. Higher group numbers offer better protection. The best practice is to select group 14 or higher. Select a Phase 2 security association (SA) cipher that is supported by your on-premises VPN gateway. IPSec Profile Tunnel Digest Algorithm Select a Phase 2 digest algorithm that is supported by your on-premises VPN gateway.Note:
If you specify a GCM-based cipher for Tunnel Encryption, set Tunnel Digest Algorithm to None. The digest function is integral to the GCM cipher.
Enable or Disable to match the setting of your on-premises VPN gateway. Enabling Perfect Forward Secrecy prevents recorded (past) sessions from being decrypted if the private key is ever compromised. Select a Diffie Hellman group that is supported by your on-premises VPN gateway. This value must be identical for both ends of the VPN tunnel. Higher group numbers offer better protection. The best practice is to select group 14 or higher. One of Periodic or On Demand.
For a periodic DPD probe mode, a DPD probe is sent every time the specified DPD probe interval time is reached.
For an on-demand DPD probe mode, a DPD probe is sent if no IPSec packet is received from the peer site after an idle period. The value in DPD Probe Interval determines the idle period used.
Integer number of retries allowed. Values in the range 1 - 100 are valid. The default retry count is 10. The number of seconds you want the NSX IKE daemon to wait between sending the DPD probes.
For a periodic DPD probe mode, the valid values are between 3 and 360 seconds. The default value is 60 seconds.
For an on-demand probe mode, the valid values are between 1 and 10 seconds. The default value is 3 seconds.
When the periodic DPD probe mode is set, the IKE daemon sends a DPD probe periodically. If the peer site responds within half a second, the next DPD probe is sent after the configured DPD probe interval time has been reached. If the peer site does not respond, then the DPD probe is sent again after waiting for half a second. If the remote peer site continues not to respond, the IKE daemon resends the DPD probe again, until a response is received or the retry count has been reached. Before the peer site is declared to be dead, the IKE daemon resends the DPD probe up to a maximum of times specified in the Retry Count property. After the peer site is declared dead, NSX then tears down the security association (SA) on the dead peer's link.
When the on-demand DPD mode is set, the DPD probe is sent only if no IPSec traffic is received from the peer site after the configured DPD probe interval time has been reached.
To enable or disable the DPD profile, click the Admin Status toggle. By default, the value is set to Enabled. When the DPD profile is enabled, the DPD profile is used for all IPSec sessions in the IPSec VPN service that uses the DPD profile. TCP MSS Clamping To use TCP MSS Clamping to reduce the maximum segment size (MSS) payload of the TCP session during the IPsec connection, toggle this option to Enabled, then select the TCP MSS Direction and optionally the TCP MSS Value. See Understanding TCP MSS Clamping in the NSX Data Center Administration Guide.
- (Optional) Tag the VPN.
See Add Tags to an Object in the NSX Data Center Administration Guide for more information about tagging NSX objects.
- Click SAVE.
- Click DOWNLOAD CONFIG to download a file that contains VPN configuration details. You can use these details to configure the on-premises end of this VPN.
- Click VIEW STATISTICS to view packet traffic statistics for this VPN. See View VPN Tunnel Status and Statistics.
What to do next
Create or update firewall rules as needed. To allow traffic through the policy-based VPN, specify Internet Interface in the Applied to field.