If you want to connect a VPN to a Tier-1 gateway, you must create an IPsec service on the gateway and suitable NAT rules to enable IPsec VPN traffic over the gateway's Internet interface.

In SDDC version 1.18 and later, you have the option to create a VPN that terminates on a custom Tier-1 gateway. This configuration is especially useful when you need to provide dedicated VPN access to a specific tenant or workgroup.

For more information, see the VMware Tech Zone article Understanding VPN to Customer Created NSX T1s in VMC on AWS.

Prerequisites

Create a NATted or routed Tier-1 gateway. See Add a Custom Tier-1 Gateway to a VMware Cloud on AWS SDDC.

Procedure

  1. Log in to VMware Cloud Services at https://vmc.vmware.com.
  2. Click Inventory > SDDCs, then pick an SDDC card and click VIEW DETAILS.
  3. Click OPEN NSX MANAGER and log in with the NSX Manager Admin User Account shown on the SDDC Settings page.
  4. (Optional) Request a public IP address for the VPN endpoint.
    In the typical case, where you want to reach this VPN from the Internet, its local endpoint will need to be a public IP address. See Request or Release a Public IP Address. For this example, we're going to use 93.184.216.34 as that address. If you want to reach this VPN over DX or VMware Transit Connect, you can use any available IP address in the SDDC compute network.
    Note: You cannot use any subnet of the Management CIDR as the local endpoint.
  5. Add a VPN service to the Tier-1 gateway.
    Click Networking > VPN. Open the Tier-1 tab and click VPN Services > ADD SERVICE > IPSec. Give the IPsec service a Name, then select a Tier-1 Gateway from the drop-down menu. Click SAVE to create the service.
  6. Create the local endpoint.
    Open the Local Endpoints tab and click ADD LOCAL ENDPOINT. Give the new local endpoint a Name and optional Description. For VPN Service, use the name of the IPsec service you created in Step 5. For the IP Address, use the Public IP address you requested in Step 4 or any available address in the SDDC compute network. Click SAVE to create the local endpoint.
  7. Configure the VPN.
    Open the IPSec Sessions tab and select Route Based or Policy Based in the ADD IPSEC SESSION drop-down.
    1. For VPN Service, use the name of the IPsec service you created in Step 5. For Local Endpoint, use the one you created in Step 6.
    2. For Remote IP, enter the address of your on-premises VPN endpoint.
    3. Enter the Preshared Key string.

      The maximum key length is 128 characters. This key must be identical for both ends of the VPN tunnel.

  8. Specify the Remote ID.
    Leave this blank to use the Remote IP as the remote ID for IKE negotiation. If your on-premises VPN gateway is behind a NAT device and/or uses a different IP for its local ID, you need to enter that IP here.
  9. Configure the Advanced Tunnel Parameters.
    IKE Profile > IKE Encryption: Select a Phase 1 (IKE) cipher that is supported by your on-premises VPN gateway.
    IKE Profile > IKE Digest Algorithm: Select a Phase 1 digest algorithm that is supported by your on-premises VPN gateway. The best practice is to use the same algorithm for both the IKE Digest Algorithm and the Tunnel Digest Algorithm.
    Note: If you specify a GCM-based cipher for IKE Encryption, set IKE Digest Algorithm to None. The digest function is integral to the GCM cipher. You must use IKE V2 if you use a GCM-based cipher.
    IKE Profile > IKE Version:
    • Specify IKE V1 to initiate and accept the IKEv1 protocol.
    • Specify IKE V2 to initiate and accept the IKEv2 protocol. You must use IKEv2 if you have specified a GCM-based cipher for IKE Encryption.
    • Specify IKE FLEX to accept either IKEv1 or IKEv2 and then initiate using IKEv2. If IKEv2 initiation fails, IKE FLEX will not fall back to IKEv1.
    IKE Profile > Diffie Hellman: Select a Diffie Hellman group that is supported by your on-premises VPN gateway. This value must be identical for both ends of the VPN tunnel. Higher group numbers offer better protection. The best practice is to select group 14 or higher.
    IPSec Profile > Tunnel Encryption: Select a Phase 2 security association (SA) cipher that is supported by your on-premises VPN gateway.
    IPSec Profile > Tunnel Digest Algorithm: Select a Phase 2 digest algorithm that is supported by your on-premises VPN gateway.
    Note: If you specify a GCM-based cipher for Tunnel Encryption, set Tunnel Digest Algorithm to None. The digest function is integral to the GCM cipher.
    IPSec Profile > Perfect Forward Secrecy: Enable or Disable to match the setting of your on-premises VPN gateway. Enabling Perfect Forward Secrecy prevents recorded (past) sessions from being decrypted if the private key is ever compromised.
    IPSec Profile > Diffie Hellman: Select a Diffie Hellman group that is supported by your on-premises VPN gateway. This value must be identical for both ends of the VPN tunnel. Higher group numbers offer better protection. The best practice is to select group 14 or higher.
    DPD Profile > DPD Probe Mode: One of Periodic or On Demand.

    For a periodic DPD probe mode, a DPD probe is sent every time the specified DPD probe interval time is reached.

    For an on-demand DPD probe mode, a DPD probe is sent if no IPSec packet is received from the peer site after an idle period. The value in DPD Probe Interval determines the idle period used.

    DPD Profile > Retry Count: Integer number of retries allowed. Values in the range 1 - 100 are valid. The default retry count is 10.
    DPD Profile > DPD Probe Interval: The number of seconds you want the NSX IKE daemon to wait between sending the DPD probes.

    For a periodic DPD probe mode, the valid values are between 3 and 360 seconds. The default value is 60 seconds.

    For an on-demand probe mode, the valid values are between 1 and 10 seconds. The default value is 3 seconds.

    When the periodic DPD probe mode is set, the IKE daemon sends a DPD probe periodically. If the peer site responds within half a second, the next DPD probe is sent after the configured DPD probe interval time has been reached. If the peer site does not respond, the DPD probe is sent again after waiting for half a second. If the remote peer site continues not to respond, the IKE daemon resends the DPD probe until a response is received or the retry count has been reached. Before the peer site is declared to be dead, the IKE daemon resends the DPD probe up to the maximum number of times specified in the Retry Count property. After the peer site is declared dead, NSX tears down the security association (SA) on the dead peer's link.

    When the on-demand DPD mode is set, the DPD probe is sent only if no IPSec traffic is received from the peer site after the configured DPD probe interval time has been reached.

    DPD Profile > Admin Status: To enable or disable the DPD profile, click the Admin Status toggle. By default, the value is set to Enabled. When the DPD profile is enabled, it is used for all IPSec sessions in the IPSec VPN service that uses the DPD profile.
    TCP MSS Clamping: To use TCP MSS Clamping to reduce the maximum segment size (MSS) payload of the TCP session during the IPsec connection, toggle this option to Enabled, then select the TCP MSS Direction and optionally the TCP MSS Value. See Understanding TCP MSS Clamping in the NSX Data Center Administration Guide.
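    The constraints in this table (GCM ciphers need Digest Algorithm = None and IKE V2, group 14 or higher, PFS, and the DPD value ranges) can be checked before you click SAVE. The following is an added example, not code from this page or from NSX; the profile is a constructed dict whose keys mirror the UI field names, and the dead-peer estimate is derived from the table's own description of Periodic mode.

```python
# Added example (not from this VMware page or from NSX itself): checks proposed
# Advanced Tunnel Parameters against the constraints the table states. The
# profile is a constructed dict whose keys mirror the UI field names.

def check_tunnel_parameters(p):
    """Return (severity, message) findings; an empty list means every
    constraint and best practice in the table is satisfied."""
    findings = []
    ike_gcm = "GCM" in p["ike_encryption"].upper()
    tun_gcm = "GCM" in p["tunnel_encryption"].upper()
    # GCM is an AEAD cipher: its tag replaces the digest, so NSX requires
    # Digest Algorithm = None, and IKE V2 when GCM is used for Phase 1.
    if ike_gcm and p["ike_digest"] != "None":
        findings.append(("error", "GCM IKE Encryption needs IKE Digest Algorithm = None"))
    if ike_gcm and p["ike_version"] != "IKE V2":
        findings.append(("error", "GCM IKE Encryption needs IKE Version = IKE V2"))
    if tun_gcm and p["tunnel_digest"] != "None":
        findings.append(("error", "GCM Tunnel Encryption needs Tunnel Digest Algorithm = None"))
    # Best practice: same digest for IKE and the tunnel when both use one.
    if not (ike_gcm or tun_gcm) and p["ike_digest"] != p["tunnel_digest"]:
        findings.append(("warn", "IKE and Tunnel Digest Algorithms differ"))
    # Best practice: Diffie-Hellman group 14 or higher in both profiles.
    for field in ("ike_dh_group", "tunnel_dh_group"):
        if p[field] < 14:
            findings.append(("warn", f"{field} = {p[field]} is below recommended group 14"))
    if not p["pfs"]:
        findings.append(("warn", "Perfect Forward Secrecy disabled"))
    # DPD ranges: retry 1-100; interval 3-360 s (Periodic) or 1-10 s (On Demand).
    if not 1 <= p["dpd_retry_count"] <= 100:
        findings.append(("error", "DPD Retry Count must be between 1 and 100"))
    low, high = (3, 360) if p["dpd_mode"] == "Periodic" else (1, 10)
    if not low <= p["dpd_interval"] <= high:
        findings.append(("error", f"DPD Probe Interval must be {low}-{high} s in {p['dpd_mode']} mode"))
    return findings

def periodic_dead_peer_seconds(interval, retry_count):
    """Worst-case seconds before a silent peer is declared dead in Periodic mode,
    as the table describes it: the peer fails just after answering a probe, the
    next probe goes out after `interval`, and each unanswered probe is resent
    after half a second, up to `retry_count` times."""
    return interval + 0.5 * retry_count

# Constructed profiles: a GCM Phase 1 cipher with a leftover digest on IKE V1,
# then the same profile with every finding addressed.
WEAK = {"ike_encryption": "AES GCM 256", "ike_digest": "SHA2 256", "ike_version": "IKE V1",
        "ike_dh_group": 5, "tunnel_encryption": "AES 256", "tunnel_digest": "SHA2 256",
        "tunnel_dh_group": 14, "pfs": False,
        "dpd_mode": "Periodic", "dpd_interval": 60, "dpd_retry_count": 10}
FIXED = dict(WEAK, ike_digest="None", ike_version="IKE V2", ike_dh_group=14, pfs=True)
```

    check_tunnel_parameters(WEAK) reports two errors and two warnings, while FIXED returns an empty list; with the default Periodic values (60 s, 10 retries) a silent peer is declared dead after at most 65 s.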
  10. (Optional) Tag the VPN.

    See Add Tags to an Object in the NSX Data Center Administration Guide for more information about tagging NSX objects.

  11. Click SAVE to create the VPN.
  12. Add a Compute Gateway firewall rule that allows IPsec VPN traffic through the Internet interface of the CGW.
    Open the Gateway Firewall tab and click Compute Gateway. A rule like this one will work but is probably more permissive than you'd want for production use. Consider restricting the Sources to a CIDR block that you trust or control. In this example, we're using the public IP address we got in Step 4 (93.184.216.34) as the Destinations address.
    Name: VPN Access
    Sources: Any
    Destinations: 93.184.216.34
    Services: Must include IKE (NAT Traversal), IKE (Key Exchange), IPSec VPN ESP
    Applied To: Internet Interface
    Action: Allow
  13. Create a NAT rule to make the public IP address of the VPN externally accessible.
    Navigate to Networking > NAT > Internet. Click Add NAT Rule and create a NAT rule like this one.
    Name: VPN Access
    Public IP: 93.184.216.34
    Service: All Traffic
    Public Port: Any
    Internal IP: 93.184.216.34
    Firewall: Match External Address
    The rule must use the same address (in this example, it's the public IP address requested in Step 4) for Public IP and Internal IP. The firewall must match the external address when examining incoming packets.