If you want to connect a VPN to a Tier-1 gateway, you must create an IPsec service on the gateway and suitable NAT rules to enable IPsec VPN traffic over the gateway's Internet interface.
In SDDC version 1.18 and later, you have the option to create a VPN that terminates on a custom Tier-1 gateway. This configuration is especially useful when you need to provide dedicated VPN access to a specific tenant or workgroup.
For more information, see the VMware Tech Zone article Understanding VPN to Customer Created NSX T1s in VMC on AWS.
Create a NATted or routed Tier-1 gateway. See Add a Custom Tier-1 Gateway to a VMware Cloud on AWS SDDC.
- Log in to VMware Cloud Services at https://vmc.vmware.com.
- Pick an SDDC card, then click VIEW DETAILS.
- Click OPEN NSX MANAGER and log in with the NSX Manager Admin User Account shown on the SDDC Settings page.
- (Optional) Request a public IP address for the VPN endpoint.
In the typical case, where you want to reach this VPN from the Internet, its local endpoint will need to be a public IP address. See Request or Release a Public IP Address. For this example, we're going to use 220.127.116.11 as that address. If you want to reach this VPN over DX or VMware Transit Connect, you can use any available IP address in the SDDC compute network.
Note: You cannot use any subnet of the Management CIDR as the local endpoint.
- Add a VPN service to the Tier-1 gateway.
Open the Tier-1 tab and add an IPsec service. Give the IPsec service a Name, then select a Tier-1 Gateway from the drop-down menu. Click SAVE to create the service.
- Create the local endpoint.
Open the Local Endpoints tab and click ADD LOCAL ENDPOINT. Give the new local endpoint a Name and optional Description. For VPN Service, use the name of the IPsec service you created in Step 5. For the IP Address, use the Public IP address you requested in Step 4 or any available address in the SDDC compute network. Click SAVE to create the local endpoint.
- Configure the VPN.
Open the IPSec Sessions tab and select Route Based or Policy Based in the ADD IPSEC SESSION drop-down.
- For VPN Service, use the name of the IPsec service you created in Step 5. For Local Endpoint, use the one you created in Step 6.
- For Remote IP, enter the address of your on-premises VPN endpoint.
- Enter the Preshared Key string.
The maximum key length is 128 characters. This key must be identical for both ends of the VPN tunnel.
- Specify the Remote ID.
Leave this blank to use the Remote IP as the remote ID for IKE negotiation. If your on-premises VPN gateway is behind a NAT device and/or uses a different IP for its local ID, you need to enter that IP here.
- Configure the Advanced Tunnel Parameters.
The parameters are grouped into the IKE Profile, the IPSec Profile, and the DPD Profile:
- IKE Encryption: Select a Phase 1 (IKE) cipher that is supported by your on-premises VPN gateway.
- IKE Digest Algorithm: Select a Phase 1 digest algorithm that is supported by your on-premises VPN gateway. The best practice is to use the same algorithm for both the IKE Digest Algorithm and the Tunnel Digest Algorithm.
  Note: If you specify a GCM-based cipher for IKE Encryption, set IKE Digest Algorithm to None. The digest function is integral to the GCM cipher. You must use IKE V2 if you use a GCM-based cipher.
- IKE Version:
  - Specify IKE V1 to initiate and accept the IKEv1 protocol.
  - Specify IKE V2 to initiate and accept the IKEv2 protocol. You must use IKEv2 if you have specified a GCM-based cipher for IKE Encryption.
  - Specify IKE FLEX to accept either IKEv1 or IKEv2 and then initiate using IKEv2. If IKEv2 initiation fails, IKE FLEX will not fall back to IKEv1.
- Diffie Hellman Group (IKE Profile): Select a Diffie Hellman group that is supported by your on-premises VPN gateway. This value must be identical for both ends of the VPN tunnel. Higher group numbers offer better protection. The best practice is to select group 14 or higher.
- Tunnel Encryption: Select a Phase 2 security association (SA) cipher that is supported by your on-premises VPN gateway.
- Tunnel Digest Algorithm (IPSec Profile): Select a Phase 2 digest algorithm that is supported by your on-premises VPN gateway.
  Note: If you specify a GCM-based cipher for Tunnel Encryption, set Tunnel Digest Algorithm to None. The digest function is integral to the GCM cipher.
- Perfect Forward Secrecy: Enable or Disable to match the setting of your on-premises VPN gateway. Enabling Perfect Forward Secrecy prevents recorded (past) sessions from being decrypted if the private key is ever compromised.
- Diffie Hellman Group (IPSec Profile): Select a Diffie Hellman group that is supported by your on-premises VPN gateway. This value must be identical for both ends of the VPN tunnel. Higher group numbers offer better protection. The best practice is to select group 14 or higher.
- DPD Probe Mode: One of Periodic or On Demand.
  For a periodic DPD probe mode, a DPD probe is sent every time the specified DPD probe interval time is reached.
  For an on-demand DPD probe mode, a DPD probe is sent if no IPSec packet is received from the peer site after an idle period. The value in DPD Probe Interval determines the idle period used.
- Retry Count: Integer number of retries allowed. Values in the range 1 - 100 are valid. The default retry count is 10.
- DPD Probe Interval: The number of seconds you want the NSX IKE daemon to wait between sending the DPD probes.
  For a periodic DPD probe mode, the valid values are between 3 and 360 seconds. The default value is 60 seconds.
  For an on-demand probe mode, the valid values are between 1 and 10 seconds. The default value is 3 seconds.
  When the periodic DPD probe mode is set, the IKE daemon sends a DPD probe periodically. If the peer site responds within half a second, the next DPD probe is sent after the configured DPD probe interval time has been reached. If the peer site does not respond, the DPD probe is sent again after waiting for half a second. If the remote peer site continues not to respond, the IKE daemon resends the DPD probe until a response is received or the retry count has been reached. Before the peer site is declared dead, the IKE daemon resends the DPD probe up to the maximum number of times specified in the Retry Count property. After the peer site is declared dead, NSX tears down the security association (SA) on the dead peer's link.
  When the on-demand DPD mode is set, the DPD probe is sent only if no IPSec traffic is received from the peer site after the configured DPD probe interval time has been reached.
- Admin Status: To enable or disable the DPD profile, click the Admin Status toggle. By default, the value is set to Enabled. When the DPD profile is enabled, it is used for all IPSec sessions in the IPSec VPN service that uses the DPD profile.
- TCP MSS Clamping: To use TCP MSS Clamping to reduce the maximum segment size (MSS) payload of the TCP session during the IPsec connection, toggle this option to Enabled, then select the TCP MSS Direction and optionally the TCP MSS Value. See Understanding TCP MSS Clamping in the NSX Data Center Administration Guide.
- (Optional) Tag the VPN.
See Add Tags to an Object in the NSX Data Center Administration Guide for more information about tagging NSX objects.
- Click SAVE to create the VPN.
- Add a Compute Gateway firewall rule that allows IPsec VPN traffic through the Internet interface of the CGW.
Open the Gateway Firewall tab and click Compute Gateway. A rule like this one will work but is probably more permissive than you'd want for production use. Consider restricting the Sources to a CIDR block that you trust or control. In this example, we're using the public IP address we got in Step 4 (18.104.22.168) as the Destinations address.
| Name | Sources | Destinations | Services | Applied To | Action |
|---|---|---|---|---|---|
| VPN Access | Any | 22.214.171.124 | Must include IKE (NAT Traversal), IKE (Key Exchange), IPSec VPN ESP | Internet Interface | Allow |
- Create a NAT rule to make the public IP address of the VPN externally accessible.
Navigate to the NAT page, click Add NAT Rule, and create a NAT rule like this one.
| Name | Public IP | Service | Public Port | Internal IP | Firewall |
|---|---|---|---|---|---|
| VPN Access | 126.96.36.199 | All Traffic | Any | 188.8.131.52 | Match External Address |
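The Advanced Tunnel Parameters step above carries several constraints that are easy to get wrong when matching an on-premises gateway (GCM ciphers require IKE V2 and no separate digest, DPD intervals depend on the probe mode, the preshared key is capped at 128 characters). The following is an added pre-flight checker for those rules; it is example code written for this page, not part of the VMware documentation or the NSX product, and the cipher names, field names and the TunnelParams structure are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

DPD_INTERVAL_LIMITS = {"Periodic": (3, 360), "On Demand": (1, 10)}  # seconds, per DPD Probe Mode
DPD_RETRY_RANGE = (1, 100)     # Retry Count; default is 10
MAX_PSK_LENGTH = 128           # Preshared Key
RECOMMENDED_MIN_DH_GROUP = 14  # best practice, not a hard limit

@dataclass
class TunnelParams:  # assumed structure mirroring the UI fields described above
    ike_version: str            # "IKE V1", "IKE V2" or "IKE FLEX"
    ike_encryption: str         # cipher names such as "AES GCM 256" are assumed
    ike_digest: str | None      # None when the cipher is GCM
    ike_dh_group: int
    tunnel_encryption: str
    tunnel_digest: str | None
    pfs_dh_group: int | None    # None when Perfect Forward Secrecy is disabled
    preshared_key: str
    dpd_mode: str               # "Periodic" or "On Demand"
    dpd_interval: int
    dpd_retry_count: int = 10

def is_gcm(cipher: str) -> bool:
    return "GCM" in cipher.upper()  # GCM authenticates itself; no separate digest

def validate(p: TunnelParams) -> list[str]:
    """'error:' findings break the documented rules; 'warning:' findings fall short of best practice."""
    out: list[str] = []
    if not 1 <= len(p.preshared_key) <= MAX_PSK_LENGTH:
        out.append(f"error: Preshared Key must be 1-{MAX_PSK_LENGTH} characters")
    if is_gcm(p.ike_encryption):
        if p.ike_digest is not None:
            out.append("error: IKE Digest Algorithm must be None with a GCM IKE cipher")
        if p.ike_version != "IKE V2":
            out.append("error: a GCM IKE cipher requires IKE V2")
    if is_gcm(p.tunnel_encryption) and p.tunnel_digest is not None:
        out.append("error: Tunnel Digest Algorithm must be None with a GCM tunnel cipher")
    if p.pfs_dh_group is None:
        out.append("warning: PFS disabled; recorded sessions can be decrypted if the key leaks")
    for label, group in (("IKE", p.ike_dh_group), ("PFS", p.pfs_dh_group)):
        if group is not None and group < RECOMMENDED_MIN_DH_GROUP:
            out.append(f"warning: {label} Diffie Hellman group {group} is below group {RECOMMENDED_MIN_DH_GROUP}")
    limits = DPD_INTERVAL_LIMITS.get(p.dpd_mode)
    if limits is None:
        out.append(f"error: unknown DPD Probe Mode {p.dpd_mode!r}")
    elif not limits[0] <= p.dpd_interval <= limits[1]:
        out.append(f"error: {p.dpd_mode} DPD Probe Interval must be {limits[0]}-{limits[1]} seconds")
    if not DPD_RETRY_RANGE[0] <= p.dpd_retry_count <= DPD_RETRY_RANGE[1]:
        out.append("error: Retry Count must be 1-100")
    return out
```

Run `validate()` on the parameters you intend to enter for both tunnel ends; an empty list means the settings are consistent with the rules in this page, and any "warning:" entry is a deliberate choice worth recording.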