Configuration of the gateway device in your on-premises data center might need to be performed by a member of your networking team. Consult the documentation for your gateway or firewall device to learn how to configure it to match the VPN settings you've configured.
- An on-premises router or firewall capable of terminating an IPsec VPN, such as Cisco ISR, Cisco ASA, CheckPoint Firewall, Juniper SRX, NSX Edge, or any other device capable of IPsec tunneling.
The SDDC end of an IPSec VPN supports only time-based rekeying. Your on-premises device must disable lifebytes rekeying.
Do not configure the on-premises side of the VPN to have an idle timeout (for example, the NSX Session idle timeout setting). On-premises idle timeouts can cause the VPN to become periodically disconnected.
- If your on-premises gateway is behind another firewall, you must configure that firewall to forward IPsec VPN protocol traffic:
- Open UDP port 500 to allow Internet Security Association and Key Management Protocol (ISAKMP) traffic to be forwarded through the firewall.
- Set IP protocol ID 50 to allow IPsec Encapsulating Security Protocol (ESP) traffic to be forwarded through the firewall.
- Set IP protocol ID 51 to allow Authentication Header (AH) traffic to be forwarded through the firewall.
- Navigate to the Network tab of your SDDC.
- Under Management Gateway, click IPsec VPNs and open the VPN that you created in the SDDC.
- Download the SDDC management VPN configuration details.
Under Remote VPN Config File, click Download to download a configuration file listing the configuration parameters for the SDDC side of the management VPN.
- Configure the on-premises management VPN.
Example: VPN Configuration File
# Configuration for IPsec VPN connection # # Peer NSX Edge and IPSec Site configuration details. # # IPsec site Id : ipsecsite-17 # IPsec site name : VPN1 # IPsec site description: # IPsec site enabled : true # IPsec site vpn type : Policy based VPN # NSX Edge Id : edge-1 # Feature version : 45 # Time stamp : 040618_182347GMT # # Internet Key Exchange Configuration # Phase 1 # Configure the IKE SA as outlined below IKE version : ikev1 Connection initiation mode : initiator Authentication method : psk Pre shared key : 123456 Authentication algorithm : sha1 Encryption algorithm : aes256 SA life time : 28800 seconds Phase 1 negotiation mode : main DH group : DH14 # IPsec_configuration # Phase 2 # Configure the IPsec SA as outlined below Protocol : ESP Authentication algorithm : sha1 Sa life time : 3600 seconds Encryption algorithm : aes256 Encapsulation mode : Tunnel mode Enable perfect forward secrecy : true Perfect forward secrecy DH group: DH14 # Peer configuration Peer address : 126.96.36.199 # Peer gateway public IP. Peer id : 188.8.131.52 Peer subnets : [ 10.2.0.0/16 ] # IPsec Dead Peer Detection (DPD) settings DPD enabled : true DPD interval : 30 seconds DPD timeout : 150 seconds # Local configuration Local address : 184.108.40.206 # Local gateway public IP. Local id : 220.127.116.11 Local subnets : [ 10.101.101.0/24 ]
What to do next
Configure firewall rules to manage traffic between the on-premises and SDDC ends of the management VPN. By default, your new management gateway firewall rules deny all traffic through the firewall. The firewall rules accelerator provides a set of predefined firewall rules that are likely to be appropriate for most new installations.