Configure an IPsec VPN between your on-premises data center and cloud SDDC to allow easier and more secure communication between the two.
About this task
Creating a management VPN allows you to securely access the vCenter Server system and Content Library deployed in your SDDC. You don't have to set up a VPN connection, but transferring virtual machine templates and disk images into your SDDC in the cloud is easier if you do.
Configuring a management VPN requires the following:
- An on-premises router or firewall capable of terminating an IPsec VPN, such as Cisco ISR, Cisco ASA, CheckPoint Firewall, Juniper SRX, NSX Edge, or any other device capable of IPsec tunneling.
- The router or firewall should be configured with cryptography settings as described in Recommended On-Premises VPN Settings.
- If your on-premises gateway is behind another firewall, allow IPsec VPN traffic to pass through the firewall to reach your device by doing the following:
  - Open UDP port 500 to allow Internet Security Association and Key Management Protocol (ISAKMP) traffic to be forwarded through the firewall.
  - Set IP protocol ID 50 to allow IPsec Encapsulating Security Payload (ESP) traffic to be forwarded through the firewall.
  - Set IP protocol ID 51 to allow Authentication Header (AH) traffic to be forwarded through the firewall.
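The three passthrough allowances above are easy to get half right on an intermediary firewall. The following checker is an added example (not VMware's code or part of the original page): it reads an iptables-save dump from the firewall in front of the on-premises gateway and reports which of the required allowances (ISAKMP on UDP 500, ESP as IP protocol 50, AH as IP protocol 51) are not accepted in the FORWARD chain for the gateway's address. The dump and the gateway address 203.0.113.5 are constructed sample values.

```python
import re

# Required allowances from the page: ISAKMP on UDP 500, ESP (IP protocol 50), AH (IP protocol 51).
# Protocol names as iptables-save prints them, plus their numeric forms.
REQUIRED = {
    "isakmp": {"proto": {"udp", "17"}, "dport": "500"},
    "esp":    {"proto": {"esp", "50"}, "dport": None},
    "ah":     {"proto": {"ah", "51"},  "dport": None},
}

_RULE = re.compile(r"^-A (?P<chain>\S+)(?P<body>.*)-j (?P<target>\S+)\s*$")

def _opt(body, flag):
    """Return the argument following a single option flag (e.g. '-p udp' -> 'udp'), or None."""
    m = re.search(rf"(?:^|\s){re.escape(flag)}\s+(\S+)", body)
    return m.group(1) if m else None

def _covers(dest_opt, gateway_ip):
    # A rule without -d matches any destination; otherwise require the gateway host itself.
    return dest_opt is None or dest_opt in (gateway_ip, gateway_ip + "/32")

def missing_passthrough(iptables_save_text, gateway_ip, chain="FORWARD"):
    """Names of required allowances that have no ACCEPT rule in `chain` reaching gateway_ip."""
    found = set()
    for line in iptables_save_text.splitlines():
        m = _RULE.match(line.strip())
        if not m or m.group("chain") != chain or m.group("target") != "ACCEPT":
            continue
        body = m.group("body")
        if not _covers(_opt(body, "-d"), gateway_ip):
            continue
        proto = _opt(body, "-p")
        for name, req in REQUIRED.items():
            if proto in req["proto"] and (req["dport"] is None or _opt(body, "--dport") == req["dport"]):
                found.add(name)
    return [name for name in REQUIRED if name not in found]

# Constructed sample dump: ISAKMP and ESP are forwarded to the gateway, AH is dropped.
SAMPLE_DUMP = """\
*filter
:FORWARD DROP [0:0]
-A FORWARD -d 203.0.113.5/32 -p udp -m udp --dport 500 -j ACCEPT
-A FORWARD -d 203.0.113.5/32 -p esp -j ACCEPT
-A FORWARD -d 203.0.113.5/32 -p ah -j DROP
COMMIT
"""

if __name__ == "__main__":
    print(missing_passthrough(SAMPLE_DUMP, "203.0.113.5"))  # ['ah']
```

The page's list covers the non-NAT case only; when the on-premises gateway is itself behind NAT, IPsec NAT traversal additionally uses UDP 4500, which this checker does not require because the page does not list it.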
- Configure the Management Gateway side of the tunnel.
  - Log in to the VMC Console at https://vmc.vmware.com.
  - Navigate to the Networking tab of your SDDC.
  - Under Management Gateway, click IPsec VPNs and then Add VPN.
  - Complete the Management Gateway VPN configuration.
    Name
        Enter a name for the VPN.
    Remote Gateway Public IP
        Enter the IP address of your on-premises gateway.
    Remote Gateway Private IP
        If your on-premises gateway is behind NAT, provide the private IP address of the gateway.
    Remote Network
        Enter the address of your on-premises management network.
    Local Gateway IP
        Displays the public IP address of the management gateway. This is not an editable field.
    Local Network
        Displays the CIDR block of the management subnet for the management gateway. This is not an editable field.
    Perfect Forward Secrecy
        Select a Diffie-Hellman group. Ensure that you use the same group in your on-premises VPN gateway settings.
    Pre-Shared Key
        Enter a pre-shared key. The key is a string with a maximum length of 128 characters that is used by the two ends of the VPN tunnel to authenticate with each other.
  - (Optional) Under VPN Peer Configuration, click Download to download a configuration file listing the configuration parameters needed to configure your on-premises gateway.
- Configure the on-premises side of the tunnel.
  Configuration of the gateway device in your on-premises data center might need to be performed by a member of your networking team. Consult the documentation for your gateway or firewall device to learn how to configure it to match the VPN settings you've configured.
When the VPN tunnel is configured, you should be able to verify connectivity both in the VMC Console and by accessing the vCenter Server deployed in your environment with a Web browser.