Configure an IPsec VPN between your on-premises data center and cloud SDDC to allow easier and more secure communication between the two.

About this task

Creating a management VPN allows you to securely access the vCenter Server system and Content Library deployed in your SDDC. You don't have to set up a VPN connection, but transferring virtual machine templates and disk images into your SDDC in the cloud is easier if you do.

Prerequisites

Configuring a management VPN requires the following:

  • An on-premises router or firewall capable of terminating an IPsec VPN, such as Cisco ISR, Cisco ASA, Check Point firewall, Juniper SRX, NSX Edge, or any other device capable of IPsec tunneling.

  • The router or firewall should be configured with cryptography settings as described in Recommended On-Premises VPN Settings.

  • If your on-premises gateway is behind another firewall, allow IPsec VPN traffic to pass through that firewall to reach your device:

    • Open UDP port 500 so that Internet Security Association and Key Management Protocol (ISAKMP) traffic is forwarded through the firewall.

    • If the gateway is also behind NAT, open UDP port 4500 as well; IPsec NAT traversal (NAT-T) carries both IKE and ESP inside UDP on that port.

    • Allow IP protocol 50 so that IPsec Encapsulating Security Payload (ESP) traffic is forwarded through the firewall.

    • Allow IP protocol 51 so that Authentication Header (AH) traffic is forwarded through the firewall.

Procedure

  1. Configure the Management Gateway side of the tunnel.
    1. Log in to the VMC Console at https://vmc.vmware.com.
    2. Navigate to the Networking tab of your SDDC.
    3. Under Management Gateway, click VPN and then Add VPN.
    4. Complete the Management Gateway VPN configuration.

      VPN Name: Enter a name for the VPN.

      Remote Gateway Public IP: Enter the public IP address of your on-premises gateway.

      Remote Gateway Private IP: If your on-premises gateway is behind NAT, enter the private IP address of the gateway.

      Remote Networks: Enter the address (CIDR block) of your on-premises management network.

      Local Gateway IP: Displays the public IP address of the management gateway. This field is not editable.

      Local Network: Displays the CIDR block of the management subnet for the management gateway. This field is not editable.

      Encryption: Select AES-256.

      Perfect Forward Secrecy: Select Enabled.

      Diffie Hellman: Select DH2 (the 1024-bit MODP group, group 2). The on-premises peer must be configured with the same group, or IKE negotiation fails.

      Pre-Shared Key: Enter a pre-shared key, a string of at most 128 characters that the two ends of the tunnel use to authenticate each other. Use a long, randomly generated value rather than a memorable passphrase, enter the identical value on the on-premises device, and keep it out of tickets and chat logs: anyone who holds the key can authenticate as either end of the tunnel.

  2. Configure the on-premises side of the tunnel.

    Configuration of the gateway device in your on-premises data center might need to be performed by a member of your networking team. Consult the documentation for your gateway or firewall device to learn how to configure it to match the VPN settings you configured on the Management Gateway: the same encryption, PFS, DH group and pre-shared key, and the same local and remote networks, mirrored.
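    The following is an added example, not code from the original page or from VMware: it renders the on-premises side for a Linux gateway running strongSwan, together with the rules for a firewall in front of it from the Prerequisites section, using the parameters entered in the console above. The addresses are assumed values from the RFC 5737 documentation ranges, and the hash (SHA-1), IKE version (IKEv1, main mode) and lifetimes are assumptions, since the page only fixes AES-256, PFS, DH2 and a pre-shared key. The functions only print the rules and files; applying them on the gateway is the operator's step.

```shell
#!/bin/sh
# Added example (not from the original page): on-premises strongSwan peer and
# front firewall rules for the Management Gateway VPN described above.
# Assumed values: RFC 5737 addresses, SHA-1 integrity, IKEv1 main mode,
# 8h/1h lifetimes. Replace with your own before use.

ONPREM_PUBLIC_IP="203.0.113.10"    # entered as "Remote Gateway Public IP"
ONPREM_MGMT_NET="192.168.10.0/24"  # entered as "Remote Networks"
SDDC_GATEWAY_IP="198.51.100.20"    # shown as "Local Gateway IP" (read-only)
SDDC_MGMT_NET="10.2.0.0/24"        # shown as "Local Network" (read-only)

# Prerequisites: iptables rules for a firewall between the Internet and the
# gateway. Lets ISAKMP (UDP/500), NAT-T (UDP/4500), ESP (IP protocol 50) and
# AH (IP protocol 51) reach the gateway and return from it.
firewall_rules() {
    gw="$1"
    cat <<EOF
iptables -A FORWARD -d $gw -p udp --dport 500  -j ACCEPT
iptables -A FORWARD -s $gw -p udp --sport 500  -j ACCEPT
iptables -A FORWARD -d $gw -p udp --dport 4500 -j ACCEPT
iptables -A FORWARD -s $gw -p udp --sport 4500 -j ACCEPT
iptables -A FORWARD -d $gw -p 50 -j ACCEPT
iptables -A FORWARD -s $gw -p 50 -j ACCEPT
iptables -A FORWARD -d $gw -p 51 -j ACCEPT
iptables -A FORWARD -s $gw -p 51 -j ACCEPT
EOF
}

# Pre-shared key: 64 random alphanumeric characters, well under the
# 128-character limit the console imposes and safe to paste into any device.
gen_psk() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 64
}

# Rejects keys the console would not accept: empty, or longer than 128.
psk_ok() {
    key="$1"
    [ -n "$key" ] && [ "${#key}" -le 128 ]
}

# /etc/ipsec.conf: one policy-based connection whose proposals match the
# console settings. aes256 = Encryption AES-256; modp1024 = DH group 2 (DH2);
# modp1024 on the esp= line = Perfect Forward Secrecy with that same group.
# The trailing "!" makes strongSwan refuse any other proposal from the peer.
# If the gateway sits behind NAT, %defaultroute resolves to its private
# address (the console's "Remote Gateway Private IP"); leftid stays public.
ipsec_conf() {
    cat <<EOF
conn vmc-mgmt
    keyexchange=ikev1
    aggressive=no
    authby=secret
    left=%defaultroute
    leftid=$ONPREM_PUBLIC_IP
    leftsubnet=$ONPREM_MGMT_NET
    right=$SDDC_GATEWAY_IP
    rightsubnet=$SDDC_MGMT_NET
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1-modp1024!
    ikelifetime=8h
    lifetime=1h
    dpdaction=restart
    auto=start
EOF
}

# /etc/ipsec.secrets: the same key typed into the console, keyed by both peers.
ipsec_secrets() {
    cat <<EOF
$ONPREM_PUBLIC_IP $SDDC_GATEWAY_IP : PSK "$1"
EOF
}

# Usage when run directly: print the firewall rules and both strongSwan files.
psk="$(gen_psk)"
psk_ok "$psk" || { echo "generated PSK is invalid" >&2; exit 1; }
firewall_rules "$ONPREM_PUBLIC_IP"
ipsec_conf
ipsec_secrets "$psk"
```

    Note that the subnets are mirrored: what the console calls Local Network is rightsubnet here, and Remote Networks is leftsubnet. A mismatch in either the subnets or the DH group is the usual reason a tunnel that authenticates fine never passes traffic.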

Results

When the VPN tunnel is configured, verify connectivity both in the VMC Console, where the tunnel should show as connected, and by opening the vCenter Server deployed in your SDDC in a Web browser from the on-premises management network.