The on-premises end of any IPsec VPN must be configured to reflect the settings you specified for the SDDC end of that VPN.

The following tables summarize the available SDDC IPsec VPN settings. Some settings are configurable; others are static. Use this information to verify that your on-premises VPN solution can be configured to match the SDDC end. Choose an on-premises VPN solution that supports all of the static settings and, for each configurable setting, at least one of the allowed values listed in these tables.

Phase 1 Internet Key Exchange (IKE) Settings

Table 1. Configurable IKE Phase 1 Settings

| Attribute            | Allowed Values          | Recommended Value |
|----------------------|-------------------------|-------------------|
| Protocol             | IKEv1, IKEv2            | any               |
| Encryption Algorithm | AES-256, AES-GCM, AES   | any               |
| Hashing Algorithm    | SHA-1, SHA-256          | any               |
| Diffie Hellman       | DH Groups 2, 5, 14-16   | DH Group 14       |

Table 2. Static IKE Phase 1 Settings

| Attribute              | Value                               |
|------------------------|-------------------------------------|
| ISAKMP mode            | Main mode (Disable aggressive mode) |
| ISAKMP/IKE SA lifetime | 28800 seconds                       |
| IPsec Mode             | Tunnel                              |
| IKE Authentication     | Pre-Shared Key                      |

Phase 2 Settings

Table 3. Configurable IKE Phase 2 Settings

| Attribute                     | Allowed Values          | Recommended Value |
|-------------------------------|-------------------------|-------------------|
| Encryption Algorithm          | AES-256, AES-GCM, AES   | any               |
| Perfect forward secrecy (PFS) | Enabled, Disabled       | any               |
| Diffie Hellman                | DH Groups 2, 5, 14-16   | DH Group 14       |

Table 4. Static IKE Phase 2 Settings

| Attribute         | Value                                |
|-------------------|--------------------------------------|
| Hashing Algorithm | SHA-1                                |
| Tunnel Mode       | Encapsulating Security Payload (ESP) |
| SA lifetime       | 3600 seconds (one hour)              |

On-Premises IPsec VPN Configuration

From the Network tab of your SDDC under Management Gateway, you can download a Remote VPN Config File that lists all settings of the SDDC side of the management VPN. Use the settings in that file to configure the on-premises side of the management VPN.

Note:

Do not configure the on-premises side of the VPN to have an idle timeout (for example, the NSX Session idle timeout setting). On-premises idle timeouts can cause the VPN to become periodically disconnected.
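As an added example (not from the original documentation and not VMware code), the following Python script encodes Tables 1 through 4 and the idle-timeout note as a compatibility check that you can run against a description of your on-premises VPN proposal before you configure the device. The dictionary layout, the key names, the value spellings and the two sample proposals are assumptions constructed for this example.

```python
"""Check an on-premises IPsec VPN proposal against the SDDC IPsec VPN settings.

Added example for this page; it is not part of the original documentation and
not VMware code. The proposal layout, key names and value spellings are
assumptions made for this example; the constraints are transcribed from
Tables 1-4 and from the note about idle timeouts.
"""

# Configurable Phase 1 (IKE) settings: the on-premises value must be one of these.
PHASE1_CONFIGURABLE = {
    "protocol": {"IKEv1", "IKEv2"},
    "encryption": {"AES-256", "AES-GCM", "AES"},
    "hash": {"SHA-1", "SHA-256"},
    "dh_group": {2, 5, 14, 15, 16},      # DH Groups 2, 5, 14-16
}

# Static Phase 1 settings: the on-premises value must match exactly.
PHASE1_STATIC = {
    "isakmp_mode": "main",               # aggressive mode must be disabled
    "ike_sa_lifetime": 28800,            # seconds
    "ipsec_mode": "tunnel",
    "authentication": "psk",             # pre-shared key
}

# Configurable and static Phase 2 settings (Tables 3 and 4).
PHASE2_CONFIGURABLE = {
    "encryption": {"AES-256", "AES-GCM", "AES"},
    "pfs": {True, False},                # PFS enabled or disabled
    "dh_group": {2, 5, 14, 15, 16},
}
PHASE2_STATIC = {
    "hash": "SHA-1",
    "tunnel_mode": "ESP",
    "sa_lifetime": 3600,                 # seconds (one hour)
}

RECOMMENDED_DH_GROUP = 14


def _check_phase(name, settings, configurable, static):
    """Compare one phase's settings against its allowed and static values."""
    problems = []
    for key, allowed in configurable.items():
        value = settings.get(key)
        if value not in allowed:
            problems.append(f"{name}.{key}={value!r} is not one of "
                            f"{sorted(allowed, key=str)}")
    for key, expected in static.items():
        value = settings.get(key)
        if value != expected:
            problems.append(f"{name}.{key}={value!r} must be {expected!r}")
    return problems


def check_proposal(proposal):
    """Return a list of mismatches; an empty list means the proposal can be
    matched to the SDDC side of the VPN."""
    problems = []
    problems += _check_phase("phase1", proposal.get("phase1", {}),
                             PHASE1_CONFIGURABLE, PHASE1_STATIC)
    problems += _check_phase("phase2", proposal.get("phase2", {}),
                             PHASE2_CONFIGURABLE, PHASE2_STATIC)
    # The page's note: the on-premises side must not have an idle timeout.
    if proposal.get("idle_timeout"):
        problems.append(f"idle_timeout={proposal['idle_timeout']!r} must not be "
                        "set (idle timeouts cause periodic disconnects)")
    return problems


def recommendations(proposal):
    """Non-blocking advice: flag DH groups other than the recommended Group 14."""
    notes = []
    for phase in ("phase1", "phase2"):
        group = proposal.get(phase, {}).get("dh_group")
        if group is not None and group != RECOMMENDED_DH_GROUP:
            notes.append(f"{phase}.dh_group={group}: DH Group "
                         f"{RECOMMENDED_DH_GROUP} is recommended")
    return notes


# Constructed sample proposals (assumed layout, not real device output).
COMPATIBLE_PROPOSAL = {
    "phase1": {"protocol": "IKEv2", "encryption": "AES-256", "hash": "SHA-256",
               "dh_group": 14, "isakmp_mode": "main", "ike_sa_lifetime": 28800,
               "ipsec_mode": "tunnel", "authentication": "psk"},
    "phase2": {"encryption": "AES-256", "pfs": True, "dh_group": 14,
               "hash": "SHA-1", "tunnel_mode": "ESP", "sa_lifetime": 3600},
    "idle_timeout": None,
}
INCOMPATIBLE_PROPOSAL = {
    "phase1": {"protocol": "IKEv2", "encryption": "AES-256", "hash": "SHA-256",
               "dh_group": 19, "isakmp_mode": "aggressive",
               "ike_sa_lifetime": 28800, "ipsec_mode": "tunnel",
               "authentication": "psk"},
    "phase2": {"encryption": "AES-256", "pfs": True, "dh_group": 14,
               "hash": "SHA-256", "tunnel_mode": "ESP", "sa_lifetime": 3600},
    "idle_timeout": 600,
}

if __name__ == "__main__":
    for label, prop in (("compatible", COMPATIBLE_PROPOSAL),
                        ("incompatible", INCOMPATIBLE_PROPOSAL)):
        print(label, check_proposal(prop) or "OK", recommendations(prop))
```

Run it as a script to see both sample proposals evaluated; the incompatible one is rejected for an unsupported DH group, aggressive mode, a Phase 2 hash other than SHA-1, and a configured idle timeout, while a non-recommended DH group is reported separately as advice rather than as a mismatch.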