A policy-based VPN creates an IPsec tunnel and a policy that specifies how traffic uses it. When you use a policy-based VPN, you must update the routing tables on both ends of the network when new routes are added.

Policy-based VPNs in your VMware Cloud on AWS SDDC use an IPsec protocol to secure traffic. To create a policy-based VPN, you configure the local (SDDC) endpoint, then configure a matching remote (on-premises) endpoint. Because each policy-based VPN must create a new IPsec security association for each network, an administrator must update routing information on premises and in the SDDC whenever a new policy-based VPN is created. A policy-based VPN can be an appropriate choice when you have only a few networks on either end of the VPN, or if your on-premises network hardware does not support BGP (which is required for route-based VPNs).

Procedure

  1. Log in to the VMC Console at https://vmc.vmware.com.
  2. Select Networking & Security > VPN > Policy Based.
  3. Click ADD VPN and give the new VPN a Name.
  4. Select a Local IP Address for the VPN.
    Specify a public IP address to have the VPN connect over the Internet. If you have configured AWS Direct Connect for this SDDC, you can select an available private IP address to create a VPN that uses Direct Connect and a private VIF. See Using AWS Direct Connect with VMware Cloud on AWS for more information about Direct Connect.
    Note: Because of the way Direct Connect handles the security association (SA) required by the IPSec protocol (only a single SA is supported), a route-based VPN is usually a better choice for use with Direct Connect. And while you can configure a policy-based VPN to use Direct Connect, you cannot configure Direct Connect failover to a policy-based VPN.
  5. Enter the Remote Public IP address of your on-premises gateway.
    This IP address must be reachable over the Internet if you specified a public IP in Step 4. If you specified a private IP, it must be reachable over Direct Connect to a private VIF. Default gateway firewall rules allow inbound and outbound traffic over the VPN connection, but you must create firewall rules to manage traffic over the VPN tunnel.
  6. (Optional) If your on-premises gateway is behind a NAT device, enter the gateway address as the Remote Private IP.
    This IP address must match the local identity (IKE ID) sent by the on-premises VPN gateway. If this field is empty, the Remote Public IP field is used to match the local identity of the on-premises VPN gateway.
  7. Specify the Remote Networks that this VPN can connect to.
    This list must include all networks defined as local by the on-premises VPN gateway. ‚ÄčEnter each network in CIDR format, separating multiple CIDR blocks with commas.
  8. Specify the Local Networks that this VPN can connect to.
    This list includes all routed compute networks in the SDDC, as well as the entire Management network and the appliance subnet (a subset of the Management network that includes vCenter and other management appliances, but not the ESXi hosts). It also includes the CGW DNS Network, a single IP address used to source requests forwarded by the CGW DNS service.
  9. Configure Advanced Tunnel Parameters.
    Option Description
    Tunnel Encryption Select a Phase 2 security association (SA) cipher that is supported by your on-premises VPN gateway.
    Tunnel Digest Algorithm Select a Phase 2 digest algorithm that is supported by your on-premises VPN gateway.
    Note:

    If you specify a GCM-based cipher for Tunnel Encryption, set Tunnel Digest Algorithm to None. The digest function is integral to the GCM cipher.

    Perfect Forward Secrecy Enable or Disable to match the setting of your on-premises VPN gateway. Enabling Perfect Forward Secrecy prevents recorded (past) sessions from being decrypted if the private key is ever compromised.
    IKE Encryption Select a Phase 1 (IKE) cipher that is supported by your on-premises VPN gateway.
    IKE Digest Algorithm Select a Phase 1 digest algorithm that is supported by your on-premises VPN gateway. The best practice is to use the same algorithm for both the IKE Digest Algorithm and the Tunnel Digest Algorithm.
    Note:

    If you specify a GCM-based cipher for IKE Encryption, set IKE Digest Algorithm to None. The digest function is integral to the GCM cipher. You must use IKE V2 if you use a GCM-based cipher

    .
    IKE Type
    • Specify IKE V1 to initiate and accept the IKEv1 protocol.
    • Specify IKE V2 to initiate and accept the IKEv2 protocol. You must use IKEv2 if you have specified a GCM-based IKE Digest Algorithm.
    • Specify IKE FLEX to accept either IKEv1 or IKEv2 and then initiate using IKEv2. If IKEv2 initiation fails, IKE FLEX will not fall back to IKEv1.
    Diffie Hellman Select a Diffie Hellman group that is supported by your on-premises VPN gateway. This value must be identical for both ends of the VPN tunnel. Higher group numbers offer better protection. The best practice is to select group 14 or higher.
    Preshared Key Enter a preshared key used by both ends of the tunnel to authenticate with each other.

    The string has a maximum length of 128 characters.

  10. Click Save.

Results

The VPN creation process might take a few minutes. When the policy-based VPN becomes available, the following actions are available to help you with troubleshooting and configuring the on-premises end of the VPN:
  • Click DOWNLOAD CONFIG to download a file that contains VPN configuration details. You can use these details to configure the on-premises end of this VPN.
  • Click VIEW STATISTICS to view packet traffic statistics for this VPN. See View VPN Tunnel Status and Statistics.

What to do next

Create or update firewall rules as needed. To allow traffic through the policy-based VPN, specify Internet Interface in the Applied to field.