A route-based VPN creates an IPsec tunnel interface and routes traffic through it as dictated by the SDDC routing table. A route-based VPN provides resilient, secure access to multiple VMware Cloud on AWS subnets. When you use a route-based VPN, new routes are added automatically when new networks are created.

Note:

This topic explains how to create a route-based VPN that connects to the SDDC's default public or private IP. If your SDDC has additional Tier-1 gateways (see Add a Custom Tier-1 Gateway to a VMware Cloud on AWS SDDC), you can click OPEN NSX MANAGER and add IPv4 or IPv6 VPN services that terminate on those gateways. See Adding VPN Services in the NSX Data Center Administration Guide.

In VMware Cloud on AWS, VPN services to a Tier-1 gateway do not support BGP.

Route-based VPNs in your VMware Cloud on AWS SDDC use IPsec to secure traffic and the Border Gateway Protocol (BGP) to discover and propagate routes as networks are added and removed. To create a route-based VPN, you configure BGP information for the local (SDDC) and remote (on-premises) endpoints, then specify tunnel security parameters for the SDDC end of the tunnel.

Procedure

  1. Log in to VMware Cloud Services at https://vmc.vmware.com.
  2. Click Inventory > SDDCs, then pick an SDDC card and click VIEW DETAILS.
  3. Click OPEN NSX MANAGER and log in with the NSX Manager Admin User Account shown on the SDDC Settings page. See SDDC Network Administration with NSX Manager.
    You can also use the VMware Cloud Console Networking & Security tab for this workflow.
  4. Click VPN > Route Based.
  5. (Optional) Change the default local Autonomous System Number (ASN).
    All route-based VPNs in the SDDC default to ASN 65000. The local ASN must be different from the remote ASN: only eBGP is supported, and iBGP, which requires the local and remote ASNs to be the same, is not supported in SDDC networks. To change the default local ASN, click EDIT LOCAL ASN, enter a new value in the range 64521 to 65534 (or 4200000000 to 4294967294), and click APPLY.
    Note: Any change to this value affects all route-based VPNs in this SDDC.
  6. Click ADD VPN and give the new VPN a Name and an optional Description.
  7. Select a Local IP Address from the drop-down menu.
    • If this SDDC is a member of an SDDC group or has been configured to use AWS Direct Connect, select the private IP address to have the VPN use that connection rather than a connection over the Internet. Note that VPN traffic over Direct Connect or VMware Managed Transit Gateway (VTGW) is limited to the default MTU of 1500 bytes even if the link supports a higher MTU. See Configure Direct Connect to a Private Virtual Interface for SDDC Management and Compute Network Traffic.
    • Select the public IP address if you want the VPN to connect over the Internet.
  8. For Remote Public IP, enter the address of your on-premises VPN endpoint.
    This is the address of the device that initiates or responds to IPsec requests for this VPN. This address must meet the following requirements:
    • It must not already be in use for another VPN. Because VMware Cloud on AWS uses the same local public IP for all VPN connections, only a single VPN connection (route-based, policy-based, or L2VPN) can be created to a given remote public IP.
    • It must be reachable over the Internet if you specified a public IP in Step 7.
    • It must be reachable over VTGW or Direct Connect to a private VIF if you specified a private IP in Step 7.
  9. For BGP Local IP/Prefix Length, enter a local BGP address with a /30 prefix length, taken from a /30 block within the 169.254.0.0/16 subnet.

    Some blocks in this range are reserved, as noted in Reserved Network Addresses. If you can't use a network from the 169.254.0.0/16 subnet (due to a conflict with an existing network), you must create a firewall rule that allows traffic from the BGP service to the subnet you choose here. See Add or Modify Compute Gateway Firewall Rules.

    The BGP Local IP/Prefix Length specifies both a local subnet and an IP address in it, so the value you enter must be the second or third address in a /30 range and include the /30 suffix. For example, a BGP Local IP/Prefix Length of 169.254.32.1/30 creates network 169.254.32.0 and assigns 169.254.32.1 as the local BGP IP (also known as the Virtual Tunnel Interface, or VTI).

  10. For BGP Remote IP, enter the remaining IP address from the range you specified in Step 9.
    For example, if you specified a BGP Local IP/Prefix Length of 169.254.32.1/30, use 169.254.32.2 for BGP Remote IP. When configuring the on-premises end of this VPN, use the IP address you specify for BGP Remote IP as its local BGP IP or VTI address.
  11. For BGP Neighbor ASN, enter the ASN of your on-premises VPN gateway.
  12. Choose an Authentication Mode.
  13. Specify the Remote Private IP.
    Leave this blank to use the Remote Public IP as the remote ID for IKE negotiation. If your on-premises VPN gateway is behind a NAT device, or otherwise presents an IP other than its public address as its IKE local ID, enter that IP here so that the IKE identity check succeeds.
  14. Configure the Advanced Tunnel Parameters.
    Parameter and value:
    IKE Profile > IKE Encryption: Select a Phase 1 (IKE) cipher that is supported by your on-premises VPN gateway.
    IKE Profile > IKE Digest Algorithm: Select a Phase 1 digest algorithm that is supported by your on-premises VPN gateway. The best practice is to use the same algorithm for both the IKE Digest Algorithm and the Tunnel Digest Algorithm.
    Note: If you specify a GCM-based cipher for IKE Encryption, set IKE Digest Algorithm to None; the digest function is integral to the GCM cipher. You must use IKE V2 if you use a GCM-based cipher.
    IKE Profile > IKE Version:
    • Specify IKE V1 to initiate and accept the IKEv1 protocol.
    • Specify IKE V2 to initiate and accept the IKEv2 protocol. You must use IKE V2 if you have specified a GCM-based cipher for IKE Encryption.
    • Specify IKE FLEX to accept either IKEv1 or IKEv2 and then initiate using IKEv2. If IKEv2 initiation fails, IKE FLEX does not fall back to IKEv1.
    IKE Profile > Diffie Hellman: Select a Diffie Hellman group that is supported by your on-premises VPN gateway. This value must be identical at both ends of the VPN tunnel. Higher group numbers offer better protection; the best practice is to select group 14 or higher.
    IPSec Profile > Tunnel Encryption: Select a Phase 2 security association (SA) cipher that is supported by your on-premises VPN gateway.
    IPSec Profile > Tunnel Digest Algorithm: Select a Phase 2 digest algorithm that is supported by your on-premises VPN gateway.
    Note: If you specify a GCM-based cipher for Tunnel Encryption, set Tunnel Digest Algorithm to None; the digest function is integral to the GCM cipher.
    IPSec Profile > Perfect Forward Secrecy: Enable or Disable to match the setting of your on-premises VPN gateway. Enabling Perfect Forward Secrecy prevents previously recorded sessions from being decrypted if the gateway's long-term key is ever compromised.
    IPSec Profile > Diffie Hellman: Select the Diffie Hellman group used for Phase 2 (Perfect Forward Secrecy) key exchange. It must be supported by your on-premises VPN gateway and identical at both ends of the VPN tunnel. Higher group numbers offer better protection; the best practice is to select group 14 or higher.
    DPD Profile > DPD Probe Mode: One of Periodic or On Demand.
    In Periodic mode, a DPD probe is sent every time the DPD Probe Interval elapses.
    In On Demand mode, a DPD probe is sent only if no IPsec packet has been received from the peer site for an idle period equal to the DPD Probe Interval.
    DPD Profile > Retry Count: Integer number of retries allowed, in the range 1 to 100. The default is 10.
    DPD Profile > DPD Probe Interval: The number of seconds the NSX IKE daemon waits between DPD probes.
    In Periodic mode, valid values are 3 to 360 seconds; the default is 60 seconds.
    In On Demand mode, valid values are 1 to 10 seconds; the default is 3 seconds.
    In Periodic mode, the IKE daemon sends a DPD probe at each interval. If the peer site responds within half a second, the next probe is sent after the full DPD Probe Interval. If the peer site does not respond, the probe is resent after half a second, and this continues until a response is received or the number of resends reaches the Retry Count. At that point the peer site is declared dead and NSX tears down the security associations (SAs) on the dead peer's link.
    In On Demand mode, a probe is sent only when no IPsec traffic has been received from the peer site for the DPD Probe Interval.
    DPD Profile > Admin Status: Use the Admin Status toggle to enable or disable the DPD profile. The default is Enabled. When the DPD profile is enabled, it applies to all IPsec sessions in the IPsec VPN service that uses it.
    TCP MSS Clamping: To have NSX reduce the maximum segment size (MSS) advertised by TCP sessions that traverse the IPsec tunnel, so that encapsulated packets fit the tunnel MTU without fragmentation, toggle this option to Enabled, then select the TCP MSS Direction and optionally the TCP MSS Value. See Understanding TCP MSS Clamping in the NSX Data Center Administration Guide.
  15. (Optional) Under Advanced BGP Parameters, enter a BGP Secret that matches the one used by the on-premises gateway.
  16. (Optional) Tag the VPN.

    See Add Tags to an Object in the NSX Data Center Administration Guide for more information about tagging NSX objects.

  17. Click SAVE.
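The value rules spread across Steps 5 through 14 are easy to get wrong in the form, and a mismatch only shows up later as a tunnel or BGP session that never comes up. The following Python linter is an added example, not code from the VMware Cloud on AWS documentation or from NSX: it derives the BGP Remote IP from the BGP Local IP/Prefix Length, and flags ASN, BGP address, cipher/digest, IKE version, Diffie Hellman group and DPD values that violate the rules stated above. The configuration dictionary, its key names, and the cipher and IKE-version strings (for example AES_GCM_256 and IKE_V2) are assumptions for this example and are not the NSX API schema; the sample values are constructed.

```python
"""Added example (not VMware or NSX code): pre-flight linter for the route-based
VPN parameters described in the procedure. Config keys and enum strings are
assumptions for this example, not the NSX API schema."""
import ipaddress

# Value ranges quoted in the procedure.
PRIVATE_ASN_RANGES = ((64521, 65534), (4200000000, 4294967294))
DPD_INTERVAL_RANGE = {"periodic": (3, 360), "on_demand": (1, 10)}
DPD_RETRY_RANGE = (1, 100)
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def bgp_peer_addresses(local_ip_prefix):
    """Derive (network, local BGP IP, remote BGP IP) from e.g. '169.254.32.1/30'.

    The local IP must be the second or third address of a /30; the remaining
    usable address of that block is the BGP Remote IP.
    """
    iface = ipaddress.ip_interface(local_ip_prefix)
    if iface.network.prefixlen != 30:
        raise ValueError(f"{local_ip_prefix}: prefix length must be /30")
    hosts = list(iface.network.hosts())  # the two usable addresses of a /30
    if iface.ip not in hosts:
        raise ValueError(f"{local_ip_prefix}: local IP must be the second or third address of the /30")
    remote = hosts[1] if iface.ip == hosts[0] else hosts[0]
    return iface.network, iface.ip, remote


def _asn_ok(asn):
    return any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)


def lint_route_based_vpn(cfg, existing_remote_ips=()):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []

    # Steps 5 and 11: ASN range and the eBGP-only rule.
    if not _asn_ok(cfg["local_asn"]):
        problems.append("local ASN outside 64521-65534 / 4200000000-4294967294")
    if cfg["local_asn"] == cfg["neighbor_asn"]:
        problems.append("local and neighbor ASN are equal (iBGP is not supported)")

    # Step 8: only one VPN per remote public IP.
    if cfg["remote_public_ip"] in existing_remote_ips:
        problems.append(f"remote public IP {cfg['remote_public_ip']} already used by another VPN")

    # Steps 9 and 10: /30 inside 169.254.0.0/16 and the matching remote address.
    try:
        net, local, remote = bgp_peer_addresses(cfg["bgp_local_ip_prefix"])
        if not net.subnet_of(LINK_LOCAL):
            problems.append(f"{net} is outside 169.254.0.0/16; a CGW firewall rule for BGP is required")
        if ipaddress.ip_address(cfg["bgp_remote_ip"]) != remote:
            problems.append(f"BGP remote IP should be {remote} for local {local}")
    except ValueError as exc:
        problems.append(str(exc))

    # Step 14: GCM ciphers carry their own integrity check and require IKEv2.
    ike, ipsec = cfg["ike"], cfg["ipsec"]
    if "GCM" in ike["encryption"]:
        if ike["digest"] != "None":
            problems.append("IKE digest must be None with a GCM IKE cipher")
        if ike["version"] != "IKE_V2":
            problems.append("IKE version must be IKE_V2 with a GCM IKE cipher")
    if "GCM" in ipsec["encryption"] and ipsec["digest"] != "None":
        problems.append("tunnel digest must be None with a GCM tunnel cipher")
    for label, group in (("IKE", ike["dh_group"]), ("IPsec", ipsec["dh_group"])):
        if group < 14:
            problems.append(f"{label} Diffie Hellman group {group} is below the recommended minimum of 14")

    # Step 14: DPD interval limits depend on the probe mode.
    dpd = cfg["dpd"]
    lo, hi = DPD_INTERVAL_RANGE[dpd["mode"]]
    if not lo <= dpd["interval"] <= hi:
        problems.append(f"DPD interval {dpd['interval']}s outside {lo}-{hi}s for {dpd['mode']} mode")
    if not DPD_RETRY_RANGE[0] <= dpd["retry_count"] <= DPD_RETRY_RANGE[1]:
        problems.append("DPD retry count outside 1-100")
    return problems


# Constructed sample using the page's worked values (169.254.32.1/30 -> .2).
SAMPLE_VPN = {
    "local_asn": 65000, "neighbor_asn": 65010,
    "remote_public_ip": "203.0.113.10",  # RFC 5737 documentation address
    "bgp_local_ip_prefix": "169.254.32.1/30", "bgp_remote_ip": "169.254.32.2",
    "ike": {"encryption": "AES_GCM_256", "digest": "None", "version": "IKE_V2", "dh_group": 14},
    "ipsec": {"encryption": "AES_GCM_256", "digest": "None", "dh_group": 14},
    "dpd": {"mode": "periodic", "interval": 60, "retry_count": 10},
}

if __name__ == "__main__":
    for problem in lint_route_based_vpn(SAMPLE_VPN) or ["no problems found"]:
        print(problem)
```

Run the linter against the values you intend to enter before clicking SAVE, and pass the remote public IPs of the VPNs that already exist in the SDDC as `existing_remote_ips` so the one-VPN-per-remote-IP rule from Step 8 is caught as well. The Diffie Hellman check enforces the page's best practice (group 14 or higher) rather than a hard NSX limit, so treat that finding as a warning.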

Results

The VPN creation process might take a few minutes. When the route-based VPN becomes available, the tunnel status and BGP session state are displayed. The following actions are available to help you with troubleshooting and configuring the on-premises end of the VPN:
  • Click DOWNLOAD CONFIG to download a file that contains VPN configuration details. You can use these details to configure the on-premises end of this VPN.
  • Click VIEW STATISTICS to view packet traffic statistics for this VPN. See View VPN Tunnel Status and Statistics.
  • Click VIEW ROUTES to open a display of routes advertised and learned by this VPN.
  • Click DOWNLOAD ROUTES to download a list of Advertised Routes or Learned Routes in CSV format.

What to do next

Create or update firewall rules as needed. The default Compute Gateway firewall rules allow the VPN tunnel to establish and operate, but you must create a Compute Gateway firewall rule like the following one to allow your workload traffic to communicate through the VPN tunnel interface (VTI). This is only an example; substitute your own values for Sources and Destinations.
  Name: Workload VPN traffic
  Sources: On-premises users
  Destinations: Application servers
  Services: HTTPS
  Applied To: VPN Tunnel Interface
  Action: Allow
To allow VPN traffic, you must specify VPN Tunnel Interface in the Applied To field. The All Uplinks option does not include the VTI.