A route-based VPN creates an IPsec tunnel interface and routes traffic through it as dictated by the SDDC routing table. A route-based VPN provides resilient, secure access to multiple subnets. When you use a route-based VPN, new routes are added automatically when new networks are created.

Route-based VPNs in your VMware Cloud on AWS SDDC use IPsec to secure traffic and the Border Gateway Protocol (BGP) to discover and propagate routes as new networks are created. To create a route-based VPN, you configure BGP information for the local (SDDC) and remote (on-premises) endpoints, then specify tunnel security parameters for the SDDC end of the tunnel.

Procedure

  1. Log in to the VMC Console at https://vmc.vmware.com.
  2. Click Networking & Security > VPN > Route Based.
  3. (Optional) Change the default local Autonomous System Number (ASN).
    All route-based VPNs in the SDDC use the same local ASN value in their implementation of BGP. It cannot be the same as the remote ASN for any configured VPN connections. The default value is 65000. To change this, click EDIT LOCAL ASN, enter a new value in the range 64521 to 65535, and click APPLY.
  4. Click ADD VPN and give the new VPN a Name.
  5. Select a Local IP Address from the drop-down menu.
  6. Enter the Remote Public IP of your on-premises VPN gateway. (Optional) If that gateway sits behind NAT, also enter its pre-NAT address as the Remote Private IP.
    Whichever address is used must match the local identity (IKE ID) that the on-premises VPN gateway sends during IKE negotiation. If the Remote Private IP field is empty, the Remote Public IP is used to match the local identity of the on-premises VPN gateway.
  7. For BGP Local IP/Prefix Length, enter the IP address, in CIDR format, of the local VPN tunnel.
    Choose a /30 network from the 169.254.0.0/16 subnet. The second and third IP addresses in that /30 are configured as the remote and local VTIs (VPN tunnel interfaces), respectively. For example, in the CIDR block 169.254.111.0/30 (address range 169.254.111.0-169.254.111.3), the local (SDDC) interface is 169.254.111.2/30 and the remote (on-premises) interface is 169.254.111.1/30.
    Note:
    The following networks are reserved for internal use. The network you specify for BGP Local IP/Prefix Length must not overlap any of them.
    • 169.254.0.2/28
    • 169.254.10.1/24
    • 169.254.11.1/24
    • 169.254.12.1/24
    • 169.254.13.1/24
    • 169.254.101.253/30
  8. For BGP Remote IP, enter the address of the on-premises end of the tunnel, that is, the remote VTI address from the /30 you chose in the previous step (169.254.111.1 in the example above).
  9. For BGP Remote ASN, enter the ASN of your on-premises VPN gateway.
  10. Configure Advanced Tunnel Parameters.
    Tunnel Encryption: Select a Phase 2 security association (SA) cipher that is supported by your on-premises VPN gateway.
    Tunnel Digest Algorithm: Select a Phase 2 digest algorithm that is supported by your on-premises VPN gateway.
    Note:
    If you specify a GCM-based cipher for Tunnel Encryption, set Tunnel Digest Algorithm to None. GCM is an authenticated-encryption mode, so the integrity check is integral to the cipher and a separate digest is not used.
    Perfect Forward Secrecy: Enable or Disable to match the setting of your on-premises VPN gateway. Enabling Perfect Forward Secrecy performs a fresh Diffie-Hellman exchange for each Phase 2 SA, so recorded (past) sessions cannot be decrypted if the long-term keying material is later compromised.
    Preshared Key: Enter the preshared key string. The maximum key length is 128 characters. This key must be identical at both ends of the VPN tunnel.
    IKE Encryption: Select a Phase 1 (IKE) cipher that is supported by your on-premises VPN gateway.
    IKE Digest Algorithm: Select a Phase 1 digest algorithm that is supported by your on-premises VPN gateway. The best practice is to use the same algorithm for both the IKE Digest Algorithm and the Tunnel Digest Algorithm.
    Note:
    If you specify a GCM-based cipher for IKE Encryption, set IKE Digest Algorithm to None; the digest function is integral to the GCM cipher. You must use IKE V2 if you use a GCM-based IKE cipher.
    IKE Type:
    • Specify IKE V1 to initiate and accept the IKEv1 protocol.
    • Specify IKE V2 to initiate and accept the IKEv2 protocol. You must use IKE V2 if you have specified a GCM-based IKE Encryption cipher.
    • Specify IKE FLEX to accept either IKEv1 or IKEv2 and then initiate using IKEv2. If IKEv2 initiation fails, IKE FLEX will not fall back to IKEv1. IKE FLEX does not satisfy the IKE V2 requirement that applies to GCM-based IKE ciphers.
    Diffie Hellman: Select a Diffie-Hellman group that is supported by your on-premises VPN gateway. This value must be identical at both ends of the VPN tunnel. Larger groups offer better protection; the best practice is to select group 14 or higher, and groups 1, 2 and 5 should not be used.
  11. (Optional) Under Advanced BGP Parameters, enter a BGP Secret that matches the one configured on the on-premises gateway. The secret authenticates the BGP session; if the two ends disagree, the IPsec tunnel can come up while the BGP session stays down and no routes are exchanged.
  12. Click Save.
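The steps above amount to a set of values that must agree with each other and with the on-premises gateway before you click Save. The following Python script is an added example, not VMware's code or part of the VMC Console: it derives the local and remote VTI addresses from the chosen /30 as step 7 describes, checks the /30 against the reserved networks listed in step 7, and checks the cross-field rules from steps 3, 9 and 10 (local ASN range and local ASN not equal to remote ASN, digest set to None for GCM ciphers, IKE V2 for a GCM IKE cipher, preshared key length, Diffie-Hellman group 14 or higher). The RouteBasedVpnPlan dataclass, the string form of the cipher and IKE Type names, the treatment of any cipher name containing "GCM" as GCM-based, and the assumption that BGP Remote IP is the on-premises VTI address from the same /30 are this example's own conventions, not console identifiers. The sample plan at the bottom is constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Reserved link-local networks from step 7. The notation is copied from the page;
# strict=False masks off the host bits, so "169.254.10.1/24" becomes 169.254.10.0/24.
RESERVED = [ipaddress.ip_network(n, strict=False) for n in (
    "169.254.0.2/28", "169.254.10.1/24", "169.254.11.1/24",
    "169.254.12.1/24", "169.254.13.1/24", "169.254.101.253/30",
)]
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
LOCAL_ASN_RANGE = range(64521, 65536)   # step 3
MAX_PSK_LEN = 128                        # step 10, Preshared Key
WEAK_DH_GROUPS = {1, 2, 5}               # step 10: best practice is group 14 or higher


@dataclass
class RouteBasedVpnPlan:
    """Hypothetical container for the values typed into the console form."""
    name: str
    local_asn: int
    remote_asn: int
    bgp_local_cidr: str       # BGP Local IP/Prefix Length, e.g. "169.254.111.0/30"
    bgp_remote_ip: str        # BGP Remote IP (assumed: on-premises VTI address)
    tunnel_encryption: str    # e.g. "AES 256" or "AES GCM 256" (names are assumptions)
    tunnel_digest: str        # e.g. "SHA2 256" or "None"
    ike_encryption: str
    ike_digest: str
    ike_type: str             # "IKE V1", "IKE V2" or "IKE FLEX"
    dh_group: int
    preshared_key: str


def tunnel_addresses(cidr: str) -> tuple[str, str]:
    """Derive (local SDDC VTI, remote on-premises VTI) from the /30 as step 7
    describes: the second address is the remote end, the third is the local end."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen != 30 or not net.subnet_of(LINK_LOCAL):
        raise ValueError(f"{cidr}: BGP Local IP/Prefix Length must be a /30 inside 169.254.0.0/16")
    second, third = list(net.hosts())   # a /30 has exactly two host addresses
    return f"{third}/30", f"{second}/30"


def overlapping_reserved(cidr: str) -> list[str]:
    """Reserved networks from the step 7 note that the chosen block overlaps."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [str(r) for r in RESERVED if net.overlaps(r)]


def is_gcm(cipher: str) -> bool:
    # Assumption: GCM-based ciphers carry "GCM" in their name.
    return "GCM" in cipher.upper()


def validate_plan(plan: RouteBasedVpnPlan) -> list[str]:
    """Return the list of problems found; an empty list means the plan is consistent."""
    problems = []
    # Step 3 and step 9: local ASN in range, and not equal to the remote ASN.
    if plan.local_asn not in LOCAL_ASN_RANGE:
        problems.append(f"local ASN {plan.local_asn} is outside 64521-65535")
    if plan.local_asn == plan.remote_asn:
        problems.append(f"remote ASN {plan.remote_asn} equals the local ASN")
    # Steps 7 and 8: valid /30, clear of reserved ranges, BGP peer on the far end.
    try:
        _local_vti, remote_vti = tunnel_addresses(plan.bgp_local_cidr)
    except ValueError as exc:
        problems.append(str(exc))
    else:
        for reserved in overlapping_reserved(plan.bgp_local_cidr):
            problems.append(f"{plan.bgp_local_cidr} overlaps reserved network {reserved}")
        if plan.bgp_remote_ip != remote_vti.split("/")[0]:
            problems.append(f"BGP Remote IP {plan.bgp_remote_ip} is not the remote tunnel address {remote_vti}")
    # Step 10: GCM carries its own integrity check, so the digest must be None,
    # and a GCM IKE cipher requires IKE V2 (IKE FLEX is not IKE V2).
    if is_gcm(plan.tunnel_encryption) and plan.tunnel_digest != "None":
        problems.append("Tunnel Digest Algorithm must be None with a GCM tunnel cipher")
    if is_gcm(plan.ike_encryption):
        if plan.ike_digest != "None":
            problems.append("IKE Digest Algorithm must be None with a GCM IKE cipher")
        if plan.ike_type != "IKE V2":
            problems.append("IKE Type must be IKE V2 with a GCM IKE cipher")
    if not 1 <= len(plan.preshared_key) <= MAX_PSK_LEN:
        problems.append(f"preshared key length {len(plan.preshared_key)} is not 1-{MAX_PSK_LEN}")
    if plan.dh_group in WEAK_DH_GROUPS:
        problems.append(f"Diffie-Hellman group {plan.dh_group} is weak; use group 14 or higher")
    return problems


# Constructed sample plan using the page's example block 169.254.111.0/30.
EXAMPLE_PLAN = RouteBasedVpnPlan(
    name="onprem-dc1", local_asn=65000, remote_asn=65010,
    bgp_local_cidr="169.254.111.0/30", bgp_remote_ip="169.254.111.1",
    tunnel_encryption="AES GCM 256", tunnel_digest="None",
    ike_encryption="AES 256", ike_digest="SHA2 256", ike_type="IKE V2",
    dh_group=14, preshared_key="correct horse battery staple",
)

if __name__ == "__main__":
    print("local VTI, remote VTI:", tunnel_addresses(EXAMPLE_PLAN.bgp_local_cidr))
    print(validate_plan(EXAMPLE_PLAN) or "plan is consistent")
```

Run the script against your own values before filling in the form; a non-empty list from validate_plan points at the step whose value needs to change. The reserved-network check matters in practice because an overlap is the kind of mistake the console may accept but that leaves the BGP session unable to establish.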

Results

The VPN creation process might take a few minutes. When the route-based VPN becomes available, the tunnel status and BGP session state are displayed. The following actions are available to help you with troubleshooting and configuring the on-premises end of the VPN:
  • Click DOWNLOAD CONFIG to download a file that contains VPN configuration details. You can use these details to configure the on-premises end of this VPN.
  • Click VIEW STATISTICS to view packet traffic statistics for this VPN. See View VPN Tunnel Status and Statistics.
  • Click VIEW ROUTES to open a display of routes advertised and learned by this VPN.
  • Click DOWNLOAD ROUTES to download a list of Advertised Routes or Learned Routes in CSV format.

What to do next

Create or update firewall rules as needed. To allow traffic through the route-based VPN, specify VPN Tunnel Interface in the Applied To field. The All Uplinks option does not include the routed VPN tunnel interface, so a rule applied only to All Uplinks will not match traffic that traverses this VPN.