VMware supports the following Non VMware SD-WAN Site configurations:

  • Check Point
  • Cisco ASA
  • Cisco ISR
  • Generic IKEv2 Router (Route Based VPN)
  • Microsoft Azure Virtual Hub
  • Palo Alto
  • SonicWALL
  • Zscaler
  • Generic IKEv1 Router (Route Based VPN)
  • Generic Firewall (Policy Based VPN)
    Note: VMware now supports both Generic IKEv1 Router (Route Based VPN) and Generic IKEv2 Router (Route Based VPN) Non VMware SD-WAN Site Configurations.

Cisco ASA

Cisco ASA is another common third party configuration. The following steps describe how to configure a Cisco ASA Non VMware SD-WAN Site in the SD-WAN Orchestrator.

To configure via Cisco ASA:

  1. Go to Configure > Network Services.
  2. In the Non-VeloCloud Sites area, click the New button.

    The New Non-VeloCloud Site dialog box appears.

  3. In the New Non-VeloCloud Site dialog box:
    1. In the Name text box, enter the name for the Non VMware SD-WAN Site.
    2. From the Type drop-down menu, select Cisco ASA.
    3. Enter the IP address for the Primary VPN Gateway, and click Next.

    Your Non VMware SD-WAN Site is created, and a dialog box for your Non VMware SD-WAN Site appears.

  4. In the dialog box for your Non VMware SD-WAN Site:
    1. To configure tunnel settings for the Non VMware SD-WAN Site’s Primary VPN Gateway, click the Advanced button located at the bottom of the dialog box.
    2. In the Primary VPN Gateway area, you can configure the following tunnel settings:
      Field        Description
      PSK          The Pre-Shared Key (PSK) used to authenticate both ends of the tunnel. The Orchestrator generates a PSK by default; to use your own PSK, enter it in the text box. The same value must be configured on the Cisco ASA.
      Encryption   Select AES 128 or AES 256 as the algorithm used to encrypt tunnel data. The default value is AES 128.
      DH Group     Select the Diffie-Hellman (DH) group used for the IKE key exchange. The group number determines the size of the modulus, and therefore the strength of the exchange, in bits. The default value is 2, which is the 1024-bit MODP group; choose a larger group where the Cisco ASA supports it.
      PFS          Select the Perfect Forward Secrecy (PFS) group used when the IPsec keys are renegotiated, so that compromise of one key does not expose traffic protected by earlier keys. The default value is 2.
      Note: A Secondary VPN Gateway is not supported for the Cisco ASA network service type.
      Note: For a Cisco ASA Non VMware SD-WAN Site, the local authentication ID value used by default is the SD-WAN Gateway Interface Local IP. The Cisco ASA must therefore identify the peer by that address.

    3. Select the Redundant VeloCloud Cloud VPN checkbox to add redundant tunnels for each VPN Gateway.

      Any changes made to Encryption, DH Group, or PFS of Primary VPN Gateway will also be applied to the redundant VPN tunnels, if configured. After modifying the tunnel settings of the Primary VPN Gateway, save the changes and then click View IKE/IPSec Template to view the updated tunnel configuration.

    4. Click the Update location link to set the location for the configured Non VMware SD-WAN Site. The latitude and longitude details are used to determine the best Edge or Gateway to connect to in the network.
    5. Under Site Subnets, you can add subnets for the Non VMware SD-WAN Site by clicking the + button.
    6. Use Custom Source Subnets to override the source subnets that are routed to this VPN device. By default, the source subnets are derived from the Edge LAN subnets that route to this device.
    7. Check the Enable Tunnel(s) checkbox once you are ready to initiate the tunnel from the SD-WAN Gateway to the Cisco ASA VPN gateways.
    8. Click Save Changes.

Cisco ISR

Cisco ISR is one of the more common third party configurations. The following steps describe how to configure a Cisco ISR Non VMware SD-WAN Site in the SD-WAN Orchestrator.

To configure via Cisco ISR:

  1. Go to Configure > Network Services.
  2. In the Non-VeloCloud Sites area, click the New button.

    The New Non-VeloCloud Site dialog box appears.

  3. In the New Non-VeloCloud Site dialog box:
    1. In the Name text box, enter the name for the Non VMware SD-WAN Site.
    2. From the Type drop-down menu, select Cisco ISR.
    3. Enter the IP address for the Primary VPN Gateway, and click Next.

    Your Non VMware SD-WAN Site is created, and a dialog box for your Non VMware SD-WAN Site appears.

  4. In the dialog box for your Non VMware SD-WAN Site:
    1. To configure tunnel settings for the Non VMware SD-WAN Site’s Primary VPN Gateway, click the Advanced button located at the bottom of the dialog box.
    2. Configure tunnel settings such as PSK, Encryption, DH Group, and PFS by referring to the above table.
    3. If you want to create a Secondary VPN Gateway for this site, then click the Add button next to Secondary VPN Gateway. In the pop-up window, enter the IP address of the Secondary VPN Gateway and click Save Changes.

      The Secondary VPN Gateway will be created immediately for this site and will provision a VMware VPN tunnel to this Gateway.

      Note: For a Cisco ISR Non VMware SD-WAN Site, the local authentication ID value used by default is the SD-WAN Gateway Interface Local IP. The Cisco ISR must therefore identify the peer by that address.

    4. Select the Redundant VeloCloud Cloud VPN checkbox to add redundant tunnels for each VPN Gateway.
    5. Under Site Subnets, you can add subnets for the Non VMware SD-WAN Site by clicking the + button.
    6. Check the Enable Tunnel(s) checkbox once you are ready to initiate the tunnel from the SD-WAN Gateway to the Cisco ISR VPN gateways.
    7. Click Save Changes.
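The tunnel settings (PSK, Encryption, DH Group, PFS), the local authentication ID note and the Site Subnets step are common to the Cisco ASA and Cisco ISR procedures above, and a tunnel that fails to come up is almost always one of those values differing between the Orchestrator and the Cisco device. The following Python script is an added example, not VMware's or Cisco's code and not an Orchestrator API client: it represents what was entered in the Orchestrator dialog and what is configured on the Cisco device as plain dictionaries (the field names are assumptions for this example), reports mismatches that would stop the tunnel from establishing, checks that every Site Subnet is covered by a subnet the device protects, and flags the weak defaults (DH group 2, AES 128, a short PSK). It also generates a random PSK to paste into the PSK text box. All sample values are constructed.

```python
"""Added example: audit Orchestrator tunnel settings against the Cisco peer.

Not VMware or Cisco code. Field names below are assumptions for the example,
not an Orchestrator API schema.
"""
import ipaddress
import secrets

# Modulus sizes in bits of the MODP Diffie-Hellman groups (IANA IKE registry).
MODP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096}

# Constructed sample: values entered in the Orchestrator dialog, defaults kept.
ORCH_DEFAULTS = {
    "peer_ip": "203.0.113.10",           # Primary VPN Gateway address (step 3)
    "gateway_local_ip": "198.51.100.5",  # SD-WAN Gateway interface IP (default local ID)
    "psk": "changeme",                   # user-entered PSK instead of the generated one
    "encryption": "AES 128",
    "dh_group": 2,
    "pfs": 2,
    "site_subnets": ["10.10.0.0/16", "10.20.0.0/24"],  # Site Subnets (+ button)
}

# Constructed sample: what the Cisco ASA/ISR was configured with.
DEVICE = {
    "expected_peer_id": "gw.example.net",  # wrong: Gateway presents its IP, not a name
    "psk": "changeme",
    "encryption": "AES 256",
    "dh_group": 14,
    "pfs": 14,
    "local_subnets": ["10.10.0.0/16"],     # 10.20.0.0/24 is missing
}


def generate_psk(nbytes=32):
    """Random PSK for the PSK text box; 32 bytes gives 43 base64url characters."""
    return secrets.token_urlsafe(nbytes)


def audit_tunnel(orch, device):
    """Return (severity, message) findings comparing both ends of the tunnel.

    "error" means the tunnel will not establish; "warning" means it will
    establish with a weak setting.
    """
    findings = []

    # IKE/IPsec parameters must be identical on both ends.
    for field in ("psk", "encryption", "dh_group", "pfs"):
        if orch[field] != device[field]:
            findings.append(("error", f"{field} differs: Orchestrator={orch[field]!r}, "
                                      f"device={device[field]!r}"))

    # For Cisco ASA/ISR sites the Gateway presents its interface IP as the
    # local authentication ID, so the device must expect that exact address.
    if device["expected_peer_id"] != orch["gateway_local_ip"]:
        findings.append(("error", f"device expects peer ID {device['expected_peer_id']!r} "
                                  f"but the Gateway presents {orch['gateway_local_ip']!r}"))

    # Every Site Subnet must lie inside a subnet the device protects, otherwise
    # the IPsec traffic selectors will not match.
    device_nets = [ipaddress.ip_network(n) for n in device["local_subnets"]]
    for subnet in orch["site_subnets"]:
        net = ipaddress.ip_network(subnet)
        if not any(net.subnet_of(d) for d in device_nets if d.version == net.version):
            findings.append(("error", f"site subnet {subnet} is not protected on the device"))

    # Working but weak: 1024-bit MODP groups, AES 128, short PSK.
    for field in ("dh_group", "pfs"):
        bits = MODP_BITS.get(orch[field])
        if bits is not None and bits < 2048:
            findings.append(("warning", f"{field} {orch[field]} is a {bits}-bit MODP group; "
                                        "use group 14 or stronger"))
    if orch["encryption"] == "AES 128":
        findings.append(("warning", "encryption is AES 128 (default); AES 256 is available"))
    if len(orch["psk"]) < 20:
        findings.append(("warning", "PSK is short; enter a long random value"))

    return findings


def errors(findings):
    """Only the findings that prevent the tunnel from coming up."""
    return [msg for sev, msg in findings if sev == "error"]


if __name__ == "__main__":
    for sev, msg in audit_tunnel(ORCH_DEFAULTS, DEVICE):
        print(f"[{sev}] {msg}")
```

Run the script directly to print the findings for the constructed sample. The subnet check is a minimum: it only confirms that each Site Subnet is contained in a subnet the device protects, and the device's own policy (for example a crypto map ACL on a Cisco ASA) still has to be written to match the selectors the Gateway proposes.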

Microsoft Azure Virtual Hub

Microsoft Azure Virtual Hub is one of the more common third party configurations. For instructions on how to configure a Non VMware SD-WAN Site of type Microsoft Azure Virtual Hub in SD-WAN Orchestrator, see Configure a Microsoft Azure Non VMware SD-WAN Site.