Describes how to configure a Non VMware SD-WAN Site of type Generic Firewall (Policy Based VPN) in SD-WAN Orchestrator.


  1. From the navigation panel in the SD-WAN Orchestrator, go to Configure > Network Services.
    The Services screen appears.
  2. In the Non SD-WAN Destinations via Gateway area, click the New button.
    The New Non SD-WAN Destinations via Gateway dialog box appears.
  3. In the Name text box, enter the name for the Non VMware SD-WAN Site.
  4. From the Type drop-down menu, select Generic Firewall (Policy Based VPN).
  5. Enter the IP address for the Primary VPN Gateway, and click Next.
    A Non VMware SD-WAN Site of type Generic Firewall (Policy Based VPN) is created and a dialog box for your Non VMware SD-WAN Site appears.
  6. To configure tunnel settings for the Non VMware SD-WAN Site’s Primary VPN Gateway, click the Advanced button.
  7. In the Primary VPN Gateway area, you can configure the following tunnel settings:
    Field Description
    PSK The Pre-Shared Key (PSK), which is the security key for authentication across the tunnel. The Orchestrator generates a PSK by default. If you want to use your own PSK or password then you can enter it in the textbox.
    Encryption Select either AES 128 or AES 256 as the AES algorithms key size to encrypt data. The default value is AES 128.
    DH Group Select the Diffie-Hellman (DH) Group algorithm to be used when exchanging a pre-shared key. The DH Group sets the strength of the algorithm in bits. The supported DH Groups are 2, 5, and 14. It is recommended to use DH Group 14.
    PFS Select the Perfect Forward Secrecy (PFS) level for additional security. The supported PFS levels are 2 and 5. The default value is disabled.
    Note: The Secondary VPN Gateway are not supported for the Generic Firewall (Policy Based VPN) network service type.
  8. Select the Redundant VeloCloud Cloud VPN checkbox to add redundant tunnels for each VPN Gateway.
    Any changes made to Encryption, DH Group, or PFS of Primary VPN Gateway will also be applied to the redundant VPN tunnels, if configured. After modifying the tunnel settings of the Primary VPN Gateway, save the changes and then click View IKE/IPSec Template to view the updated tunnel configuration.
    Note: Currently, the supported IKE version is IKEv1.
  9. Click the Update location link to set the location for the configured Non VMware SD-WAN Site. The latitude and longitude details are used to determine the best Edge or Gateway to connect to in the network.
  10. Local authentication ID defines the format and identification of the local gateway. From the Local Auth Id drop-down menu, choose from the following types and enter a value that you determine:
    • FQDN - The Fully Qualified Domain Name or hostname. For example,
    • User FQDN - The User Fully Qualified Domain Name in the form of email address. For example,
    • IPv4 - The IP address used to communicate with the local gateway.

    For Generic Firewall (Policy based VPN), if the user do not specify a value, Default is used as the local authentication ID. The default local authentication ID value will be the SD-WAN Gateway Interface Local IP.

  11. Under Site Subnets, you can add subnets for the Non VMware SD-WAN Site by clicking the + button. If you do not need subnets for the site, select the Disable Site Subnets checkbox.
  12. Use Custom Source Subnets to override the source subnets routed to this VPN device. Normally, source subnets are derived from the edge LAN subnets routed to this device.
  13. Check the Enable Tunnel(s) checkbox once you are ready to initiate the tunnel from the SD-WAN Gateway to the Generic Firewall (Policy Based VPN) VPN gateways.
  14. Click Save Changes.