Describes how to configure a Non VMware SD-WAN Site of type Generic IKEv2 Router (Route Based VPN) in SD-WAN Orchestrator.

Note: To configure a Generic IKEv2 Router (Route Based VPN) via Edge, see Configure a Non-VMware SD-WAN Site of Type Generic IKEv2 Router via Edge.

Procedure

  1. From the navigation panel in the SD-WAN Orchestrator, go to Configure > Network Services.
    The Services screen appears.
  2. In the Non SD-WAN Destinations via Gateway area, click the New button.
    The New Non SD-WAN Destinations via Gateway dialog box appears.
  3. In the Name text box, enter the name for the Non VMware SD-WAN Site.
  4. From the Type drop-down menu, select Generic IKEv2 Router (Route Based VPN).
  5. Enter the IP address for the Primary VPN Gateway (and the Secondary VPN Gateway if necessary), and click Next.
    A route-based Non VMware SD-WAN Site of type IKEv2 is created and a dialog box for your Non VMware SD-WAN Site appears.
  6. To configure tunnel settings for the Non VMware SD-WAN Site’s Primary VPN Gateway, click the Advanced button.
  7. In the Primary VPN Gateway area, you can configure the following tunnel settings:
    Field Description
    PSK The Pre-Shared Key (PSK), which is the security key for authentication across the tunnel. The Orchestrator generates a PSK by default. If you want to use your own PSK or password then you can enter it in the textbox.
    Encryption Select either AES 128 or AES 256 as the AES algorithms key size to encrypt data. The default value is AES 128.
    DH Group Select the Diffie-Hellman (DH) Group algorithm to be used when exchanging a pre-shared key. The DH Group sets the strength of the algorithm in bits. The supported DH Groups are 2, 5, and 14. It is recommended to use DH Group 14.
    PFS Select the Perfect Forward Secrecy (PFS) level for additional security. The supported PFS levels are 2 and 5. The default value is 2.
    Authentication Algorithm The authentication algorithm for the VPN header. Select one of the following supported Secure Hash Algorithm (SHA) function from the list:
    • SHA 1
    • SHA 256
    • SHA 384
    • SHA 512

    The default value is SHA 1.

    IKE SA Lifetime(min) Time when Internet Key Exchange (IKE) rekeying is initiated for Edges. The minimum IKE life time is 10 minutes and maximum is 1440 minutes. The default value is 1440 minutes.
    IPsec SA Lifetime(min) Time when Internet Security Protocol (IPsec) rekeying is initiated for Edges. The minimum IPsec life time is 3 minutes and maximum is 480 minutes. The default value is 480 minutes.
    DPD Type The Dead Peer Detection (DPD) method is used to detect if the Internet Key Exchange (IKE) peer is alive or dead. If the peer is detected as dead, the device deletes the IPsec and IKE Security Association. Select either Periodic or onDemand from the list. The default value is onDemand.
    DPD Timeout(sec) The maximum time that the device should wait to receive a response to the DPD message before considering the peer to be dead. The default value is 20 seconds. You can disable DPD by configuring the DPD timeout timer to 0 second.
    Note: When AWS initiates the rekey tunnel with a VMware SD-WAN Gateway (in Non SD-WAN Destinations), a failure can occur and a tunnel will not be established, which can cause traffic interruption. Adhere to the following:
    • IPsec SA Lifetime(min) timer configurations for the SD-WAN Gateway must be less than 60 minutes (50 minutes recommended) to match the AWS default IPsec configuration.
    • DH and PFS DH groups must be matched.
  8. If you want to create a Secondary VPN Gateway for this site, then click the Add button next to Secondary VPN Gateway. In the pop-up window, enter the IP address of the Secondary VPN Gateway and click Save Changes.

    The Secondary VPN Gateway will be created immediately for this site and will provision a VMware VPN tunnel to this Gateway.

  9. Select the Redundant VeloCloud Cloud VPN checkbox to add redundant tunnels for each VPN Gateway.
    Any changes made to Encryption, DH Group, or PFS of Primary VPN Gateway will also be applied to the redundant VPN tunnels, if configured. After modifying the tunnel settings of the Primary VPN Gateway, save the changes and then click View IKE/IPSec Template to view the updated tunnel configuration.
  10. Click the Update location link to set the location for the configured Non VMware SD-WAN Site. The latitude and longitude details are used to determine the best Edge or Gateway to connect to in the network.
  11. Local authentication ID defines the format and identification of the local gateway. From the Local Auth Id drop-down menu, choose from the following types and enter a value that you determine:
    • FQDN - The Fully Qualified Domain Name or hostname. For example, google.com.
    • User FQDN - The User Fully Qualified Domain Name in the form of email address. For example, user@google.com.
    • IPv4 - The IP address used to communicate with the local gateway.
    Note:

    For Generic route based VPN, if the user do not specify a value, Default is used as the local authentication ID. The default local authentication ID value will be the SD-WAN Gateway Interface Public IP.

  12. Under Site Subnets, you can add subnets for the Non VMware SD-WAN Site by clicking the + button. If you do not need subnets for the site, select the Disable Site Subnets checkbox.
  13. Check the Enable Tunnel(s) checkbox once you are ready to initiate the tunnel from the SD-WAN Gateway to the Generic IKEv2 VPN gateways.
  14. Click Save Changes.