On the same Gateway page (Operator > Gateways), enable Partner Gateway mode by selecting the Partner Gateway checkbox. Deselect the Secure VPN Gateway checkbox (which is needed only if you plan to use this SD-WAN Gateway to establish an IPSec tunnel to a Non VMware SD-WAN Site).
The Gateways screen includes the following sections: Properties, Partner Gateway (Advanced Handoff) Details, Contact & Location, Customer Usage, Pool Membership. See the corresponding sections for information about each of them.
- Service State:
- IP Address
- Gateway Authentication Mode:
- Certificate Disabled: Edge uses a pre-shared key mode of authentication.
- Certificate Acquire: This option is selected by default, and instructs the Edge to acquire a certificate from the certificate authority of the SD-WAN Orchestrator, by generating a key pair and sending a certificate signing request to the Orchestrator. Once acquired, the Edge uses the certificate for authentication to the SD-WAN Orchestrator and for establishment of VCMP tunnels.
Note: After acquiring the certificate, the option can be updated to Certificate Required.
- Certificate Required: Edge uses the PKI certificate. (Operators can change the certificate renewal time window for Gateways via system properties. See Certificate Authority for more information.)
- Gateway Roles:
- Control Plane:
- Data Plane:
- Partner Gateway:
- Secure VPN Gateway:
Partner Gateway (Advanced Handoff) Details Area
- Static Routes: Specify the subnets or routes that the SD-WAN Gateway should advertise to the SD-WAN Edge, along with the handoff mode and whether or not to encrypt the traffic. This is global per SD-WAN Gateway and applies to ALL customers. With BGP, this section is typically used only if there is a shared subnet that all customers need to access and if NAT handoff is required.
If you do not have any subnets that need to be advertised to the SD-WAN Edge with a handoff of type NAT, remove the unused subnets from the Static Routes list above.
The ICMP probe parameters are optional and recommended only if you want to use ICMP to check the health of the SD-WAN Gateway. With BGP support on the Partner Gateway, using ICMP probe for failover and route convergence is no longer required.
- ICMP Failover Probe: The SD-WAN Gateway can use an ICMP probe to check the reachability of a particular IP address. If the SD-WAN Gateway detects that the IP address is not reachable, it can notify the SD-WAN Edge to fail over to the secondary Gateway.
- ICMP Responder Enabled: This will allow the SD-WAN Gateway to respond to the ICMP probe from the next hop router when its tunnels are up.
- Mode=Conditional: The SD-WAN Gateway will respond to the ICMP request only when its service is up and when at least one tunnel is up.
- Mode=Always: The SD-WAN Gateway will always respond to the ICMP request from its peer.