Describes how to configure a Non VMware SD-WAN Site of the type AWS VPN Gateway.
About This Task
You can configure Non SD-WAN Destinations via the Gateway only at the Profile Level and cannot override at the SD-WAN Edge level.
Procedure
- From the navigation panel in the SD-WAN Orchestrator, go to Configure > Network Services.
The Services screen appears.
- In the Non SD-WAN Destinations via Gateway area, click the New button.
The New Non SD-WAN Destinations via Gateway dialog box appears.
- In the Name text box, enter the name for the Non SD-WAN Destination.
- From the Type drop-down menu, select AWS VPN Gateway.
- Enter the IP address for the Primary VPN Gateway, and click Next.
A Non SD-WAN Destination of type AWS VPN Gateway is created and a dialog box for your Non SD-WAN Destination appears.
- To configure tunnel settings for the Non SD-WAN Destination’s Primary VPN Gateway, click the Advanced button.
- In the Primary VPN Gateway area, you can configure the following tunnel settings:
  - Tunnel Mode: Active-Hot-Standby is supported on the SD-WAN Gateway. Active/Hot-Standby is displayed automatically, indicating that if the Active tunnel goes down, the Standby (Hot-Standby) tunnel takes over and becomes the Active tunnel.
  - PSK: The Pre-Shared Key (PSK), which is the security key for authentication across the tunnel. The SD-WAN Orchestrator generates a PSK by default. If you want to use your own PSK or password, enter it in the text box.
  - Encryption: Select either AES 128 or AES 256 as the AES key size used to encrypt data. The default value is AES 128.
  - DH Group: Select the Diffie-Hellman (DH) Group to be used when exchanging a pre-shared key. The DH Group sets the strength of the algorithm in bits. The supported DH Groups are 2, 5, and 14. DH Group 14 is recommended.
  - PFS: Select the Perfect Forward Secrecy (PFS) level for additional security. The supported PFS levels are 2 and 5. The default value is Deactivated.
  - Authentication Algorithm: The authentication algorithm for the VPN header. Select one of the following supported Secure Hash Algorithm (SHA) functions from the drop-down menu: SHA 1, SHA 256, SHA 384, or SHA 512. The default value is SHA 1.
  - IKE SA Lifetime (min): Time after which Internet Key Exchange (IKE) rekeying is initiated for SD-WAN Edges. The minimum IKE lifetime is 10 minutes and the maximum is 1440 minutes. The default value is 1440 minutes.
  - IPsec SA Lifetime (min): Time after which Internet Protocol Security (IPsec) rekeying is initiated for Edges. The minimum IPsec lifetime is 3 minutes and the maximum is 480 minutes. The default value is 480 minutes.
  - DPD Type: The Dead Peer Detection (DPD) method used to detect whether the Internet Key Exchange (IKE) peer is alive or dead. If the peer is detected as dead, the device deletes the IPsec and IKE Security Associations. Select either Periodic or on Demand from the list. The default value is on Demand.
  - DPD Timeout (sec): Enter the DPD timeout value. The DPD timeout value is added to the internal DPD timer, as described below, and is the time to wait for a response to the DPD message before considering the peer dead. Prior to the 5.1.0 release, the default value is 20 seconds. For the 5.1.0 release and later, the default value is derived as follows:
    - Library Name: Quicksec
    - Probe Interval: Exponential (0.5 sec, 1 sec, 2 sec, 4 sec, 8 sec, 16 sec)
    - Default Minimum DPD Interval: 47.5 sec (Quicksec waits for 16 seconds after the last retry, so 0.5+1+2+4+8+16+16 = 47.5).
    - Default Minimum DPD Interval + DPD Timeout (sec): 67.5 sec
  Note: Prior to the 5.1.0 release, you can deactivate DPD by configuring the DPD timeout timer to 0 seconds. For the 5.1.0 release and later, you cannot deactivate DPD by configuring the DPD timeout timer to 0 seconds; the DPD timeout value in seconds is added onto the default minimum value of 47.5 seconds.
- To create a Secondary VPN Gateway for this site, click the Add button next to Secondary VPN Gateway. In the pop-up window, enter the IP address of the Secondary VPN Gateway and click Save Changes.
The Secondary VPN Gateway will be created immediately for this site and will provision a VMware VPN tunnel to this Gateway.
- Select the Redundant VeloCloud Cloud VPN checkbox to add redundant tunnels for each VPN Gateway. Any changes made to Encryption, DH Group, or PFS of Primary VPN Gateway will also be applied to the redundant VPN tunnels, if configured.
- After modifying the tunnel settings of the Primary VPN Gateway, save the changes and then click View IKE/IPsec Template to view the updated tunnel configuration.
- Click the Update location link, located in the top-right corner of the Non SD-WAN Destination via Gateway dialog, to set the location of the configured Non VMware SD-WAN Site. The latitude and longitude details are used to determine the best SD-WAN Edge or SD-WAN Gateway to connect to in the network.
- Under the Site Subnets area, you can add subnets for the Non VMware SD-WAN Site by clicking the + button. Use Custom Source Subnets to override the source subnets routed to this VPN device. Normally, source subnets are derived from the SD-WAN Edge LAN subnets routed to this device.
Note: If no site subnets are configured, Site Subnets must be deactivated before the tunnel can be enabled.
- Check the Enable Tunnel(s) checkbox once you are ready to initiate the tunnel from the SD-WAN Gateway to the AWS VPN Gateways.
- Click Save Changes.
- Assign the newly created Non SD-WAN Site Network Service to a Profile by navigating to Configure > Profiles in the SD-WAN Orchestrator. See Configure a Tunnel Between a Branch and a Non SD-WAN Destinations via Gateway.
- Return to the Non SD-WAN Destinations via Gateway area in the SD-WAN Orchestrator by going to Configure > Network Services.
- In the Non SD-WAN Destinations via Gateway area, scroll to the name of your Non SD-WAN Site, and then click the Edit link in the BGP column.
- Configure BGP using the AWS values for the following mandatory fields: Local ASN, Tunnel Type, Neighbor IP, and Local IP (from the Advanced Options section). NOTE: Tunnel Type is updated by default. Refer to the AWS documentation if needed. For more information, see Configure BGP over IPsec from Gateways.
- Click the OK button to save your changes.
- In the Non SD-WAN Destinations via Gateway area, click the Edit link in the BFD column for a Non SD-WAN Destination, to configure the BFD settings. For more information, see Configure BFD for Gateways.
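The following is an added example and is not VMware's or the SD-WAN Orchestrator's own code. It checks a set of Primary VPN Gateway tunnel settings against the supported values and ranges documented in the tunnel-settings step above, flags the weaker defaults a reviewer would want changed (SHA 1, PFS deactivated, DH groups other than 14), and computes the effective Dead Peer Detection time for the 5.1.0 and later Quicksec behaviour, including the case where a DPD timeout of 0 no longer deactivates DPD. The TunnelSettings class, its field names, the sample values and the minimum PSK length are constructed for illustration; the numeric limits and defaults are those stated in the procedure.

```python
"""Added example (not VMware code): validate AWS VPN Gateway tunnel settings
against the documented ranges and compute the effective DPD detection time."""

from dataclasses import dataclass
from typing import Optional

# Supported values and ranges as documented in the tunnel-settings step
SUPPORTED_ENCRYPTION = {"AES 128", "AES 256"}
SUPPORTED_DH_GROUPS = {2, 5, 14}
RECOMMENDED_DH_GROUP = 14
SUPPORTED_PFS = {None, 2, 5}             # None means "Deactivated" (the default)
SUPPORTED_AUTH = {"SHA 1", "SHA 256", "SHA 384", "SHA 512"}
IKE_LIFETIME_RANGE = (10, 1440)          # minutes
IPSEC_LIFETIME_RANGE = (3, 480)          # minutes
DPD_TYPES = {"Periodic", "on Demand"}

# Quicksec probe schedule for 5.1.0 and later: exponential retries, then a
# final 16 s wait after the last retry, giving the documented 47.5 s minimum
QUICKSEC_PROBE_INTERVALS = (0.5, 1, 2, 4, 8, 16)
QUICKSEC_FINAL_WAIT = 16
DEFAULT_MIN_DPD_INTERVAL = sum(QUICKSEC_PROBE_INTERVALS) + QUICKSEC_FINAL_WAIT

MIN_PSK_LENGTH = 16  # assumed hardening threshold, not a documented limit


@dataclass
class TunnelSettings:
    """Hypothetical container mirroring the Primary VPN Gateway fields;
    defaults are the Orchestrator defaults stated in the procedure."""
    psk: str
    encryption: str = "AES 128"
    dh_group: int = 14
    pfs: Optional[int] = None
    auth: str = "SHA 1"
    ike_lifetime_min: int = 1440
    ipsec_lifetime_min: int = 480
    dpd_type: str = "on Demand"
    dpd_timeout_sec: float = 20


def effective_dpd_time(dpd_timeout_sec: float) -> float:
    """Seconds before the IKE peer is declared dead on 5.1.0 and later:
    the configured timeout is added to the 47.5 s Quicksec minimum, so a
    timeout of 0 gives 47.5 s rather than deactivating DPD."""
    if dpd_timeout_sec < 0:
        raise ValueError("DPD timeout must be >= 0")
    return DEFAULT_MIN_DPD_INTERVAL + dpd_timeout_sec


def validate(s: TunnelSettings) -> dict:
    """Return {'errors': [...], 'warnings': [...]}. Errors are values outside
    what the Orchestrator documents as supported; warnings are hardening
    notes on supported but weaker choices."""
    errors, warnings = [], []
    if s.encryption not in SUPPORTED_ENCRYPTION:
        errors.append(f"encryption {s.encryption!r} not supported")
    if s.dh_group not in SUPPORTED_DH_GROUPS:
        errors.append(f"DH group {s.dh_group} not supported")
    elif s.dh_group != RECOMMENDED_DH_GROUP:
        warnings.append(f"DH group {s.dh_group} in use; group 14 is recommended")
    if s.pfs not in SUPPORTED_PFS:
        errors.append(f"PFS level {s.pfs} not supported")
    elif s.pfs is None:
        warnings.append("PFS deactivated (default); enable level 2 or 5 so a "
                        "compromised IKE key does not expose earlier IPsec traffic")
    if s.auth not in SUPPORTED_AUTH:
        errors.append(f"auth algorithm {s.auth!r} not supported")
    elif s.auth == "SHA 1":
        warnings.append("SHA 1 (default) selected; prefer SHA 256 or stronger")
    lo, hi = IKE_LIFETIME_RANGE
    if not lo <= s.ike_lifetime_min <= hi:
        errors.append(f"IKE SA lifetime {s.ike_lifetime_min} min outside {lo}-{hi}")
    lo, hi = IPSEC_LIFETIME_RANGE
    if not lo <= s.ipsec_lifetime_min <= hi:
        errors.append(f"IPsec SA lifetime {s.ipsec_lifetime_min} min outside {lo}-{hi}")
    if s.dpd_type not in DPD_TYPES:
        errors.append(f"DPD type {s.dpd_type!r} not supported")
    if s.dpd_timeout_sec < 0:
        errors.append("DPD timeout must be >= 0")
    elif s.dpd_timeout_sec == 0:
        warnings.append("DPD timeout 0 no longer deactivates DPD on 5.1.0+; peer "
                        f"is declared dead after {DEFAULT_MIN_DPD_INTERVAL} s")
    if len(s.psk) < MIN_PSK_LENGTH:
        warnings.append(f"PSK shorter than {MIN_PSK_LENGTH} characters (assumed minimum)")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample: Orchestrator defaults plus a user-supplied PSK
    defaults = TunnelSettings(psk="constructed-sample-psk-value")
    print(validate(defaults))
    print("effective DPD time (s):", effective_dpd_time(defaults.dpd_timeout_sec))
```

Run against the documented defaults, the check reports no errors but two warnings (SHA 1 and PFS deactivated), and the default 20 s timeout yields the 67.5 s effective detection time given in the procedure; lowering the timeout to 0 still leaves a 47.5 s detection window on 5.1.0 and later.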
What to do next
You can check the overall status of the Non SD-WAN Sites in the monitoring tab. See: