Describes how to configure a Non SD-WAN Destination of type Generic IKEv2 Router (Route Based VPN) through SD-WAN Edge in SD-WAN Orchestrator.

Procedure

  1. From the navigation panel in the SD-WAN Orchestrator, go to Configure > Network Services.
    The Services screen appears.
  2. In the Non SD-WAN Destinations via Edge area, click the New button.
    The Non SD-WAN Destinations via Edge dialog box appears.
  3. In the Service Name text box, enter a name for the Non SD-WAN Destination.
  4. From the Service Type drop-down menu, select Generic IKEv2 Router (Route Based VPN) as the IPSec tunnel type.
  5. Click Next.
    A route-based Non SD-WAN Destination of type IKEv2 is created and a dialog box for your Non SD-WAN Destination appears.
  6. Under Primary VPN Gateway, in the Public IP text box, enter the IP address of the Primary VPN Gateway.
  7. To configure tunnel settings for the Non SD-WAN Destination’s Primary VPN Gateway, click the Advanced button.
  8. In the Primary VPN Gateway area, you can configure the following tunnel settings:
    Field Description
    Encryption Select either AES 128 or AES 256 as the AES algorithms key size to encrypt data. If you do not want to encrypt data, select Null. The default value is AES 128.
    DH Group Select the Diffie-Hellman (DH) Group algorithm to be used when exchanging a pre-shared key. The DH Group sets the strength of the algorithm in bits. The supported DH Groups are 2, 5, 14, 15, and 16. It is recommended to use DH Group 14.
    PFS Select the Perfect Forward Secrecy (PFS) level for additional security. The supported PFS levels are 2, 5, 14, 15, and 16. The default value is Deactivated.
    Hash The authentication algorithm for the VPN header. Select one of the following supported Secure Hash Algorithm (SHA) function from the list:
    • SHA 1
    • SHA 256
    • SHA 384
    • SHA 512

    The default value is SHA 256.

    IKE SA Lifetime(min) Time when Internet Key Exchange (IKE) rekeying is initiated for Edges. The minimum IKE lifetime is 10 minutes and maximum is 1440 minutes. The default value is 1440 minutes.
    IPsec SA Lifetime(min) Time when Internet Security Protocol (IPsec) rekeying is initiated for Edges. The minimum IPsec lifetime is 3 minutes and maximum is 480 minutes. The default value is 480 minutes.
    DPD Timeout Timer(sec) Enter the DPD timeout value. The DPD timeout value will be added to the internal DPD timer, as described below. Wait for a response from the DPD message before considering the peer to be dead (Dead Peer Detection).
    Prior to the 5.1.0 release, the default value is 20 seconds. For the 5.1.0 release and later, see the list below for the default value.
    • Library Name: Quicksec
    • Probe Interval: Exponential (0.5 sec, 1 sec, 2 sec, 4 sec, 8 sec, 16 sec)
    • Default Minimum DPD Interval: 47.5sec (Quicksec waits for 16 seconds after the last retry. Therefore, 0.5+1+2+4+8+16+16 = 47.5).
    • Default Minimum DPD interval + DPD Timeout(sec): 67.5 sec
    Note: Prior to the 5.1.0 release, you can deactivate DPD by configuring the DPD timeout timer to 0 seconds. However, for the 5.1.0 release and later, you cannot deactivate DPD by configuring the DPD timeout timer to 0 seconds. The DPD timeout value in seconds will get added onto the default minimum value of 47.5 seconds).
    Note: When AWS initiates the rekey tunnel with a VMware SD-WAN Gateway (in Non SD-WAN Destinations), a failure can occur and a tunnel will not be established, which can cause traffic interruption. Adhere to the following:
    • IPsec SA Lifetime(min) timer configurations for the SD-WAN Gateway must be less than 60 minutes (50 minutes recommended) to match the AWS default IPsec configuration.
    • DH and PFS DH groups must be matched.
  9. If you want to create a Secondary VPN Gateway for this site, then select the Secondary VPN Gateway checkbox and then enter the IP address of the Secondary VPN Gateway in the Public IP text box.

    The Secondary VPN Gateway will be created immediately for this site and will provision a VMware VPN tunnel to this Gateway.

  10. Select the Keep Tunnel Active checkbox to keep the Secondary VPN tunnel active for this site.
  11. Select the Tunnel settings are same as Primary VPN Gateway checkbox to apply the same tunnel settings as that of the Primary VPN Gateway.
    Any tunnel setting changes made to the Primary VPN Gateway will also be applied to the Secondary VPN tunnels, if configured.
  12. Under Site Subnets, you can add subnets for the Non SD-WAN Destination by clicking the + button.
    Note: To support the datacenter type of Non SD-WAN Destination, besides the IPSec connection, you will need to configure Non SD-WAN Destination local subnets into the VMware system.
  13. Click Save Changes.

What to do next