The Edge Cloud VPN settings are inherited from the Profile associated with the Edge and can be reviewed in the Edge Device tab. At the Edge level, you can override the Branch to Non SD-WAN Destination via Edge settings inherited from a Profile and configure Tunnel parameters (WAN link selection and Per tunnel credentials).

  1. In the Enterprise portal, go to Configure > Edges.
  2. Select the Edge for which you want to override the Non SD-WAN Destination settings, and then click the View link under the Device column. The Device Setting page for the selected Edge appears.
  3. Go to the VPN Services area, and expand Non SD-WAN Destination via Edge.
  4. Select the Override check box to override the Non SD-WAN Destination settings inherited from the Profile as needed.
    Note: Configuration changes to the Branch to Non SD-WAN Destination via Gateway settings can be made only at the associated Profile level.
  5. Under the Action column, click + to add tunnels. The Add Tunnel pop-up window appears.
  6. Enter the following details for configuring a tunnel to the Non SD-WAN Destination:
    Option: Description
    Authentication Method: Select either PSK or Certificate as the authentication method.
      Note: The Certificate Authentication mode is available only when the system property session.options.enableNsdPkiIPv6Config is set to True.
    Public WAN Link: Select a WAN link from the drop-down list.
    Local Identification Type: Select one of the Local authentication types from the drop-down menu:
      • FQDN - The Fully Qualified Domain Name or hostname. For example, vmware.com.
      • User FQDN - The User Fully Qualified Domain Name in the form of an email address. For example, [email protected].
      • IPv4 - The IP address used to communicate with the local gateway.
      • IPv6 - The IP address used to communicate with the local gateway.
        Note: The IPv6 Local Identification Type is available only when the system property session.options.enableNsdPkiIPv6Config is set to True.
      Note: When you choose Certificate as the Authentication Method, the Local Identification Type is displayed as DER_ASN1_DN. The Local Identification Type must match the local certificate Subject Name.
    Local Identification: The Local authentication ID defines the format and identification of the local gateway. For the selected Local Identification Type, enter a valid value. The accepted values are IP address, User FQDN (email address), and FQDN (hostname or domain name). The default value is the local IPv4 address.
      Note: Configuring Local Identification in strongSwan is optional. If it is not configured, strongSwan uses the value from the certificate.
    PSK: In the text box, enter the Pre-Shared Key (PSK), which is the security key for authentication across the tunnel.
    Remote Identification Type: This field is displayed only when Certificate is selected as the Authentication Method. Currently, only the DER_ASN1_DN type is supported.
    Remote Identification: This field is displayed only when Certificate is selected as the Authentication Method. The Remote authentication ID defines the format and identification of the remote gateway. For the selected Remote Identification Type, enter a valid value. The accepted values are IP address, User FQDN (email address), and FQDN (hostname or domain name). The default value is the local IPv4 address.
      Note: Configuring Remote Identification in strongSwan is optional. If it is not configured, strongSwan uses the value from the certificate.
    Destination Primary Public IP: Enter the Public IP address of the destination Primary VPN Gateway.
    Destination Secondary Public IP: Enter the Public IP address of the destination Secondary VPN Gateway.
  7. Click Save.
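
A pre-flight check for the identification values entered in step 6, as an added example (not VMware code): it verifies that the value fits the selected identification type and, for Certificate authentication, that the DER_ASN1_DN value matches the certificate Subject Name. The function names are hypothetical, and the DN comparison assumes an order-sensitive match after normalizing whitespace and attribute-type case.

```python
import ipaddress
import re

# Hostname labels: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_FQDN = re.compile(rf"^{_LABEL}(?:\.{_LABEL})+$")
_USER_FQDN = re.compile(rf"^[^@\s]+@{_LABEL}(?:\.{_LABEL})+$")


def normalize_dn(dn):
    """Split a DN on unescaped commas; uppercase attribute types, keep RDN order."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def check_tunnel(auth_method, id_type, id_value, cert_subject=None):
    """Return a list of problems with one tunnel's identification settings."""
    problems = []
    if auth_method == "Certificate":
        if id_type != "DER_ASN1_DN":
            problems.append("Certificate authentication requires type DER_ASN1_DN")
        elif id_value:  # optional: when empty, the certificate's value is used
            try:
                if cert_subject is None or normalize_dn(id_value) != normalize_dn(cert_subject):
                    problems.append("identification does not match certificate Subject Name")
            except ValueError as exc:
                problems.append(str(exc))
    elif auth_method == "PSK":
        if id_type == "FQDN":
            ok = bool(_FQDN.match(id_value))
        elif id_type == "User FQDN":
            ok = bool(_USER_FQDN.match(id_value))
        elif id_type in ("IPv4", "IPv6"):
            try:  # the address family must agree with the selected type
                ok = ipaddress.ip_address(id_value).version == int(id_type[-1])
            except ValueError:
                ok = False
        else:
            ok = False
        if not ok:
            problems.append(f"{id_value!r} is not a valid {id_type} identification")
    else:
        problems.append(f"unknown authentication method {auth_method!r}")
    return problems
```

The certificate subject passed as `cert_subject` is expected as a comma-separated string such as the constructed value `C=US, O=Example, CN=edge1`.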