VMware SD-WAN allows Enterprise users to define and configure a Non SD-WAN Destination instance in order to establish secure IPsec tunnels over IPv4 or IPv6 directly from an SD-WAN Edge to a Non SD-WAN Destination. This section also describes how to configure Cloud Security Services.
Procedure
- In the SD-WAN service of the Enterprise portal, go to Configure > Network Services, and then under Non SD-WAN Destinations, expand Non SD-WAN Destinations via Edge.
- In the Non SD-WAN Destinations via Edge area, click New or New NSD via Edge option to create a new Non SD-WAN Destination.
Note: The New NSD via Edge option appears only when there are no items in the table.
- The following configuration options are available:
Note: To support the datacenter type of Non SD-WAN Destination, besides the IKE/IPSec settings, you must also configure the Non SD-WAN Destination's local subnets in the VMware system.
General

- Service Name: Enter a name for the Non SD-WAN Destination. This field is mandatory.
- Service Type: Select the service type from the drop-down menu. The available options are Generic IKEv1 Router (Route Based VPN), Generic IKEv2 Router (Route Based VPN), and Microsoft Azure Virtual Wan. This field is mandatory.
- Tunnel mode: Select a tunnel mode from the drop-down menu. The available options are Active/Active, Active/Hot-Standby, and Active/Standby.

IKE/IPSec Settings

- IP Version: Select the IP version (IPv4 or IPv6) of the current Non SD-WAN Destination from the drop-down menu.
- Primary VPN Gateway Public IP: Enter a valid IPv4 or IPv6 address. This field is mandatory.
- View advanced settings for IKE Proposal: Expand this option to view the following fields.
  - Encryption: Select the AES algorithm and key size used to encrypt data from the drop-down list. The available options are AES 128, AES 256, AES 128 GCM, AES 256 GCM, and Auto. The default value is AES 128.
  - DH Group: Select the Diffie-Hellman (DH) group from the drop-down list. It is used for generating keying material; the group determines the size of the modulus or curve, and therefore the strength, of the exchange. The supported DH groups are 2, 5, 14, 15, 16, 19, 20, and 21. The default value is 14.
  - Hash: Select one of the following Secure Hash Algorithm (SHA) functions from the drop-down list: SHA 1, SHA 256, SHA 384, SHA 512, or Auto. The default value is SHA 256. Note: SHA 384 and SHA 512 are not available for the Microsoft Azure Virtual Wan Service Type.
  - IKE SA Lifetime(min): Enter the IKE SA lifetime, in minutes, after which the Edge initiates Internet Key Exchange (IKE) rekeying. The minimum is 10 minutes and the maximum is 1440 minutes. The default value is 1440 minutes. Note: Rekeying must be initiated before 75-80 % of the lifetime expires.
  - DPD Timeout(sec): Enter the Dead Peer Detection (DPD) timeout, the time to wait for a response to a DPD message before considering the peer dead. Prior to the 5.1.0 release, the default value is 20 seconds. For the 5.1.0 release and later, the configured value is added to the internal DPD timer as follows:
    - Library Name: Quicksec
    - Probe Interval: Exponential (0.5 sec, 1 sec, 2 sec, 4 sec, 8 sec, 16 sec)
    - Default Minimum DPD Interval: 47.5 sec (Quicksec waits a further 16 seconds after the last retry, so 0.5 + 1 + 2 + 4 + 8 + 16 + 16 = 47.5).
    - Default Minimum DPD Interval + DPD Timeout(sec): 67.5 sec (47.5 sec plus the 20-second default DPD timeout).
    Note: For the 5.1.0 release and later, you cannot deactivate DPD by setting the DPD timeout to 0 seconds. The configured DPD timeout, in seconds, is added to the default minimum of 47.5 seconds.
- View advanced settings for IPsec Proposal: Expand this option to view the following fields.
  - Encryption: Select the AES algorithm and key size used to encrypt data from the drop-down list. The available options are None, AES 128, and AES 256. The default value is AES 128.
  - PFS: Select the Perfect Forward Secrecy (PFS) level, the DH group used to derive fresh keying material for each IPsec SA. The supported PFS levels are 2, 5, 14, 15, 16, 19, 20, and 21. The default value is 14.
  - Hash: Select one of the following Secure Hash Algorithm (SHA) functions from the drop-down list: SHA 1, SHA 256, SHA 384, or SHA 512. The default value is SHA 256. Note: SHA 384 and SHA 512 are not available for the Microsoft Azure Virtual Wan Service Type.
  - IPsec SA Lifetime(min): Enter the IPsec SA lifetime, in minutes, after which the Edge initiates IP Security (IPsec) rekeying. The minimum is 3 minutes and the maximum is 480 minutes. The default value is 480 minutes. Note: Rekeying must be initiated before 75-80 % of the lifetime expires.

Secondary VPN Gateway

- Add: Click this option to add a secondary VPN Gateway. The following fields are displayed.
  - Public IP: Enter a valid IPv4 or IPv6 address.
  - Remove: Deletes the Secondary VPN Gateway.
  - Tunnel settings are the same as Primary VPN Gateway: Select this check box to use the same settings for the Primary and Secondary Gateways. Otherwise, you can enter the settings for the Secondary VPN Gateway manually.

Site Subnets

- Add: Click this option to add a subnet and a description for the Non SD-WAN Destination.
- Delete: Click this option to delete the selected subnet.

- Click Save.
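The IKE/IPsec option values above lend themselves to a pre-deployment check. The following Python is an added example written for this page, not VMware or Orchestrator code: it encodes the documented ranges and defaults, computes the 5.1.0-and-later DPD detection time from the Quicksec schedule, and flags choices the form accepts but a security review should question (SHA 1, DH groups 2 and 5, IPsec encryption None). The dict layout, field names, function names and the shortened service-type labels are this example's own assumptions, not the Orchestrator API.

```python
"""Lint a Non SD-WAN Destination via Edge IKE/IPsec proposal against the values documented
above and compute the effective DPD detection time. Added example, not VMware code: the dict
layout, field names and function names are this example's own, not the Orchestrator API."""

# Values the form offers (from the option descriptions above); service types shortened.
SERVICE_TYPES = {"Generic IKEv1 Router", "Generic IKEv2 Router", "Microsoft Azure Virtual Wan"}
IKE_ENCRYPTION = {"AES 128", "AES 256", "AES 128 GCM", "AES 256 GCM", "Auto"}
IPSEC_ENCRYPTION = {"None", "AES 128", "AES 256"}
DH_GROUPS = {2, 5, 14, 15, 16, 19, 20, 21}           # also the PFS levels
IKE_HASHES = {"SHA 1", "SHA 256", "SHA 384", "SHA 512", "Auto"}
IPSEC_HASHES = {"SHA 1", "SHA 256", "SHA 384", "SHA 512"}
AZURE_UNSUPPORTED_HASHES = {"SHA 384", "SHA 512"}   # not offered for Microsoft Azure Virtual Wan
IKE_LIFETIME_MIN, IKE_LIFETIME_MAX = 10, 1440       # minutes
IPSEC_LIFETIME_MIN, IPSEC_LIFETIME_MAX = 3, 480     # minutes

# Quicksec DPD schedule for release 5.1.0 and later: exponential retries plus a final 16 s
# wait give the fixed 47.5 s floor to which the configured DPD Timeout is added.
DPD_PROBE_SCHEDULE_SEC = (0.5, 1, 2, 4, 8, 16)
DPD_FINAL_WAIT_SEC = 16
DPD_FLOOR_SEC = sum(DPD_PROBE_SCHEDULE_SEC) + DPD_FINAL_WAIT_SEC   # 47.5


def dpd_detection_time(dpd_timeout_sec, release="5.1.0"):
    """Seconds after the last reply until the peer is declared dead; None means DPD is off."""
    if dpd_timeout_sec < 0:
        raise ValueError("DPD timeout cannot be negative")
    major, minor = (int(p) for p in release.split(".")[:2])
    if (major, minor) < (5, 1):
        # Before 5.1.0 the configured value is the whole timeout and 0 deactivates DPD.
        return None if dpd_timeout_sec == 0 else float(dpd_timeout_sec)
    # 5.1.0 and later: 0 no longer deactivates DPD; the value is added to the 47.5 s floor.
    return DPD_FLOOR_SEC + dpd_timeout_sec


def rekey_window_min(lifetime_min):
    """Window (75-80 % of the SA lifetime, in minutes) within which rekeying must start."""
    return (0.75 * lifetime_min, 0.80 * lifetime_min)


def lint_proposal(cfg):
    """Return (errors, warnings): errors are values the form does not accept, warnings are
    accepted values a security review should question."""
    svc, ike, ipsec = cfg["service_type"], cfg["ike"], cfg["ipsec"]
    checks = [  # (condition that must hold, message if it does not)
        (svc in SERVICE_TYPES, f"unknown service type {svc!r}"),
        (ike["encryption"] in IKE_ENCRYPTION, f"IKE encryption {ike['encryption']!r} not offered"),
        (ike["dh_group"] in DH_GROUPS, f"IKE DH group {ike['dh_group']} not supported"),
        (ike["hash"] in IKE_HASHES, f"IKE hash {ike['hash']!r} not offered"),
        (IKE_LIFETIME_MIN <= ike["sa_lifetime_min"] <= IKE_LIFETIME_MAX,
         f"IKE SA lifetime {ike['sa_lifetime_min']} min outside 10-1440"),
        (ipsec["encryption"] in IPSEC_ENCRYPTION, f"IPsec encryption {ipsec['encryption']!r} not offered"),
        (ipsec["pfs"] in DH_GROUPS, f"PFS level {ipsec['pfs']} not supported"),
        (ipsec["hash"] in IPSEC_HASHES, f"IPsec hash {ipsec['hash']!r} not offered"),
        (IPSEC_LIFETIME_MIN <= ipsec["sa_lifetime_min"] <= IPSEC_LIFETIME_MAX,
         f"IPsec SA lifetime {ipsec['sa_lifetime_min']} min outside 3-480"),
    ]
    if svc == "Microsoft Azure Virtual Wan":
        for side, h in (("IKE", ike["hash"]), ("IPsec", ipsec["hash"])):
            checks.append((h not in AZURE_UNSUPPORTED_HASHES,
                           f"{side} hash {h} is not available for Microsoft Azure Virtual Wan"))
    errors = [msg for ok, msg in checks if not ok]

    # Review warnings: the form accepts these; a reviewer generally should not.
    warnings = []
    for side, h in (("IKE", ike["hash"]), ("IPsec", ipsec["hash"])):
        if h == "SHA 1":
            warnings.append(f"{side} integrity uses SHA 1; prefer SHA 256 or stronger")
    for side, g in (("IKE DH group", ike["dh_group"]), ("PFS level", ipsec["pfs"])):
        if g in (2, 5):
            warnings.append(f"{side} {g} is 1024/1536-bit MODP; prefer 14-16 or the ECP groups 19-21")
    if ipsec["encryption"] == "None":
        warnings.append("IPsec encryption None: ESP gives integrity only, traffic is sent in clear")
    if ipsec["sa_lifetime_min"] > ike["sa_lifetime_min"]:
        warnings.append("IPsec SA lifetime exceeds IKE SA lifetime; child SAs are normally rekeyed more often")
    return errors, warnings


# Constructed sample: the form defaults for a generic IKEv2 peer.
DEFAULT_PROPOSAL = {
    "service_type": "Generic IKEv2 Router",
    "ike": {"encryption": "AES 128", "dh_group": 14, "hash": "SHA 256",
            "sa_lifetime_min": 1440, "dpd_timeout_sec": 20},
    "ipsec": {"encryption": "AES 128", "pfs": 14, "hash": "SHA 256", "sa_lifetime_min": 480},
}

# Constructed sample: an Azure target with choices the form rejects plus weak accepted ones.
WEAK_AZURE_PROPOSAL = {
    "service_type": "Microsoft Azure Virtual Wan",
    "ike": {"encryption": "AES 256", "dh_group": 2, "hash": "SHA 512",
            "sa_lifetime_min": 2000, "dpd_timeout_sec": 0},
    "ipsec": {"encryption": "None", "pfs": 14, "hash": "SHA 1", "sa_lifetime_min": 480},
}

if __name__ == "__main__":
    for name, cfg in (("defaults", DEFAULT_PROPOSAL), ("weak azure", WEAK_AZURE_PROPOSAL)):
        print(name, lint_proposal(cfg), "peer dead after",
              dpd_detection_time(cfg["ike"]["dpd_timeout_sec"]), "s on 5.1.0+")
```

Running the linter on the two constructed samples shows the difference between what the form rejects (an IKE lifetime above 1440 minutes, SHA 512 on an Azure target) and what it silently accepts (DH group 2, SHA 1, ESP without encryption). The DPD helper also makes the 5.1.0 change concrete: a DPD Timeout of 0 that used to turn DPD off now yields a 47.5 s detection time, and the 20 s default yields 67.5 s.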
- In the Cloud Security Services area, click New.
- In the New Cloud Security Service window, select a service type from the drop-down menu. VMware SD-WAN supports the following CSS types:
- Generic Cloud Security Service
- Symantec / Palo Alto Cloud Security Service
- Zscaler Cloud Security Service
- If you have selected either Generic or Symantec / Palo Alto Cloud Security Service as the Service Type, configure the following fields, and then click Save Changes.
  - Service Name: Enter a descriptive name for the cloud security service.
  - Primary Point-of-Presence/Server: Enter the IP address or hostname for the Primary server.
  - Secondary Point-of-Presence/Server: Enter the IP address or hostname for the Secondary server. This field is optional.
- If you have selected Zscaler Cloud Security Service as the Service Type, configure the following fields, and then click Save Changes.
  - Service Name: Enter a descriptive name for the cloud security service.
  - Automate Cloud Service Deployment: Select the check box to automate deployment of the cloud service.
  - URL for logging in to Zscaler: Choose an existing Zscaler URL from the drop-down list or enter a new URL.
  - Primary Server: Enter the IP address or hostname for the Primary server.
  - Secondary Server: Enter the IP address or hostname for the Secondary server. This field is optional.
  - L7 Health Check: Select the check box to monitor the health of the Zscaler server. Note: For a given Edge/Profile, a user cannot override the L7 Health Check parameters configured in Network Services.
  - HTTP Probe Interval: Displays the interval between individual HTTP probes. The default probe interval is 5 seconds.
  - Number of Retries: Select the number of retries allowed before the cloud service is marked as DOWN. The default value is 3.
  - RTT Threshold: The Round Trip Time (RTT) threshold, in milliseconds, used to calculate the cloud service status. The cloud service is marked as DOWN if the measured RTT is above the configured threshold. The default value is 3000 milliseconds.
  - Zscaler Login URL: Enter the login URL and then click Login to Zscaler. This redirects you to the Zscaler Admin portal of the selected Zscaler cloud. Note: The Login to Zscaler link is activated only after you enter the Zscaler login URL.
  Note: For more information, see Cloud Security Services.
- The following other options are available under the Non SD-WAN Destinations via Edge section:
  - Delete: Select an item and click this option to delete it.
  - Columns: Click and select the columns to be displayed or hidden on the page.
  Note: Click the information icon at the top of the table to view the Conceptual Diagram, and then hover over the diagram for more details.
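The L7 Health Check parameters (HTTP Probe Interval, Number of Retries, RTT Threshold) interact, and it helps to replay a probe trace against them before changing the defaults. The following Python is an added example for this page, not VMware or Zscaler code. The page does not state exactly how the Edge counts retries, so the model makes two labelled assumptions: a probe fails when it gets no HTTP response or when its RTT is above the threshold, and the service is marked DOWN after the configured number of consecutive failed probes and UP again on the first probe that succeeds. The probe trace is constructed.

```python
"""Model the Cloud Security Service L7 health check with the parameters documented above:
HTTP probe interval 5 s, 3 retries, 3000 ms RTT threshold. Added example, not VMware code.
Assumptions (the page does not state them): a probe fails when it gets no HTTP response
(rtt None) or its RTT is above the threshold; the service is marked DOWN after `retries`
consecutive failed probes and UP again on the first probe that succeeds."""
from dataclasses import dataclass


@dataclass
class L7HealthCheck:
    probe_interval_sec: int = 5     # HTTP Probe Interval default
    retries: int = 3                # Number of Retries default
    rtt_threshold_ms: int = 3000    # RTT Threshold default
    consecutive_failures: int = 0
    status: str = "UP"

    def probe_failed(self, rtt_ms):
        """No response, or a response slower than the threshold, is a failed probe."""
        return rtt_ms is None or rtt_ms > self.rtt_threshold_ms

    def observe(self, rtt_ms):
        """Feed one probe result and return the service status after it."""
        if self.probe_failed(rtt_ms):
            self.consecutive_failures += 1
            if self.consecutive_failures >= self.retries:
                self.status = "DOWN"
        else:
            self.consecutive_failures = 0
            self.status = "UP"
        return self.status

    def time_to_down_sec(self):
        """Probe time spent before DOWN can be declared when every probe fails: one probe
        interval per failed probe. Assumption: the Edge keeps the configured interval
        after a failure rather than re-probing immediately."""
        return self.retries * self.probe_interval_sec


def run_probes(rtts_ms, **params):
    """Replay probe RTTs (ms; None = no response) and return the status after each probe."""
    hc = L7HealthCheck(**params)
    return [hc.observe(r) for r in rtts_ms]


# Constructed probe trace: healthy PoP, then it stops answering or slows down, then recovers.
SAMPLE_RTTS_MS = [120, 150, None, 3500, None, 200, 4000, 90]

if __name__ == "__main__":
    for rtt, status in zip(SAMPLE_RTTS_MS, run_probes(SAMPLE_RTTS_MS)):
        print(f"rtt={rtt!s:>5} ms -> {status}")
    print("defaults declare DOWN after", L7HealthCheck().time_to_down_sec(), "s of failed probes")
```

With the defaults, the constructed trace stays UP through two failed probes and goes DOWN on the third, then recovers on the next good response; passing retries=1 to run_probes makes a single slow or missing response enough to fail over, which is the trade-off between fast detection and flapping that these three parameters control.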
What to do next
- Configure tunnel settings for your Non SD-WAN Destination. For more information, see:
  - Associate your Non SD-WAN Destination with a Profile or Edge. For more information, see Configure Tunnel Between Branch and Non SD-WAN Destinations via Edge.
  - Configure tunnel parameters (WAN link selection and per-tunnel credentials) at the Edge level. For more information, see Configure Cloud VPN and Tunnel Parameters for Edges.
- Configure Business Policy. Configuring a business policy is optional for Non SD-WAN Destinations via Edge. If no Non SD-WAN Destinations are configured, you can redirect Internet traffic by using a business policy. For more information, see Create Business Policy Rule.