The Edge Cloud VPN settings are inherited from the Profile associated with the Edge and can be reviewed in the Edge Device tab. At the Edge level, you can override these settings inherited from a Profile and configure tunnel parameters.
- In the SD-WAN service of the Enterprise portal, go to .
- Select an Edge you want to override Non SD-WAN Destination settings for, and then click the View link under the Device column. The Device settings page for the selected Edge appears.
- Go to the VPN Services area, and expand Non SD-WAN Destination via Edge.
- Select the Override check box to override the Non SD-WAN Destination settings inherited from the Profile as needed.
Note: Any configuration changes to Branch to Non SD-WAN Destination via Gateway settings can be made only in the associated Profile level.
- Under the Action column, click + to add tunnels. The Add Tunnel pop-up window appears.
- Enter the following details for configuring a tunnel to the Non SD-WAN Destination:
Option Description Authentication Method Select either PSK or Certificate as the authentication method. Note: The Certificate Authentication mode is available only when the system propertysession.options.enableNsdPkiIPv6Configis set to True.Public WAN Link Select a WAN link from the drop-down list. Local Identification Type Select any one of the Local authentication types from the drop-down menu: - FQDN - The Fully Qualified Domain Name or hostname. For example, vmware.com.
- User FQDN - The User Fully Qualified Domain Name in the form of email address. For example, [email protected].
- IPv4 - The IP address used to communicate with the local gateway.
- IPv6 - The IP address used to communicate with the local gateway.
Note:- These values are available only when you select the Authentication Mode as PSK.
- The IPv6 Local Identification Type displays the value DER_ASN1_DN when the Authentication Mode is Certificate. Also, the IPv6 is available only when the system property
session.options.enableNsdPkiIPv6Configis set to True.
Local Identification Local authentication ID defines the format and identification of the local gateway. For the selected Local Identification Type, enter a valid value. The accepted values are IP address, User FQDN (email address), and FQDN (hostname or domain name). The default value is local IPv4 or IPv6 address. Note: Configuring Local Identification in Strongswan is optional. If not configured, Strongswan uses the value from the certificate.PSK Enter the Pre-Shared Key (PSK), which is the security key for authentication across the tunnel in the text box. Remote Identification Type This field is displayed only when the Authentication Method is selected as Certificate. Currently, only DER_ASN1_DN type is supported. Remote Identification This field is displayed only when the Authentication Method is selected as Certificate. Remote authentication ID defines the format and identification of the remote gateway. For the selected Remote Identification Type, enter a valid value. The accepted values are IP address, User FQDN (email address), and FQDN (hostname or domain name). The default value is local IPv4 or IPv6 address. Note: Configuring Remote Identification in Strongswan is optional. If not configured, Strongswan uses the value from the certificate.Destination Primary Public IP Enter the Public IP address of the destination Primary VPN Gateway. Destination Secondary Public IP Enter the Public IP address of the destination Secondary VPN Gateway. Note:- When you choose the Authentication Method as Certificate, the Local Identification Type and Remote Identification Type display the value DER_ASN1_DN by default.
- The Local Identification and Remote Identification fields must be configured in DER_ASN1_DN format. The values FQDN, User FQDN, IPv4, and IPv6 are reserved for future use.
- Click Save to save the changes.
