Configure Non SD-WAN Destinations via Gateway

VMware allows the Enterprise users to define and configure a Non SD-WAN Destination instance to establish a secure IPsec tunnel to a Non SD-WAN Destination through an SD-WAN Gateway.

The Orchestrator selects the nearest Gateway for the Non SD-WAN Destination with its configured IP address, using geolocation service.

You can configure Non SD-WAN Destination via Gateway only at the Profile Level and cannot override at the SD-WAN Edge level.

ECMP

To optimize the utilization of the aggregated bandwidth across the ingress interfaces of non-SDWAN sites, VMware SD-WAN solution incorporates active-active mode support in its gateways.

This can be achieved by enabling the establishment of multiple IPsec tunnels in active-active mode towards non-SDWAN sites. This configuration allows load balancing of network traffic across tunnels optimizing the flow of distribution.

To implement active-active mode with multiple IPsec tunnels towards non-SDWAN sites, the following three steps are required:

Set up tunnels connecting to Non-SDWAN sites with tunnel mode as Active-Active.
Choose the preferred load balancing algorithm.
Configure BGP or Static site subnet routes directing traffic to these sites.

Procedure

In the SD-WAN service of the Enterprise portal, go to Configure > Network Services, and then under Non SD-WAN Destinations, expand Non SD-WAN Destinations via Gateway.

Click New or New NSD via Gateway option to create a new Non SD-WAN Destination.

Note: The New NSD via Gateway option appears only when there are no items in the table.


Option	Description
Name	Enter a name for the Non SD-WAN Destination in the text box.
Type	Select an IPsec tunnel type. The available options are: AWS VPN Gateway Note: This service is introduced in the 4.3.0 release. Customers can also use different primary Public IPs and Secondary Public IPs for NVS Gateways for AWS. Check Point Cisco ASA Note: Secondary VPN Gateway is not supported for this option. Cisco ISR Generic IKEv2 Router (Route Based VPN) Microsoft Azure Virtual Hub Note: Requires a valid subscription. Palo Alto SonicWall Configure a Non SD-WAN Destination of Type Zscaler Generic IKEv1 Router (Route Based VPN) Generic Firewall (Policy Based VPN) Note: Secondary VPN Gateway is not supported for this option.
Tunnel Mode	Active/ Hot-Standby mode supports to set up a maximum of 2 tunnel endpoints or Gateways.
Tunnel Mode	Active/Activemode supports to set up a maximum of 4 tunnel endpoints or Gateways. All Active tunnels can send and receive traffic through ECMP.
ECMP Load Sharing Method	Flow Load Based (Default) Flow load based algorithm maps the new flow to the path with least number of flows mapped among the available paths to the destination.
ECMP Load Sharing Method	Hash Load Based algorithm takes input parameters from 5-tuple (SrcIP, DestIP, SrcPort, DestPort, Protocol). These inputs can be any or all or any subset of this tuple based on user configuration. Flow is mapped to the path based on hash value with selected inputs.
VPN Gateway 1	Enter a valid IP address.
VPN Gateway 2	Enter a valid IP address. This field is optional.
VPN Gateway 3	Enter a valid IP address. This field is optional.
VPN Gateway 4	Enter a valid IP address. This field is optional.

Click the Create button.
You are redirected to an additional configuration options page based on the selected IPsec tunnel type. Click each of the links in the table above for more information on these tunnel types.

Following are the various options available under the Non SD-WAN Destinations via Gateway section:


Option	Description
Delete	Select an item and click this option to delete it.
Operator Alerts	Select an item and set the Operator Alert to On or Off.
Update Alerts	Select an item and update the previously set Operator Alert.
Columns	Click and select the columns to be displayed or hidden on the page.

Note:

You can also access these options by clicking the vertical ellipsis next to the item name in the table.
The Edit option takes you to the additional configuration settings screen.
Click the information icon at the top of the table to view the Conceptual Destination Diagram, and then hover across the diagram for more details.

To edit or configure BGP, see Configure BGP Over IPsec from Gateways.

To edit or configure BFD, see Configure BFD for Gateways.


Non SD-WAN Peer Type	Number of Tunnels Allowed
	Active/Active Mode	Active/Hot standbyMode
AWS VPN Gateway	upto 4	upto 2
Check Point	upto 4	upto 2
Cisco ASA	1 (Mode not applicable)	1 (Mode not applicable)
Cisco ISR	upto 4	upto 2
Generic IKEv2 Router (Route Based VPN)	upto 4	upto 2
Microsoft Azure Virtual Hub	upto 2	upto 2
Palo Alto	upto 4	upto 2
SonicWALL	upto 4	upto 2
Zscaler	upto 4	upto 2
Generic IKEv1 Router (Route Based VPN)	upto 4	upto 2
Generic Firewall (Policy Based VPN)	1 (Mode not applicable)	1 (Mode not applicable)

Flow Pinning Behavior

Existing flows are pinned to the same path as long as the path/route is available. These flows are not affected during mode or algorithm change.

What to do next

Associate your Non SD-WAN Destination to a Profile. For more information, see:
Configure a Business Policy. For more information, see Configure Business Policies.
Note: Configuring Business Policy is not mandatory for this feature.