VMware allows Enterprise users to define and configure a Non SD-WAN Destination instance that establishes a secure IPsec tunnel to a Non SD-WAN Destination through an SD-WAN Gateway.

The Orchestrator selects the Gateway nearest to the configured IP address of the Non SD-WAN Destination, using a geolocation service.

You can configure a Non SD-WAN Destination via Gateway only at the Profile level; it cannot be overridden at the SD-WAN Edge level.

ECMP

To optimize the utilization of the aggregated bandwidth across the ingress interfaces of non-SDWAN sites, the VMware SD-WAN solution supports active-active mode in its Gateways.

This is achieved by establishing multiple IPsec tunnels in active-active mode towards the non-SDWAN site. The configuration load-balances network traffic across the tunnels, improving flow distribution.

To implement active-active mode with multiple IPsec tunnels towards non-SDWAN sites, the following three steps are required:

  1. Set up tunnels to the Non-SDWAN sites with the tunnel mode set to Active/Active.
  2. Choose the preferred load balancing algorithm.
  3. Configure BGP or Static site subnet routes directing traffic to these sites.

Procedure

  1. In the SD-WAN service of the Enterprise portal, go to Configure > Network Services, and then under Non SD-WAN Destinations, expand Non SD-WAN Destinations via Gateway.
  2. Click New, or the New NSD via Gateway option, to create a new Non SD-WAN Destination.
    Note: The New NSD via Gateway option appears only when there are no items in the table.
    Option Description
    Name: Enter a name for the Non SD-WAN Destination in the text box.
    Type: Select an IPsec tunnel type. The available options are:
    Tunnel Mode:
    • Active/Hot-Standby mode supports a maximum of 2 tunnel endpoints (Gateways).
    • Active/Active mode supports a maximum of 4 tunnel endpoints (Gateways). All active tunnels can send and receive traffic through ECMP.
    ECMP Load Sharing Method:
    • Flow Load Based (default): maps each new flow to the path that currently has the fewest flows mapped to it among the available paths to the destination.
    • Hash Load Based: computes a hash over inputs taken from the 5-tuple (SrcIP, DestIP, SrcPort, DestPort, Protocol). The inputs can be any subset of this tuple, as selected by the user; each flow is mapped to a path according to the hash value of the selected inputs.
    VPN Gateway 1: Enter a valid IP address.
    VPN Gateway 2: Enter a valid IP address. This field is optional.
    VPN Gateway 3: Enter a valid IP address. This field is optional.
    VPN Gateway 4: Enter a valid IP address. This field is optional.
  3. Click the Create button.
    You are redirected to an additional configuration options page based on the selected IPsec tunnel type. Click each of the links in the table above for more information on these tunnel types.
  4. The following options are available under the Non SD-WAN Destinations via Gateway section:
    Option Description
    Delete: Select an item and click this option to delete it.
    Operator Alerts: Select an item and set the Operator Alert to On or Off.
    Update Alerts: Select an item and update the previously set Operator Alert.
    Columns: Click and select the columns to be displayed or hidden on the page.
    Note:
    • You can also access these options by clicking the vertical ellipsis next to the item name in the table.
    • The Edit option takes you to the additional configuration settings screen.
    • Click the information icon at the top of the table to view the Conceptual Destination Diagram, and then hover across the diagram for more details.

    To edit or configure BGP, see Configure BGP Over IPsec from Gateways.

    To edit or configure BFD, see Configure BFD for Gateways.

    Non SD-WAN Peer Type                     Number of Tunnels Allowed
                                             Active/Active Mode        Active/Hot-Standby Mode
    AWS VPN Gateway                          up to 4                   up to 2
    Check Point                              up to 4                   up to 2
    Cisco ASA                                1 (Mode not applicable)   1 (Mode not applicable)
    Cisco ISR                                up to 4                   up to 2
    Generic IKEv2 Router (Route Based VPN)   up to 4                   up to 2
    Microsoft Azure Virtual Hub              up to 2                   up to 2
    Palo Alto                                up to 4                   up to 2
    SonicWALL                                up to 4                   up to 2
    Zscaler                                  up to 4                   up to 2
    Generic IKEv1 Router (Route Based VPN)   up to 4                   up to 2
    Generic Firewall (Policy Based VPN)      1 (Mode not applicable)   1 (Mode not applicable)

    Flow Pinning Behavior

    Existing flows stay pinned to the same path for as long as that path/route is available. Such flows are not affected by a change of tunnel mode or load sharing algorithm; only new flows, or flows whose path has gone away, are mapped by the current algorithm.
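    The following is an added Python model (not VMware code) of the two ECMP load sharing methods from the table above together with the flow pinning rule: Flow Load Based picks the available tunnel with the fewest mapped flows, Hash Load Based hashes a user-selected subset of the 5-tuple, and an existing flow keeps its tunnel until that tunnel goes down. Tunnel names, the sample flows and the use of SHA-256 as the hash are assumptions for illustration only.

```python
import hashlib

FIVE_TUPLE = ("src_ip", "dst_ip", "src_port", "dst_port", "proto")


class EcmpSelector:
    """Path choice across Active/Active tunnels. method="flow" is Flow Load
    Based; method="hash" is Hash Load Based over a chosen subset of the 5-tuple."""

    def __init__(self, paths, method="flow", hash_fields=FIVE_TUPLE):
        self.paths = list(paths)                # tunnel names (constructed sample)
        self.up = set(self.paths)               # available tunnels; discard one to take it down
        self.method = method
        self.hash_fields = tuple(hash_fields)   # which 5-tuple fields feed the hash
        self.pinned = {}                        # 5-tuple -> path (flow pinning)
        self.load = {p: 0 for p in self.paths}  # flows currently mapped per path

    def select(self, flow):
        """Return the path for a packet of `flow` (dict with the 5-tuple keys)."""
        key = tuple(flow[f] for f in FIVE_TUPLE)
        path = self.pinned.get(key)
        if path in self.up:
            return path                         # existing flow: pinned, unaffected by changes
        if path is not None:                    # pinned path went down: release it
            self.load[path] -= 1
            del self.pinned[key]
        avail = [p for p in self.paths if p in self.up]
        if not avail:
            raise RuntimeError("no active tunnel to the destination")
        if self.method == "flow":
            # fewest mapped flows wins; ties go to the lowest-indexed tunnel
            chosen = min(avail, key=lambda p: (self.load[p], self.paths.index(p)))
        elif self.method == "hash":
            # SHA-256 stands in for the gateway's hash; only selected fields are hashed
            material = "|".join(str(flow[f]) for f in self.hash_fields).encode()
            digest = hashlib.sha256(material).digest()
            chosen = avail[int.from_bytes(digest[:8], "big") % len(avail)]
        else:
            raise ValueError(f"unknown load sharing method {self.method!r}")
        self.pinned[key] = chosen
        self.load[chosen] += 1
        return chosen

    def close(self, flow):
        """Flow ended: unpin it and free its slot in the per-path count."""
        path = self.pinned.pop(tuple(flow[f] for f in FIVE_TUPLE), None)
        if path is not None:
            self.load[path] -= 1
```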

What to do next