This section provides step-by-step procedures on how to achieve connectivity between an SD-WAN Gateway and a VMware Cloud Gateway.

Overview

The figure below illustrates the integration of VMware SD-WAN and VMware Cloud on AWS, which uses IPsec connectivity between the VMware SD-WAN Gateway and the VMware Cloud router.

Procedure

  1. Log into the VMware Cloud Console based on the URL for your SDDC organization (The VMware Cloud Services Login Page).

    On the Cloud Services Platform, select VMware Cloud on AWS.

  2. Find the Public IP used for VPN connectivity by clicking the Networking and Security tab. The VPN Public IP is displayed below the Overview pane.

  3. Determine the networks/subnets whose traffic should be encrypted (the interesting traffic) and note them down. These should originate from Segments in Networking/Security in the VMware Cloud. (Locate them by clicking Segments, under Network.)

  4. Log into the SD-WAN Orchestrator and verify that SD-WAN Edges are present with a green status icon displayed next to them.

  5. Go to the Configure tab and click Network Services, and then under Non-VeloCloud Sites, click the New button.

  6. Provide a name for the Non-VeloCloud Site, select the type (in this case, Generic Firewall (Policy Based VPN)), enter the Public IP of the VMC obtained in Step 2, and click Next.

  7. Click the Advanced button, and under the Primary VPN Gateway:
    1. Change the PSK to the desired value.
    2. Ensure encryption is set to AES 256.
    3. Change the DH group to 5.
    4. Enable PFS and set it to 5.
    5. Enter the site subnets captured in Step 3.
    6. Click the checkbox to Enable Tunnels.
    7. Click Save Changes.

  8. Click View IKE/IPSec Template, copy the information into a text file, and then close the window.

  9. Along the left pane, click Configure > Profiles.

  10. Locate the Profile associated with the SD-WAN Edge and click it.
  11. Under the correct Profile:
    1. Go to the Device tab, under Cloud VPN and Branch to Non-VeloCloud Site, click the checkbox next to Enable.
    2. In the drop-down menu, select the NVS Network Service that was created starting in Step 5.
    3. Click the Save Changes button at the top of the screen.

  12. The tunnel should be ready on the SD-WAN Orchestrator.
  13. Log into the VMware Cloud Console.
  14. Go to Networking and Security and click the VPN tab. In the VPN area, select Policy Based VPN, and click Add VPN.

  15. Provide a name for the Policy Based VPN and configure the following:
    1. Choose a name that starts with “To_SDWAN_Gateway,” so the VPN can be easily identified during troubleshooting and future support.
    2. Select the Public IP.
    3. Enter the remote Public IP.
    4. Enter the remote Private IP. NOTE: This requires a call to GSS Support; refer to the following KB article and mention the KB ID when contacting Support: https://ikb.vmware.com/s/article/78196.
    5. Specify the remote networks located on the SD-WAN Orchestrator.
    6. Select the Local Networks.
    7. Under Tunnel Encryption, select AES 256.
    8. Under Tunnel Digest Algorithm, select SHA1.
    9. Make sure Perfect Forward Secrecy is set to Enabled.
    10. Enter the PSK, matching the one set in Step 7.1.
    11. Under IKE Encryption, select AES 256.
    12. Under IKE Digest Algorithm, select SHA1.
    13. Under IKE Type, select IKEv2.
    14. Under Diffie-Hellman, select Group 5.
    15. Click Save.

  16. Once the configuration is complete, the tunnel is automatically enabled and proceeds to negotiate the IKE Phase 1 and Phase 2 parameters with the peer, which is the SD-WAN Gateway.

  17. Once the tunnel status displays green in the VMware Cloud Console, verify that it also displays green in the SD-WAN Orchestrator (go to Monitor > Network Services).

  18. Start a ping from a client connected at each end towards the client at the opposite end, and verify ping reachability.

    The tunnel configuration is now complete and verified.
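Most Phase 1/Phase 2 failures in Step 16 come from the Orchestrator NVS settings (Step 7) and the VMC policy-based VPN settings (Step 15) not matching exactly. The following is an added example, not part of the original procedure or of any VMware product: it records both sides' parameters as the two UIs label them (field names and PSK value are this example's own, constructed assumptions), normalizes label differences such as "SHA 1" vs "SHA1" or "Group 5" vs "5", and lists every mismatch before the tunnel is brought up.

```python
import re

# Fields compared, in the order the procedure configures them (names are this example's own).
FIELDS = ("ike_version", "ike_encryption", "ike_digest", "dh_group",
          "pfs", "tunnel_encryption", "tunnel_digest", "psk")

# Constructed from Step 7 (SD-WAN Orchestrator NVS) and Step 15 (VMC policy-based VPN).
ORCHESTRATOR_NVS = {
    "ike_version": "IKEv2", "ike_encryption": "AES 256", "ike_digest": "SHA1",
    "dh_group": "5", "pfs": "5",            # Orchestrator records PFS as the DH group
    "tunnel_encryption": "AES 256", "tunnel_digest": "SHA1",
    "psk": "example-psk",                   # placeholder, not a real secret
}
VMC_POLICY_VPN = {
    "ike_version": "IKEv2", "ike_encryption": "AES 256", "ike_digest": "SHA 1",
    "dh_group": "Group 5", "pfs": "Enabled",  # VMC records PFS as Enabled/Disabled
    "tunnel_encryption": "AES 256", "tunnel_digest": "SHA1",
    "psk": "example-psk",
}


def normalize(field, value):
    """Map the differing UI labels of both consoles onto one comparable form."""
    if field == "psk":
        return str(value)  # PSKs are compared byte-for-byte: whitespace matters
    v = re.sub(r"[\s_-]+", "", str(value)).lower()
    if field == "dh_group":
        return v.replace("group", "")  # "Group 5" -> "5"
    if field == "pfs":
        # Either a group number (Orchestrator) or Enabled/Disabled (VMC) means PFS is on.
        return "enabled" if v.isdigit() or v in ("enabled", "on", "true") else "disabled"
    return v


def compare_proposals(side_a, side_b):
    """Return [(field, value_a, value_b)] for every parameter that differs."""
    mismatches = []
    for field in FIELDS:
        a = normalize(field, side_a.get(field, ""))
        b = normalize(field, side_b.get(field, ""))
        if a != b:
            if field == "psk":
                a = b = "<redacted>"  # report the mismatch without exposing either secret
            mismatches.append((field, a, b))
    return mismatches


if __name__ == "__main__":
    for field, a, b in compare_proposals(ORCHESTRATOR_NVS, VMC_POLICY_VPN):
        print(f"MISMATCH {field}: Orchestrator={a!r} VMC={b!r}")
```

An empty result means both ends propose the same IKEv2/AES 256/SHA1/DH group 5 parameters with PFS on; a listed field is the first thing to correct before re-checking the tunnel status in Step 17.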