This section provides a brief overview and detailed procedures to configure a route-based Non SD-WAN Destination (NSD) via Edge to the VMware Cloud on AWS gateway.

Route Based NSD Via Edge to the VMware Cloud AWS Gateway Overview

The figure below illustrates the integration of VMware SD-WAN and VMware Cloud on AWS, which uses IPsec connectivity between the VMware SD-WAN Edge and the VMware Cloud Gateway.

Procedure

This section provides step-by-step procedures on how to achieve connectivity between an SD-WAN Edge and a VMware Cloud Gateway.
  1. Log into the VMware Cloud Console using the URL for your SDDC organization (the VMware Cloud Services login page). On the Cloud Services Platform, select VMware Cloud on AWS.
  2. Find the public IP used for VPN connectivity by clicking the Networking and Security tab. The VPN public IP is displayed below the Overview pane.

  3. Determine the networks/subnets whose traffic should be encrypted (interesting traffic) and note them down. These should originate from Segments under Networking and Security in VMware Cloud (locate them by clicking Segments, under Network).
  4. Log into the SD-WAN Orchestrator and verify that SD-WAN Edges are present with a green status icon displayed next to them.

  5. Go to the Configure tab, click Network Services, and then under Non SD-WAN Destination via Edge click the New button.

  6. Provide a name for the Non SD-WAN Destination via Edge, select the type, in this case Generic IKEv2 Router (Route Based VPN), and click Next.

  7. Click the Advanced button and enter the following details.
    1. Enter the public IP of the VMC obtained in Step 2.
    2. Ensure encryption is set to AES 128.
    3. Change the DH group to 2.
    4. Enable PFS and set it to group 2.
    5. Set the Auth Algorithm to SHA 1.
    6. Subnets will be learned via BGP (if BGP is not configured, add the site subnets captured in Step 3 as static routes).
    7. Click Save Changes.

  8. Along the left pane, click Configure > Edges.

  9. Go to the device settings page of the Edge with which the NSD will be associated.
  10. Under the device settings of the Edge, complete the following.
    1. Under Cloud VPN and Branch to Non SD-WAN Destination via Edge, click the check box next to Enable.
    2. In the drop-down menu, select the NSD via Edge.

  11. Click the Add button and update the following fields (see image below).
    1. Select the Edge WAN link from which the NSD tunnel will be formed.
    2. Local ID type – IP address.
    3. Local ID will be the public IP of the WAN link.
    4. Enter the PSK.
    5. Destination primary Public IP – VMC Gateway Public IP.

  12. Activate BGP settings for an Edge, as shown in the image below.

  13. Click the Edit button and update the BGP parameters for the NSD neighbour.
    1. Select the configured NSD name.
    2. Select the Edge WAN link with which the NSD is associated.
    3. Configure Local ASN 65001.
    4. Neighbour IP – 169.254.32.2.
    5. Peer ASN – 65000 (the VMC default ASN is 65000).
    6. Local IP – 169.254.32.1. NOTE: It is recommended to use a /30 CIDR from the 169.254.0.0/16 subnet, excluding the following VMC reserved addresses: 169.254.0.0-169.254.31.255 and 169.254.101.0-169.254.101.3.

  14. The tunnel should be ready on the SD-WAN Orchestrator with BGP over IPSec.
  15. Log into the VMware Cloud Console.
  16. Go to Networking and Security and click the VPN tab. In the VPN area, select Route Based VPN, and click Add VPN.

  17. Provide a name for the Route Based VPN and configure the following.
    1. Choose a name. (Choose a name that starts with “To_SDWAN_EDGE,” so the VPN can be easily identified during troubleshooting and future support).
    2. Select the Public IP.
    3. Enter the remote Public IP. (Edge WAN link Public IP).
    4. Enter the remote private IP – it should be the same as Step 11c.
    5. Specify the BGP local IP.
    6. Specify the BGP remote IP.
    7. Under Tunnel Encryption, select AES 128.
    8. Under Tunnel Digest Algorithm, select SHA1.
    9. Make sure Perfect Forward Secrecy is set to Enabled.
    10. Enter the PSK, to match Step 12d.
    11. Under IKE Encryption, select AES 128.
    12. Under IKE Digest Algorithm, select SHA 1.
    13. Under IKE Type, select IKEv2.
    14. Under Diffie-Hellman, select Group 2.
    15. Click Save.

  18. Once the configuration is complete, the tunnel is automatically activated and proceeds to negotiate the IKE Phase 1 and Phase 2 parameters with the peer, which is the SD-WAN Edge.

  19. Once the tunnel displays as green, verify the NSD via Edge tunnel and BGP status in the SD-WAN Orchestrator (go to Monitor > Network Services).

  20. Start a ping from a client connected at each end towards the opposite client, and verify ping reachability. The tunnel configuration has been completed and verified.
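As an added pre-flight check (example code written for this page, not part of the VMware procedure or product), the following Python script validates the BGP peering /30 chosen in Step 13 against the VMC reserved ranges, and compares the Edge-side IKE/IPsec/BGP settings from Steps 7, 11 and 13 with the VMC-side settings from Step 17 so that mismatches are caught before the tunnel is brought up. The dictionary keys and sample values are constructed for this example.

```python
import ipaddress

LINK_LOCAL = ipaddress.IPv4Network("169.254.0.0/16")
# VMC reserved link-local ranges named in Step 13f; the BGP /30 must avoid them.
VMC_RESERVED = [
    (ipaddress.IPv4Address("169.254.0.0"), ipaddress.IPv4Address("169.254.31.255")),
    (ipaddress.IPv4Address("169.254.101.0"), ipaddress.IPv4Address("169.254.101.3")),
]
# Settings that must be identical on both ends; the ASNs are compared crosswise below.
SYMMETRIC_KEYS = ("ike_version", "encryption", "digest", "dh_group", "pfs", "psk")


def check_bgp_pair(local_ip, neighbor_ip):
    """Return a list of problems with the Edge/VMC BGP peering addresses (empty if OK)."""
    local = ipaddress.IPv4Address(local_ip)
    peer = ipaddress.IPv4Address(neighbor_ip)
    problems = []
    for label, addr in (("local", local), ("neighbor", peer)):
        if addr not in LINK_LOCAL:
            problems.append(f"{label} {addr} is outside {LINK_LOCAL}")
        for lo, hi in VMC_RESERVED:
            if lo <= addr <= hi:
                problems.append(f"{label} {addr} is in VMC reserved range {lo}-{hi}")
    # Both addresses must be the two usable hosts of one /30 (Step 13 note).
    net = ipaddress.IPv4Network(f"{local}/30", strict=False)
    usable = set(net.hosts())
    if local not in usable or peer not in usable or local == peer:
        problems.append(f"{local} and {peer} are not the two usable hosts of {net}")
    return problems


def check_tunnel_params(edge, vmc):
    """Return the names of settings that do not match between the Edge and VMC sides."""
    mismatches = [k for k in SYMMETRIC_KEYS if edge.get(k) != vmc.get(k)]
    if edge.get("local_asn") != vmc.get("peer_asn"):
        mismatches.append("local_asn/peer_asn")
    if edge.get("peer_asn") != vmc.get("local_asn"):
        mismatches.append("peer_asn/local_asn")
    return mismatches


# Constructed sample values following Steps 7, 11, 13 and 17 of the procedure.
EDGE = {"ike_version": "IKEv2", "encryption": "AES128", "digest": "SHA1", "dh_group": 2,
        "pfs": True, "psk": "example-psk", "local_asn": 65001, "peer_asn": 65000}
VMC = {"ike_version": "IKEv2", "encryption": "AES128", "digest": "SHA1", "dh_group": 2,
       "pfs": True, "psk": "example-psk", "local_asn": 65000, "peer_asn": 65001}

if __name__ == "__main__":
    print(check_bgp_pair("169.254.32.1", "169.254.32.2"))  # the page's addresses: []
    print(check_bgp_pair("169.254.10.1", "169.254.10.2"))  # both in a reserved range
    print(check_tunnel_params(EDGE, VMC))                   # []
```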