Use the IPsec VPN Sites screen in the vCloud Director tenant portal to configure settings needed to create an IPsec VPN connection between your organization virtual datacenter and another site using the edge gateway's IPsec VPN capabilities.

About this task

When you configure an IPsec VPN connection between sites, you configure the connection from the point of view of your current location. Setting up the connection requires that you understand the concepts in the context of the vCloud Director environment so that you configure the VPN connection correctly.

  • The local and peer subnets specify the networks to which the VPN connects. When you specify these subnets in the configurations for IPsec VPN sites, enter a network range and not a specific IP address. Use CIDR format, such as 192.168.99.0/24.

  • The peer ID is an identifier that uniquely identifies the remote device that terminates the VPN connection, typically its public IP address. For peers using certificate authentication, this ID must be the distinguished name set in the peer's certificate. For PSK peers, this ID can be any string. An NSX best practice is to use the remote device's public IP address or FQDN as the peer ID. If the peer IP address is from another organization virtual datacenter network, you enter the peer’s native IP address. If NAT is configured for the peer, you enter the peer's private IP address.

  • The peer endpoint specifies the public IP address of the remote device to which you are connecting. The peer endpoint might be a different address from the peer ID if the peer's gateway is not directly accessible from the Internet, but connects through another device. If NAT is configured for the peer, you enter the public IP address that the device uses for NAT.

  • The local ID specifies the public IP address of the organization virtual datacenter's edge gateway. You can enter an IP address or hostname in conjunction with the edge gateway's firewall.

  • The local endpoint specifies the network in your organization virtual datacenter on which the edge gateway transmits. Typically the edge gateway's external network is the local endpoint.

Prerequisites

Verify you have completed the steps described in Configure IPsec VPN Using the Tenant Portal and in Navigate to the IPsec VPN Screen in the Tenant Portal.

If you intend to use a global certificate as the authentication method, verify that certificate authentication is enabled on the Global Configuration screen. See Specify Global IPsec VPN Settings for details.

Procedure

  1. Launch Edge Gateway Services by completing the following steps.
    1. Click Network > Edge Gateway.
    2. Select the edge gateway to edit, and click Configure Services.

      The tenant portal opens Edge Gateway Services.

  2. Navigate to VPN > IPsec VPN > IPsec VPN Sites.
  3. Click the + icon.
  4. In the window that opens, configure the following options for the IPsec VPN connection.

    Option

    Description

    Enabled

    Toggle on to enable this connection between the two VPN endpoints.

    Enable perfect forward secrecy (PFS)

    Toggle on to have the system generate unique public keys for all IPsec VPN sessions your users initiate. Enabling PFS ensures that the system does not create a link between the edge gateway's private key and each session key.

    The compromise of a session key will not affect data other than that exchanged in the specific session protected by that particular key. Compromise of the server's private key cannot be used to decrypt archived sessions or future sessions.

    When PFS is enabled, IPsec VPN connections to this edge gateway experience a slight processing overhead.

    Important:

    The unique session keys must not be used to derive any additional keys. Additionally, both sides of the IPsec VPN tunnel must support PFS for it to work.

    Name

    (Optional) Enter a name for this connection.

    Local Id

    Type the external IP address of the edge gateway instance, which is the public IP address of the edge gateway.

    This IP address will be the one used for the peer Id in the IPsec VPN configuration on the remote site.

    Local Endpoint

    Type the network that is the local endpoint for this connection. The local endpoint specifies the network in your organization virtual datacenter on which the edge gateway transmits. Typically, the external network is the local endpoint.

    Note:

    If you are adding an IP-to-IP tunnel using a pre-shared key, the local Id and local endpoint IP can be the same.

    Local Subnets

    Type the networks to share between the sites. Use a comma separator to type multiple subnets.

    Note:

    Enter a network range (not a specific IP address) by entering the IP address using CIDR format; for example, 192.168.99.0/24.

    Peer Id

    Type a peer ID to uniquely identify the peer site. The peer ID is an identifier that uniquely identifies the remote device that terminates the VPN connection, typically its public IP address.

    For peers using certificate authentication, this ID must be the distinguished name in the peer's certificate. For PSK peers, this ID can be any string. An NSX best practice is to use the remote device's public IP address or FQDN as the peer ID.

    If the peer IP address is from another organization virtual datacenter network, you enter the peer’s native IP address. If NAT is configured for the peer, you enter the peer's private IP address.

    Peer Endpoint

    Type the IP address or FQDN of the peer site, which is the public-facing address of the remote device to which you are connecting.

    Note:

    When NAT is configured for the peer, enter the public IP address that the device uses for NAT.

    Peer Subnets

    Enter the remote network to which the VPN connects. Use a comma separator to type multiple subnets.

    Note:

    Enter a network range (not a specific IP address) by entering the IP address using CIDR format; for example, 192.168.99.0/24.

    Encryption Algorithm

    Select the encryption type from the drop-down list.

    Note:

    The encryption type you select must match the encryption type configured on the remote site VPN device.

    Authentication

    Select one of the following options:

    • PSK (Pre-Shared Key) specifies that the secret key shared between the edge gateway and the peer site is to be used for authentication.

    • Certificate specifies that the certificate defined at the global level is to be used for authentication. This option is not available unless you have configured the global certificate on the IPsec VPN tab's Global Configuration screen.

    Change Shared Key

    (Optional) When you are updating an existing connection's settings, you can turn on this toggle to make the Pre-Shared Key field available so that you can update the shared key.

    Pre-Shared Key

    If you selected PSK as the authentication type, type an alphanumeric string. The secret key can be a string with a maximum length of 128 bytes.

    Note:

    The shared key must match the key that is configured on the remote site VPN device.

    Important:

    A best practice is to configure a shared key when anonymous sites will connect to the VPN service.

    Display Shared Key

    (Optional) Toggle this on to make the shared key visible in the screen.

    Diffie-Hellman Group

    Select the cryptography scheme that will allow the peer site and this edge gateway to establish a shared secret over an insecure communications channel.

    Note:

    The Diffie-Hellman Group must match what is configured on the remote site VPN device.

    Extension

    (Optional) Type one of the following options:

    • securelocaltrafficbyip=IPAddress to redirect the edge gateway's local traffic over the IPsec VPN tunnel. This is the default value.

    • passthroughSubnets=PeerSubnetIPAddress to support overlapping subnets.

  5. Click Keep to add the entry to the on-screen table.
  6. Click Save changes.

    The save operation can take a minute to complete.
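As an added example (not vCloud Director's or NSX's own code), the following Python script applies the rules from the About this task bullets and the option table above to both sides' entries before anyone types them into the portal: subnets must be CIDR ranges rather than host addresses, overlapping local and peer subnets need the passthroughSubnets extension, the pre-shared key is at most 128 bytes, and the two sites' IDs, subnets, encryption algorithm and Diffie-Hellman group must mirror or match. The IpsecSite class, its field names and all sample values are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass  # field names follow the screen; constructed for this example, not vCD's own API
class IpsecSite:
    local_id: str
    peer_id: str
    local_subnets: str   # comma-separated CIDR list, as typed into the form
    peer_subnets: str
    encryption: str
    dh_group: str
    pre_shared_key: str = ""
    extension: str = ""

def parse_subnets(text):
    """Parse the subnet field: CIDR ranges only; strict=True also rejects set host bits."""
    nets = []
    for item in (s.strip() for s in text.split(",")):
        if "/" not in item:
            raise ValueError(f"{item}: enter a network in CIDR format such as 192.168.99.0/24")
        nets.append(ipaddress.ip_network(item, strict=True))  # ValueError on 192.168.99.1/24
    return nets

def check_site(site):
    """Return the problems found in one side's entry; an empty list means it passes."""
    problems = []
    try:
        local, peer = parse_subnets(site.local_subnets), parse_subnets(site.peer_subnets)
    except ValueError as err:
        return [str(err)]
    clash = [(loc, rem) for loc in local for rem in peer if loc.overlaps(rem)]
    if clash and not site.extension.startswith("passthroughSubnets="):
        problems.append(f"{clash[0][0]} overlaps {clash[0][1]}: renumber or set passthroughSubnets=")
    if not 0 < len(site.pre_shared_key.encode()) <= 128:
        problems.append("Pre-Shared Key must be 1 to 128 bytes long")
    return problems

def check_pair(ours, theirs):
    """Cross-check both sides: IDs and subnets mirror each other, negotiated settings match."""
    problems = check_site(ours) + check_site(theirs)
    if problems:
        return problems
    if ours.local_id != theirs.peer_id or ours.peer_id != theirs.local_id:
        problems.append("Local Id and Peer Id are not mirrored between the two sites")
    if set(parse_subnets(ours.local_subnets)) != set(parse_subnets(theirs.peer_subnets)):
        problems.append("our Local Subnets do not match the remote site's Peer Subnets")
    for attr in ("encryption", "dh_group", "pre_shared_key"):
        if getattr(ours, attr) != getattr(theirs, attr):
            problems.append(f"{attr} differs between the sites")
    return problems
```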

What to do next

Configure the connection for the remote site. You must configure the IPsec VPN connection on both sides of the connection: your organization virtual datacenter and the peer site.

Enable the IPsec VPN service on this edge gateway. When at least one IPsec VPN connection is configured, you can enable the service. See Enable the IPsec VPN Service on an Edge Gateway.