The edge gateways in a vCloud Director environment support site-to-site Internet Protocol Security (IPsec) to secure VPN tunnels between organization virtual data center networks or between an organization virtual data center network and an external IP address. If the edge gateway for your organization virtual data center has been converted to an advanced edge gateway, you can use the IPsec VPN screen in the tenant portal to configure the IPsec VPN service on that edge gateway.
Setting up an IPsec VPN connection from a remote network to your organization virtual data center is the most common scenario. The NSX software provides an edge gateway IPsec VPN capabilities, including support for certificate authentication, preshared key mode, and IP unicast traffic between itself and remote VPN routers. You can also configure multiple subnets to connect through IPsec tunnels to the internal network behind an edge gateway. When you configure multiple subnets to connect through IPsec tunnels to the internal network, those subnets and the internal network behind the edge gateway must not have address ranges that overlap.
If the local and remote peer across an IPsec tunnel have overlapping IP addresses, traffic forwarding across the tunnel might not be consistent depending on whether local connected routes and auto-plumbed routes exist.
The following IPsec VPN algorithms are supported:
Triple DES (3DES192-CBC)
DH-2 (Diffie-Hellman group 2)
DH-5 (Diffie-Hellman group 5)
DH-14 (Diffie-Hellman group 14)
Dynamic routing protocols are not supported with IPsec VPN. When you configure an IPsec VPN tunnel between an edge gateway of the organization virtual data center and a physical gateway VPN at a remote site, you cannot configure dynamic routing for that connection. The IP address of that remote site cannot be learned by dynamic routing on the edge gateway uplink.
As described in the IPSec VPN Overview topic in the NSX Administration Guide, the maximum number of tunnels supported on an edge gateway is determined by its configured size: compact, large, x-large, quad large. You can view the size of your edge gateway by logging in to the vCloud Director Web console, navigating to the edge gateway, and using the Properties action to view the edge gateway configuration. See the vCloud Director Administrator's Guide for information about using the vCloud Director Web console.
Configuring IPsec VPN on an edge gateway is a multi-step process.
If a firewall is between the tunnel endpoints, after you configure the IPsec VPN service, update the firewall rules to allow the following IP protocols and UDP ports:
IP Protocol ID 50 (ESP)
IP Protocol ID 51 (AH)
UDP Port 500 (IKE)
UDP Port 4500
To use the vCloud Director tenant portal to work with edge gateway services, the edge gateway must be converted to an advanced edge gateway. You can do this on the edge gateway in the vCloud Director Web console or from the tenant portal. For details on performing this step from the tenant portal, see Convert an Edge Gateway to an Advanced Edge Gateway.