The edge gateways in a vCloud Director environment support site-to-site Internet Protocol Security (IPsec) to secure VPN tunnels between organization virtual data center networks or between an organization virtual data center network and an external IP address. You can configure the IPsec VPN service on an edge gateway.
Setting up an IPsec VPN connection from a remote network to your organization virtual data center is the most common scenario. The NSX software provides an edge gateway IPsec VPN capabilities, including support for certificate authentication, preshared key mode, and IP unicast traffic between itself and remote VPN routers. You can also configure multiple subnets to connect through IPsec tunnels to the internal network behind an edge gateway. When you configure multiple subnets to connect through IPsec tunnels to the internal network, those subnets and the internal network behind the edge gateway must not have address ranges that overlap.
The following IPsec VPN algorithms are supported:
- AES (AES128-CBC)
- AES256 (AES265-CBC)
- Triple DES (3DES192-CBC)
- AES-GCM (AES128-GCM)
- DH-2 (Diffie-Hellman group 2)
- DH-5 (Diffie-Hellman group 5)
- DH-14 (Diffie-Hellman group 14)
As described in the IPSec VPN Overview topic in the NSX Administration Guide, the maximum number of tunnels supported on an edge gateway is determined by its configured size: compact, large, x-large, quad large. You can view the size of your edge gateway by logging in to the vCloud Director Web console, navigating to the edge gateway, and using the Properties action to view the edge gateway configuration. See the vCloud Director Administrator's Guide for information about using the vCloud Director Web console.
Configuring IPsec VPN on an edge gateway is a multi-step process.
- IP Protocol ID 50 (ESP)
- IP Protocol ID 51 (AH)
- UDP Port 500 (IKE)
- UDP Port 4500