IPSec VPN Configuration

Owned by Tahir Kulelija
Last updated: 07 Sept 2022 by Jason Baseley
3 min read
 

To enable a IPSec VPN on your VMware VDC : 

1. Go to your vCloud Director 

2. Go to "Edge" > "Configure Services


3. Go to "VPN" tab and enable "IPSec VPN Service Status"


4. Go to "IPSec VPN Sites" and click "+"


5. You will see IPSec VPN Configuration form 


6. You can fill the form with your IPSec VPN Configuration (*)


7. You can add Local Subnet IP & Peer Subnet IP on Firewall configuration the IP should be added back and forth


VPN Settings (*)

 

Field 

Description 

Required 

Options/Example 

Enable VPN 

Ensure that this is Enabled. 

Yes 

On / Off 

Perfect Forward Security 

Ensure that this is enabled. PFS will ensure the same key will not be generated again, so forcing a new diffie-hellman key exchange 

Yes 

On / Off 

Encryption Algorithm 

The Encryption Protocol reflects what is configured on the remote site VPN device 

Yes 

AES-256, AES, 3DES 

DH Group 

The cryptography scheme that will allow the peer site and the NSX Edge to establish a shared secret over an insecure communications channel. 

Yes 

DH2, DH5, DH14, DH15, DH16 

Name 

 Enter the name of the VPN tunnel 

Yes 

e.g. VPN1 

Local ID 

 This is used to describe the Local Endpoint. Generally the Local Public IP is used. 

Yes 

e.g. 119.252.64.10 

Local IP 

 Select the Uplink Interface IP of the Edge Gateway. (Available on the ?Overview? tab of the VDC) 

Yes 

e.g. 119.252.64.10 

Local Subnets 

Enter the network(s) you want to designate as the internal network for the VPN. Subnets should be entered in CIDR format with comma as a separator. 

Yes 

e.g. 192.168.1.0/24, 192.168.2.0/24 

Peer ID 

 This is used to describe the Remote Endpoint. Generally the Remote Public IP is used. 

Yes 

e.g. 202.191.5.100 

Peer IP 

 Enter the Public IP address (outside) of the remote device with which you are establishing the VPN. 

Yes 

e.g. 202.191.5.100 

Peer Subnets 

Enter the network(s) you want to designate as the remote network for the VPN. Subnets should be entered in CIDR format with comma as a separator. 

Yes 

e.g. 10.0.1.0/24 

Pre-Shared Key 

 Indicates that the secret key shared between NSX Edge and the peer site is to be used for authentication. The secret key can be a string with a maximum length of 128 bytes. 

Yes 

MySecretKey1234 

Extension 

securelocaltrafficbyip=IPAddress to re-direct Edge?s local traffic over the IPSec VPN tunnel. This is the default value 
passthroughSubnets=PeerSubnetIPAddress to support overlapping subnets 

No 

securelocaltrafficbyip= 

  

passthroughSubnets=