To enable a IPSec VPN on your VMware VDC :

1. Go to your vCloud Director

2. Go to "Edge" > "Configure Services

3. Go to "VPN" tab and enable "IPSec VPN Service Status"

4. Go to "IPSec VPN Sites" and click "+"

5. You will see IPSec VPN Configuration form

6. You can fill the form with your IPSec VPN Configuration (*)

7. You can add Local Subnet IP & Peer Subnet IP on Firewall configuration the IP should be added back and forth

VPN Settings (*)

Field	Description	Required	Options/Example
Enable VPN	Ensure that this is Enabled.	Yes	On / Off
Perfect Forward Security	Ensure that this is enabled. PFS will ensure the same key will not be generated again, so forcing a new diffie-hellman key exchange	Yes	On / Off
Encryption Algorithm	The Encryption Protocol reflects what is configured on the remote site VPN device	Yes	AES-256, AES, 3DES
DH Group	The cryptography scheme that will allow the peer site and the NSX Edge to establish a shared secret over an insecure communications channel.	Yes	DH2, DH5, DH14, DH15, DH16
Name	Enter the name of the VPN tunnel	Yes	e.g. VPN1
Local ID	This is used to describe the Local Endpoint. Generally the Local Public IP is used.	Yes	e.g. 119.252.64.10
Local IP	Select the Uplink Interface IP of the Edge Gateway. (Available on the ?Overview? tab of the VDC)	Yes	e.g. 119.252.64.10
Local Subnets	Enter the network(s) you want to designate as the internal network for the VPN. Subnets should be entered in CIDR format with comma as a separator.	Yes	e.g. 192.168.1.0/24, 192.168.2.0/24
Peer ID	This is used to describe the Remote Endpoint. Generally the Remote Public IP is used.	Yes	e.g. 202.191.5.100
Peer IP	Enter the Public IP address (outside) of the remote device with which you are establishing the VPN.	Yes	e.g. 202.191.5.100
Peer Subnets	Enter the network(s) you want to designate as the remote network for the VPN. Subnets should be entered in CIDR format with comma as a separator.	Yes	e.g. 10.0.1.0/24
Pre-Shared Key	Indicates that the secret key shared between NSX Edge and the peer site is to be used for authentication. The secret key can be a string with a maximum length of 128 bytes.	Yes	MySecretKey1234
Extension	securelocaltrafficbyip=IPAddress to re-direct Edge?s local traffic over the IPSec VPN tunnel. This is the default value passthroughSubnets=PeerSubnetIPAddress to support overlapping subnets	No	securelocaltrafficbyip= passthroughSubnets=

Browser not supported