This procedure provides the steps to create an IPsec VPN connection between vCloud Air and a remote site. In this procedure, you configure the vCloud Air side of the connection.

For an explanation of each part of an IPsec VPN connection, such as peer networks, local endpoints, peer IDs, peer IPs, and local IDs, see About Setting up an IPsec VPN Connection in the vCloud Air Networking Guide.

1. Log in to vCloud Air and navigate to the vCloud Edge Gateway Services UI. See Log In and Navigate to Advanced Networking Services for information.

2. Click the Routing tab, then click IPSEC VPN.

3. Click the Add icon.

The Add IPsec VPN dialog box appears.

4. Complete the following settings for the IPsec VPN connection. Each option is listed with its description.

Enabled

Select the checkbox to enable the connection between the two VPN endpoints.

Enable perfect forward secrecy (PFS)

Select to perform a fresh Diffie-Hellman exchange for every session so that each session key is unique. With PFS enabled, no session key is derived from the edge gateway's long-term key material, so there is no link between that material and any individual session key.

Compromise of one session key exposes only the data exchanged in the session protected by that key. Compromise of the long-term authentication key (the pre-shared key or the certificate's private key) cannot be used to decrypt recorded traffic, past or future, although it would still let an attacker impersonate a peer when a new tunnel is negotiated.

When PFS is enabled, IPsec VPN connections to vCloud Air incur a slight additional processing overhead for the extra key exchange.

Important

Session keys must not be used to derive any additional keys, and both sides of the IPsec VPN tunnel must enable PFS for it to work; a one-sided setting causes the negotiation to fail.

Name

(Optional) Enter a name for the connection.

Local Id

Type the external IP address of the edge gateway instance, which is its public IP address.

On the remote site, this same value is configured as the peer ID.

Local Endpoint

Type the local endpoint for the connection: the address on the vCloud Air network from which the edge gateway terminates and transmits the tunnel. Typically this is the external network.

Note

If you are adding an IP-to-IP tunnel using a pre-shared key, the local Id and local endpoint IP can be the same.

Local Subnets

Type the vCloud Air networks to share with the remote site. Separate multiple subnets with commas.

Note

Enter each subnet as a network range in CIDR format, for example 192.168.99.0/24, not as a specific IP address.

Peer Id

Type the peer ID that uniquely identifies the peer site. Typically this is the public IP address of the remote device terminating the VPN connection.

For peers using certificate authentication, this ID must be the common name in the peer's certificate. For PSK peers, this ID can be any string, but VMware recommends using the public IP address of the VPN device or an FQDN for the VPN service.

When the peer is on another organization VDC network, enter the native IP address of the peer. When the peer is behind NAT, enter the private IP address of the peer here (its public NAT address goes in Peer Endpoint).

Peer Endpoint

Type the public IP address of the remote device to which you are connecting. If you leave this option blank, the edge gateway does not initiate the tunnel; it waits for the peer device to request a connection.

Note

When NAT is configured for the peer, enter the public IP address that the device uses for NAT.

Peer Subnets

Type the remote networks to which the VPN connects. Separate multiple subnets with commas.

Note

Enter each subnet as a network range in CIDR format, for example 192.168.99.0/24, not as a specific IP address.

Encryption Algorithm

Select the encryption algorithm from the drop-down list.

Note

The algorithm you select must match the one configured on the remote site VPN device; otherwise the IKE negotiation fails.

Authentication

Select one of the following options:

PSK (Pre-Shared Key): a secret string shared between vCloud Air and the peer site is used to authenticate both ends of the tunnel.

Certificate: the certificate defined at the global level is used for authentication.

Pre-Shared Key

If you selected PSK as the authentication type, type an alphanumeric string of 32 to 128 characters that includes at least one uppercase letter, one lowercase letter, and one number. This is the secret shared between vCloud Air and the peer site.

Note

The shared key must match the key that is configured on the remote site VPN device.

Important

VMware recommends that you configure a shared key when anonymous sites, whose peer endpoint is not known in advance, will connect to the VPN service.

Display shared key

(Optional) Select to show the shared key in clear text in the dialog box instead of masked, so that you can copy it into the configuration on the peer site.

Diffie-Hellman Group

Select the Diffie-Hellman group, the key-exchange scheme that the peer site and the edge gateway in vCloud Air use to establish a shared secret over an insecure communications channel. Larger groups are stronger but cost more computation during negotiation.

Note

The Diffie-Hellman Group must match what is configured on the remote site VPN device.

Extension

(Optional) Type one of the following:

securelocaltrafficbyip=IPAddress to redirect the edge gateway's local traffic over the IPsec VPN tunnel. This is the default value.

passthroughSubnets=PeerSubnetIPAddress to support overlapping local and peer subnets.

5. Click OK.

The VPN configuration appears in the table.

You must configure the IPsec VPN connection from both sides: vCloud Air and your on-premises facility. This procedure covers the vCloud Air side. Next, configure the matching connection on the VPN device at your on-premises facility, with the local and peer values mirrored.
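The notes above repeat that the encryption algorithm, Diffie-Hellman group, pre-shared key and PFS setting must match on both sides, and that one side's Local Id and Local Subnets are the other side's Peer Id and Peer Subnets. The following Python script is an added example, not part of this guide and not vCloud Air tooling: it models the Add IPsec VPN fields for both sides of the tunnel, checks the pre-shared key against the policy stated in the dialog, validates the CIDR lists (rejecting host addresses), and reports mismatches and overlapping subnets before anyone clicks OK. The Side class, the helper names and the sample addresses are constructed for illustration.

```python
"""Pre-flight check of Add IPsec VPN settings for both sides of a tunnel.

Added example, not vCloud Air tooling. The Side class and the sample
addresses are constructed for illustration; field names follow the dialog.
"""
import ipaddress
import secrets
import string
from dataclasses import dataclass

PSK_MIN, PSK_MAX = 32, 128  # pre-shared key policy stated in the dialog


def check_psk(key: str) -> list[str]:
    """Return the policy violations of a pre-shared key (empty list = OK)."""
    problems = []
    if not PSK_MIN <= len(key) <= PSK_MAX:
        problems.append(f"length {len(key)} not in {PSK_MIN}..{PSK_MAX}")
    if not (key.isascii() and key.isalnum()):
        problems.append("contains non-alphanumeric characters")
    if not any(c.isupper() for c in key):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in key):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in key):
        problems.append("no digit")
    return problems


def generate_psk(length: int = 48) -> str:
    """Draw a key from the OS CSPRNG and keep it only if it satisfies check_psk()."""
    if not PSK_MIN <= length <= PSK_MAX:
        raise ValueError(f"length must be in {PSK_MIN}..{PSK_MAX}")
    alphabet = string.ascii_letters + string.digits
    while True:  # rejection sampling; almost always a single pass at this length
        key = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_psk(key):
            return key


def parse_subnets(text: str) -> list[ipaddress.IPv4Network]:
    """Parse a Local/Peer Subnets field: comma-separated networks in CIDR form.

    Host addresses are rejected, whether written with host bits set
    (192.168.99.7/24) or without a prefix (192.168.99.7, implicitly a /32).
    """
    nets = []
    for item in (s.strip() for s in text.split(",")):
        if not item:
            continue
        try:
            net = ipaddress.IPv4Network(item, strict=True)
        except ValueError as exc:
            raise ValueError(f"{item}: not a network in CIDR format ({exc})") from None
        if net.prefixlen == 32:
            raise ValueError(f"{item}: is a single host; enter a network range")
        nets.append(net)
    if not nets:
        raise ValueError("no subnets given")
    return nets


@dataclass
class Side:
    """The Add IPsec VPN fields as typed on one side of the tunnel."""
    local_id: str
    local_endpoint: str
    local_subnets: str
    peer_id: str
    peer_endpoint: str   # may be empty: that side then waits for the peer to connect
    peer_subnets: str
    encryption: str      # e.g. "AES256"; must match the other side
    dh_group: str        # e.g. "DH14"; must match the other side
    pfs: bool            # PFS only works if both sides enable it
    psk: str


def preflight(a: Side, b: Side) -> list[str]:
    """Compare both sides; return human-readable findings (empty list = consistent)."""
    findings = [f"pre-shared key: {p}" for p in check_psk(a.psk)]
    if a.psk != b.psk:
        findings.append("pre-shared key differs between the sites")
    for attr, label in (("encryption", "encryption algorithm"),
                        ("dh_group", "Diffie-Hellman group"),
                        ("pfs", "PFS setting")):
        if getattr(a, attr) != getattr(b, attr):
            findings.append(f"{label} differs: {getattr(a, attr)!r} vs {getattr(b, attr)!r}")
    # One side's Local Id/Endpoint/Subnets must be the other's Peer Id/Endpoint/Subnets.
    for x, y in ((a, b), (b, a)):
        if x.peer_id != y.local_id:
            findings.append(f"Peer Id {x.peer_id!r} does not match the other side's Local Id")
        if x.peer_endpoint and x.peer_endpoint != y.local_endpoint:
            findings.append(f"Peer Endpoint {x.peer_endpoint!r} does not match "
                            "the other side's Local Endpoint")
        if set(parse_subnets(x.peer_subnets)) != set(parse_subnets(y.local_subnets)):
            findings.append("Peer Subnets on one side do not match Local Subnets on the other")
    for ln in parse_subnets(a.local_subnets):
        for pn in parse_subnets(a.peer_subnets):
            if ln.overlaps(pn):
                findings.append(f"local {ln} overlaps peer {pn}: use the passthroughSubnets "
                                "extension or renumber one side")
    return findings


# Constructed sample: the vCloud Air side and its mirror on the on-premises device.
VCLOUD = Side(local_id="203.0.113.10", local_endpoint="203.0.113.10",
              local_subnets="192.168.99.0/24, 192.168.100.0/24",
              peer_id="198.51.100.5", peer_endpoint="198.51.100.5",
              peer_subnets="10.20.0.0/16",
              encryption="AES256", dh_group="DH14", pfs=True, psk=generate_psk())
ONPREM = Side(local_id="198.51.100.5", local_endpoint="198.51.100.5",
              local_subnets="10.20.0.0/16",
              peer_id="203.0.113.10", peer_endpoint="203.0.113.10",
              peer_subnets="192.168.100.0/24,192.168.99.0/24",
              encryption="AES256", dh_group="DH14", pfs=True, psk=VCLOUD.psk)

if __name__ == "__main__":
    for line in preflight(VCLOUD, ONPREM) or ["settings are consistent"]:
        print(line)
```

Run it with the two Side definitions edited to your real values; an empty result means the two dialogs describe the same tunnel, and any finding names the field to correct on one side. The pre-shared key is compared with plain equality on purpose: the script runs offline on the operator's workstation, and the key never leaves it.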