You can configure an IPsec VPN connection between networks within vCloud Air and between a remote site and vCloud Air. Setting up an IPsec VPN connection from a remote network to vCloud Air is the most common scenario.

Using vCloud Director, you configure an IPsec VPN connection for vCloud Air as part of configuring gateway services. When you configure an IPsec VPN connection between sites, you configure the connection from the point of view of your current location, and the other site is configured as a mirror image. Because both sides must agree on these values, you need to understand what each of the following settings means before you configure the connection:

Peer Networks: specifies the remote networks that the VPN connects to. Enter a network range in CIDR notation, not a single IP address; for example, 192.168.99.0/24.

Local Endpoint (LEP): specifies the network in vCloud Air on which the gateway transmits the tunnel traffic. Typically, the external network is the local endpoint.

Peer ID: identifies the remote device that terminates the VPN connection, that is, the identity the remote device presents when the tunnel is negotiated. When the remote device is directly reachable on the Internet, this is its public IP address. If the peer is on another organization VDC network, enter that peer's native IP address. If NAT is configured for the peer, enter the peer's private IP address (the address the device itself is configured with), not the NAT address.

Peer IP: specifies the public IP address to which you send the VPN traffic, that is, the address at which the remote device is reachable from the Internet. If NAT is configured for the peer, enter the public IP address that the NAT device uses for the peer.

Local ID: specifies the identity that this gateway presents to the peer. You can enter an IP address or a hostname, provided that the value is consistent with the gateway firewall configuration. Typically, the local ID is the gateway's public IP address.

The following diagram shows an example of how to specify the VPN connection settings correctly:

Architecture: IPsec VPN between vCloud Air and a Remote Site

The peer IDs and peer IPs together determine how network traffic travels from one side of the connection to the other. In the example above, the peer ID and peer IP configured on the vCloud Air side are different values because the on-premises gateway is not directly reachable from the Internet: it connects to the Internet through another device, an external router that translates the gateway's address, so the peer ID is the on-premises gateway's own address and the peer IP is the router's public address. On the on-premises side, the peer ID and peer IP are the same value because the gateway in vCloud Air is directly reachable from the Internet and does not sit behind another device. On each side, the peer ID must match the local ID that the other side presents; if the two values do not agree, peer authentication during IKE negotiation fails and the tunnel does not come up.
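As an added example (not part of the vCloud Air documentation), the following Python script models the two sites in the diagram, derives the five settings for each side from its own point of view, and checks hand-entered values against what the topology requires. The site names, external network names and addresses (RFC 5737 documentation ranges) are constructed for illustration, and the Site and VpnSettings classes are a hypothetical model, not a vCloud API.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Site:
    """One end of the tunnel, described from its own point of view (hypothetical model)."""
    name: str
    gateway_ip: str                       # address configured on the VPN gateway's external interface
    external_network: str                 # external network the gateway transmits on (the Local Endpoint)
    local_networks: List[str]             # CIDR ranges behind this gateway that the tunnel carries
    nat_public_ip: Optional[str] = None   # public address of a NAT device in front of the gateway, if any

    def reachable_ip(self) -> str:
        """Address the other side must send IKE and ESP packets to."""
        return self.nat_public_ip or self.gateway_ip


@dataclass
class VpnSettings:
    """The five gateway-services fields, as entered on one side of the connection."""
    peer_networks: List[str]
    local_endpoint: str
    peer_id: str
    peer_ip: str
    local_id: str


def derive_settings(local: Site, peer: Site) -> VpnSettings:
    """Fill in the settings from LOCAL's point of view, following the rules above."""
    return VpnSettings(
        peer_networks=list(peer.local_networks),
        local_endpoint=local.external_network,
        peer_id=peer.gateway_ip,        # identity the peer presents: its own address, even behind NAT
        peer_ip=peer.reachable_ip(),    # where packets are sent: the NAT device's public address if there is one
        local_id=local.gateway_ip,      # identity this gateway presents to the peer
    )


def check_peer_networks(networks: List[str]) -> List[str]:
    """Peer networks must be ranges in CIDR form, not single host addresses."""
    problems = []
    for n in networks:
        try:
            net = ipaddress.ip_network(n, strict=True)   # strict=True rejects host bits, e.g. 192.168.99.5/24
        except ValueError as exc:
            problems.append(f"{n}: not a valid network range ({exc})")
            continue
        if net.prefixlen == net.max_prefixlen:
            problems.append(f"{n}: a single host address, expected a network range")
    return problems


def check_settings(entered: VpnSettings, local: Site, peer: Site) -> List[str]:
    """Compare hand-entered settings on LOCAL against what the topology requires."""
    expected = derive_settings(local, peer)
    problems = check_peer_networks(entered.peer_networks)
    if set(entered.peer_networks) != set(expected.peer_networks):
        problems.append(f"{local.name}: peer networks {entered.peer_networks} should be {expected.peer_networks}")
    for name in ("local_endpoint", "peer_id", "peer_ip", "local_id"):
        got, want = getattr(entered, name), getattr(expected, name)
        if got == want:
            continue
        msg = f"{local.name}: {name} is {got}, expected {want}"
        if name == "peer_id" and peer.nat_public_ip and got == peer.nat_public_ip:
            msg += " (peer is behind NAT: peer ID is the gateway's own address, peer IP is the NAT address)"
        problems.append(msg)
    return problems


if __name__ == "__main__":
    # Constructed topology matching the diagram above; RFC 5737 documentation addresses.
    vcloud = Site("vCloud Air", "203.0.113.10", "external-network", ["192.168.99.0/24"])
    onprem = Site("on-premises", "10.0.0.1", "wan", ["10.10.0.0/16"], nat_public_ip="198.51.100.7")
    for local, peer in ((vcloud, onprem), (onprem, vcloud)):
        print(local.name, derive_settings(local, peer))
    # Common mistake: entering the router's public address as the peer ID on the vCloud Air side.
    wrong = VpnSettings(["10.10.0.0/16"], "external-network", "198.51.100.7", "198.51.100.7", "203.0.113.10")
    for p in check_settings(wrong, vcloud, onprem):
        print("problem:", p)
```

Run as a script, it prints both sides' derived settings (different peer ID and peer IP on the vCloud Air side, identical values on the on-premises side) and flags the deliberately wrong entry. The checks are structural only; they do not replace verifying on the gateway that the tunnel actually negotiates.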