This procedure provides the steps to create an IPsec VPN connection between vCloud Air and a remote site. In this procedure, you configure the vCloud Air side of the connection.

You use vCloud Director to configure the IPsec VPN connection. You configure an IPsec VPN connection as part of configuring gateway services in vCloud Director.

Verify that you have networking administration privileges in vCloud Air.

If a firewall is between the connection endpoints, you must configure it to allow the following IP protocols and UDP ports:

IP Protocol ID 50 (ESP)

IP Protocol ID 50 (ESP)

IP Protocol ID 51 (AH)

UDP Port 500 (IKE)

UDP Port 4500

1

In vCloud Air, click the Gateways tab.

The complete list of gateways configured for vCloud Air appears. The virtual data center to which each gateway belongs is displayed next to the gateway name.

2

Click the gateway for which you want to set up an IPsec VPN connection.

3

Click Manage Advanced Gateway Settings under the In vCloud Director heading.

The vCloud Director Administration page > Edge Gateway tab displays.

4

Select the gateway name, right-click and choose Edge Gateway Services > VPN tab.

5

Check Enable VPN to enable the VPN networking service for the gateway.

6

If necessary, click Configure Public IPs to add a public IP address for the external network.

7

Click Add.

The Add a Site-to-Site VPN configuration dialog box appears.

8

Complete the following settings for the IPsec VPN connection:

Option

Description

Name

Enter a name for the connection.

Description

(Optional) Enter a description for the connection.

Enable this VPN Configuration

Select the checkbox to enable the connection between the two VPN endpoints.

Establish VPN to

From the drop-down menu, select a remote network.

Local Networks

In the text field, select the local network to which the connection applies.

Peer Networks

Enter the remote networks to which the VPN connects.

Note

Enter a network range (not a specific IP address) by entering the IP address using CIDR format; for example, 192.168.99.0/24.

Local Endpoint

From the drop-down list, select the network that is the local endpoint for the connection. The local endpoint specifies the network in vCloud Air on which the gateway transmits. Typically, the external network is the local endpoint.

Local ID

Enter the local ID, which is the public IP address of the gateway.

Peer ID

Enter the peer ID, which is the public IP address of the remote device terminating the VPN connection.

Note

If the peer IP address is from another organization VDC network, enter the peer's native IP address. If NAT is configured for the peer, enter the private peer IP address.

Peer IP

Enter the peer IP, which is the public IP address of the remote device to which you are connecting.

Note

If NAT is configured for the peer, you enter the public IP address that the devices uses for NAT.

Encryption protocol

Select the encryption type from the drop-down list.

Note

The encryption type you select must match the encryption type configured on the remote site VPN device.

Shared Key

Enter an alphanumeric string between 32 and 128 characters, which includes at least one uppercase letter, one lowercase letter, and one number.

Note

The shared key must match the key that is configured on the remote site VPN device.

MTU

Enter the the maximum transmission units (MTU) for the VPN connection. The MTU is the maximum amount of data that can be transmitted in one packet before it is divided into smaller packets.

9

Click OK.

The VPN configuration appears in the table.

You must configure the IPsec VPN connection from both sides of the connection—vCloud Air and your on-premises facility. This procedure detailes how to configure the connection for vCloud Air. Configure the connection for your on-premises facility.