You can configure an IPsec VPN connection between networks within Virtual Private Cloud OnDemand and between a remote site and Virtual Private Cloud OnDemand. Setting up an IPsec VPN connection from a remote network to Virtual Private Cloud OnDemand is the most common scenario.

Using vCloud Director, you configure an IPsec VPN connection for Virtual Private Cloud OnDemand as part of configuring gateway services. When you configure an IPsec VPN connection between sites, you configure the connection from the point of view of your current location. Setting up the connection requires that you understand how to configure the following values so that you configure the VPN connection correctly:

Peer Networks: specifies the remote networks to which the VPN connects. When you configure this setting, enter a network range and not a specific IP address. Enter the IP address using CIDR format; for example, 192.168.109.0/24.

Local Endpoint (LEP): specifies the network in Virtual Private Cloud OnDemand on which the gateway transmits. Typically, the external network is the local endpoint.

Peer ID: specifies the public IP address of the remote device terminating the VPN connection. If the peer IP address is from another organization VDC network, you enter the peer’s native IP address. If NAT is configured for the peer, you enter the private peer IP address.

Peer IP: specifies the public IP address of the remote device to which you are connecting. If NAT is configured for the peer, you enter the public IP address that the device uses for NAT.

Local ID: specifies the public IP address of the gateway. You can enter an IP address or hostname in conjunction with the gateway firewall. Typically, the local ID is the public IP address.

The following diagram shows an example for how to specify the VPN connection settings correctly:

Architecture: IPsec VPN between Virtual Private Cloud OnDemand and a Remote Site (diagram)

Specifying the peer IDs and peer IPs configures how network traffic travels from one side of the connection to the other. In the example, the peer ID and peer IP entered on the Virtual Private Cloud OnDemand side are different values because the on-premises gateway is not directly accessible from the Internet: it connects to the Internet through an external router, so its peer ID is the gateway's own address and its peer IP is the router's public address. On the on-premises side, the peer ID and peer IP are the same value because the gateway in Virtual Private Cloud OnDemand is directly accessible from the Internet (it does not sit behind another device).
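The following is an added example, not part of the original documentation, that derives the Peer ID, Peer IP, Local ID and Peer Networks values for each side of the tunnel described above and rejects a single host address where a network range is required. The gateway names and addresses are constructed, and it assumes the Local ID is the gateway's own address and the external network is the local endpoint.

```python
"""Derive the IPsec VPN values for each end of a site-to-site tunnel.
Added example; addresses and which side sits behind NAT are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import Optional


@dataclass
class Gateway:
    name: str
    native_ip: str                          # address configured on the gateway itself
    nat_public_ip: Optional[str] = None     # public address a NAT device presents for it
    networks: list = field(default_factory=list)  # CIDR ranges behind this gateway

    @property
    def public_ip(self) -> str:
        # A gateway behind NAT is reached through the NAT device's public address.
        return self.nat_public_ip or self.native_ip


def validate_peer_network(cidr: str) -> Optional[str]:
    """Return an error message if `cidr` is not a usable network range, else None."""
    try:
        net = ip_network(cidr, strict=True)  # host bits set (192.168.109.5/24) is an error
    except ValueError as exc:
        return f"{cidr}: {exc}"
    if net.prefixlen == net.max_prefixlen:
        return f"{cidr}: a single host address, not a network range"
    return None


def vpn_settings(local: Gateway, remote: Gateway) -> dict:
    """Values to enter on `local` for a tunnel to `remote`, from local's point of view."""
    bad = [msg for n in remote.networks if (msg := validate_peer_network(n))]
    if bad:
        raise ValueError("; ".join(bad))
    return {
        "local_endpoint": "external",   # assumption: the external network is the LEP
        "local_id": local.native_ip,    # assumption: the gateway identifies itself by its own address
        "peer_id": remote.native_ip,    # remote's native address (private when it is NATed)
        "peer_ip": remote.public_ip,    # address the tunnel traffic is actually sent to
        "peer_networks": list(remote.networks),
    }


# Constructed topology mirroring the diagram: the cloud gateway is directly on
# the Internet, the on-premises gateway sits behind a NAT router.
VPC_GATEWAY = Gateway("vpc-gateway", "203.0.113.10", networks=["192.168.109.0/24"])
ONPREM_GATEWAY = Gateway("onprem-gateway", "192.168.1.1",
                         nat_public_ip="198.51.100.20", networks=["10.10.0.0/16"])
```

Running `vpn_settings(VPC_GATEWAY, ONPREM_GATEWAY)` yields a peer ID of 192.168.1.1 and a peer IP of 198.51.100.20, while the reverse direction yields the same value, 203.0.113.10, for both.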