How to set up an Edge Gateway site-to-site VPN
This guide will show you one of the ways to configure a site-to-site IPSEC VPN in Edge Gateway.
Edge Gateway is flexible and allows you to use different settings. For this example, we will use a pfSense firewall appliance to represent the on-premises firewall (the customer’s office). The same configuration steps apply to other types of firewall devices.
Please ensure that the Performance Cloud powered by VMware network does not overlap your on-premises network; if the two overlap, you will not be able to set up the site-to-site IPSEC VPN tunnel.
In this example, the on-premises network will be represented by the subnet 192.168.100.0/24 and Performance Cloud powered by VMware by the subnet 10.0.0.0/24. These values will differ depending on which subnets are used on-premises and in Performance Cloud powered by VMware.
Set up the site-to-site IPSEC VPN in Performance Cloud powered by VMware
1. Log in to the Performance Cloud portal
2. Click on your virtual datacenter
3. Go to Networking > Edges
4. Select your edge gateway and click SERVICES
5. Go to the VPN tab
6. Click IPsec VPN Sites
7. Click on “+” to create a new VPN. As previously mentioned, we are going to use example VPN settings (encryption algorithm, etc.), but you are free to choose different ones.
Important note: If you absolutely need to use an FQDN instead of an external IP for the on-premises site, please contact our cloud support team as this will require extra steps to configure the Edge Gateway.
- Enabled: On
- Enable perfect forward secrecy: On (if the PFS group is enabled, the setting will be the same as the setting chosen for “Diffie-Hellman Group”)
- Name: Name for your VPN
- Local ID: External IP of the Edge Gateway (same as Local Endpoint)
- Local Endpoint: External IP of the Edge Gateway (click on select to choose it)
- Local Subnets: 10.0.0.0/24 (used for the example, but this will be the subnet you configured in Performance Cloud powered by VMware)
- Peer ID: External IP of the on-premises firewall (pfSense in this example)
- Peer Endpoint: External IP of the on-premises firewall (pfSense in this example)
- Peer Subnets: 192.168.100.0/24 (used for this example, but this will be the subnet configured on-premises)
- Extension: Can be left blank
- Encryption Algorithm: AES256 (you may choose a different option)
- Authentication: PSK (you may choose a different option)
- Pre-Shared Key: Any strong password (this password will be used to configure the tunnel on-premises)
- Diffie-Hellman Group: DH2 (you may choose a different option – this group will be applied for PFS)
- Digest Algorithm: SHA-1 (you may choose a different option)
- IKE Option: IKEv2 (you may choose a different option)
- IKE Responder Only: Can be left disabled unless the on-premises firewall can only be the initiator
- Session Type: Policy Based Session (you may choose a different option)
8. Click Save changes
9. Go to Activation Status and enable IPsec VPN Service Status, then click Save
10. Take note of the configuration you’ve selected to configure the remote site. There are hardcoded settings that you cannot change from the GUI.
Phase 1 (IKE) SA Lifetime: 28800 seconds
Phase 2 (IPsec) SA Lifetime: 3600 seconds
If PFS group is enabled, the PFS group setting will be the same as the DH Group configured in the portal for Diffie-Hellman Group.
The configuration will look like this (If desired, a configuration file for the VPN tunnel can be generated by our cloud support.):
# Internet Key Exchange Configuration
# Phase 1
# Configure the IKE SA as outlined below
IKE version: ikev2
Connection initiation mode: initiator
Authentication method: psk
Pre shared key: ****************
Authentication algorithm: sha1
Encryption algorithm: aes256
SA life time: 28800 seconds
Phase 1 negotiation mode: Not applicable for ikev2
DH group: DH2
# Phase 2
# Configure the IPsec SA as outlined below
Authentication algorithm: sha1
SA life time: 3600 seconds
Encryption algorithm: aes256
Encapsulation mode: Tunnel mode
Enable perfect forward secrecy: true
Perfect forward secrecy DH group: DH2
# Peer configuration
Peer address: 188.8.131.52 # Peer gateway public IP.
Peer id: 184.108.40.206
Peer subnets: [ 10.0.0.0/24 ]
# IPsec Dead Peer Detection (DPD) settings
DPD enabled: true
DPD interval: 30 seconds
DPD timeout: 150 seconds
# Local configuration
Local address: 220.127.116.11 # Local gateway public IP.
Local id: 18.104.22.168
Local subnets: [ 192.168.100.0/24 ]
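The summary above is written from the on-premises device’s point of view (its “local” side is 192.168.100.0/24, its “peer” is the Edge Gateway). The following added example, which is not part of the original guide or of any VMware or pfSense tooling, parses that summary, checks it against the rules the guide states (the PFS group must equal the Phase 1 DH group, the SA lifetimes are fixed at 28800 s and 3600 s, and the two subnets must not overlap), and swaps local/peer to reproduce the view the Edge Gateway portal shows, so the two configurations can be compared field by field. The sample text is constructed from the guide and uses its placeholder IP addresses.

```python
import ipaddress
import re

# Constructed sample: the tunnel summary as the guide prints it.
SAMPLE_CONFIG = """\
# Internet Key Exchange Configuration
# Phase 1
# Configure the IKE SA as outlined below
IKE version: ikev2
Authentication method: psk
Authentication algorithm: sha1
Encryption algorithm: aes256
SA life time: 28800 seconds
DH group: DH2
# Phase 2
Authentication algorithm: sha1
SA life time: 3600 seconds
Encryption algorithm: aes256
Encapsulation mode: Tunnel mode
Enable perfect forward secrecy: true
Perfect forward secrecy DH group: DH2
# Peer configuration
Peer address: 188.8.131.52 # Peer gateway public IP.
Peer id: 184.108.40.206
Peer subnets: [ 10.0.0.0/24 ]
# IPsec Dead Peer Detection (DPD) settings
DPD enabled: true
DPD interval: 30 seconds
DPD timeout: 150 seconds
# Local configuration
Local address: 220.127.116.11 # Local gateway public IP.
Local id: 18.104.22.168
Local subnets: [ 192.168.100.0/24 ]
"""

# Only these '#' lines start a section; other '#' lines are plain comments.
SECTION_HEADERS = ("phase 1", "phase 2", "peer configuration",
                   "ipsec dead peer detection (dpd) settings",
                   "local configuration")

def parse_config(text):
    """Return {section: {key: value}}; keys lower-cased, inline comments dropped."""
    sections, current = {}, "global"
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            name = line.lstrip("# ").strip().lower()
            if name in SECTION_HEADERS:
                current = name
                sections.setdefault(current, {})
            continue
        key, _, value = line.partition(":")
        value = value.split("#", 1)[0].strip()  # strip trailing '# comment'
        sections.setdefault(current, {})[key.strip().lower()] = value
    return sections

def parse_subnets(value):
    """'[ 10.0.0.0/24, 10.1.0.0/24 ]' -> list of ip_network objects."""
    return [ipaddress.ip_network(s.strip(), strict=False)
            for s in value.strip("[] ").split(",") if s.strip()]

def seconds(value):
    """'28800 seconds' -> 28800."""
    return int(re.match(r"\d+", value).group())

def check_config(sections):
    """Apply the guide's consistency rules; return a list of problems found."""
    p1, p2 = sections["phase 1"], sections["phase 2"]
    peer, local = sections["peer configuration"], sections["local configuration"]
    problems = []
    # PFS group must match the Phase 1 Diffie-Hellman group.
    if (p2.get("enable perfect forward secrecy") == "true"
            and p2.get("perfect forward secrecy dh group") != p1.get("dh group")):
        problems.append("PFS DH group differs from Phase 1 DH group")
    # Lifetimes are hard-coded on the Edge Gateway: 28800 s (IKE), 3600 s (IPsec).
    if seconds(p1["sa life time"]) != 28800:
        problems.append("Phase 1 SA lifetime is not 28800 seconds")
    if seconds(p2["sa life time"]) != 3600:
        problems.append("Phase 2 SA lifetime is not 3600 seconds")
    # Cloud and on-premises subnets must not overlap.
    for a in parse_subnets(local["local subnets"]):
        for b in parse_subnets(peer["peer subnets"]):
            if a.overlaps(b):
                problems.append(f"local subnet {a} overlaps peer subnet {b}")
    return problems

def other_end_view(sections):
    """Same crypto, with local/peer swapped: what the Edge Gateway portal shows."""
    p1, p2 = sections["phase 1"], sections["phase 2"]
    peer, local = sections["peer configuration"], sections["local configuration"]
    return {
        "ike_version": p1["ike version"],
        "phase1": (p1["encryption algorithm"], p1["authentication algorithm"], p1["dh group"]),
        "phase2": (p2["encryption algorithm"], p2["authentication algorithm"],
                   p2["perfect forward secrecy dh group"]),
        "local_endpoint": peer["peer address"], "local_id": peer["peer id"],
        "local_subnets": [str(n) for n in parse_subnets(peer["peer subnets"])],
        "peer_endpoint": local["local address"], "peer_id": local["local id"],
        "peer_subnets": [str(n) for n in parse_subnets(local["local subnets"])],
    }

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("problems:", check_config(cfg) or "none")
    for k, v in other_end_view(cfg).items():
        print(f"{k}: {v}")
```

Run it against the summary you received from support (paste it in place of the constructed sample); an empty problem list plus a field-by-field match between the printed view and the portal’s IPsec VPN Sites entry is a quick pre-check before raising the tunnel.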
11. Ensure that the traffic coming from the on-premises network will be permitted to go through the VPN and reach the Performance Cloud powered by VMware network. To do so, go to the Firewall tab and click “+” to create a new rule.
- Configure a rule to permit traffic from the on-premises network to the Performance Cloud powered by VMware network and click Save changes.
- Also, make sure to permit traffic from your Performance Cloud powered by VMware network to reach the on-premises network. If you have a previously created firewall rule permitting your Performance Cloud powered by VMware network to reach any destination, that is sufficient. Otherwise, you will need to create a new rule. Here are two examples:
12. Note: You can monitor VPN tunnel status in the Edge Gateway if you go to Statistics > IPsec VPN. A checkmark represents an UP tunnel. An X represents a DOWN tunnel.
If you require logs or support to configure site-to-site VPN on Edge Gateway, please contact our cloud support team.
Set up the site-to-site IPSEC VPN on the on-premises device
1. Log in to your on-premises firewall (pfSense in this example)
2. Create a new tunnel and configure the same settings used on the Edge Gateway
3. You can confirm whether the tunnel is up on the on-premises firewall (pfSense in this example).
4. Make sure the on-premises firewall (pfSense in this example) permits traffic through the tunnel. For this example, we allowed “any-any” in the VPN tunnel, but this could be more restricted, depending on your requirements.
Test traffic through site-to-site IPSEC VPN
1. You can now test traffic from Performance Cloud powered by VMware to on-premises.
2. You can now test traffic from on-premises to Performance Cloud powered by VMware.
3. Note: If the VPN tunnel is UP and both the Edge Gateway firewall and on-premises firewall rules are properly configured but traffic still does not go through (ping, for example), also verify the firewall running directly in the VM (Windows Firewall, for example).
Some common misconfiguration issues that can cause an IPSEC VPN tunnel to fail are as follows:
- Some third-party VPN solutions offer an aggressive negotiation mode. NSX Data Center for vSphere supports only the standard negotiation mode (main mode).