How to set up an Edge Gateway site-to-site VPN

Synopsis

This guide will show you one of the ways to configure a site-to-site IPSEC VPN in Edge Gateway.

Overview

Edge Gateway is flexible and allows you to use different settings. For example, we will be using a pfSense firewall appliance that will represent the on-premises firewall (customer’s office). However, the same configuration steps apply for other types of firewall devices.


Please ensure that the Performance Cloud powered by VMware network is not overlapping your on-premises network as you will not be able to set up the site-to-site IPSEC VPN tunnel.


In this example, the on-premises network will be represented with a subnet of 192.168.100.0/24 and Performance Cloud powered by VMware will be represented with a subnet of 10.0.0.0/24. This will change depending on which subnet is used on-premises and in Performance Cloud powered by VMware.

 

PCv2 site to site vpn_1

How to

Set up the site-to-site IPSEC VPN in Performance Cloud powered by VMware

1. Log in to the Performance Cloud portal

 

2. Click on your virtual datacenter

 

PCv2 site to site vpn_2

 

3. Go to Networking Edges

 

PCv2 site to site vpn_3

 

4. Select your edge gateway and click SERVICES

 

PCv2 site to site vpn_4

 

5. Go to the VPN tab

 

PCv2 site to site vpn_5

 

6. Click IPsec VPN Sites

 

PCv2 site to site vpn_6

 

7. Click on “+” to create a new VPN. As previously mentioned, we are going to use example VPN settings (encryption algorithm, etc.), but you are free to choose a different one.

Important note: If you absolutely need to use an FQDN instead of an external IP for the on-premises site, please contact our cloud support team as this will require extra steps to configure the Edge Gateway.

 

  • Enabled: On
  • Enable perfect forward secrecy: On (if the PFS group is enabled, the setting will be the same as the setting chosen for “Diffie-Hellman Group”)
  • Name: Name for your VPN
  • Local ID: External IP of the Edge Gateway (same as Local Endpoint)
  • Local Endpoint: External IP of the Edge Gateway (click on select to choose it)
  • Local Subnets: 10.0.0.0/24 (used for the example, but this will be the subnet you configured in Performance Cloud powered by VMware)
  • Peer ID: External IP of the on-premises firewall (pfSense in this example)Peer Endpoint: External IP of the on-premises firewall (pfSense in this example)
  • Peer Endpoint: External IP of the on-premises firewall (pfSense in this example)

 

PCv2 site to site vpn_7

 

  • Peer Subnets: 192.168.100.0/24 (used for this example, but this will be the subnet configured on-premises)
  • Extension: Can be left blank
  • Encryption Algorithm: AES256 (you may choose a different option)
  • Authentication: PSK (you may choose a different option)
  • Pre-Shared Key: Any strong password (this password will be used to configure the tunnel on-premises)

 

PCv2 site to site vpn_8

 

  • Diffie-Hellman Group: DH2 (you may choose a different option – this group will be applied for PFS)
  • Digest Algorithm: SHA-1 (you may choose a different option)
  • IKE Option: IKEv2 (you may choose a different option)
  • IKE Responder Only: Can be left disabled unless the on-premises firewall can only be the initiator
  • Session Type: Policy Based Session (you may choose a different option)

 

PCv2 site to site vpn_9

 

8. Click Save changes

 

PCv2 site to site vpn_10

 

9. Go to Activation Status and enable IPsec VPN Service Status, then click Save

 

PCv2 site to site vpn_11

 

10. Take note of the configuration you’ve selected to configure the remote site. There are hardcoded settings that you cannot change from the GUI.

 

Phase 1
 SA Lifetime: 28800 seconds

 

Phase 2
Protocol: ESP
SA Lifetime: 3600 seconds
 If PFS group is enabled, the PFS group setting will be the same as the DH Group configured in the portal for Diffie-Hellman Group.

 

The configuration will look like this (If desired, a configuration file for the VPN tunnel can be generated by our cloud support.):
#
# Internet Key Exchange Configuration
# Phase 1
# Configure the IKE SA as outlined below
IKE version: ikev2
Connection initiation mode: initiator
Authentication method: psk
Pre shared key: ****************
Authentication algorithm: sha1
Encryption algorithm: aes256
SA life time: 28800 seconds
Phase 1 negotiation mode: Not applicable for ikev2
 DH group: DH2

 

# IPsec_configuration
# Phase 2
# Configure the IPsec SA as outlined below
Protocol: ESP
Authentication algorithm: sha1
Sa life time: 3600 seconds
Encryption algorithm: aes256
Encapsulation mode: Tunnel mode
Enable perfect forward secrecy: true
 Perfect forward secrecy DH group: DH2

 

# Peer configuration
Peer address: 74.115.204.13 # Peer gateway public IP.
Peer id: 74.115.204.13
 Peer subnets: [ 10.0.0.0/2 ]

 

# IPsec Dead Peer Detection (DPD) settings
DPD enabled: true
DPD interval: 30 seconds
 DPD timeout: 150 seconds

 

# Local configuration
Local address: 173.46.148.12 # Local gateway public IP.
Local id: 173.46.148.12
 Local subnets: [ 192.168.100.0/24 ]

 

11. Ensure that the traffic coming from the on-premises network will be permitted to go through the VPN and reach the Performance Cloud powered by VMware network. To do so, go to the Firewall tab and click “+” to create a new rule.

 

PCv2 site to site vpn_12

 

  • Configure a rule to permit traffic from the on-premises network to the Performance Cloud powered by VMware network and click Save changes.

 

PCv2 site to site vpn_13

 

  • Also, make sure to permit traffic from your Performance Cloud powered by VMware network to reach the on-premises network. If you have a rule previously created firewall rule permitting your Performance Cloud powered by VMware network to reach any destination, it will be fine. Otherwise, you will need to create a new rule. Here are 2 examples:

 

PCv2 site to site vpn_14

PCv2 site to site vpn_15

 

12. Note: You can monitor VPN tunnel status in the Edge Gateway if you go to Statistics IPsec VPN. A checkmark represents an UP tunnel. An X represents a DOWN tunnel.

 

PCv2 site to site vpn_16

PCv2 site to site vpn_17

 

If you require logs or support to configure site-to-site VPN on Edge Gateway, please contact our cloud support team. 

Set up the site-to-site IPSEC VPN on the on-premises device

1. Log in to your on-premises firewall (pfSense in this example)

 

2. Create a new tunnel and configure the same settings used on the Edge Gateway

 

PCv2 site to site vpn_18

PCv2 site to site vpn_19

PCv2 site to site vpn_20

PCv2 site to site vpn_21

 

3. You can confirm if the tunnel is up on the on-premises firewall (pfSense in this example).

 

PCv2 site to site vpn_22

 

4. Make sure the on-premises firewall (pfSense in this example) permits traffic through the tunnel. For this example, we allowed “any-any” in the VPN tunnel, but this could be more restricted, depending on your requirements.

 

PCv2 site to site vpn_23

Test traffic through site-to-site IPSEC VPN

1. You can now test traffic from Performance Cloud powered by VMware to on-premises.

 

PCv2 site to site vpn_24

 

2. You can now test traffic run on-premises to Performance Cloud powered by VMware

 

PCv2 site to site vpn_25

 

3. Note: If the VPN tunnel is UP and both the Edge Gateway firewall and on-premises firewall rules are properly configured but traffic won’t go through (ping for example), you will also need to verify the firewall directly in the VM (Windows firewall for example).