How to setup an Edge Gateway site-to-site VPN tunnel in Performance Cloud VMware (NSX-T)
TABLE OF CONTENTS
- Summary
- Overview
- Requirements
- Important Notes
- Procedure
- Test traffic through site-to-site IPSEC VPN
- Troubleshooting
Summary
This guide will show you one of the ways to configure a site-to-site IPSEC VPN tunnel in Edge Gateway.
Overview
Edge Gateway is flexible and allows you to use different settings. For example, we will be using a pfSense firewall appliance that will represent the on-premises firewall (customer’s office). However, the same configuration steps apply for other types of firewall devices.
Please ensure that the Performance Cloud VMware network does not overlap your on-premises network; if the two networks overlap, you will not be able to set up the site-to-site IPSEC VPN tunnel.
Please adjust the VPN tunnel configuration according to your settings and your needs.
In this example, the on-premises side is represented by the subnet 192.168.100.0/24 with WAN IP address 173.46.148.12, and the Performance Cloud VMware side is represented by the subnet 10.0.0.0/24 with WAN IP address 173.46.155.69.
Requirements
To configure firewall rules, IP Sets are required. If you haven't created your IP Sets yet, please follow this article for guidelines.
Important Notes
“Fully qualified domain names” (FQDN) are not supported for the IPSec VPN tunnel configuration. If there is a need to connect to a remote endpoint using an FQDN, the workaround is to deploy a NVA (Network Virtual Appliance).
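The two constraints above (no overlapping networks, no FQDN endpoints) can be checked before anything is clicked in the portal. The following is an added example, not part of the original guide or the product; the settings dictionary layout and the function names are assumptions, and the sample values are the ones used in this guide:

```python
"""Pre-flight checks for an Edge Gateway site-to-site IPsec tunnel (added example)."""
import ipaddress

# Constructed sample: the guide's example addresses, in an assumed key layout.
SAMPLE_TUNNEL = {
    "local_wan": "173.46.155.69",             # Performance Cloud VMware WAN IP
    "local_networks": ["10.0.0.0/24"],        # cloud-side subnet(s)
    "remote_endpoint": "173.46.148.12",       # on-premises WAN IP (remote ID)
    "remote_networks": ["192.168.100.0/24"],  # on-premises LAN(s)
}


def check_tunnel(cfg):
    """Return a list of problems found; an empty list means the settings pass."""
    problems = []

    # 1. Endpoints must be IP literals: FQDNs are not supported for the tunnel.
    for key in ("local_wan", "remote_endpoint"):
        try:
            ipaddress.ip_address(cfg[key])
        except ValueError:
            problems.append(
                f"{key} {cfg[key]!r} is not an IP address; FQDN endpoints are not supported"
            )

    local = [ipaddress.ip_network(n, strict=False) for n in cfg["local_networks"]]
    remote = [ipaddress.ip_network(n, strict=False) for n in cfg["remote_networks"]]

    # 2. Cloud and on-premises networks must not overlap, or the tunnel cannot be set up.
    for lnet in local:
        for rnet in remote:
            if lnet.overlaps(rnet):
                problems.append(f"local network {lnet} overlaps remote network {rnet}")
    return problems


def mirror_for_onprem(cfg):
    """Settings the on-premises firewall (pfSense in the guide) needs: same
    tunnel, but local and remote sides swapped relative to the Edge Gateway."""
    return {
        "local_wan": cfg["remote_endpoint"],
        "local_networks": list(cfg["remote_networks"]),
        "remote_endpoint": cfg["local_wan"],
        "remote_networks": list(cfg["local_networks"]),
    }


if __name__ == "__main__":
    for problem in check_tunnel(SAMPLE_TUNNEL) or ["settings pass pre-flight checks"]:
        print(problem)
```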
Procedure
1. Log in to the Performance Cloud VMware portal using your credentials.
2. Click on your virtual datacenter.
3. Go to Networking > Edges and click on your edge gateway.
4. Go to the IPSec VPN section and click on NEW.
5. Enter a name and a description for the IPSec VPN tunnel. Then, click on NEXT.
6. Enter a strong Pre-Shared Key and click on NEXT.
7. Enter the network configuration: WAN IP addresses, local & remote networks.
Enter the remote IP address for the remote ID.
Then, click on NEXT.
8. Review the VPN Tunnel configuration and click on FINISH.
9. Select the VPN tunnel and click on SECURITY PROFILE CUSTOMIZATION.
10. Review the active security profile and update it as required according to your on-premises configuration. Then, click on SAVE.
11. Go to the Firewall section and click on EDIT RULES.
12. In the new window, click on NEW ON TOP.
13. Edit the fields of the new firewall rule as follows:
- Name: Name your firewall rule (Example: VPN-S_CLOUD-D_MAINOFFICE).
- Source: Click on the pencil to select the source for this firewall rule. Then, click on KEEP. In this example, the IP Set named CLOUD-LAN is selected.
- Destination: Click on the pencil to select the destination for this firewall rule. Then, click on KEEP. In this example, the IP Set named MAIN_OFFICE-LAN is chosen.
- Action: Choose between Allow or Drop.
Then, click on SAVE.
14. Repeat the previous step to create additional rules for the traffic to allow and block.
For this example, we've allowed all traffic into the VPN tunnel, but it could be more restricted for added security or as needed.
15. You can monitor the VPN tunnel status from the portal.
Go to the IPSec VPN section, select your VPN Tunnel and click on VIEW STATISTICS.
If you require logs or support to configure site-to-site VPN on Edge Gateway, please contact our cloud support team.
Set up the site-to-site IPSEC VPN on the on-premises device
1. Log in to your on-premises firewall (pfSense in this example).
2. Create a new tunnel and configure the same settings used on the Edge Gateway.
3. You can confirm if the tunnel is up on the on-premises firewall (pfSense in this example).
4. Make sure the on-premises firewall (pfSense in this example) permits traffic through the tunnel. For this example, we allowed “any-any” in the VPN tunnel, but this could be more restricted, depending on your requirements.
Test traffic through site-to-site IPSEC VPN
1. You can now test traffic from Performance Cloud VMware to on-premises.
2. You can now test traffic from on-premises to Performance Cloud VMware.
3. Note: If the VPN tunnel is UP and both the Edge Gateway firewall and on-premises firewall rules are properly configured but traffic won’t go through (ping for example), you will also need to verify the firewall directly in the virtual machine (Windows firewall for example).
Troubleshooting
Some common misconfiguration issues that can cause an IPSEC VPN tunnel to fail are as follows:
- Some third-party VPN solutions offer an aggressive negotiation mode. NSX Data Center for vSphere supports only the standard negotiation mode (main mode).