About
Virtual Data Center includes NSX Edge. One of the NSX Edge features is IPsec VPN. A client can have one or more VPN tunnels established from Zettagrid to many sites. The IPsec VPN on NSX Edge is policy-based.
In a policy-based IPsec VPN, you explicitly configure the subnets behind the NSX Edge on the local site that require secure and encrypted communication with the remote subnets on the peer site. Only traffic between those configured local subnets and the configured remote subnets is encrypted and sent through the tunnel. When the local IPsec VPN site originates traffic from local subnets that are not in the policy (unprotected subnets) to the protected remote subnets on the peer site, that traffic is dropped.
The local subnets behind an NSX Edge must have address ranges that do not overlap with the IP addresses on the peer VPN site. If the local and remote peers across an IPsec VPN tunnel have overlapping IP addresses, traffic forwarding across the tunnel might not be consistent.
You can deploy an NSX Edge behind a NAT device. In this deployment, the NAT device translates the VPN address of the NSX Edge instance to a publicly accessible address facing the Internet. Remote VPN sites use this public address to reach the NSX Edge instance, so the on-premise side must be configured with that public address as its peer, not with the private VPN address of the Edge.
This article explains how to set up an IPsec VPN tunnel on the Zettagrid side, not on the on-premise side. The configuration made on the Zettagrid side must match the on-premise side. How to set up the tunnel on the on-premise side depends on the hardware used there.
Preparation
Before using this guide, please ensure the following:
- You have subscribed to Virtual Data Center and have access to vCloud Director
- You understand IPsec configuration
- You have a topology, or know which connection you want to establish
Guide
1. Go to your vCloud Director, then Edges.
2. Select the gateway named DC_XXXXXX.
3. Select IPSec VPN.
4. Select New to create a VPN.
5. In General Settings, fill in Name and Description, leave Security Profile at Default, and click Next.
6. Enter the Pre-Shared Key and click Next. Use a long, randomly generated key; the same key must be entered on the on-premise device.
7. Fill in the form with your configuration (local and remote endpoint addresses, and the local and remote networks the tunnel should protect) and click Keep.
Note: The remote ID uniquely identifies the peer site and depends on the authentication mode for the tunnel. If you do not set it, the remote ID defaults to the remote IP address.
8. Review the configuration and click Finish.
9. The tunnel currently uses the default encryption settings. If you want to define a specific encryption, go to Security Profile Customization.
10. Customize it to your needs and click Save. Whatever you choose here (IKE version, encryption, integrity and DH group) must be matched exactly on the on-premise device.
11. After the tunnel is created, go to Edges > DC_XXXX and create new IP Sets for the networks of your Remote Endpoint (and for the networks of your Local Endpoint, if no IP Set exists for them yet), then Save.
12. To allow communication between the local and remote networks, go to Firewall and add two new rules:
Source: Networks Remote Endpoint > Destination: Networks Local Endpoint
Source: Networks Local Endpoint > Destination: Networks Remote Endpoint
Scope these rules to the protocols and ports you actually need rather than allowing all traffic between the two sites.
Note:
After you configure IPsec in Cloud Director, you must configure the network device at your site with the same parameters (endpoints, protected networks, pre-shared key and security profile settings); otherwise the tunnel will not come up.
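The following Python script is an added example and is not part of the Zettagrid article or of vCloud Director. It models the policy-based behaviour described in the About section (only configured local-to-remote subnet pairs are tunnelled, traffic from an unprotected local subnet to a protected remote subnet is dropped, and local and remote ranges must not overlap) and produces the two firewall rules from step 12, so you can sanity-check a tunnel definition before clicking through the wizard. All addresses, subnets and the pre-shared key are constructed sample values; the "routed" outcome for traffic that the policy does not cover at all, and the minimum key length check, are assumptions of this example rather than statements from the article.

```python
"""Added example (not part of the Zettagrid article): pre-flight checks for a
policy-based IPsec tunnel definition.  Sample values are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Tunnel:
    name: str
    local_endpoint: str      # NSX Edge VPN address (public NAT address if behind NAT)
    peer_endpoint: str       # on-premise public address
    local_subnets: list      # subnets behind the NSX Edge listed in the policy
    peer_subnets: list       # subnets behind the on-premise device listed in the policy
    psk: str
    remote_id: str = ""      # article: defaults to the remote IP address if unset

    def __post_init__(self):
        self.local_subnets = [ip_network(s) for s in self.local_subnets]
        self.peer_subnets = [ip_network(s) for s in self.peer_subnets]
        if not self.remote_id:
            self.remote_id = self.peer_endpoint


def validate(t: Tunnel) -> list:
    """Return the problems to fix before building the tunnel."""
    issues = []
    # Article: local and peer ranges must not overlap, or forwarding
    # across the tunnel becomes inconsistent.
    for local in t.local_subnets:
        for peer in t.peer_subnets:
            if local.overlaps(peer):
                issues.append(f"local {local} overlaps peer {peer}")
    # Assumption of this example (not from the article): treat a PSK
    # shorter than 16 characters as too weak to ship.
    if len(t.psk) < 16:
        issues.append("pre-shared key shorter than 16 characters")
    return issues


def classify_flow(t: Tunnel, src: str, dst: str) -> str:
    """What the policy-based tunnel does with a flow leaving the Edge.

    'tunnel' : source in a protected local subnet and destination in a
               protected peer subnet -> encrypted and sent via the tunnel.
    'drop'   : destination is a protected peer subnet but the source is in
               no local subnet of the policy -> dropped, as the article says.
    'routed' : destination not covered by the policy -> ordinary routing
               (assumption of this example, not stated in the article).
    """
    s, d = ip_address(src), ip_address(dst)
    dst_protected = any(d in peer for peer in t.peer_subnets)
    src_protected = any(s in local for local in t.local_subnets)
    if not dst_protected:
        return "routed"
    return "tunnel" if src_protected else "drop"


def firewall_rules(t: Tunnel) -> list:
    """The two edge firewall rules from step 12, one per direction."""
    local = [str(n) for n in t.local_subnets]
    peer = [str(n) for n in t.peer_subnets]
    return [
        {"name": f"{t.name}-in", "source": peer, "destination": local, "action": "accept"},
        {"name": f"{t.name}-out", "source": local, "destination": peer, "action": "accept"},
    ]


# Constructed sample tunnel (documentation addresses, placeholder key).
SAMPLE = Tunnel(
    name="site-a",
    local_endpoint="203.0.113.10",
    peer_endpoint="198.51.100.20",
    local_subnets=["10.10.0.0/24", "10.10.1.0/24"],
    peer_subnets=["192.168.50.0/24"],
    psk="example-only-replace-me-32chars!!",
)

if __name__ == "__main__":
    print("issues:", validate(SAMPLE) or "none")
    for src, dst in [("10.10.0.5", "192.168.50.7"),
                     ("10.10.9.5", "192.168.50.7"),
                     ("10.10.0.5", "8.8.8.8")]:
        print(f"{src} -> {dst}: {classify_flow(SAMPLE, src, dst)}")
    for rule in firewall_rules(SAMPLE):
        print(rule)
```

Run it with the subnets you intend to enter in steps 7 and 11: an overlap reported by validate() means the addressing must be changed before the tunnel is built, and a "drop" from classify_flow() for a source you expected to reach the remote site means that source subnet is missing from the local networks of the policy.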