Configuring IPsec VPN within VMware vCloud Hybrid Service to a remote network (2051370)
Configuring an IPsec VPN tunnel within the VMware vCloud Hybrid Service environment gives you a secure tunnel connection to your on-premises infrastructure.
This article provides steps to configure the vShield Edge Gateway's IPsec parameters.
- From the vCloud Hybrid Service portal, select the appropriate Virtual Datacenter.
- Under Related Links, click vCloud Director URL and navigate to the URL.
- Log into the vCloud Director interface as an Organization Administrator.
- Click Administration in the top menu.
- Click Virtual Datacenters in the Administration pane on the left.
- Click the Virtual Datacenter name in the pane on the right.
- The pane on the right has a row of tabs along the top. Click the Edge Gateways tab.
- In the list of Edge Gateways, click one to select it.
- Right-click the Edge Gateway and choose Edge Gateway Services.
- Click the VPN tab.
To enable and configure VPN and Public IPs:
- On the Configure Services window, select Enable VPN.
- Click Configure Public IPs.
- The external interface of the Edge Gateway is listed, along with its IP address. This IP address will also be used as your Public IP address. If multiple IP addresses appear, select one IP address.
- Enter the IP address in the Public IP field.
- Click OK.
To configure a site-to-site VPN tunnel:
- Within the Configure Services Screen, click Add.
- Populate the required fields. This table provides guidance for each field:
| Field | Action |
| --- | --- |
| Name | Enter the name of the VPN tunnel. |
| Description | Enter a description of the VPN tunnel. |
| Enable this VPN configuration | Ensure that this is selected. |
| Local Networks | Click the network you want to designate as the internal network for the VPN. |
| Peer Networks | The Peer Networks is the remote network for the VPN. In CIDR format, enter the remote subnet address (for example, 192.168.2.0/24). |
| Local Endpoint | Select the external interface of the Edge Gateway. |
| Local ID | Enter an IP address or hostname in conjunction with the vShield Edge firewall. Typically this is the external IP address of the Edge Gateway. |
| Peer ID | Enter the IP address of the remote device terminating the VPN tunnel. It is typically a public IP address. If the peer is NAT'd, it should be the private (internal) peer IP address. |
| Peer IP | Enter the Public IP address (outside) of the remote device with which you are establishing the VPN. |
| Encryption Protocol | Select AES-256, AES, or 3DES. The Encryption Protocol must match what is configured on the remote site VPN device. |
| Shared Key | Enter the shared secret configured on each VPN endpoint. The shared secret must be an alphanumeric string between 32 and 128 characters. It must include at least one uppercase letter, one lowercase letter, and one number. |
| MTU | Configure the appropriate MTU size. |
- Click OK.
The VPN tunnel can take 5 to 10 minutes to properly establish a secure connection. A green check mark then appears in the Status row on the Configure Services VPN tab.
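The field rules in the table above (shared-key policy, the three encryption choices, CIDR peer networks) are easy to get wrong in the form and only show up as a tunnel that never comes up. The following pre-flight checker is an added example, not VMware code; it assumes the tunnel definition is held in a dict whose keys (`shared_key`, `encryption_protocol`, `local_network`, `peer_network`, `local_endpoint`, `peer_ip`) are hypothetical names chosen to mirror the form fields, and it adds two checks the article does not state but a practitioner would want: a warning on 3DES and a check that local and peer subnets do not overlap.

```python
import ipaddress
import re

# Encryption choices offered in the Edge Gateway VPN form, as listed in the article.
ENCRYPTION_PROTOCOLS = {"AES-256", "AES", "3DES"}


def check_shared_key(key):
    """Return policy violations for a pre-shared key (empty list = acceptable).
    Policy from the article: 32 to 128 alphanumeric characters with at least
    one uppercase letter, one lowercase letter and one digit."""
    problems = []
    if not 32 <= len(key) <= 128:
        problems.append("shared key must be 32 to 128 characters long")
    if not re.fullmatch(r"[A-Za-z0-9]+", key):
        problems.append("shared key must be alphanumeric only")
    for pattern, what in ((r"[A-Z]", "uppercase letter"),
                          (r"[a-z]", "lowercase letter"),
                          (r"[0-9]", "digit")):
        if not re.search(pattern, key):
            problems.append(f"shared key needs at least one {what}")
    return problems


def validate_tunnel(cfg):
    """Check a tunnel definition (dict keyed by assumed field names) before it
    is submitted. Returns a list of findings; an empty list means consistent."""
    findings = check_shared_key(cfg.get("shared_key", ""))
    proto = cfg.get("encryption_protocol")
    if proto not in ENCRYPTION_PROTOCOLS:
        findings.append(f"encryption protocol {proto!r} is not one of {sorted(ENCRYPTION_PROTOCOLS)}")
    elif proto == "3DES":
        # Not in the article: 3DES is a legacy cipher; prefer AES-256 where the peer supports it.
        findings.append("warning: 3DES is a legacy cipher; use AES-256 if the remote device supports it")
    try:
        # strict=True rejects a prefix with host bits set, e.g. 192.168.2.1/24
        local = ipaddress.ip_network(cfg["local_network"], strict=True)
        peer = ipaddress.ip_network(cfg["peer_network"], strict=True)
        if local.overlaps(peer):  # overlapping subnets cannot be routed through the tunnel
            findings.append("local and peer networks overlap; tunnel traffic cannot be routed")
    except (KeyError, ValueError) as exc:
        findings.append(f"invalid local/peer network: {exc}")
    for field in ("local_endpoint", "peer_ip"):
        try:
            ipaddress.ip_address(cfg[field])
        except (KeyError, ValueError):
            findings.append(f"{field} must be a valid IP address")
    return findings
```

Run `validate_tunnel` over the values you intend to enter; the addresses in any sample you build are yours, the example itself embeds none.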
This image shows a VPN logical example:
If a firewall is between the tunnel endpoints, you must configure it to allow these IP protocols and UDP ports:
- IP Protocol ID 50 (ESP)
- IP Protocol ID 51 (AH)
- UDP Port 500 (IKE)
- UDP Port 4500 (IKE NAT traversal)