Advanced Edge Gateway VPN Settings

Set up an IPSec VPN connection between your Advanced Edge Gateway and your onsite router/firewall

Open vCloud Director portal

Navigate to Networking > Edges menu

Highlight your Edge Gateway and then click 'Configure Services'

Click on the VPN menu option, then IPSec VPN Sites submenu.

Click the + button to create a new IPSec VPN tunnel:


Enter your configuration:

  • Enabled: toggle on
  • Enable perfect forward secrecy (PFS): toggle on
  • Name (optional): a name for this IPSec VPN
  • Local ID: tchCloud5 for Hamilton | tcaCloud5 for Auckland
  • Local Endpoint: usually the IP address of the Edge Gateway
  • Local Subnet: usually the subnet of your hosted servers
  • Peer ID: unique ID for the remote site that you are connecting to
  • Peer Endpoint: IP address or FQDN of the remote site that you are connecting to
  • Peer Subnet: subnet(s) of the remote site(s) that you are peering with
  • Encryption Algorithm: the encryption algorithm you wish to use. AES256 is the strongest of the options offered
  • Authentication: PSK authenticates with the Pre-Shared Key; Certificate authenticates with an X.509 certificate instead
  • Change Shared Key (optional): enable this when you need to change the Pre-Shared Key
  • Pre-Shared Key: the secret used for this IPSec VPN connection. Use a long, random value and give it to the remote site out of band, not by email
  • Display Shared Key (optional): enable this to show the Pre-Shared Key
  • Diffie-Hellman Group: the DH group you are using with this IPSec VPN

NOTE: The Diffie-Hellman Group must match what is configured on the remote site VPN device.

  • Extension (optional): type one of the following:
      securelocaltrafficbyip=<IP address> re-directs the Edge Gateway's own local traffic over the IPsec VPN tunnel. This is the default value.
      passthroughSubnets=<peer subnet IP address> supports overlapping subnets.

Once you have applied all the necessary settings, configure the remote end to match and the VPN tunnel should be established. We have found the following settings work for the remote end. They are based on configuring a FortiGate firewall running FortiOS 5.x; some item names may differ between vendors.
This is not a comprehensive list of all the options you will need to set, only the key ones that may differ from the defaults.


Phase 1 Settings:

  • Mode: Main
  • Authentication: Preshared Key
  • IKE Version: 1
  • Encryption: AES256 (or whichever algorithm you chose on the Edge Gateway instead)
  • Authentication (integrity): SHA1. The Edge Gateway pairs AES256 with SHA1; we have verified this with AES256 but have not tried 3DES
  • DH Group: the same group you selected on the Edge Gateway (Default: DH5)
  • Key Lifetime: 28800 seconds
  • Dead Peer Detection: Enabled
  • Keepalive Frequency: 10 seconds


Phase 2 Settings:

  • Encryption: AES256 (or whichever algorithm you chose on the Edge Gateway instead)
  • Authentication (integrity): SHA1 (verified with AES256; we have not tried 3DES)
  • Enable replay detection: Yes
  • Enable Perfect forward secrecy (PFS): Yes
  • DH Group: the same group you selected on the Edge Gateway (Default: DH5)
  • Key Lifetime: 3600 seconds
  • Autokey Keep Alive: No

All other settings depend on your particular customer network. DH group 5 and SHA1 are listed above because they are the Edge Gateway defaults and the two ends must match; they are older choices, so if both the Edge Gateway and your firewall offer a stronger DH group, select it on both ends.
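The mirror-image relationship between the Edge Gateway form and the FortiGate Phase 1/Phase 2 settings is where most tunnel failures come from (swapped subnets, a DH group or PFS setting that matches on only one end). The script below is an added example written for this page, not vGrid's or Fortinet's code: it takes the values from the Edge Gateway form, renders the matching FortiGate phase1-interface/phase2-interface configuration, and reports any setting on the remote end that disagrees with what the Edge expects. The FortiOS CLI keywords are the FortiOS 5.x ones as remembered by the author and should be checked against your firewall's own CLI reference; the cipher-name mapping is assumed, and every name, address and key in it is a constructed placeholder.

```python
"""Render the FortiGate side of an Edge Gateway IPSec VPN site and check the
values that must agree on both ends before the tunnel is brought up.

Added example for this page, not vGrid's or Fortinet's code.  The FortiOS CLI
keywords are the FortiOS 5.x ones as remembered by the author (verify against
your firewall's CLI reference); names, addresses and the key are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Edge Gateway cipher choice -> FortiGate proposal cipher (assumed mapping).
# The Edge pairs each cipher with SHA1 integrity, so proposals are "<cipher>-sha1".
_EDGE_TO_FORTI_CIPHER = {"AES256": "aes256", "AES": "aes128", "3DES": "3des"}


@dataclass
class EdgeIpsecSite:
    """Fields entered on the Edge Gateway 'IPSec VPN Sites' form."""
    name: str
    local_id: str             # tchCloud5 (Hamilton) or tcaCloud5 (Auckland)
    local_endpoint: str       # public IP of the Edge Gateway
    local_subnets: List[str]  # hosted subnets, CIDR notation
    peer_id: str
    peer_endpoint: str        # remote firewall's public IP or FQDN
    peer_subnets: List[str]   # remote subnets, CIDR notation
    psk: str
    encryption: str = "AES256"
    dh_group: int = 5
    pfs: bool = True
    ike_lifetime: int = 28800   # phase 1 (IKE SA) lifetime, seconds
    ipsec_lifetime: int = 3600  # phase 2 (IPsec SA) lifetime, seconds


def proposal(site: EdgeIpsecSite) -> str:
    """FortiGate proposal string for the Edge cipher, always with SHA1."""
    return f"{_EDGE_TO_FORTI_CIPHER[site.encryption]}-sha1"


def required_remote_settings(site: EdgeIpsecSite) -> Dict[str, object]:
    """Values the remote firewall must carry to match this Edge site."""
    return {
        "ike_version": 1, "mode": "main", "authmethod": "psk",
        "p1_proposal": proposal(site), "p1_dhgrp": site.dh_group,
        "p1_keylife": site.ike_lifetime,
        "p2_proposal": proposal(site), "p2_pfs": site.pfs,
        "p2_dhgrp": site.dh_group, "p2_keylife": site.ipsec_lifetime,
    }


def check_remote(site: EdgeIpsecSite, remote: Dict[str, object]) -> List[str]:
    """One line per setting on the remote end that differs from the Edge."""
    return [f"{key}: edge expects {want!r}, remote has {remote.get(key)!r}"
            for key, want in required_remote_settings(site).items()
            if remote.get(key) != want]


def _fg_subnet(cidr: str) -> str:
    """'10.0.1.0/24' -> '10.0.1.0 255.255.255.0' (address + mask form)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return f"{net.network_address} {net.netmask}"


def fortigate_config(site: EdgeIpsecSite, wan_interface: str) -> str:
    """Render phase1/phase2 config as the mirror image of the Edge site.

    Identities and subnets swap sides: the Edge's Peer ID is the FortiGate's
    localid, the Edge's Local ID its peerid, the Edge's peer subnets its
    src-subnet and the Edge's local subnets its dst-subnet.  FortiGate takes
    one subnet per selector, so one phase2 entry is emitted per subnet pair.
    """
    lines = [
        "config vpn ipsec phase1-interface",
        f'    edit "{site.name}"',
        f'        set interface "{wan_interface}"',
        "        set ike-version 1",
        "        set mode main",
        "        set authmethod psk",
        f'        set localid "{site.peer_id}"',
        "        set peertype one",
        f'        set peerid "{site.local_id}"',
        f"        set remote-gw {site.local_endpoint}",
        f"        set proposal {proposal(site)}",
        f"        set dhgrp {site.dh_group}",
        f"        set keylife {site.ike_lifetime}",
        "        set dpd enable",  # FortiOS 5.4+ spells this 'set dpd on-idle'
        "        set dpd-retryinterval 10",
        f'        set psksecret "{site.psk}"',
        "    next",
        "end",
        "config vpn ipsec phase2-interface",
    ]
    for n, (remote_net, local_net) in enumerate(
            ((r, l) for r in site.peer_subnets for l in site.local_subnets), 1):
        lines += [
            f'    edit "{site.name}-p2-{n}"',
            f'        set phase1name "{site.name}"',
            f"        set proposal {proposal(site)}",
            f"        set pfs {'enable' if site.pfs else 'disable'}",
            f"        set dhgrp {site.dh_group}",
            "        set replay enable",
            f"        set keylifeseconds {site.ipsec_lifetime}",
            "        set auto-negotiate disable",
            f"        set src-subnet {_fg_subnet(remote_net)}",
            f"        set dst-subnet {_fg_subnet(local_net)}",
            "    next",
        ]
    lines.append("end")
    return "\n".join(lines) + "\n"


# Constructed sample input: TEST-NET addresses and a placeholder key.
EXAMPLE_SITE = EdgeIpsecSite(
    name="vgrid-hamilton", local_id="tchCloud5", local_endpoint="203.0.113.5",
    local_subnets=["10.0.1.0/24"], peer_id="branch-office",
    peer_endpoint="198.51.100.20",
    peer_subnets=["192.168.10.0/24", "192.168.20.0/24"],
    psk="replace-with-a-long-random-key",
)

if __name__ == "__main__":
    print(fortigate_config(EXAMPLE_SITE, "wan1"))
    # A remote end with PFS off and DH14 in phase 2 fails the match check.
    wrong = dict(required_remote_settings(EXAMPLE_SITE), p2_dhgrp=14, p2_pfs=False)
    print("\n".join(check_remote(EXAMPLE_SITE, wrong)))
```

Run it with the values from your own Edge Gateway form substituted into EXAMPLE_SITE and paste the printed configuration into the FortiGate, then feed the firewall's actual Phase 1/Phase 2 values into check_remote before raising a support ticket: an empty list means every setting the Edge cares about agrees on both ends.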

If you require further assistance, please contact our Service Desk by emailing support@vgrid.nz