Set up an IPSec VPN connection between your Advanced Edge Gateway and your onsite router/firewall
Open vCloud Director portal
Navigate to Networking > Edges menu
Highlight your Edge Gateway and then click 'Configure Services'
Click on the VPN menu option, then IPSec VPN Sites submenu.
Click the + button to create a new IPSec VPN tunnel:
Configure the IPSec VPN settings by entering your configuration:
Setting | Description
Enable | toggle selector to on
Enable perfect forward secrecy (PFS) | toggle selector to on
Name (Optional) | enter a name for this IPSec VPN
Local ID | tchCloud5 for Hamilton; tcaCloud5 for Auckland
Local Endpoint | This is usually the IP address of the Edge Gateway
Local Subnet | This is usually the subnet of your hosted servers
Peer ID | Unique ID for the remote site that you are connecting to
Peer Endpoint | IP address or FQDN of the remote site that you are connecting to
Peer Subnet | Subnet(s) of the remote site(s) that you are peering with
Encryption Algorithm | select the encryption algorithm that you wish to use. AES256 is the most secure
Authentication | PSK uses the Pre-Shared Key; Certificate uses an SSL certificate
Change Shared Key (Optional) | enable this when you need to change the Pre-Shared Key
Pre-Shared Key | enter the password that you are using for the IPSec VPN connection
Display Shared Key (Optional) | enable this to show the Pre-Shared Key
Diffie-Hellman Group | select the DH group that you are using with your IPSec VPN. NOTE: the Diffie-Hellman Group must match what is configured on the remote site VPN device
Extension (Optional) |
Once you have applied all the necessary settings, configure the remote end to match and your VPN tunnel should be established. Our own research has found the following settings work best for the remote end. These settings are based on configuring a FortiGate firewall running FortiOS 5.x; some item names may differ between vendors.
This is not a comprehensive list of all the options you will need to set, but rather the key ones that may differ from the norm.
Phase 1 Settings:
- Mode: Main
- Authentication: Preshared Key
- IKE Version: 1
- Encryption: AES256 (or the other options if you chose them instead)
- Authentication: SHA1 (we have not tried 3DES, but for AES256, SHA1 is certainly the authentication type)
- DH Group: Select the same group (Default: DH5) as above
- Key Lifetime: 28800 seconds
- Dead Peer Detection: Enabled
- Keepalive Frequency: 10
Phase 2 Settings:
- Encryption: AES256 (or the other options if you chose them instead)
- Authentication: SHA1 (we have not tried 3DES, but for AES256, SHA1 is certainly the authentication type)
- Enable replay detection: Yes
- Enable Perfect forward secrecy (PFS): Yes
- DH Group: Select the same group (Default: DH5) as above
- Key Lifetime: 3600 seconds
- Autokey Keep Alive: No
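As an added example (not vGrid's own configuration), here are the Phase 1 and Phase 2 settings above expressed in FortiOS 5.x CLI. The interface name, addresses, IDs and pre-shared key are placeholders, and `set dpd on-idle` assumes FortiOS 5.4 or later (earlier 5.x builds use `set dpd enable`).

```fortios
# Added example of the FortiGate side for the tunnel described above.
# All names, addresses and the PSK are placeholders; replace them with your own values.
config vpn ipsec phase1-interface
    edit "vcd-edge"
        set interface "wan1"               # placeholder: your Internet-facing interface
        set ike-version 1                  # IKE Version: 1
        set mode main                      # Mode: Main
        set peertype any
        set authmethod psk                 # Authentication: Preshared Key
        set proposal aes256-sha1           # Encryption AES256, Authentication SHA1
        set dhgrp 5                        # must match the DH group set on the Edge Gateway
        set keylife 28800                  # Key Lifetime: 28800 seconds
        set remote-gw 203.0.113.10         # placeholder: Edge Gateway Local Endpoint
        set localid "onsite-fw"            # placeholder: the Peer ID you entered on the Edge
        set dpd on-idle                    # Dead Peer Detection: Enabled (FortiOS 5.4+)
        set keepalive 10                   # Keepalive Frequency: 10
        set psksecret "REPLACE_WITH_PSK"   # placeholder: same value as the Edge Pre-Shared Key
    next
end
config vpn ipsec phase2-interface
    edit "vcd-edge-p2"
        set phase1name "vcd-edge"
        set proposal aes256-sha1           # Encryption AES256, Authentication SHA1
        set replay enable                  # Enable replay detection: Yes
        set pfs enable                     # Enable Perfect forward secrecy (PFS): Yes
        set dhgrp 5                        # same group as Phase 1 and the Edge Gateway
        set keylifeseconds 3600            # Key Lifetime: 3600 seconds
        set keepalive disable              # Autokey Keep Alive: No
        set src-subnet 192.168.10.0 255.255.255.0   # placeholder: onsite subnet (Edge Peer Subnet)
        set dst-subnet 10.10.0.0 255.255.255.0      # placeholder: hosted subnet (Edge Local Subnet)
    next
end
```

The Local ID and Peer ID, the DH group and the proposal must agree on both ends; a mismatch in any of these is the usual reason Phase 1 never completes.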
All other settings will depend on your particular customer network.
If you require further assistance, please contact our Service Desk by emailing support@vgrid.nz