VMware Cloud Director Edge Gateway - VPN changes

With the release of vCloud Director 9.0, the default VPN parameters changed. The main change is that the default Diffie-Hellman (DH) Group selection has gone from 2 to 14.


All existing VPNs retain their configuration parameters and should work normally. However, if any changes are made to an existing VPN configuration, or the VPN configuration is removed and/or a new configuration added, then the new DH Group parameter will be applied.

Your VPN endpoint device will need to have DH Group 14 selected to allow negotiation; otherwise the tunnel cannot establish.


Fortunately, most VPN endpoint devices can support multiple encryption parameters, so we recommend that you add support for DH Group 14 to your existing configurations to avoid disruption in the future. Please do not remove DH Group 2 if your tunnel is currently working, as this will also stop your tunnel from being able to establish.


Our testing has found that an Edge Gateway redeployment does not seem to cause the change in parameters, but any editing of the VPN configuration, or any attempt to disable a VPN tunnel, will cause the DH Group to change from 2 to 14.


This setting cannot be seen in the vCloud Director GUI, so it is not apparent when this has happened. Our support desk staff can check for you, but if you configure your VPN endpoint device for both DH Group possibilities the tunnel should work just fine.
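
Because the change is not visible in the GUI, the log on your own VPN endpoint is the place where a DH Group mismatch shows up. The following is an added example, not part of the original notice or of any VMware tooling: it assumes an endpoint that logs IKE proposals in the strongSwan style, and the sample log lines (including the cipher and hash names) are constructed for illustration.

```python
import re

# IKE DH group number -> transform name as it appears in strongSwan-style proposals.
DH_GROUPS = {2: "MODP_1024", 14: "MODP_2048"}

# Constructed sample: the Edge Gateway now proposes group 14, while the local
# endpoint is still configured for group 2 only (log format is an assumption).
SAMPLE_LOG = """\
10[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
10[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
10[IKE] no proposal found
"""

PROPOSAL_RE = re.compile(r"(received|configured) proposals: (.+)$")


def dh_groups(proposals):
    """Return the set of DH group numbers (2 and/or 14) named in a proposal list."""
    names = set(re.findall(r"MODP_\d+", proposals))
    return {num for num, name in DH_GROUPS.items() if name in names}


def diagnose(log_text):
    """Compare the peer's offered DH groups with the locally configured ones."""
    seen = {"received": set(), "configured": set()}
    for line in log_text.splitlines():
        match = PROPOSAL_RE.search(line)
        if match:
            seen[match.group(1)] |= dh_groups(match.group(2))
    offered, local = seen["received"], seen["configured"]
    return {
        "peer_offers": sorted(offered),
        "local_accepts": sorted(local),
        # Mismatch: the peer offered something, but no group is shared.
        "mismatch": bool(offered) and not (offered & local),
        # Groups to add locally; nothing is ever suggested for removal.
        "add_locally": sorted(offered - local),
        # True when the endpoint already accepts both 2 and 14.
        "covers_both": {2, 14} <= local,
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A result with `mismatch` set and `add_locally` containing 14 corresponds to the situation described above: the Edge Gateway has moved to DH Group 14 and the endpoint still accepts only Group 2.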


If you have any queries, please feel free to contact our friendly support team at support@vgrid.nz