vCloud Air - Creating an IPSEC VPN Connection

This guide shows you how to create an IPsec VPN between a local vSphere instance with a vCloud Networking and Security Edge Gateway and a remote vCloud Air instance. The goal behind this architecture is flexibility and security. For example, say you have an internal SharePoint application that you want to make available to customers on the Internet, but you don’t want to compromise your firewalls to give them access to port 80. You can create a different SharePoint Server in vCloud Air and, using the VPN, still make it part of the same farm in the local vSphere environment. The Internet traffic stays in vCloud Air, while the VPN traffic goes through the IPsec tunnel so that the SharePoint Server can talk to the local application.


1. Review the Architecture Diagram

This architecture diagram gives an overview of what is being built.



Key points about the diagram are as follows:

  • There is a vSphere instance on the left, which includes a routed network that goes through a vCloud Networking and Security Edge Gateway
  • There are a number of virtual machines connected to this Edge device, which we want to connect to the virtual machines in vCloud Air. To do this, we have to create an IPsec VPN between the Edge Gateway in vCloud Air and the Edge Gateway in the local environment.
  • Another router sits between the local Edge device and the Internet, which creates some address translation issues. This scenario is fairly typical. In vCloud Air, the Edge Gateway sits with an interface right on the Internet, but this usually isn’t the case in on-premises environments.

2. Set Up the vCloud Air VPN Endpoint


To set up the network on the vCloud Air side, you need to open the firewalls, create the VPN endpoint, and designate peer networks. You can use the vCloud Director UI for these tasks. To access the vCloud Director UI:

  1. If you’re not already logged in, go to https://vchs.vmware.com/login and log in to vCloud Air.
  2. From the Dashboard, click the desired virtual data center.
  • In this example, we use the SHAREPOINT virtual data center.



3. Click the Gateways tab, and then click Manage in vCloud Director.



Open the Firewalls
The first thing you need to do is open the firewalls to allow IPsec traffic through. Looking at the diagram, that means ESP and AH (IP protocols 50 and 51; these are protocol numbers, not TCP/UDP ports, even though the diagram lists them alongside the ports) plus UDP port 500 for IKE and UDP port 4500 for NAT traversal. Because the on-premises Edge Gateway sits behind a router that does address translation, the tunnel will negotiate NAT traversal, so UDP 4500 is not optional in this design.

  1. On the Administration screen of the vCloud Director UI, go to the Edge Gateways tab, click the gateway, and then select Edge Gateway Services.



  2. In the Configure Services: window, click the Firewall tab and then create or modify the firewalls, as needed.
  • Here you can see firewall rules that were set up previously for another purpose; they are more open than is typical.
  • Because these rules already allow traffic of any protocol in and out of the Edge Gateway, they accommodate IPsec without changes, so for this example the firewalls do not need modification. In your own environment you will want rules scoped to what the tunnel needs (UDP 500, UDP 4500 and ESP, in both directions, restricted to the peer's public address) rather than a blanket allow, because the blanket rule admits everything else as well.
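The following is an added example, not part of this guide or of vCloud Director. It models an Edge-style firewall as a first-match, default-deny rule list (an assumption; check how your gateway actually evaluates rules) and checks whether a rule set admits the flows an IPsec tunnel to one peer needs: IKE on UDP 500, NAT traversal on UDP 4500 and ESP (IP protocol 50), in both directions. It also flags the kind of wide-open rule shown in the screenshots. The rule sets and addresses below are constructed from the figures in this guide.

```python
"""Check that an Edge-style firewall rule set admits the flows an IPsec peer needs.

Model (an assumption, not the vCloud Director rule engine): rules are
evaluated first-match from top to bottom and anything unmatched is denied.
Source/destination are "any", a single IPv4 address, or a CIDR block.
Protocol is "any", "udp", "tcp", "esp" (IP protocol 50) or "ah" (IP protocol 51);
the port field only applies to udp/tcp.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Union

Port = Union[int, str]  # an integer or "any"


@dataclass(frozen=True)
class Rule:
    action: str         # "allow" or "deny"
    protocol: str       # "any", "udp", "tcp", "esp", "ah"
    source: str         # "any", IPv4 address, or CIDR
    destination: str    # "any", IPv4 address, or CIDR
    port: Port = "any"  # destination port; ignored unless protocol is udp/tcp


@dataclass(frozen=True)
class Flow:
    protocol: str
    source: str         # literal IPv4 address
    destination: str    # literal IPv4 address
    port: Port = "any"


def _address_matches(rule_field: str, address: str) -> bool:
    if rule_field == "any":
        return True
    return ipaddress.ip_address(address) in ipaddress.ip_network(rule_field, strict=False)


def _rule_matches(rule: Rule, flow: Flow) -> bool:
    if rule.protocol != "any" and rule.protocol != flow.protocol:
        return False
    if flow.protocol in ("udp", "tcp") and rule.port != "any" and rule.port != flow.port:
        return False
    return _address_matches(rule.source, flow.source) and _address_matches(rule.destination, flow.destination)


def decide(rules: List[Rule], flow: Flow, default: str = "deny") -> str:
    """First matching rule wins; the default applies when nothing matches."""
    for rule in rules:
        if _rule_matches(rule, flow):
            return rule.action
    return default


def ipsec_flows(local_ip: str, peer_ip: str, use_ah: bool = False) -> List[Flow]:
    """The flows an IPsec tunnel needs in each direction: IKE on UDP/500,
    NAT traversal on UDP/4500 and ESP (protocol 50). AH (protocol 51) is
    only needed if the tunnel policy actually uses it."""
    protocols = [("udp", 500), ("udp", 4500), ("esp", "any")]
    if use_ah:
        protocols.append(("ah", "any"))
    flows = []
    for proto, port in protocols:
        flows.append(Flow(proto, peer_ip, local_ip, port))   # inbound from the peer
        flows.append(Flow(proto, local_ip, peer_ip, port))   # outbound to the peer
    return flows


def blocked_ipsec_flows(rules: List[Rule], local_ip: str, peer_ip: str, use_ah: bool = False) -> List[Flow]:
    """Flows the rule set would drop; an empty list means the tunnel can negotiate."""
    return [f for f in ipsec_flows(local_ip, peer_ip, use_ah) if decide(rules, f) != "allow"]


def overly_broad_rules(rules: List[Rule]) -> List[Rule]:
    """Allow rules with any protocol from any source: they admit IPsec, but everything else too."""
    return [r for r in rules if r.action == "allow" and r.protocol == "any" and r.source == "any"]


# Constructed sample data using the addresses from this guide: the vCloud Air
# Edge sits on 69.194.137.230; the on-premises site is reached at 68.108.102.47.
EDGE_IP = "69.194.137.230"
PEER_IP = "68.108.102.47"

# A rule set like the one in the screenshots: wide open, so IPsec works by accident.
OPEN_RULES = [Rule("allow", "any", "any", "any")]

# A scoped rule set that admits only what the tunnel to this one peer needs.
SCOPED_RULES = [
    Rule("allow", "udp", PEER_IP, EDGE_IP, 500),
    Rule("allow", "udp", PEER_IP, EDGE_IP, 4500),
    Rule("allow", "esp", PEER_IP, EDGE_IP),
    Rule("allow", "udp", EDGE_IP, PEER_IP, 500),
    Rule("allow", "udp", EDGE_IP, PEER_IP, 4500),
    Rule("allow", "esp", EDGE_IP, PEER_IP),
]

if __name__ == "__main__":
    for name, rules in (("open", OPEN_RULES), ("scoped", SCOPED_RULES)):
        blocked = blocked_ipsec_flows(rules, EDGE_IP, PEER_IP)
        print(f"{name}: {len(blocked)} IPsec flows blocked, {len(overly_broad_rules(rules))} overly broad rules")
```

Both rule sets let the tunnel come up, but only the scoped one also denies, say, TCP 80 from the peer. Dropping the two UDP 4500 rules from the scoped set is the common mistake when the far side is behind NAT: IKE on UDP 500 still succeeds and the tunnel then fails to carry traffic.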



Create the VPN

The next task is to create the VPN between the local and remote networks. Remember that when you create a VPN, everything is configured from one's own point of view. So here, because you are in vCloud Air, local refers to the vCloud Air environment instead of the vSphere environment. Returning to the diagram, for creating the VPN in this example, the local network is 192.168.109.0/24 in vCloud Air, and you want to connect to the 10.0.10.0/24 network in the on-premises vSphere environment.

  1. Still in the Configure Services: window, move to the VPN tab and click the Add button.



  2. In the VPN Configuration window, name the VPN.
  • In this example, the VPN is named Sharepoint-vSphere. This name can serve as a reminder that you want it to connect to the local vSphere instance.

3. Choose to establish the VPN to a remote network, and then verify the local network.

  • In this case, the local network is 192.168.109.0.



Designate Peer Networks

The final task for setting up the network on the vCloud Air side is to designate peer networks. Again, when you create a VPN, everything is configured from one's own point of view. Because you're in vCloud Air, peer refers to the vSphere environment. The peer network is the one you're trying to reach. Back on the diagram, it's the 10.0.10.0/24 network in the on-premises vSphere environment.

  1. Returning to the VPN Configuration window, enter the full peer network address and set the local endpoint.
  • In this example, the full peer network address is 10.0.10.0/24.
  • Here, the local endpoint is a designated Internet-based network.



2. Enter the local ID.

  • The local ID is the external (Internet-facing) address of the vCloud Air Edge Gateway. This is where the VPN connection terminates on this side, and it is also the identity this Edge presents to the peer during IKE negotiation.
  • You can get this IP address by looking at the allocated IP addresses on the external network of the Edge Gateway.
  • In this example, the IP address that was assigned during the creation of the virtual data center is 69.194.137.230.

3. Enter the peer ID.

  • The peer ID is the address of the remote device that terminates the VPN, that is, the outside interface of the on-premises Edge Gateway. In this example it is a private address, because that interface sits behind the router that does address translation rather than directly on the Internet.
  • In this example, the peer ID is 10.0.1.150.

4. Enter the peer IP.

  • The peer IP is the public address on the router in front of the on-premises Edge Gateway that is translated to the internal peer ID. It is the address vCloud Air actually sends the tunnel packets to.
  • In this example, the peer IP is 68.108.102.47.



Peer ID vs. Peer IP: What’s the Difference?

To better understand the difference between the peer ID and peer IP, look again at the architecture diagram. The peer ID is the internal address shown in the red box; the peer IP is the external address shown in the blue box. vCloud Air can only reach the external address, but the device that actually terminates the tunnel is the Edge Gateway behind it, so the peer ID identifies the gateway and the peer IP is how you get to it. Put differently: the ID is the outside interface of the on-premises Edge Gateway, and the IP is whatever address the external router translates that interface to. If the two are entered the wrong way around, IKE negotiation fails, because the identity the remote gateway presents does not match the peer ID configured here.



5. Select the Show Key box and copy the shared key. This pre-shared key is the only thing authenticating the two gateways to each other, so keep the generated value rather than replacing it with a short, memorable one, and move it to the other side over a channel you trust, not by email or chat.

3. Set Up the On-Premises vSphere VPN Endpoint


With the VPN configured in the virtual data center inside vCloud Air, it’s now time to configure it in the vSphere environment. This is basically the same process in reverse. To set up the network on the on-premises side, you start by using a shortcut to prepopulate the peer settings and then move to configuring the VPN.

Gather the Peer Settings

An especially helpful shortcut in this process is to gather the peer settings from vCloud Air:

  1. Back on the Administration screen for the vCloud Air instance, go to the Edge Gateways tab, click the gateway, and then select Edge Gateway Services.



  2. In the Configure Services: window, click the VPN tab, and then click the Peer Settings button.



  3. In the VPN Peer Settings window, note that the settings reflect what they need to be on the remote side.


Configure the VPN

Now it’s time to move to the remote side—the vSphere on-premises instance. Just like the vCloud Air side, you use the vCloud Director UI to configure the VPN endpoint here.

  1. On the Administration screen of the vCloud Director UI, go to the Edge Gateways tab, click the gateway, and then select Edge Gateway Services.
  2. In the Configure Services: Sharepoint Gateway window, go to the VPN tab, and then click the Add button.



  3. In the VPN Configuration window, name the VPN and choose to establish it to a remote network.
  • In this example, the VPN is named Sharepoint-vCHS.

4. Retrieve the addresses for the local network and peer network from the gathered peer settings that were listed in vCloud Air.

  • Remember that we are now on the vSphere side, so we are actually going the other way.
  • In this example, the local network is now 10.0.10.0, and the peer network is 192.168.109.0/24. (Again, the peer network is the one we’re trying to reach.)

5. Select the local endpoint and retrieve the local ID address from the gathered peer settings that were listed in vCloud Air.

  • In this example, the local endpoint—which is the name of the external network—is called Internet.
  • The local ID is 10.0.1.150.


6. Retrieve the addresses for the peer ID and peer IP from the gathered peer settings that were listed in vCloud Air.

  • In vCloud Air, the Edge Gateway sits directly on the Internet with no router between.
  • This means that the peer ID and peer IP usually are exactly the same because you can get directly to the gateway without worrying about address translations.
  • In this example, the peer ID is 69.194.137.230, and the peer IP used to actually get there is also 69.194.137.230.


7. Select the Show Key box, but instead of letting the key auto-generate, paste the shared key that you copied earlier on the other side.



8. Click OK to create the VPN.
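The two VPN definitions above (the vCloud Air side in step 2 and the on-premises side here) must mirror each other exactly: each side's local network is the other side's peer network, each side's local ID is the other side's peer ID, and the peer IP is whatever address is actually reachable on the Internet for the other Edge (its local ID when it sits directly on the Internet, or the NAT address of the router in front of it). The following is an added checker, not a vCloud Director feature or code from this guide; the endpoint record, the `nat_address` field and the shared-key placeholder are assumptions introduced for the example, and the addresses are the ones used in this guide.

```python
"""Cross-check the two ends of an Edge-to-Edge IPsec VPN for the mirror
relationship this guide describes: each side's local network is the other
side's peer network, each side's local ID is the other side's peer ID, and
the peer IP is whatever address is reachable on the Internet for the other
Edge (its local ID, or the NAT address a router in front of it presents).
This is an added checker, not a vCloud Director feature."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class VpnEndpoint:
    name: str
    local_network: str                 # network behind this Edge (CIDR)
    peer_network: str                  # network behind the other Edge (CIDR)
    local_id: str                      # this Edge's outside-interface address (its IKE identity)
    peer_id: str                       # the other Edge's outside-interface address
    peer_ip: str                       # address used to reach the other Edge across the Internet
    shared_key: str
    nat_address: Optional[str] = None  # public address a router translates local_id to; None if on the Internet


def reachable_address(ep: VpnEndpoint) -> str:
    """What the far side must enter as peer IP to reach this Edge."""
    return ep.nat_address or ep.local_id


def _net(cidr: str):
    return ipaddress.ip_network(cidr, strict=False)


def _check_view(a: VpnEndpoint, b: VpnEndpoint) -> List[str]:
    """Problems in how endpoint a describes endpoint b."""
    problems = []
    if _net(a.peer_network) != _net(b.local_network):
        problems.append(f"{a.name}: peer network {a.peer_network} is not {b.name}'s local network {b.local_network}")
    if a.peer_id != b.local_id:
        problems.append(f"{a.name}: peer ID {a.peer_id} is not {b.name}'s local ID {b.local_id}")
    if a.peer_ip != reachable_address(b):
        problems.append(f"{a.name}: peer IP {a.peer_ip} will not reach {b.name}, which is reachable at {reachable_address(b)}")
    if _net(a.local_network).overlaps(_net(a.peer_network)):
        problems.append(f"{a.name}: local network {a.local_network} overlaps peer network {a.peer_network}; the tunnel cannot route between them")
    return problems


def check_pair(a: VpnEndpoint, b: VpnEndpoint) -> List[str]:
    """All mismatches between the two definitions; an empty list means they mirror each other."""
    problems = _check_view(a, b) + _check_view(b, a)
    if a.shared_key != b.shared_key:
        problems.append("shared key differs between the two sides")
    elif len(a.shared_key) < 20:
        problems.append("shared key is short; use the generated key or a long random one")
    return problems


# Constructed sample data with the addresses from this guide. The key is a
# placeholder standing in for the generated one, not a real secret.
KEY = "example-only-placeholder-shared-key-0123456789"

CLOUD = VpnEndpoint(
    name="Sharepoint-vSphere", local_network="192.168.109.0/24", peer_network="10.0.10.0/24",
    local_id="69.194.137.230", peer_id="10.0.1.150", peer_ip="68.108.102.47", shared_key=KEY,
)
ONPREM = VpnEndpoint(
    name="Sharepoint-vCHS", local_network="10.0.10.0/24", peer_network="192.168.109.0/24",
    local_id="10.0.1.150", peer_id="69.194.137.230", peer_ip="69.194.137.230", shared_key=KEY,
    nat_address="68.108.102.47",
)

if __name__ == "__main__":
    for line in check_pair(CLOUD, ONPREM) or ["both sides mirror each other"]:
        print(line)
```

The most common slip this catches is the one the "Peer ID vs. Peer IP" note warns about: typing the on-premises Edge's private outside address (10.0.1.150) as the peer IP on the vCloud Air side, which can never be reached across the Internet. The overlap check is there because the two networks being joined must not share address space, or the Edge has no way to decide which traffic belongs in the tunnel.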

4. Verify the VPN Connection


Finally, you can verify that the IPsec VPN has been created successfully by comparing the VPN status in both the vSphere on-premises instance and the vCloud Air instance. A green status only shows that the two gateways negotiated the tunnel; to confirm that traffic actually flows, ping a VM on the peer network from a VM on the local network at each site. If the tunnel is up but the pings fail, check the Edge firewall rules for the two internal networks before revisiting the VPN settings.

  1. Return to the VPN tab of the vSphere network and note that the VPN status shows no errors.
  • The status column has a green checkmark to show that there are no outstanding issues.

2. Switch to the same tab of the vCloud Air network and verify that the VPN status matches.



VPN tab, vSphere network



VPN tab, vCloud Air network