This guide shows you how to create an IPsec VPN between a local vSphere instance with a vCloud Networking and Security Edge Gateway and a remote vCloud Air instance. The goal behind this architecture is flexibility and security. For example, say you have an internal SharePoint application that you want to make available to customers on the Internet, but you don't want to open your perimeter firewalls to give them port 80 access into the internal network. You can create a separate SharePoint Server in vCloud Air and, using the VPN, still make it part of the same farm in the local vSphere environment. The Internet traffic terminates in vCloud Air, while the farm traffic goes through the IPsec tunnel so that the SharePoint Server in vCloud Air can talk to the local application.
This architecture diagram gives an overview of what is being built.
Key points about the diagram are as follows:
To set up the network on the vCloud Air side, you need to open the firewalls, create the VPN endpoint, and designate peer networks. You can use the vCloud Director UI for these tasks. To access the vCloud Director UI:
3. Click the Gateways tab, and then click Manage in vCloud Director.
Open the Firewalls
The first thing you need to do is open the firewalls to allow IPsec traffic through. Taking a look at the diagram, you can see that means IP protocols 50 (ESP) and 51 (AH), which are protocol numbers rather than ports, plus UDP ports 500 (IKE) and 4500 (NAT-Traversal). Rules written as "TCP/UDP port 50" or "port 51" will not match ESP or AH packets, so check how your firewall expresses protocol-level rules. UDP 4500 is required whenever one gateway sits behind a NAT device, which is the case for the on-premises Edge Gateway in this example.
Create the VPN
The next task is to create the VPN between the local and remote networks. Remember that when you create a VPN, everything is configured from one's own point of view. So here, because you are in vCloud Air, local refers to the vCloud Air environment instead of the vSphere environment. Returning to the diagram, for creating the VPN in this example, the local network is 192.168.109.0 in vCloud Air, and you want to connect to the 10.0.10.0 network in the on-premises vSphere environment.
3. Choose to establish the VPN to a remote network, and then verify the local network.
Designate Peer Networks
The final task for setting up the network on the vCloud Air side is to designate peer networks. Again, when you create a VPN, everything is configured from one's own point of view. Because you're in vCloud Air, peer refers to the vSphere environment. The peer network is the one you're trying to reach. Back on the diagram, it's the 10.0.10.0 network in the on-premises vSphere environment.
2. Enter the local ID.
3. Enter the peer ID.
4. Enter the peer IP.
Peer ID vs. Peer IP: What’s the Difference?
To better understand the difference between the peer ID and peer IP, let's review the architecture diagram. The peer ID is the internal address shown in the red box, but the peer IP is the external address shown in the blue box. The peer IP is the address vCloud Air can actually reach, whereas the peer ID is the identity the remote gateway presents during IKE authentication; in other words, the peer IP is how you get to the peer ID. On the diagram, the ID is the actual outside interface on the Edge Gateway, but the IP that vCloud Air must send packets to is whatever that interface is translated to by the external router. The two differ precisely because the Edge Gateway sits behind NAT: its IKE identity does not match the source address its packets arrive from, so IKE negotiates NAT-Traversal over UDP 4500, and the ID you enter here must exactly match the local ID configured on the vSphere side, or phase 1 of the negotiation fails.
5. Select the Show Key box and copy the shared key. This pre-shared key is the only thing authenticating the two gateways to each other, so transfer it over a trusted channel and do not reuse it for another tunnel.
With the VPN configured in the virtual data center inside vCloud Air, it’s now time to configure it in the vSphere environment. This is basically the same process in reverse. To set up the network on the on-premises side, you start by using a shortcut to prepopulate the peer settings and then move to configuring the VPN.
Gather the Peer Settings
An especially helpful shortcut in this process is to gather the peer settings from vCloud Air:
Configure the VPN
Now it’s time to move to the remote side—the vSphere on-premises instance. Just like the vCloud Air side, you use the vCloud Director UI to configure the VPN endpoint here.
4. Retrieve the addresses for the local network and peer network from the gathered peer settings that were listed in vCloud Air.
5. Select the local endpoint and retrieve the local ID address from the gathered peer settings that were listed in vCloud Air.
6. Retrieve the addresses for the peer ID and peer IP from the gathered peer settings that were listed in vCloud Air.
7. Select the Show Key box, but instead of letting the key auto-generate, paste the shared key that you copied earlier on the other side.
8. Click OK to create the VPN.
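The two sides of this procedure are mirror images: local and peer swap, the IDs cross over, the peer IP is whatever address the other gateway is reachable at after NAT, and the pre-shared key must be identical. Below is an added example, written for this page and not VMware code, that models both ends of the tunnel as data, derives the vSphere side from the vCloud Air side the way steps 4 through 7 do by hand, and runs the pre-flight checks that explain most failed tunnels: mismatched peer networks or IDs, overlapping subnets, a mistyped key, and firewall rules that miss ESP/AH or UDP 4500. The networks come from the text (192.168.109.0 and 10.0.10.0, with /24 masks assumed); the gateway and NAT addresses 203.0.113.10, 198.51.100.7 and 172.16.1.2 are constructed placeholders that do not appear in the walkthrough.

```python
"""Pre-flight consistency check for a site-to-site IPsec VPN whose two ends
are each configured from their own point of view.  Added example, not VMware
code: networks from the walkthrough (/24 assumed); gateway and NAT addresses
are constructed placeholders."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Traffic the firewalls must pass for IPsec.  ESP (50) and AH (51) are IP
# protocol numbers, not ports; IKE (500) and NAT-T (4500) are UDP ports.
IPSEC_FIREWALL_RULES: FrozenSet[Tuple[str, int]] = frozenset({
    ("ip", 50),     # ESP: the encrypted tunnel payload
    ("ip", 51),     # AH: authentication-only header
    ("udp", 500),   # IKE / ISAKMP key exchange
    ("udp", 4500),  # NAT-Traversal: IKE and ESP wrapped in UDP through NAT
})


@dataclass(frozen=True)
class VpnSide:
    """One gateway's view of the tunnel."""
    name: str
    local_network: str  # subnet behind this gateway
    peer_network: str   # subnet behind the other gateway
    local_id: str       # IKE identity this gateway presents (its uplink address)
    peer_id: str        # IKE identity expected from the other gateway
    peer_ip: str        # address packets are sent to (the NAT address, if any)
    psk: str            # pre-shared key; must be identical on both sides


def mirror(side: VpnSide, name: str, public_ip: Optional[str] = None) -> VpnSide:
    """Derive the other end's settings from this end's: local and peer swap.

    `public_ip` is the address at which *this* gateway is reachable from the
    other side; omit it when this gateway's uplink address is itself public.
    """
    return VpnSide(
        name=name,
        local_network=side.peer_network,
        peer_network=side.local_network,
        local_id=side.peer_id,
        peer_id=side.local_id,
        peer_ip=public_ip or side.local_id,
        psk=side.psk,
    )


def behind_nat(side: VpnSide) -> bool:
    """True when the peer's IKE identity is not the address we send to,
    i.e. the peer gateway sits behind NAT and IKE must use NAT-T (UDP 4500)."""
    return side.peer_id != side.peer_ip


def validate(a: VpnSide, b: VpnSide,
             fw_a: FrozenSet[Tuple[str, int]],
             fw_b: FrozenSet[Tuple[str, int]]) -> List[str]:
    """Return the problems that would keep the tunnel down (empty list = OK)."""
    problems: List[str] = []
    net_a = ipaddress.ip_network(a.local_network)
    net_b = ipaddress.ip_network(b.local_network)
    if net_a.overlaps(net_b):
        problems.append(f"local networks overlap: {net_a} / {net_b}")
    for x, y in ((a, b), (b, a)):
        if x.peer_network != y.local_network:
            problems.append(f"{x.name}: peer network {x.peer_network} is not "
                            f"{y.name}'s local network {y.local_network}")
        if x.peer_id != y.local_id:
            problems.append(f"{x.name}: peer ID {x.peer_id} does not match "
                            f"{y.name}'s local ID {y.local_id}")
    if a.psk != b.psk:
        problems.append("pre-shared keys differ")
    for side, rules in ((a, fw_a), (b, fw_b)):
        for proto, num in sorted(IPSEC_FIREWALL_RULES - rules):
            problems.append(f"{side.name}: firewall blocks {proto}/{num}")
    return problems


# Constructed walkthrough data.  vCloud Air gateway: public uplink
# 203.0.113.10 in front of 192.168.109.0/24.  On-premises Edge Gateway:
# uplink 172.16.1.2 behind a corporate router that NATs it to 198.51.100.7.
VCLOUD_AIR = VpnSide(
    name="vCloud Air", local_network="192.168.109.0/24",
    peer_network="10.0.10.0/24", local_id="203.0.113.10",
    peer_id="172.16.1.2", peer_ip="198.51.100.7",
    psk="constructed-example-psk",
)
# The vSphere side is the mirror image; its peer IP is the vCloud Air uplink.
VSPHERE = mirror(VCLOUD_AIR, "vSphere")

if __name__ == "__main__":
    print(VSPHERE)
    print("on-premises Edge behind NAT:", behind_nat(VCLOUD_AIR))
    print(validate(VCLOUD_AIR, VSPHERE, IPSEC_FIREWALL_RULES, IPSEC_FIREWALL_RULES))
```

Run it as-is and `validate` returns an empty list; change the pasted key on one side, or drop `("udp", 4500)` from one firewall rule set, and it names the exact step that was done wrong. `behind_nat(VCLOUD_AIR)` is true because the Edge Gateway's ID (172.16.1.2) differs from the address vCloud Air sends to (198.51.100.7), which is the situation the Peer ID vs. Peer IP section describes.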
Finally, you can verify that the IPsec VPN has been created successfully by comparing the VPN status in both the vSphere on-premises instance and the vCloud Air instance.
2. Switch to the same tab of the VMware Cloud Providers and verify that the VPN status matches.
VPN tab, vSphere network
VPN tab, VMware Cloud Providers