Configure IPSec VPN tunnels in Cloud Director 10.x 1

Configure IPSec VPN tunnels in Cloud Director 10.x

This is a quick blog post on how to configure IPSec VPN tunnels in Cloud Director with a NSX-T backed Edge node. To get this working, we need to configure the remote endpoint with the matching IPSec VPN configurations as in Cloud Director.

Requirements

In order to configure a site to site IPSec VPN tunnel in Cloud Director, you need to have the following requirements in place. These settings need to be matched with the remote endpoint configuration to perform a successful negotiation and have an active IPSec tunnel.
For more information on configuring IPSec VPN tunnels, you can have a look at the documentation at VMware.

Make sure to have the following information:

  • Pre-shared Key or Certificate
  • Local Endpoint IP Address
  • Local Endpoint Networks
  • Remote Endpoint IP Address
  • Remote Endpoint Networks
  • IKE Security Profile Settings
  • Tunnel Security Profile Settings

Configure IPSec VPN tunnel

To configure IPSec VPN tunnel in Cloud Director, login to Cloud Director as tenant and click on Networking –> Edge Gateways and click on the Edge that will be used for the IPSec VPN Tunnel.

IPSec VPN Tunnel
Select the Edge node to configure the IPSEC VPN Tunnel

Click on NEW to open the “Add IPSec VPN Tunnel” wizard.

Cloud Director
Click on NEW

In the General Settings, we need to enter a Name. (I have configured other options as default)

IPSec VPN Tunnel Security Settings
Enter the Name

In this example, I’m using the Pre-Shared Key as authentication mode.

Note:

Keep in mind that the Pre-Shared Key need to match the Pre-Shared Key in the remote endpoint
Authentication Mode Cloud DIrector
Enter the Pre-Shared Key

Next step is to configure the Endpoint Configuration. Enter a public IP Address that is available on the Edge as Local Endpoint IP Address and configure an local IP subnet in the Networks field, that you would like to use for the IPSec VPN tunnel.

As for the Remote Endpoint section, we need to enter the public IP Address from the remote endpoint in the Remote Endpoint IP Address and configure a remote IP subnet in the Networks field.

Cloud DIrector
Endpoint Configuration
Configure the Endpoint Configuration
Overview Cloud Director
Review the settings and click on Finish

When we check the statistics of the IPSec VPN tunnel, you will see that the tunnel is down. This is because of the IKE and Tunnel Security Settings that has not yet been configured with the correct settings. We will configure these settings in the next steps.

Statistics IPSec VPN Tunnel
The IPSec VPN tunnel is down.

In the IPSec VPN view, select the IPsec VPN tunnel and click on Security Profile Configuration to configure the settings.

Configure Security Profile Customization
Click on Security Profile Customization.

Enter the Customize Security Profile with the desired security settings that has been agreed with the remote endpoint.

Note:

Keep in mind that the security settings need to match the security settings in the remote endpoint
Security Profile
Enter the Security Profile Settings

After a few minutes, you will see that the tunnel and IKE status will be shown as “Up” in the statistics of the IPSec VPN tunnel.

Statistics IPSec VPN Tunnel
Tunnel and IKE status is UP.

We now have succesfully configured an IPSec VPN tunnel between Cloud Director and a remote endpoint (in my case a Palo Alto endpoint).

Final Words

When the IPSec VPN tunnel is up and running, you should be able to communicate between the local endpoint networks and the remote endpoint networks. If you are still unable to communicate between the local and remote subnet, you should check the firewall settings on the virtual or physical network.

Leave a Comment