Advanced Networking Services Guide
Table Of Contents
- vCloud Air Advanced Networking Services Guide
- Contents
- Preface
- Introducing Advanced Networking Services for vCloud Air
- Advanced Routing for vCloud Air
- Certificate and Security Group Management
- Network Security and Isolation
- Load Balancing
- Secure Access Using Virtual Private Networks
- IP Service Management: NAT and DHCP
- Index
You can deploy an edge gateway agent behind a NAT device. In this deployment, the NAT device translates
the VPN address of an edge gateway instance to a publicly accessible address facing the Internet. Remote
VPN routers use this public address to access the edge gateway instance. You can place remote VPN routers
behind a NAT device as well. You must provide the VPN native address and the VPN Gateway ID to set up
the tunnel. On both ends, static one-to-one NAT is required for the VPN address.
You can have a maximum of 64 tunnels across a maximum of 10 sites.
NOTE When you configure an IPsec VPN tunnel between a vCloud Air edge gateway and a physical
gateway VPN at a remote site, you cannot configure dynamic routing using BGP for that connection.
The following IPsec VPN algorithms are supported:
- 3DES192-CBC
- AES128-CBC
- DH-2
- DH-5
DH-2 and DH-5 are the Diffie-Hellman groups used for the IKE key exchange (1024-bit and 1536-bit MODP, respectively), not encryption algorithms. The remote gateway must offer a proposal that matches one of the listed ciphers and one of the listed groups, or the tunnel will not come up. Where the remote gateway supports it, prefer AES128-CBC with DH-5: 3DES is a legacy 64-bit block cipher and DH group 2 is the weaker of the two key exchanges.
For IPsec VPN configuration examples, see NSX Edge VPN Configuration Examples in the NSX
Administration Guide.
See also About Setting up an IPsec VPN Connection in the vCloud Air Networking Guide.
About Setting up an IPsec VPN Connection
Using the edge gateway, you can set up a tunnel between a local subnet and a peer subnet.
NOTE If you connect to a remote site via IPsec VPN, the IP address of that site cannot be learned by
Dynamic Routing on the uplink of the edge gateway.
1 Specify Global IPsec VPN Configuration on page 62
You can specify on a global level how your IPsec VPN connection to vCloud Air uses certificate
authentication and a pre-shared key.
2 Set up an IPsec VPN Connection to a Remote Site on page 63
This procedure provides the steps to create an IPsec VPN connection between vCloud Air and a
remote site. In this procedure, you configure the vCloud Air side of the connection.
Specify Global IPsec VPN Configuration
You can specify on a global level how your IPsec VPN connection to vCloud Air uses certificate
authentication and a pre-shared key.
vCloud Air authenticates the remote peer of an IPsec VPN connection with a pre-shared key (or, when enabled, a
certificate). Encryption alone does not tell you who is at the other end of the tunnel: without peer
authentication, anyone who can intercept the IKE exchange could negotiate a tunnel in place of the intended
site. Encrypting the connection provides confidentiality; the pre-shared key proves the identity of the other
party. Treat the key as a secret shared only by the two gateways, and use a long random value rather than a
short phrase.
Prerequisites
You must import server certificates, CA certificates, or CRLs before you can enable certificate authentication.
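The following pre-flight check is an added example, not VMware code from this guide: it encodes the constraints stated above (the supported ciphers and DH groups, the 64-tunnel and 10-site limits, the static one-to-one NAT requirement for a peer behind a NAT device, and pre-shared key authentication) and validates a planned set of tunnels before you configure the vCloud Air side. The `Tunnel` field names, the 16-byte minimum PSK length, and the "weak choice" warnings for 3DES and DH-2 are assumptions of this example, not rules from the guide.

```python
"""Pre-flight validator for a planned vCloud Air edge gateway IPsec VPN deployment.

Added example, not VMware's code. It checks a plan against the limits stated
in the guide and flags legacy algorithm choices. Field names, the PSK length
policy and the weak-choice warnings are assumptions made for illustration.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass

# Limits and supported algorithms as stated in the guide.
MAX_TUNNELS = 64
MAX_SITES = 10
SUPPORTED_ENCRYPTION = {"3DES192-CBC", "AES128-CBC"}
SUPPORTED_DH_GROUPS = {"DH-2", "DH-5"}

# Practitioner caveat (assumption, not from the guide): these are legacy choices.
WEAK_CHOICES = {
    "3DES192-CBC": "3DES is a legacy 64-bit block cipher; prefer AES128-CBC",
    "DH-2": "DH group 2 is 1024-bit MODP; prefer DH-5",
}
MIN_PSK_BYTES = 16  # assumed policy: at least 128 bits of pre-shared key material


@dataclass
class Tunnel:
    """One planned IPsec tunnel (field names are this example's own)."""
    site: str
    local_subnet: str
    peer_subnet: str
    encryption: str
    dh_group: str
    psk: str
    behind_nat: bool = False            # remote VPN router sits behind a NAT device
    static_one_to_one_nat: bool = False  # NAT device has a static 1:1 mapping for the VPN address


def check_tunnel(t: Tunnel) -> list[str]:
    """Hard errors: the tunnel cannot be configured as planned."""
    problems = []
    if t.encryption not in SUPPORTED_ENCRYPTION:
        problems.append(f"{t.site}: encryption {t.encryption} is not supported by the edge gateway")
    if t.dh_group not in SUPPORTED_DH_GROUPS:
        problems.append(f"{t.site}: DH group {t.dh_group} is not supported by the edge gateway")
    if not t.psk:
        problems.append(f"{t.site}: no pre-shared key; the peer cannot be authenticated")
    elif len(t.psk.encode()) < MIN_PSK_BYTES:
        problems.append(f"{t.site}: pre-shared key shorter than {MIN_PSK_BYTES} bytes")
    if t.behind_nat and not t.static_one_to_one_nat:
        problems.append(f"{t.site}: peer behind NAT requires static one-to-one NAT for the VPN address")
    return problems


def tunnel_warnings(t: Tunnel) -> list[str]:
    """Soft warnings: supported, but a stronger option exists."""
    return [f"{t.site}: {WEAK_CHOICES[c]}" for c in (t.encryption, t.dh_group) if c in WEAK_CHOICES]


def check_plan(tunnels: list[Tunnel]) -> dict:
    """Validate the whole plan, including the per-gateway tunnel and site limits."""
    sites = {t.site for t in tunnels}
    problems, warnings = [], []
    if len(tunnels) > MAX_TUNNELS:
        problems.append(f"plan has {len(tunnels)} tunnels; the maximum is {MAX_TUNNELS}")
    if len(sites) > MAX_SITES:
        problems.append(f"plan spans {len(sites)} sites; the maximum is {MAX_SITES}")
    for t in tunnels:
        problems += check_tunnel(t)
        warnings += tunnel_warnings(t)
    return {"ok": not problems, "problems": problems, "warnings": warnings,
            "tunnels": len(tunnels), "sites": len(sites)}


def generate_psk(nbytes: int = 32) -> str:
    """Random pre-shared key from the OS CSPRNG; configure it on both gateways out of band."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    # Constructed sample plan: one sound tunnel, one with legacy choices and a weak key.
    plan = [
        Tunnel("branch-a", "10.10.0.0/24", "192.168.1.0/24", "AES128-CBC", "DH-5", generate_psk()),
        Tunnel("branch-b", "10.10.1.0/24", "192.168.2.0/24", "3DES192-CBC", "DH-2", "vpn123",
               behind_nat=True),
    ]
    result = check_plan(plan)
    for line in result["problems"]:
        print("ERROR  ", line)
    for line in result["warnings"]:
        print("WARNING", line)
    print("plan ok" if result["ok"] else "plan rejected")
```

Run it before touching the edge gateway: the errors are the conditions the guide says will prevent a tunnel from being set up, while the warnings point at proposals you should tighten if the remote gateway allows it.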
vCloud Air Advanced Networking Services Guide
62 VMware, Inc.