Advanced Networking Services Guide

4 Complete the following settings for the IPsec VPN connection:

Option / Description

Enabled
    Select the checkbox to enable the connection between the two VPN
    endpoints.

Enable perfect forward secrecy (PFS)
    Select to generate unique public keys for all sessions your users initiate.
    Enabling PFS ensures that vCloud Air does not create a link between the
    edge gateway's private key and each session key. The compromise of a
    session key will not affect data other than that exchanged in the specific
    session protected by that particular key. Compromise of the server's
    private key cannot be used to decrypt archived sessions or future sessions.
    When PFS is enabled, IPsec VPN connections to vCloud Air experience a
    slight processing overhead.
    IMPORTANT: The unique session keys must not be used to derive any
    additional keys. Additionally, both sides of the IPsec VPN tunnel must
    support PFS for it to work.

Name
    (Optional) Enter a name for the connection.

Local Id
    Type the external IP address of the edge gateway instance, which is the
    public IP address of the edge gateway. This will be the Peer Id on the
    remote site.

Local Endpoint
    Type the network that is the local endpoint for the connection. The local
    endpoint specifies the network in vCloud Air on which the edge gateway
    transmits. Typically, the external network is the local endpoint.
    NOTE: If you are adding an IP-to-IP tunnel using a pre-shared key, the
    Local Id and the local endpoint IP can be the same.

Local Subnets
    Type the networks to share between the sites. Use a comma separator to
    type multiple subnets.
    NOTE: Enter a network range (not a specific IP address) by entering the
    IP address in CIDR format; for example, 192.168.99.0/24.

Peer Id
    Type the peer ID to uniquely identify the peer site. The peer ID is the
    public IP address of the remote device terminating the VPN connection.
    For peers using certificate authentication, this ID must be the common
    name in the peer's certificate. For PSK peers, this ID can be any string.
    VMware recommends that you use the public IP address of the VPN or an
    FQDN for the VPN service as the peer ID.
    When the peer IP address is from another organization VDC network,
    enter the native IP address of the peer. When NAT is configured for the
    peer, enter the private IP address of the peer.

Peer Endpoint
    Type the IP address of the peer site, which is the public IP address of the
    remote device to which you are connecting. When you leave this option
    blank, the edge gateway waits for the peer device to request a connection.
    NOTE: When NAT is configured for the peer, enter the public IP address
    that the device uses for NAT.

Peer Subnets
    Enter the remote network to which the VPN connects. Use a comma
    separator to type multiple subnets.
    NOTE: Enter a network range (not a specific IP address) by entering the
    IP address in CIDR format; for example, 192.168.99.0/24.

Encryption Algorithm
    Select the encryption type from the drop-down list.
    NOTE: The encryption type you select must match the encryption type
    configured on the remote site VPN device.

Authentication
    Select one of the following options:
    - PSK (Pre Shared Key)—Indicates that the secret key shared between
      vCloud Air and the peer site is to be used for authentication.
    - Certificate—Indicates that the certificate defined at the global level is
      to be used for authentication.
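The consistency rules the table above implies (subnets as CIDR ranges, Local Id mirrored as the remote Peer Id, matching encryption, PFS on both sides, Peer Id equal to the certificate common name for certificate peers) as an added pre-flight check in Python. This is example code, not part of the guide or of vCloud Air; the IpsecSite fields and the two constructed endpoints are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example: the fields of the settings table for one tunnel endpoint.
@dataclass
class IpsecSite:
    local_id: str         # public IP of this side's gateway; the other side's Peer Id
    local_subnets: str    # comma-separated CIDR list exactly as typed into the form
    peer_id: str
    peer_subnets: str
    encryption: str
    authentication: str   # "PSK" or "Certificate"
    pfs: bool
    cert_cn: str = ""     # common name of this side's certificate (certificate auth only)
def parse_subnets(text):
    """Split the comma-separated field; every entry must be a network range in CIDR form."""
    nets = set()
    for item in (s.strip() for s in text.split(",")):
        if "/" not in item:
            raise ValueError(f"{item!r} is not in CIDR format (for example 192.168.99.0/24)")
        # strict=True rejects a host address such as 192.168.99.5/24
        nets.add(ipaddress.ip_network(item, strict=True))
    return nets
def check_pair(a, b):
    """Return the list of mismatches between the two endpoints' settings (empty if consistent)."""
    problems, parsed = [], {}
    for side, site in (("A", a), ("B", b)):
        for fld in ("local_subnets", "peer_subnets"):
            try:
                parsed[side, fld] = parse_subnets(getattr(site, fld))
            except ValueError as e:
                problems.append(f"{side}.{fld}: {e}")
    if problems:
        return problems  # fix the address fields before comparing the two sides
    if (parsed["A", "local_subnets"] != parsed["B", "peer_subnets"]
            or parsed["B", "local_subnets"] != parsed["A", "peer_subnets"]):
        problems.append("Local Subnets of each side must equal Peer Subnets of the other")
    if a.encryption != b.encryption:
        problems.append("encryption algorithm must match on both sites")
    if a.pfs != b.pfs:
        problems.append("PFS must be enabled on both sides of the tunnel, or on neither")
    if a.authentication != b.authentication:
        problems.append("both sides must use the same authentication method")
    elif a.authentication == "Certificate":
        for side, site, other in (("A", a, b), ("B", b, a)):
            if site.peer_id != other.cert_cn:
                problems.append(f"{side}: Peer Id must be the common name in the peer's certificate")
    elif a.local_id != b.peer_id or b.local_id != a.peer_id:
        problems.append("with PSK, the Local Id of each side must be the Peer Id of the other")
    return problems
```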
vCloud Air Advanced Networking Services Guide
64 VMware, Inc.