Networking Guide

About IPsec VPN
Internet Protocol Security (IPsec) is a protocol suite for securing the IP packets of a communication session.
vCloud Air supports using IPsec to create a secure VPN connection between your vCloud Air service and a
remote site, such as your on-premises data center.
The gateway supports the following IPsec functionality for IPsec VPN connections between sites:
• Certificate authentication using pre-shared key mode
• IP unicast traffic (but not dynamic routing) between the gateway and remote VPN routers
• The ability to configure multiple subnets per remote VPN router to connect an IPsec VPN to a gateway network on the gateway's inside interface
  NOTE: The VPN router subnets and the gateway network cannot have overlapping IP address ranges. They must use different subnets because the IPsec VPN connection requires that they have different local endpoint IP addresses.
• A maximum of 64 IPsec VPN connections across a maximum of 10 sites
• Deploying a gateway behind a NAT device to translate the gateway's VPN IP address to a public IP address accessible from the Internet. Remote VPN routers use the public IP address to access the gateway.
• Deploying remote VPN routers behind a NAT device. When deploying a remote VPN router behind a NAT device, configure the IPsec VPN connection using the VPN native IP address and the VPN Gateway ID. On both sides of the connection, configure static one-to-one NAT for the VPN IP address.
Related Information
See “Set up an IPsec VPN Connection to a Remote Site,” on page 32 in this guide for the steps to set up an IPsec VPN connection in vCloud Air.
See also Create a VPN Tunnel to a Remote Network in the vCloud Director Administrator's Guide.
See also Enable VPN for an Organization Virtual Datacenter Network in the vCloud Director Administrator's Guide.
About Setting up an IPsec VPN Connection
You can configure an IPsec VPN connection between networks within vCloud Air and between a remote
site and vCloud Air. Setting up an IPsec VPN connection from a remote network to vCloud Air is the most
common scenario.
Using vCloud Director, you configure an IPsec VPN connection for vCloud Air as part of configuring
gateway services. When you configure an IPsec VPN connection between sites, you configure the connection
from the point of view of your current location. Setting up the connection requires that you understand how
to configure the following values so that you configure the VPN connection correctly:
• Peer Networks: specifies the remote networks to which the VPN connects. When you configure this setting, enter a network range and not a specific IP address. Enter the IP address using CIDR format; for example, 192.168.99.0/24.
• Local Endpoint (LEP): specifies the network in vCloud Air on which the gateway transmits. Typically, the external network is the local endpoint.
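As an added example that is not part of the guide, the following Python pre-flight check applies the rules stated above before a connection is configured: each Peer Networks entry must be a CIDR range rather than a host address, remote VPN router subnets must not overlap the gateway network, and the plan must stay within 64 connections across 10 sites. The gateway networks and site names are constructed sample values, and counting one connection per peer network is an assumption made here.

```python
import ipaddress

# Limits stated in the guide: at most 64 IPsec VPN connections across at most 10 sites.
MAX_CONNECTIONS = 64
MAX_SITES = 10


def parse_peer_network(value: str) -> ipaddress.IPv4Network:
    """Parse one Peer Networks entry, which must be a CIDR range such as 192.168.99.0/24.

    Bare addresses, /32 entries and values with host bits set (e.g. 172.16.5.1/24)
    are rejected, since the guide requires a network range, not a specific IP address.
    """
    if "/" not in value:
        raise ValueError(f"{value!r}: peer network must be a CIDR range, not a host address")
    net = ipaddress.ip_network(value, strict=True)  # strict=True rejects set host bits
    if not isinstance(net, ipaddress.IPv4Network):
        raise ValueError(f"{value!r}: only IPv4 peer networks are handled here")
    if net.prefixlen == 32:
        raise ValueError(f"{value!r}: /32 is a single address, not a network range")
    return net


def find_overlaps(gateway_networks, peer_networks):
    """Return (gateway, peer) pairs whose ranges overlap; the tunnel needs distinct
    local endpoint addresses on each side, so any overlap is a configuration error."""
    return [(g, p) for g in gateway_networks for p in peer_networks if g.overlaps(p)]


def validate_vpn_plan(gateway_cidrs, sites):
    """Validate a planned set of IPsec VPN connections.

    `sites` maps a site name to the peer-network CIDR strings its remote VPN router
    presents; one connection per peer network is assumed. Returns a list of
    human-readable problems; an empty list means the plan is consistent.
    """
    problems = []
    gateways = [ipaddress.ip_network(c, strict=True) for c in gateway_cidrs]
    if len(sites) > MAX_SITES:
        problems.append(f"{len(sites)} sites exceeds the limit of {MAX_SITES}")
    total = sum(len(cidrs) for cidrs in sites.values())
    if total > MAX_CONNECTIONS:
        problems.append(f"{total} connections exceeds the limit of {MAX_CONNECTIONS}")
    for site, cidrs in sites.items():
        peers = []
        for cidr in cidrs:
            try:
                peers.append(parse_peer_network(cidr))
            except ValueError as err:
                problems.append(f"{site}: {err}")
        for gw, peer in find_overlaps(gateways, peers):
            problems.append(f"{site}: peer network {peer} overlaps gateway network {gw}")
    return problems
```

Run against a constructed plan such as `validate_vpn_plan(["10.10.0.0/24"], {"branch": ["10.10.0.0/16", "172.16.5.1/24"]})` to see both the host-bits rejection and the overlap reported.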
Chapter 3 Network Security and Secure Access
VMware, Inc. 31