vCloud Director Edge Gateway VPN Settings

Bryce -

The vCloud Director (vCD) 8.0.2 based environment delivered by vGRID includes a more powerful Edge Gateway that can operate as a full firewall and VPN endpoint.  This lets customers configure an IPsec VPN tunnel directly into their private network at vGRID, giving seamless access to hosted virtual servers.  The details in the vCD web UI are not clear on how the remote site should be configured, so the purpose of this article is to provide some guidance.  Different vendors use different settings and names for their VPN devices, so we cannot provide detailed information for every brand of firewall or VPN concentrator you might be using.  We have kept the information for the customer end as generic as possible so you can see where it relates to your own brand of device.

To set up the Edge Gateway, log in to the vCloud Director environment using your URL and login details.  It should look like this:

[Screenshot: First-Pic-Editted.png]

1. Go to the Administration Tab

2. Select the Virtual Datacenters section and open your Virtual Datacenter.

3. Select the Edge Gateways Tab which will show you the Edge Gateway for your account.

4. Right-click the Edge Gateway to bring up the context menu and select Edge Gateway Services..., which opens a modal window that looks like this.

[Screenshot: Modal_Window.PNG]

Select the VPN tab; from here you can configure VPN tunnels.  You can determine the Edge Gateway public IP address by clicking the "Configure Public IPs" button.  It is important you know this address, as you will need it to configure your VPN settings.  First tick the "Enable VPN" check box and then click the Add... button at the bottom, which brings up the VPN details window.

[Screenshot: VPN-window-Editted.png]

The name and description fields are for your own reference.

The tunnel can be disabled here if you only want it offline temporarily.

You can create tunnels between vCloud Director environments, but for most purposes you should select "a remote network".

The local network is the internal network that your VMs connect to.  Usually there will only be one option.  Make sure you select it.

The peer network is the network at the other end of the tunnel, i.e. the subnet behind your remote firewall or VPN concentrator.

The local endpoint will be tchCloud5 for Hamilton or tcaCloud5 for Auckland.

Local ID is usually just the public IP address of the Edge Gateway, and Peer ID is the IP address of the remote firewall or VPN concentrator.

Peer IP is the IP address of the remote firewall or VPN concentrator that this tunnel will be talking to.

For encryption you can select AES256, AES or 3DES.  AES256 is the most secure; choose 3DES only if the remote device supports nothing newer.

The shared key is automatically populated.  You can use the supplied key (tick the "Show Key" box to display it so you can copy it) or overwrite it with your own.  It must be at least 32 characters long, which can cause problems with some older VPN-capable firewalls.

It is best to leave the MTU at 1500.  Change it at your own peril.

Once you have applied all the necessary settings, you just need to configure the matching settings on the remote end and hopefully your VPN tunnel will be established.  Our own research has found the following settings work best for the remote end.  These settings are based on configuring a FortiGate running FortiOS 5.x.  Some item names may differ between vendors.  This is not a comprehensive list of all options you will need to set, but rather the key ones that may differ from the norm.

Phase 1 Settings

Mode: Main

Authentication: Preshared Key

IKE Version: 1

Encryption: AES256 (or the other options if you chose them instead)

Authentication: SHA1 (we have not tried 3DES, but for AES256, SHA1 is certainly the authentication type)

DH Group: 2

Key Lifetime: 28800 seconds

Dead Peer Detection: Enabled

Keepalive Frequency: 10

Phase 2 Settings

Encryption: AES256 (or the other options if you chose them instead)

Authentication: SHA1 (we have not tried 3DES, but for AES256, SHA1 is certainly the authentication type)

Enable replay detection: Yes

Enable Perfect Forward Secrecy (PFS): Yes

DH Group: 2

Key Lifetime: 3600 seconds

Autokey Keep Alive: No

All other settings depend on your particular customer network.  On the remote device, the Peer IP will be the public IP address of the Edge Gateway and the peer subnet will be the internal vCD network (172.17.254.0/24 in the example above).
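For customers who prefer the FortiGate CLI, the following is an added example (not vGRID's or Fortinet's own configuration) that expresses the Phase 1 and Phase 2 settings above as a FortiOS 5.x interface-mode IPsec tunnel.  The interface name wan1, the tunnel names vgrid-vcd and vgrid-vcd-p2, the Edge Gateway address 203.0.113.10 and the customer LAN 192.168.10.0/24 are constructed placeholders; 172.17.254.0/24 is the vCD internal network from the example above.  Key names follow the FortiOS 5.2+ CLI; on FortiOS 5.0 the dead peer detection line is `set dpd enable` instead of `set dpd on-idle`.

```text
# Added example: FortiOS CLI equivalent of the GUI Phase 1 / Phase 2 settings.
# Constructed values to replace with your own:
#   wan1            - the FortiGate's internet-facing interface
#   203.0.113.10    - the Edge Gateway public IP (from "Configure Public IPs" in vCD)
#   192.168.10.0/24 - the customer LAN behind the FortiGate
#   172.17.254.0/24 - the vCD internal network (as in the example above)

config vpn ipsec phase1-interface
    edit "vgrid-vcd"
        set interface "wan1"
        set ike-version 1                 # IKE Version: 1
        set mode main                     # Mode: Main
        set authmethod psk                # Authentication: Preshared Key
        set proposal aes256-sha1          # Encryption: AES256, Authentication: SHA1
        set dhgrp 2                       # DH Group: 2
        set keylife 28800                 # Key Lifetime: 28800 seconds
        set dpd on-idle                   # Dead Peer Detection: Enabled (5.0: set dpd enable)
        set dpd-retryinterval 10          # Keepalive Frequency: 10
        set remote-gw 203.0.113.10        # Edge Gateway public IP
        set psksecret "<paste the 32+ character shared key shown in vCD>"
    next
end

config vpn ipsec phase2-interface
    edit "vgrid-vcd-p2"
        set phase1name "vgrid-vcd"
        set proposal aes256-sha1          # Encryption: AES256, Authentication: SHA1
        set replay enable                 # Enable replay detection: Yes
        set pfs enable                    # Enable Perfect Forward Secrecy (PFS): Yes
        set dhgrp 2                       # DH Group: 2
        set keylifeseconds 3600           # Key Lifetime: 3600 seconds
        set keepalive disable             # Autokey Keep Alive: No
        set src-subnet 192.168.10.0 255.255.255.0   # customer LAN (local)
        set dst-subnet 172.17.254.0 255.255.255.0   # vCD internal network (peer subnet)
    next
end
```

With main mode and pre-shared key authentication, each side identifies itself by its IP address, so no explicit local ID needs to be set on the FortiGate when the Local ID and Peer ID in vCD are the two public addresses.  As the article notes, this is not the complete configuration: an interface-mode tunnel on a FortiGate also needs a static route for 172.17.254.0/24 pointing at the vgrid-vcd tunnel interface and firewall policies in both directions before traffic will flow.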

Hopefully this provides enough information to help you configure a successful VPN Tunnel.
