The standard iland secure cloud deployment provides you with a built-in VMware NSX Edge firewall appliance, and one of its features is the IPSec VPN Tunnel. To build a VPN Tunnel from the iland cloud back to your production or remote offices, you need to ensure that both firewalls are configured correctly and that firewall rules are created on both sides to allow the VPN traffic. This article breaks down these steps and provides detailed instructions on configuring the VPN Tunnel and firewall rules on the NSX Edge, along with some considerations to keep in mind when configuring the other end of the tunnel.
Setting up the VPN Tunnel can be an exercise that requires planning, especially if you are working with other parties.
Here is the information you will need and some of the considerations you need to be aware of:
Once you have all of this information together, you can begin to configure your IPsec VPN tunnel. For the purposes of this guide, we will start with the NSX Edge in the iland Cloud environment.
Note: It goes without saying that each Enterprise firewall is different, and has different settings available. For a full list of the recommended settings for configuring an IPsec tunnel to work properly with the NSX Edge and your device, please see this list of Recommended and Default Settings for the NSX Edge.
1. Navigate to the Networking page of the Console from your Organization level. Once it loads you will see a list of Edges available in your Organization. Select the NSX Edge you want to modify.
2. Select the gateway you want to work with from the list, and you will be brought to the configuration page for that gateway. Open the Actions Drop-Down Menu and select "IPSec VPN".
3. In the window that allows you to manage your IPSec VPN Tunnels click the "Create New Tunnel" button.
Note: If you have already configured tunnels, either during deployment or on your own, you should see all the existing tunnels listed in the top panel. You can edit any of these configurations from this window at any time; however, for the purposes of this guide, we will create a new VPN tunnel.
4. On the first page of the wizard, you will be asked for a name and a description for this specific tunnel. Make sure the "Enabled" box is checked. Then, click Next.
5. The second page of the wizard allows you to choose internal networks in your iland Cloud environment. Click the checkbox next to each local subnet in your iland Cloud environment that you want reachable through this particular tunnel. Then, enter the Peer Subnets on your office or production network that should be able to reach your iland Cloud environment through the tunnel. Then, click Next.
6. The next page of the wizard allows you to configure the following:
When you have finished, click "Next".
7. The last page will allow you to configure the following settings:
When you have finished entering the settings, click "Submit" to continue.
8. You will be brought back to the IPsec VPN management window. If it is not already checked, click the "Enabled" box to enable the VPN service now that a tunnel has been configured.
9. Click "Submit" and the button will change to a spinning wheel. Once the button turns green, the configuration changes have been applied, and the configuration of the VPN Tunnel on the NSX Edge is complete.
The configuration of your local firewall will depend on the model and the specific version. However, here are a few things to keep in mind:
Here are some guides for setting up your end of the VPN tunnel on popular firewall appliances:
These are the settings for the NSX Edge IPSec VPN Tunnel, as recommended in VMware's knowledge base:
Note: The Security Association timers are not adjustable by iland; they are predetermined by VMware.
IKE Phase I Parameters:
Phase 1 sets up mutual authentication of the peers, negotiates cryptographic parameters, and creates session keys. The Phase 1 parameters used by NSX Edge are:
IKE Phase II Parameters:
IKE Phase 2 negotiates an IPSec tunnel by creating keying material for the IPSec tunnel to use (either by deriving it from the IKE Phase 1 keys or by performing a new key exchange). The IKE Phase 2 parameters supported by NSX Edge are:
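Because the tunnel only comes up when both ends agree on the subnets, the pre-shared key and the Phase 1 and Phase 2 proposals, it helps to compare the two planned configurations before touching either firewall. The following added example (not iland or VMware code) does that comparison on constructed sample settings; the field names are assumptions for illustration, not NSX Edge setting names, and the on-premises side deliberately contains two of the most common planning mistakes.

```python
import ipaddress

# Constructed sample tunnel definitions for the two ends (assumed field names,
# not NSX Edge API names): the iland-side NSX Edge and the on-premises firewall.
NSX_EDGE = {
    "local_subnets": ["10.10.0.0/24", "10.10.1.0/24"],
    "peer_subnets": ["192.168.50.0/24"],
    "psk": "constructed-shared-secret",
    "phase1": {"encryption": "AES-256", "dh_group": 14, "auth": "PSK"},
    "phase2": {"encryption": "AES-256", "pfs": True},
}

ON_PREM = {
    "local_subnets": ["192.168.50.0/24"],
    "peer_subnets": ["10.10.0.0/24"],  # mistake 1: 10.10.1.0/24 left out
    "psk": "constructed-shared-secret",
    "phase1": {"encryption": "AES-256", "dh_group": 5, "auth": "PSK"},  # mistake 2: DH group
    "phase2": {"encryption": "AES-256", "pfs": True},
}


def _nets(cidrs):
    # strict=True rejects host addresses written as a prefix (e.g. 10.10.0.5/24).
    return {ipaddress.ip_network(c, strict=True) for c in cidrs}


def check_tunnel_pair(a, b):
    """Return the mismatches that would stop Phase 1 or Phase 2 from completing,
    or leave some traffic outside the tunnel. An empty list means consistent."""
    problems = []
    # Each side's local subnets must appear as the other side's peer subnets.
    if _nets(a["local_subnets"]) != _nets(b["peer_subnets"]):
        problems.append("A local subnets != B peer subnets")
    if _nets(b["local_subnets"]) != _nets(a["peer_subnets"]):
        problems.append("B local subnets != A peer subnets")
    # Address space on the two sides must not overlap, or routing is ambiguous.
    for la in _nets(a["local_subnets"]):
        for lb in _nets(b["local_subnets"]):
            if la.overlaps(lb):
                problems.append(f"overlapping subnets {la} and {lb}")
    if a["psk"] != b["psk"]:
        problems.append("pre-shared keys differ")
    # Every Phase 1 and Phase 2 proposal value must be identical on both ends.
    for phase in ("phase1", "phase2"):
        for key in sorted(set(a[phase]) | set(b[phase])):
            if a[phase].get(key) != b[phase].get(key):
                problems.append(f"{phase} {key}: {a[phase].get(key)} vs {b[phase].get(key)}")
    return problems


if __name__ == "__main__":
    for p in check_tunnel_pair(NSX_EDGE, ON_PREM):
        print("MISMATCH:", p)
```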
There are a few limitations and restrictions of the IPSec VPN services on the NSX Edge. Here are some of the more important ones:
1. Create firewall rules on the NSX Edge. To set the firewall rules up on the NSX Edge, please follow our dedicated article:
2. Create equivalent firewall rules on your local firewall appliance.
If you encounter any issues with the IPSec VPN Tunnel once it has been configured, please try the following steps to troubleshoot the connection: