Create IPsec tunnels in VMware SD-WAN

Before you begin:

  1. Prepare for SD-WAN setup.

  2. Configure IPsec credentials in ​SIA​.

These are the high-level steps that are required to set up IPsec tunnels between VMware SD-WAN and ​SIA​.

To create IPsec tunnels in VMware SD-WAN:

  1. Configure ​SIA​ as a non SD-WAN destination.

  2. Configure a tunnel between a branch and ​SIA​.

  3. Configure tunnel settings at the Edge.

  4. Configure your business policy.

  5. Verify that traffic is flowing through the tunnel.

🚧

If your organization uses ​ETP Client​, make sure you disable the client in policies that are associated with the IPsec tunnel locations.

Configure ​SIA​ as a non SD-WAN destination

Before creating the tunnels, you must configure ​SIA​ as a non SD-WAN destination. For detailed instructions, see the VMware SD-WAN documentation.

To configure ​SIA​ as a non SD-WAN destination:

  1. Log in to VMware SD-WAN Orchestrator (VCO) as an enterprise user.

  2. From the navigation menu, select Configure > Network Services.

  3. In the Non SD-WAN Destinations via Edge area, click New. A dialog appears.

  4. In the Service Name field, enter a name for this destination.

  5. From the Service Type menu, select Generic IKEv2 Router (Route Based VPN).

  6. Click Next.

  7. In the Primary VPN Gateway IP address field, enter primary.ipsec.akaetp.net.

  8. Click Advanced and specify the security settings:

    1. For Encryption, select AES 256.

    2. For DH Group, select 14 or above.

    3. For Hash, select SHA-256.

  9. Select the Secondary VPN Gateway checkbox to create a secondary tunnel. In the IP address field, enter the secondary.ipsec.akamaetp.net FQDN.

  10. Select Keep Tunnel Active.

  11. Select the Tunnel settings are same as Primary VPN Gateway checkbox to apply the advanced tunnel security settings to the secondary tunnel.

  12. Click Save Changes.
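The advanced settings in step 8, together with the secondary gateway and Keep Tunnel Active choices, are the parts of this dialog that a reviewer most often finds wrong after the fact. The following added example (not part of this guide, and not VCO's data model or API) records the planned settings of a non SD-WAN destination in a plain dictionary and checks them against the requirements stated above, so a weak choice such as AES 128, DH group 5 or SHA-1 is flagged before the destination is saved. The dictionary keys and both sample configurations are constructed for the example.

```python
"""Check planned non SD-WAN destination settings against this guide's
requirements: Generic IKEv2 Router (Route Based VPN), AES 256, DH group 14
or above, SHA-256, a secondary gateway, Keep Tunnel Active, and the
secondary tunnel inheriting the primary's advanced settings.

The dictionary layout and both sample configurations are constructed for
this example; they are not VCO's data model or API.
"""

REQUIRED_SERVICE_TYPE = "Generic IKEv2 Router (Route Based VPN)"
REQUIRED_ENCRYPTION = "AES 256"
REQUIRED_HASH = "SHA-256"
MIN_DH_GROUP = 14

# Constructed sample: a destination saved with weak or incomplete settings.
WEAK_SETTINGS = {
    "service_type": REQUIRED_SERVICE_TYPE,
    "primary_gateway": "primary.ipsec.akaetp.net",
    "secondary_gateway": None,          # no secondary tunnel, so no failover
    "encryption": "AES 128",
    "dh_group": 5,
    "hash": "SHA-1",
    "keep_tunnel_active": False,
    "secondary_same_as_primary": False,
}

# Constructed sample: the same destination corrected to match the guide.
COMPLIANT_SETTINGS = {
    "service_type": REQUIRED_SERVICE_TYPE,
    "primary_gateway": "primary.ipsec.akaetp.net",
    "secondary_gateway": "secondary.ipsec.akamaetp.net",
    "encryption": "AES 256",
    "dh_group": 14,
    "hash": "SHA-256",
    "keep_tunnel_active": True,
    "secondary_same_as_primary": True,
}


def check_tunnel_settings(settings):
    """Return a list of findings; an empty list means the settings meet the guide."""
    findings = []

    if settings.get("service_type") != REQUIRED_SERVICE_TYPE:
        findings.append(f"service type must be {REQUIRED_SERVICE_TYPE}")

    if not settings.get("primary_gateway"):
        findings.append("primary VPN gateway is not set")

    enc = settings.get("encryption")
    if enc != REQUIRED_ENCRYPTION:
        findings.append(f"encryption is {enc!r}; select {REQUIRED_ENCRYPTION}")

    # The guide says "14 or above": reject anything lower and anything non-numeric.
    dh = settings.get("dh_group")
    if not isinstance(dh, int) or dh < MIN_DH_GROUP:
        findings.append(f"DH group is {dh!r}; select {MIN_DH_GROUP} or above")

    h = settings.get("hash")
    if h != REQUIRED_HASH:
        findings.append(f"hash is {h!r}; select {REQUIRED_HASH}")

    if not settings.get("secondary_gateway"):
        findings.append("no secondary VPN gateway; configure a secondary tunnel for failover")
    elif not settings.get("secondary_same_as_primary"):
        # Only meaningful once a secondary gateway exists.
        findings.append("secondary tunnel does not inherit the primary's advanced settings")

    if not settings.get("keep_tunnel_active"):
        findings.append("Keep Tunnel Active is not selected; the tunnel may be torn down when idle")

    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SETTINGS), ("compliant", COMPLIANT_SETTINGS)):
        problems = check_tunnel_settings(cfg)
        print(f"{label}: {len(problems)} finding(s)")
        for p in problems:
            print("  -", p)
```

Run against the weak sample, the checker reports the encryption, DH group, hash, missing secondary gateway and Keep Tunnel Active problems; the compliant sample produces no findings.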

Next step:

Configure a tunnel between a branch and ​SIA​

Configure a tunnel between a branch and ​SIA​

Before you begin:
Configure ​SIA​ as a non SD-WAN destination

Complete this procedure to create a tunnel between a branch and ​SIA​.

To configure a tunnel between a branch and ​SIA​:

  1. In the SD-WAN Orchestrator, select Configure > Profiles.

  2. Select a profile where you want to configure Cloud VPN and under Device, go to Cloud VPN.

  3. Toggle Cloud VPN to on.

  4. Under Branch to Non SD-WAN Destination via Edge, select the check box.

  5. In the menu that appears, select the service you created for SIA in Configure SIA as a non SD-WAN destination.

  6. Click Save Changes.

Next step:

Configure tunnel settings at the Edge.

Configure tunnel settings at the Edge

Complete this procedure to configure tunnel settings at the Edge level. These settings take precedence over the settings that are inherited from a profile. For detailed instructions, see the VMware SD-WAN Administration Guide.

To configure tunnel settings at the Edge:

  1. In the SD-WAN Orchestrator, select Configure > Edges.

  2. Select the edge that contains the Non SD-WAN destination settings you configured in Configure ​SIA​ as a non SD-WAN destination.

  3. Navigate to Cloud VPN and go to the Branch to Non SD-WAN Destination via Edge area.

  4. In the Action column, click the plus sign icon. The Add Tunnel dialog appears.

  5. Complete these fields:

    1. In the Public WAN Link menu, select the name of the WAN that you want to use for the primary tunnel.

    2. In the Local Identification Type menu, select User FQDN and in the provided field, enter the user FQDN (IKE Identifier) that you defined in ​SIA​. For more information, see Configure IPsec credentials in ​SIA​.

    3. In the PSK field, enter the PSK that you generated and also provided in ​SIA​.

    4. In the Destination Primary Public IP field, enter primary.ipsec.akaetp.net.

    5. In the Destination Secondary Public IP field, enter secondary.ipsec.akamaetp.net.

  6. Click Save Changes.

  7. Repeat steps 4 to 6 for the secondary tunnel. Make sure you select the name of the WAN that you want to use for the secondary tunnel. Provide the primary IPsec FQDN for the primary destination and the secondary IPsec FQDN for the secondary destination.

Next steps:

  1. Verify that the tunnels are available as a network service. From the navigation menu, go to Monitor > Network Services. Review the tunnels that are configured under Non SD-WAN Destinations via Gateway.

  2. Configure your business policy.

Configure your business policy

Before you begin:
Configure tunnel settings at the Edge

A business policy defines how an application behaves, controls bandwidth utilization, mitigates network errors, and more. For more information about business policies, see the VMware SD-WAN documentation.

To configure a business policy:

  1. Create an object group for TCP ports 80 and 443:

    1. From the Orchestrator navigation menu, select Configure > Object Groups.

    2. Click the Port Groups tab and select Actions > New.

    3. In the window, enter a name and description for the port group.

    4. Select TCP as the protocol in both port fields.

    5. Enter ports 80 and 443.

    6. Click Create.

  2. Create a business policy on the Edge profile:

    1. From the navigation menu, select Configure > Profiles.

    2. Click a profile.

    3. Under the Business Policy tab, click New Rule.

    4. Enter a rule name.

    5. In the Match section, complete these steps for the Destination:

      1. Select the Object Group tab and then select HTTP/HTTPS as the Port Group.

      2. Select the Define tab, and then select Internet.

    6. In the Action section, select Internet Backhaul as the Network Service and then select Non SD-WAN Destination via Edge / Cloud Security Service. From the menu that appears, select the ​SIA​ service you configured as a non SD-WAN destination in Configure ​SIA​ as a non SD-WAN destination.

    7. Click OK.

Next steps:

  1. Make sure the rule you created is associated with the business policy. For the profile, click the Business Policy tab to confirm that the rule appears.

  2. Verify that traffic is flowing through the tunnel.

Verify that traffic is flowing through the tunnel

Before you begin:
Configure your business policy

Complete this procedure to confirm that traffic is flowing through the tunnels you created.

To verify that traffic is flowing through the tunnel:

  1. In the Orchestrator menu, select Test & Troubleshoot > Remote Diagnostics.

  2. Select the Edge where the policy was applied.

  3. Go to the List Active Flows section and in the Segment menu, select a segment.

  4. In the Destination Port field, enter port 443 or 80.

  5. Click Run. If traffic uses the configured policy, the Route column shows Internet Backhaul. The Business Policy column also shows the rule you created in Configure your business policy.
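The Remote Diagnostics check above confirms a few flows by eye. When an Edge carries many flows, the same verification is easier to apply over a saved list: every TCP flow to port 80 or 443 should show Internet Backhaul as its route and your rule as its business policy, and anything else is web traffic that bypassed the tunnel. The following added example (not part of this guide) applies that rule to flow rows. The CSV column layout, the rule name SIA-web-egress and all of the flow rows are constructed for the example; Remote Diagnostics does not document this export format.

```python
"""Find web flows that did not take the Internet Backhaul route through the
SIA tunnel, applying the check this guide performs in Remote Diagnostics to
a list of flow rows.

The CSV layout, the rule name and the sample rows are constructed for this
example; they are not an export format documented for Remote Diagnostics.
"""
import csv
import io

# Constructed sample of active-flow rows. RFC 5737 addresses are used as
# destinations; the last two rows are the ones the check should surface.
SAMPLE_FLOWS = """\
source_ip,dest_ip,dest_port,protocol,route,business_policy
10.1.1.25,203.0.113.10,443,TCP,Internet Backhaul,SIA-web-egress
10.1.1.26,203.0.113.11,80,TCP,Internet Backhaul,SIA-web-egress
10.1.1.30,203.0.113.12,53,UDP,Direct,Default
10.1.1.27,198.51.100.5,443,TCP,Direct,Default
10.1.1.28,198.51.100.9,443,TCP,Internet Backhaul,Legacy-backhaul
"""

# Ports covered by the port group created in "Configure your business policy".
TUNNELED_PORTS = {80, 443}
EXPECTED_ROUTE = "Internet Backhaul"


def parse_flows(flow_csv):
    """Parse CSV text into a list of dicts with dest_port as an int."""
    rows = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        row["dest_port"] = int(row["dest_port"])
        rows.append(row)
    return rows


def find_bypassing_flows(flows, rule_name):
    """Return TCP flows to 80/443 that did not match the expected route and rule.

    A flow is a bypass if it went somewhere other than Internet Backhaul, or
    if it was backhauled but by a rule other than the one created for SIA.
    """
    bypass = []
    for row in flows:
        if row["protocol"] != "TCP" or row["dest_port"] not in TUNNELED_PORTS:
            continue  # not web traffic the policy was meant to steer
        if row["route"] != EXPECTED_ROUTE or row["business_policy"] != rule_name:
            bypass.append(row)
    return bypass


def summarize(flows, rule_name):
    """Return (web_flows, bypassing_flows) counts for a quick pass/fail view."""
    web = [r for r in flows if r["protocol"] == "TCP" and r["dest_port"] in TUNNELED_PORTS]
    return len(web), len(find_bypassing_flows(flows, rule_name))


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    total, bad = summarize(flows, "SIA-web-egress")
    print(f"{total} web flow(s), {bad} bypassing the SIA tunnel")
    for r in find_bypassing_flows(flows, "SIA-web-egress"):
        print(f"  {r['source_ip']} -> {r['dest_ip']}:{r['dest_port']} "
              f"route={r['route']} policy={r['business_policy']}")
```

A non-zero bypass count usually means the rule is not associated with the profile, the port group does not cover the port, or a higher-priority rule matched first; the flagged rows show which of those applies.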