This page describes how to use the VPN feature that enables you to create site-to-site VPNs between virtual datacenters and other virtual datacenters, or other entities.
For details of the VPN feature and how to configure it, see:
This feature is available in datacenters:
Using VMware with NSX-V (and the NSX-NAT or NSX-gateway plugin)
Using VMware with NSX-T (requires NAT-IPs as endpoints).
To manage VPNs:
Go to MyCloud view → Virtual datacenters
Select a virtual datacenter
Go to Network → VPN
Support for VPNs is per VDC, which means you need to create a separate VPN site for each connected virtual datacenter. Both sites of a VPN must have the same encryption and authentication settings, and inverse local and remote network configurations.
The following table describes VPN functionality in the providers. You can further configure the NSX-T options using Abiquo configuration properties.
AWS | VMware NSX-V | VMware NSX-T | Azure | |
---|---|---|---|---|
Encryption | AES | AES, | AES_128, | AES128_SHA1, AES128_SHA256, AES256_SHA1, |
Perfect forward secrecy enabled | always enabled | optional | optional | always disabled |
DH group | DH2 | DH2, DH5, DH14 | DH2,DH5,DH14,DH15,DH16,DH19,DH20,DH21 | DH2, DH14 |
Authentication | PSK (mandatory) | PSK (mandatory) | PSK (mandatory) | PSK (mandatory) |
Create a VPN
To connect private cloud with public cloud, define the VPN site in private cloud first.
In Azure you can create a VPN using a dummy address for the local gateway (site 1) and edit it after you create the Azure VPN site
In NSX-T you can delete and re-create a site instead of editing it
Azure may automatically select a compatible encryption type
In AWS you must supply the IP address of site 1 and you cannot edit it, so you must create site 1 first and the VPN site in AWS will always be site 2
To create a VPN site in a virtual datacenter:
We recommend that you check that the private networks for your VPN sites (local and remote) have different IP address ranges. If necessary create a new private network, and you may also decide to make it the default network for the virtual datacenter. See Manage networks
In NSX-T, for the VPN endpoint, obtain a NAT IP for the virtual datacenter.
You don’t need to create any NAT rules to create a VPN. Tip: check if your provider allows SNAT and DNAT traffic to VMs in the VDC from the internet or from IP/network addresses or NSX-T groups.
For more details see Manage NAT for virtual datacentersCreate a firewall to allow traffic to the VMs in your VPN. See Manage firewalls
Obtain the values of the remote endpoint and network. They don’t need to exist when you create the VPN, but if you need to change them, you will need to delete the site and recreate it.
Go to myCloud view → Virtual datacenters and select a virtual datacenter
Go to Networks → VPN
To create the VPN site, click the + add button and enter the VPN details. For full details see the Create VPN reference table below
Go to your other VDC or provider and create the remote VPN site.
To create the VPN site for site2 in another VDC:
Select the virtual datacenter
Add another VPN site using the same encryption and authentication settings, and the remote network configuration of the first VPN site as the local values.
To check the status of your VPN in a virtual datacenter:
Go to myCloud → Virtual datacenters → select the virtual datacenter
Go to Networks → VPN
Beside the VPN details, click Check
Create VPN reference table
This table describes all of the fields for creating a VPN.
Button | Action |
---|---|
Name | Name of the VPN |
Encryption algorithm | Select the encryption algorithm |
Perfect forward secrecy enabled | Select to enable perfect forward secrecy to protect your session keys |
DH group | Diffie-Hellman group for the VPN |
Authentication | Select for PSK authentication (Preshared key authentication), which is mandatory in the providers |
Preshared key | Enter preshared key to use for this session. |
Local endpoint | NAT IP in the VDC or an automatically generated address in public cloud |
Local networks | Select VDC networks. We recommend that you do not use the default private network addresses for both sides of a VPN |
Remote endpoint | NAT IP in the remote VDC |
Remote networks | Add network addresses using CIDR notation. Click x beside a network to remove it from the VPN configuration |