For those of you who don’t know yet, NSX-T backed VMware Cloud on AWS is now generally available. The switch introduces a few enhancements that are worth mentioning, namely the Distributed Firewall (DFW), Security Groups, Route Based IPsec VPN with redundancy, Direct Connect Private VIF for all traffic, connectivity from the overlay to the management infrastructure, vCenter management appliance access from the connected VPC, DNS zones, port mirroring and IPFIX.
In this blog post, we are going to go through the configuration of a Route Based IPsec VPN. With a route-based VPN we can run BGP over the IPsec tunnel, so networks are automatically advertised and learned between the VMware Cloud on AWS SDDC and on-prem. This simplifies operations and also prevents the manual configuration errors that creep in every time a network is added or removed. In addition, a route-based IPsec VPN provides redundancy: multiple tunnels can be set up to on-prem, and BGP path selection can be used to make one tunnel the active path and the other the passive one.
Log in to the VMC Console at https://vmc.vmware.com.
Click Add VPN.
Enter a name for the route-based VPN.
Select the local IP address of the IPsec VPN (the SDDC side of the tunnel) from the drop-down menu.
Enter the remote public IP address of your on-premises gateway.
(Optional) Enter the remote private IP address if the on-premises gateway sits behind NAT, that is, the gateway's own interface address rather than the public one.
Enter the BGP neighbor parameters.
| Parameter | Description |
|---|---|
| IP Address | Enter the remote BGP neighbor IP address. This is the on-prem VTI address from the VTI subnet you choose below (169.254.111.1 in the example), not the gateway's public IP. |
| BGP Neighbor AS | Enter the autonomous system number (ASN) of the on-prem BGP peer. |
| BGP Secret | Set a secret password for BGP neighbor authentication. It must be configured identically on the on-prem peer or the BGP session will not establish. |
Accept the default local AS setting. The same local AS is used for all the VPN connections of the SDDC, so any change affects every existing route-based VPN, not just the one you are creating.
Local and remote networks are discovered using BGP advertisements, so there is nothing to enter for them here.
Enter the VTI subnet CIDR block. Choose a /30 from the 169.254.0.0/16 range; each tunnel needs its own, non-overlapping /30. The two usable addresses in that /30 become the remote and local VTIs (VPN Tunnel Interfaces): the first usable address is the on-prem interface and the second is the SDDC interface. For example, with the VTI CIDR block 169.254.111.0/30 (address range 169.254.111.0-169.254.111.3), the local (SDDC) interface is 169.254.111.2/30 and the remote (on-prem) interface is 169.254.111.1/30. The on-prem tunnel interface must be addressed accordingly, and the remote address is the one you entered as the BGP neighbor IP above.
Configure the advanced VPN parameters (IKE version, encryption, integrity and Diffie-Hellman settings). These, together with the preshared key, must match what the on-premises gateway is configured to propose, otherwise IKE negotiation fails and the tunnel never comes up.
Click Save and wait a minute or so; your VPN should come up. Before calling it done, check that the tunnel status shows Up and that the BGP session is established and has learned the on-prem prefixes. If the tunnel is up but no routes are learned, the usual culprits are a mismatched BGP secret, a wrong neighbor IP (it must be the on-prem VTI address) or an ASN mismatch.
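As an added example that is not part of the original post, the small Python helper below turns the VTI addressing rule described above into code and generalises it to several redundant tunnels: it validates that each VTI subnet is a /30 inside 169.254.0.0/16, checks that the tunnels' /30s do not overlap, and derives the local (SDDC) VTI, the remote (on-prem) VTI and the value to enter in the BGP neighbor "IP Address" field. The function names and the sample CIDRs are my own and are not from the VMC console or its API.

```python
import ipaddress

# The post says to pick a /30 from this range for each tunnel.
VTI_POOL = ipaddress.ip_network("169.254.0.0/16")


def plan_vti(cidr):
    """Derive VTI addressing for one tunnel from its /30 CIDR.

    Convention from the post: first usable address = on-prem (remote) VTI,
    second usable address = SDDC (local) VTI. The remote VTI address is also
    what goes in the BGP neighbor 'IP Address' field of the VMC console.
    """
    # strict=True rejects host bits, e.g. 169.254.111.1/30 instead of .0/30
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen != 30:
        raise ValueError(f"{cidr}: VTI subnet must be an IPv4 /30")
    if not net.subnet_of(VTI_POOL):
        raise ValueError(f"{cidr}: VTI subnet must be inside {VTI_POOL}")

    remote, local = list(net.hosts())  # a /30 has exactly two usable hosts
    return {
        "vti_cidr": str(net),
        "remote_vti": f"{remote}/{net.prefixlen}",  # on-prem tunnel interface
        "local_vti": f"{local}/{net.prefixlen}",    # SDDC tunnel interface
        "bgp_neighbor_ip": str(remote),             # BGP 'IP Address' field
    }


def plan_tunnels(cidrs):
    """Plan several redundant tunnels, refusing overlapping VTI subnets."""
    plans, used = [], []
    for cidr in cidrs:
        plan = plan_vti(cidr)
        net = ipaddress.ip_network(plan["vti_cidr"])
        for other in used:
            if net.overlaps(other):
                raise ValueError(f"{cidr} overlaps with {other}")
        used.append(net)
        plans.append(plan)
    return plans


if __name__ == "__main__":
    # Constructed sample: the post's /30 plus a second one for a redundant tunnel.
    for plan in plan_tunnels(["169.254.111.0/30", "169.254.112.0/30"]):
        print(plan)
```

Run it with two or more CIDRs to get one addressing record per tunnel; a duplicated or overlapping /30, a /29, or a block outside 169.254.0.0/16 is rejected before you type anything into the console.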
I hope this post was helpful and thank you for reading.
My name is Amine El Badaoui and I currently live in Aylesbury, a small town in the south east of England
I have been working in the IT industry for a few years now and specialise in VMware virtualisation, data centre infrastructure and cloud technologies. Over the years I have obtained numerous industry certifications from Microsoft, NetApp and VMware. I currently work as a VMware Product Engineer @ https://www.rackspace.com/
This blog represents my random technical notes and thoughts. The thoughts expressed here do not reflect my current employer in any way.