This section provides a step-by-step procedure for establishing IPsec connectivity between an Arista VeloCloud SD-WAN Gateway and a VMware Cloud on AWS gateway.
Overview
The following topology illustrates the integration of Arista VeloCloud SD-WAN and VMware Cloud on AWS, which uses IPsec connectivity between the Arista VeloCloud SD-WAN Gateway and the VMware Cloud router.
Figure 1. Integration of Arista VeloCloud SD-WAN and VMware Cloud on AWS
Perform the following steps to configure a Policy Based Non-VeloCloud Site (NVS) from the Gateway to the VMware Cloud on AWS gateway:
1. Log into the VMware Cloud Console using the URL for your SDDC organization. On the Cloud Services Platform, select VMware Cloud on AWS.
2. Find the Public IP used for VPN connectivity by selecting the Networking and Security tab. The VPN Public IP is displayed below the Overview pane.
Figure 2. Networking and Security Overview
3. Determine the networks/subnets whose traffic is to be encrypted and note them down. These should originate from Segments under Networking and Security in the VMware Cloud. Locate them by selecting Segments under Network.
4. Log into the Orchestrator and verify that the Edges are present, with a green status icon displayed next to each one.
Figure 3. Edges Overview
5. Go to the Configure tab, select Network Services, and then under Non-VeloCloud Sites select the New button.
Figure 4. Network Services
6. Provide a name for the Non-VeloCloud Site, select the type (in this case, Generic Firewall (Policy Based VPN)), enter the VMC Public IP obtained in Step 2, and select Next.
Figure 5. New Non-VeloCloud Site
7. Select Advanced, and under the Primary VPN Gateway:
   a. Change to the desired PSK.
   b. Ensure Encryption is set to AES 256.
   c. Change the DH group to 5.
   d. Enable PFS and set it to 5.
   e. Enter the site subnets captured in Step 3.
   f. Select the check box to Enable Tunnels.
   g. Select Save Changes.
Figure 6. Tunnel to VMC
8. Select View IKE/IPSec Template, copy the information into a text file, and then close the window.
Figure 7. IKE IPSec Configuration
9. Select Configure > Profiles in the left pane.
Figure 8. Configuration Profiles
10. Navigate to the profile associated with the Edge and select it.
11. With the correct profile selected, perform the following steps:
   a. Go to the Device tab and, under Cloud VPN > Branch to Non-VeloCloud Site, select the Enable check box.
   b. From the menu, select the NVS Network Service created in Step 5.
   c. Select Save Changes at the top of the screen.
Figure 9. Configure Segments
The tunnel should now be ready on the Orchestrator.
12. Log into the VMware Cloud Console.
13. Go to Networking and Security and select the VPN tab. In the VPN area, select Policy Based VPN, and then select Add VPN.
Figure 10. Single CSE
14. Provide a name for the Policy Based VPN and configure the following:
   a. Choose a name that starts with To_SDWAN_Gateway so the VPN can be easily identified during troubleshooting and future support.
   b. Select the Public IP.
   c. Enter the remote Public IP.
   d. Specify the remote networks, that is, the networks on the Orchestrator side.
   e. Select the Local Networks.
   f. Under Tunnel Encryption, select AES 256.
   g. Under Tunnel Digest Algorithm, select SHA1.
   h. Make sure Perfect Forward Secrecy is set to Enabled.
   i. Enter the PSK; it must match the PSK set in Step 7a.
   j. Under IKE Encryption, select AES 256.
   k. Under IKE Digest Algorithm, select SHA1.
   l. Under IKE Type, select IKEv2.
   m. Under Diffie Hellman, select Group 5.
   n. Select Save.
Figure 11. Policy Based VPN
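The Non-VeloCloud Site configured on the Orchestrator (Step 7) and the Policy Based VPN configured in VMware Cloud (Step 14) have to mirror each other before the tunnel will negotiate: the peer addresses cross, the local and remote networks swap sides, and the PSK, encryption, digest, DH group and PFS settings match. The following Python script is an added example, not Arista or VMware code, that checks a pair of such configurations for exactly those mismatches before either side is saved. The VpnSide field names, the documentation-range IP addresses, the subnets and the PSK are all constructed, and the Orchestrator side is assumed to use IKEv2 to match Step 14. It also reports the procedure's SHA1 and DH group 5 selections as advisories, since current IPsec guidance treats both as legacy.

```python
"""Consistency check for a policy-based IPsec VPN: VeloCloud Non-VeloCloud Site (Step 7)
versus VMware Cloud on AWS Policy Based VPN (Step 14). Added example, not Arista/VMware
code; field names and sample values are constructed."""
from dataclasses import dataclass
from hmac import compare_digest
from ipaddress import ip_network
from typing import List, Set, Tuple

# Choices the procedure makes that current IPsec guidance treats as legacy.
# Reported as advisories only; the checker never alters a configuration.
LEGACY_DH_GROUPS = {1, 2, 5}
LEGACY_DIGESTS = {"MD5", "SHA1"}


def norm(alg: str) -> str:
    """Canonicalise algorithm labels so 'AES 256', 'AES-256' and 'aes256' compare
    equal (the two consoles spell the digest 'SHA1' and 'SHA 1')."""
    return "".join(ch for ch in alg.upper() if ch.isalnum())


def nets(subnets: List[str]) -> Set:
    """Parse traffic selectors; strict=True rejects a prefix with host bits set."""
    return {ip_network(s, strict=True) for s in subnets}


@dataclass
class VpnSide:
    name: str
    local_ip: str              # public IP of this endpoint
    remote_ip: str             # public IP entered for the peer
    local_subnets: List[str]   # networks behind this endpoint
    remote_subnets: List[str]  # networks expected behind the peer
    psk: str
    ike_version: str
    ike_encryption: str
    ike_digest: str
    dh_group: int
    tunnel_encryption: str
    tunnel_digest: str
    pfs: bool


def check_pair(a: VpnSide, b: VpnSide) -> Tuple[List[str], List[str]]:
    """Return (errors, advisories): errors stop the tunnel from negotiating or
    misroute traffic; advisories flag parameters worth reviewing."""
    errors: List[str] = []
    advisories: List[str] = []
    # Peer addresses must cross: what each side calls "remote" is the other's public IP.
    if a.remote_ip != b.local_ip:
        errors.append(f"{a.name}: remote IP {a.remote_ip} is not {b.name}'s public IP {b.local_ip}")
    if b.remote_ip != a.local_ip:
        errors.append(f"{b.name}: remote IP {b.remote_ip} is not {a.name}'s public IP {a.local_ip}")
    # Traffic selectors must mirror; a policy-based VPN builds its IPsec SAs from them.
    if nets(a.local_subnets) != nets(b.remote_subnets):
        errors.append(f"{a.name} local networks do not match {b.name} remote networks")
    if nets(a.remote_subnets) != nets(b.local_subnets):
        errors.append(f"{a.name} remote networks do not match {b.name} local networks")
    # The PSK entered in Step 14 must equal the one set in Step 7a. Compared in
    # constant time, and the key value itself is never written into a finding.
    if not compare_digest(a.psk.encode(), b.psk.encode()):
        errors.append("pre-shared keys differ")
    # IKE (Phase 1) and IPsec (Phase 2) proposals must match on both sides.
    for attr in ("ike_version", "ike_encryption", "ike_digest",
                 "tunnel_encryption", "tunnel_digest"):
        if norm(getattr(a, attr)) != norm(getattr(b, attr)):
            errors.append(f"{attr}: {getattr(a, attr)!r} vs {getattr(b, attr)!r}")
    if a.dh_group != b.dh_group:
        errors.append(f"dh_group: {a.dh_group} vs {b.dh_group}")
    if a.pfs != b.pfs:
        errors.append(f"pfs: {a.pfs} vs {b.pfs}")
    # Advisories: SHA1 and DH group 5, as selected in the procedure, are legacy choices.
    if a.dh_group in LEGACY_DH_GROUPS:
        advisories.append(f"DH group {a.dh_group} is legacy; prefer group 14 or higher when both peers support it")
    for attr in ("ike_digest", "tunnel_digest"):
        if norm(getattr(a, attr)) in LEGACY_DIGESTS:
            advisories.append(f"{attr} {getattr(a, attr)} is legacy; prefer SHA-256 when both peers support it")
    return errors, advisories


# Constructed sample values (documentation address ranges), not a real deployment.
# The procedure's crypto choices; the Orchestrator side is assumed to use IKEv2.
CRYPTO = dict(ike_version="IKEv2", ike_encryption="AES 256", ike_digest="SHA 1",
              dh_group=5, tunnel_encryption="AES 256", tunnel_digest="SHA1", pfs=True)
ORCHESTRATOR_NVS = VpnSide(
    name="Orchestrator NVS", local_ip="198.51.100.20", remote_ip="203.0.113.10",
    local_subnets=["192.168.50.0/24"], remote_subnets=["10.10.0.0/24"],
    psk="constructed-example-psk", **CRYPTO)
VMC_POLICY_VPN = VpnSide(
    name="VMC Policy Based VPN", local_ip="203.0.113.10", remote_ip="198.51.100.20",
    local_subnets=["10.10.0.0/24"], remote_subnets=["192.168.50.0/24"],
    psk="constructed-example-psk", **CRYPTO)
# A deliberately wrong VMC side: typo in the remote network, mistyped PSK, DH group 14.
VMC_MISCONFIGURED = VpnSide(
    name="VMC Policy Based VPN (misconfigured)", local_ip="203.0.113.10", remote_ip="198.51.100.20",
    local_subnets=["10.10.0.0/24"], remote_subnets=["192.168.5.0/24"],
    psk="constructed-example-psk-typo", **{**CRYPTO, "dh_group": 14})

if __name__ == "__main__":
    for peer in (VMC_POLICY_VPN, VMC_MISCONFIGURED):
        errs, advs = check_pair(ORCHESTRATOR_NVS, peer)
        print(f"{peer.name}: {len(errs)} error(s), {len(advs)} advisory(ies)", *errs, *advs, sep="\n  ")
```

Run as a script it prints the findings for the matching pair (no errors, three advisories) and for the deliberately broken pair (mismatched remote network, differing PSK and DH group). An error means IKE authentication will fail or the IPsec SAs will carry the wrong traffic selectors; an advisory leaves the tunnel working exactly as the procedure documents it.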
Once the configuration is complete, the tunnel activates automatically and negotiates the IKE Phase 1 and Phase 2 parameters with the peer, which is the Gateway.
Figure 12. Gateway
Once the tunnel displays green, verify that it also displays green in the Orchestrator (go to Monitor > Network Services).
Figure 13. Network Services
Start a ping from a client connected at each end towards the client at the opposite end, and verify ping reachability.