Step 1: In the top navigation bar, click Networking and click the Edge Gateways tab.
Step 2: Click the edge gateway.
Step 3: Under Services, click IPSec VPN.
Step 4: To configure an IPSec VPN tunnel, click New.
Step 5: Enter a Name and a description (optional) for the IPSec VPN tunnel.
Step 6: To enable the tunnel upon creation, toggle on the Status option.
For the Security Profile, keep Default; it is configured later, once the VPN tunnel has been created.
Step 7: Click NEXT to select Authentication mode.
Step 8: Select a peer authentication mode and click NEXT.
HI GIO supports two options for Authentication Mode:
Option | Description
Pre-Shared Key | Choose a pre-shared key to enter. The pre-shared key must be the same on the other end of the IPSec VPN tunnel.
Certificate | Select site and CA certificates to be used for authentication.
Step 9: In the Endpoint Configuration window, enter the following parameters (use the IPSec parameters from the preparation step):
IP address [Local Endpoint]: Enter the public IP (HI GIO’s public IP).
Networks [Local Endpoint]: Enter at least one local (HI GIO’s network) IP subnet address for the IPSec VPN tunnel.
IP address [Remote Endpoint]: Enter the public IP of the remote site (e.g. the Office’s public IP).
Networks [Remote Endpoint]: Enter at least one remote (e.g. the Office’s network) IP subnet address for the IPSec VPN tunnel.
Step 10: Enter the remote ID (optional) for the peer site.
The remote ID must match the SAN (Subject Alternative Name) of the remote endpoint certificate, if available. If the remote certificate does not contain a SAN, the remote ID must match the distinguished name of the certificate that is used to secure the remote endpoint, for example, C=US, ST=Massachusetts, O=VMware, OU=VCD, CN=Edge1.
Step 11: Click Next.
Step 12: Review your settings and click Finish.
The newly created IPSec VPN tunnel is listed in the IPSec VPN view. The IPSec VPN tunnel is created with a default security profile.
Step 13: To verify that the tunnel is functioning, select it and click View Statistics.
If the tunnel is functioning, Tunnel Status and IKE Service Status both display Up.
III. Configure the Security Profile of the IPSec VPN Tunnel
Once the IPSec VPN tunnel has been created, we can change its IPSec VPN configuration through the security profile. The profile must match the configuration of the remote site.
Step 1: In the top navigation bar, click Networking and click the Edge Gateways tab.
Step 2: Click the edge gateway.
Step 3: Under Services, click IPSec VPN.
Step 4: Select the IPSec VPN tunnel and click Security Profile Customization.
Step 5: Change the configuration of the VPN tunnel to match the IPSec parameters you prepared.
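A pre-flight check for the values entered in Step 9 and in the security profile, as an added example (not HI GIO or VMware code): it compares the parameters prepared for both ends before they are typed into the portal. The field names, addresses and profile values are constructed for illustration, and it assumes a policy-based tunnel in which each side's local networks are the other side's remote networks.

```python
import ipaddress

# Constructed sample parameters for the two ends of one tunnel. Field names are
# this example's own (not VMware Cloud Director API keys); the addresses are
# documentation ranges.
HI_GIO = {
    "local_ip": "203.0.113.10", "remote_ip": "198.51.100.20",
    "local_nets": ["10.10.0.0/24"], "remote_nets": ["192.168.50.0/24"],
    "profile": {"ike_version": "IKEv2", "encryption": "AES-256",
                "digest": "SHA-256", "dh_group": 14, "pfs": True},
}
OFFICE = {
    "local_ip": "198.51.100.20", "remote_ip": "203.0.113.10",
    "local_nets": ["192.168.50.0/24"], "remote_nets": ["10.10.0.0/24"],
    "profile": {"ike_version": "IKEv2", "encryption": "AES-256",
                "digest": "SHA-256", "dh_group": 14, "pfs": True},
}

def _nets(values):
    # ip_network() is strict by default: "10.10.0.5/24" (host bits set) is rejected.
    return {ipaddress.ip_network(v) for v in values}

def check_tunnel(a, b):
    """Return a list of mismatches between the two ends (empty list = consistent)."""
    problems = []
    # Each side's remote endpoint must be the other side's local endpoint.
    if a["local_ip"] != b["remote_ip"] or a["remote_ip"] != b["local_ip"]:
        problems.append("endpoint IPs are not mirrored")
    try:
        a_local, a_remote = _nets(a["local_nets"]), _nets(a["remote_nets"])
        b_local, b_remote = _nets(b["local_nets"]), _nets(b["remote_nets"])
    except ValueError as exc:
        return problems + [f"invalid subnet: {exc}"]
    # Assumption: policy-based tunnel, so the subnet lists must mirror exactly.
    if a_local != b_remote or a_remote != b_local:
        problems.append("local/remote networks are not mirrored")
    # Overlapping local and remote subnets make routing ambiguous.
    for local in sorted(a_local, key=str):
        for remote in sorted(a_remote, key=str):
            if local.overlaps(remote):
                problems.append(f"{local} overlaps {remote}")
    # Every security profile value must be identical on both ends.
    for key in sorted(set(a["profile"]) | set(b["profile"])):
        if a["profile"].get(key) != b["profile"].get(key):
            problems.append(f"profile mismatch: {key}")
    return problems
```

An empty list from `check_tunnel(HI_GIO, OFFICE)` means the two sets of parameters agree; any entry names the field to correct before the tunnel is created.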
IV. Set Up Firewall Rules for the VPN Tunnel
Step 1: Prepare an IP set for the firewall rules (a dynamic or static group can also be used).
Step 2: Create two firewall rules (edge gateway firewall) for the IPSec tunnel:
+ HI GIO to Local (remote site)
+ Local (remote site) to HI GIO
If the Distributed Firewall is used, we also need to create firewall rules there to allow the VPN traffic (remote site to HI GIO).
*** Please also set the firewall rules for VPN traffic on the remote routers.