IPSec VPN

Overview

IPsec VPN offers site-to-site connectivity between HI GIO and remote sites that use third-party hardware routers or VPN gateways supporting IPSec.

On HI GIO, you can create VPN tunnels between:

  • Organization virtual data center networks on the same organization

  • Organization virtual data center networks on different organizations

  • An organization virtual data center network and an external network

Procedure

I. Prepare the VPN parameters:

II. Create IPSec VPN

1. In the top navigation bar, click Networking and click the Edge Gateways tab.

2. Click the edge gateway.

3. Under Services, click IPSec VPN.

4. To configure an IPSec VPN tunnel, click New.

5. Enter a Name and, optionally, a description for the IPSec VPN tunnel.

6. To enable the tunnel upon creation, toggle on the Status option.

*** NOTE: For Security Profile, keep the Default and configure it later, once the VPN tunnel has been created.

7. Click NEXT to select Authentication mode.

8. Select a peer authentication mode and click NEXT.

HI GIO supports two options for Authentication Mode:

  • Pre-Shared Key: Enter a pre-shared key. The pre-shared key must be the same on the other end of the IPSec VPN tunnel.

  • Certificate: Select the site and CA certificates to be used for authentication.

9. On the Endpoint Configuration window, enter the parameters (using the IPSec parameters from the preparation step):

  • IP address [Local Endpoint]: Enter the public IP of HI GIO.

  • Networks [Local Endpoint]: Enter at least one local IP subnet (HI GIO's network) to use for the IPSec VPN tunnel.

  • IP address [Remote Endpoint]: Enter the public IP of the remote site (for example, the office's public IP).

  • Networks [Remote Endpoint]: Enter at least one remote IP subnet (for example, the office's network) to use for the IPSec VPN tunnel.

10. Enter the remote ID (optional) for the peer site.

*** NOTE: If Certificate is used as the authentication mode:

The remote ID must match the SAN (Subject Alternative Name) of the remote endpoint certificate, if available. If the remote certificate does not contain a SAN, the remote ID must match the distinguished name of the certificate that is used to secure the remote endpoint, for example, C=US, ST=Massachusetts, O=VMware,OU=VCD, CN=Edge1.

11. Click Next.

12. Review your settings and click Finish.

The newly created IPSec VPN tunnel is listed in the IPSec VPN view. The IPSec VPN tunnel is created with a default security profile.

13. To verify that the tunnel is functioning, select it and click View Statistics.

If the tunnel is functioning, Tunnel Status and IKE Service Status both display Up.
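The remote ID rule from the note in step 10 (match a SAN entry when the peer certificate has one, otherwise match the subject DN) is easy to get wrong because the DN string is compared as a whole, not just the CN. The following Python is an added example, not part of this HI GIO guide; the certificate values are constructed sample data, and extracting SAN and subject from the real peer certificate is left to an X.509 library.

```python
import re


def parse_dn(dn):
    """Split an X.500 DN such as 'C=US, ST=Massachusetts, O=VMware,OU=VCD, CN=Edge1'
    into (type, value) pairs. Attribute types are case-insensitive, spacing around
    separators is ignored and a backslash-escaped comma stays inside the value.
    Simplification: multi-valued RDNs joined with '+' are not handled."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        if not rdn.strip():
            continue
        attr_type, _, value = rdn.partition("=")
        pairs.append((attr_type.strip().upper(), value.strip().replace("\\,", ",")))
    return pairs


def dn_equal(a, b):
    """DNs match when they carry the same RDNs in the same order."""
    return parse_dn(a) == parse_dn(b)


def remote_id_matches(remote_id, san_names, subject_dn):
    """Apply the rule from the note: if the peer certificate carries a SAN, the
    remote ID must equal one of its entries (DNS names compare case-insensitively);
    if there is no SAN, the remote ID must equal the certificate's subject DN."""
    if san_names:
        return remote_id.strip().lower() in {n.strip().lower() for n in san_names}
    return dn_equal(remote_id, subject_dn)


if __name__ == "__main__":
    # Constructed sample peer certificates (not real HI GIO data).
    dn = "C=US, ST=Massachusetts, O=VMware,OU=VCD, CN=Edge1"
    print(remote_id_matches("edge1.example.net", ["edge1.example.net"], dn))  # SAN present
    print(remote_id_matches("C=US,ST=Massachusetts,O=VMware,OU=VCD,CN=Edge1", [], dn))
    print(remote_id_matches("CN=Edge1", [], dn))  # only the CN: rejected
```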


III. Configure the Security Profile of IPSec VPN Tunnel

Once the IPSec VPN tunnel has been created, you can change its IPSec settings through the security profile. The settings must match those of the remote site.

1. In the top navigation bar, click Networking and click the Edge Gateways tab.

2. Click the edge gateway.

3. Under Services, click IPSec VPN.

4. Select the IPSec VPN tunnel and click Security Profile Customization.

5. Change the VPN tunnel settings to the IPSec parameters you prepared.

*** NOTE: Keep in mind that the security settings need to match the security settings in the remote site.

IV. Set up firewall rules for the VPN tunnel.

1. Prepare an IP set for the firewall rules (a dynamic or static group can also be used). More detail

IP set detail:


2. Create two firewall rules (edge gateway firewall) for the IPsec tunnel:

+ HI GIO to Local (remote site)

+ Local (remote site) to HI GIO

If the Distributed Firewall is used, firewall rules must also be created there to allow the VPN traffic (remote site to HI GIO).

*** Also set a firewall rule on the remote router for the VPN traffic.

VALIDATE: Tunnel status is UP with traffic
