Connect Onprem Datacenter to VMware Cloud on AWS (via IPsec VPN ) Part-2
By default all incoming communications are blocked by the SDDC firewall and to access the vCenter you should at least open port 443 towards vCenter.
in order to open a firewall rule :
1) Login to vmc.vmware.com
2) select the sddc
3) go to network tab
4) In the management Gateway section expand firewall rule and select add rule
Fill in the details as below
in source section you can type the subnet of your onprem management machines, or type "Any" to access the vCenter from anywhere.
Similar way you can open an ICMP traffic for vCenter as well.
now we will start with the actual IPsec configuration and as I mentioned earlier in Part-1 that I am using a pfsense router, I will configure my ipsec on that however you can use any other vendor/hardware router which can support IPSEC VPN or NSX to configure this .
The configuration is very simple and VMware has provided a specific list of Phase-1 and Phase-2 supported settings for onprem ipsec vpn to avoid any kind of error.
Lets configure it on the pfsense first
open the management page of the pfsense appliance (default username : admin, default password : pfsense) and selected IPSEC from VPN menu at the top.
in the Tunnels tab clicked on "+ Add P1" button at the bottom.
Only fill the details which are highlighted here. Remote gateway is the public IP of the vmc management gateway, you can get that from the network diagram of network tab in vmc.
you should type in a pre-shared key in Pre-shared key section and make a note of it. rest everything you can keep as default.
once you click on Save it will give you an option to edit phase 2 settings.
In Phase 2 edit the following parameters
Remote Network - which is the VMC management network in my case it is 10.0.0.0/16 (Default)
Local Network - it is your onprem Management network in my case 192.168.10.0/24 (refer my network diagram in Part-1)
Encryption Algorithm - AES and 256 bits (configurable, but make sure to match it on the VMC side)
Has Algorithm - SHA1
PFS key group - 2 (configurable, but make sure to match it on the VMC side)
Lifetime - 3600 (default)
Click Save and you are done with the onprem side configuration.
Let's switch to the vmc side
and open desired sddc and select network tab, in the vpn section of management gateway, click create vpn.
Fill in the details to match with the onprem settings.
Remote Gateway Public IP - This is the public IP Address of on-prem Gateway.
Remote gateway private IP - This is the public IP of your pfsense (this is not required if the router on which you have configured ipsec at your onprem is public facing, since in my case I have set it up behind an ISP router I am using this option)
Remote Networks - This is your on-prem private network that you want to be allowed over the VPN.
Diffie Hellman - Default is 2 on pfSense, so you will need to adjust this on VMC (configurable, but make sure to match it with the on-prem side)
Pre-shared key - This is the shared key that you had created in Step 2 and made a note.
And if everything goes well , the ipsec vpn will show as connected and will indicate it with a green dot.
Note : if the vpn connection is not getting connected automatically go to the pfsense page on your onprem side and click status at the top, select ipsec and click connect, it should change in to established state, once vpn is established refresh the ipsec vpn at VMC end by clicking the refresh button next to the name of ipsec vpn.
once everything is done, to open the vmc vCenter page from your on-prem machine using ip-sec tunnel there are 2 ways.
1) Using Private IP
Get the private IP of your vmc vCenter : you can do it by logging in to vmc.vmware.com select the sddc click on support tab and at the bottom you can find the private IP, you can use this ip to open vCenter page from your onprem machine.
2) Using FQDN (There are two steps involved in this)
a) update the onprem DNS with the private IP of vmc
b) Update the DNS ip in the vmc sddc page to your
onprem dns. you can do it by logging in to
vmc.vmware.com select the sddc, click on network
tab and expand DNS section in Management
Gateway ,click on Edit and type in your on-prem
DNS address in DNS 1.
Okay so we are all set now and you can start using your vmc vCenter from any of your onprem machine whose subnet is allowed in the remote network list of VPN.