There are two different methods for creating a site-to-site VPN:
- a route-based VPN
- a policy-based VPN
This article will describe the route-based VPN between VMware Cloud on AWS as the local site and AWS Transit Gateway as the remote site.
In an earlier blog post we examined the five API calls needed to build a route-based VPN tunnel, using Python code. Using PowerShell and PowerCLI is simpler.
We built 3 functions:
- Create route-based VPN
- Get route-based VPN info
- Delete route-based VPN
Create Route-Based VPN
Step 2 – Get the Refresh-Token, Org name and SDDC name and assign them to variables.
$RefreshToken = "62c26d4a-xxxx-xxxx-xxxx-913873b1dfe0"
$OrgName = "VMC-SET-EMEA"
$SDDCName = "GC-API-SDDC"
Step 3 – Connect to your VMC environment.
Connect-Vmc -RefreshToken $RefreshToken
Step 4 – Get the NSX-T Proxy URL for all API calls.
Connect-NSXTProxy -RefreshToken $RefreshToken -OrgName $OrgName -SDDCName $SDDCName
Step 5 – Get the VPN Public IP of your SDDC.
On the GUI, the VPN Public IP is displayed here.
The PowerCLI output parameter is called 'vpn_internet_ips'; see this blog post for more details.
Step 6 – Prepare and plan the tunnel IP addresses, BGP AS numbers, encryption methods, DH group and pre-shared password as follows:
- **PublicIP** This is the VPN Public IP retrieved above
- **RemotePublicIP** This is the remote site Public IP
- **BGPLocalIP** This is the BGP Local IP in the 169.254.x.x range
- **BGPRemoteIP** This is the BGP Remote IP in the 169.254.x.x range
- **BGPLocalASN** This is the VMC BGP AS Number
- **RemoteBGPASN** This is the remote BGP AS Number
- **BGPNeighborID** This is the BGP Neighbor ID (arbitrary)
- **TunnelEncryption** Tunnel encryption method
- **TunnelDigestEncryption** Tunnel encryption digest
- **IKEEncryption** Key exchange encryption method
- **IKEDigestEncryption** Key exchange digest
- **DHGroup** Diffie-Hellman group
- **IKEVersion** IKE version
- **PresharedPassword** Tunnel pre-shared password
Step 7 – Choose a name for your VPN tunnel and run the function:
New-NSXTRouteBasedVPN -Name VPN-T1 `
-PublicIP 52.57.x.x `
-RemotePublicIP 18.19.x.x `
-BGPLocalIP 169.254.62.2 `
-BGPRemoteIP 169.254.62.1 `
-BGPLocalASN 65056 `
-RemoteBGPASN 64512 `
-BGPNeighborID 65 `
-TunnelEncryption AES_256 `
-TunnelDigestEncryption SHA2_256 `
-IKEEncryption AES_256 `
-IKEDigestEncryption SHA2_256 `
-DHGroup GROUP14 `
-IKEVersion IKE_V1 `
Successfully created Route-Based VPN.
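As an added example (not the function from the post or the downloadable script), a pre-flight check on a Step 6 parameter set before it is passed to New-NSXTRouteBasedVPN. It assumes the parameter names listed in Step 6; the thresholds it applies (peering IPs in 169.254.0.0/16 and a shared /30, 16-bit private ASNs, a 20-character minimum pre-shared password, and flagging anything weaker than the AES_256 / SHA2_256 / GROUP14 set or IKE_V1) are this example's own choices, not the post's.

```powershell
# Added example, not part of the original post: pre-flight checks on a Step 6
# parameter set before it is handed to New-NSXTRouteBasedVPN. Returns a list of
# findings; an empty list means nothing was flagged.
function ConvertTo-IPv4Number([string]$Address) {
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)   # network byte order -> little-endian for BitConverter
    return [long][BitConverter]::ToUInt32($bytes, 0)
}

function Test-RouteBasedVpnParams {
    param([Parameter(Mandatory)][hashtable]$P)
    $findings = New-Object 'System.Collections.Generic.List[string]'
    # BGP peering addresses: link-local (169.254.0.0/16) and both inside one /30.
    $ip = @{}
    foreach ($k in 'BGPLocalIP', 'BGPRemoteIP') {
        $ip[$k] = ConvertTo-IPv4Number $P[$k]
        if (($ip[$k] -shr 16) -ne 0xA9FE) { $findings.Add("$k $($P[$k]) is outside 169.254.0.0/16") }
    }
    if ($ip.BGPLocalIP -eq $ip.BGPRemoteIP) {
        $findings.Add('BGPLocalIP and BGPRemoteIP are identical')
    } elseif (($ip.BGPLocalIP -shr 2) -ne ($ip.BGPRemoteIP -shr 2)) {
        $findings.Add('BGPLocalIP and BGPRemoteIP are not in the same /30')
    }

    # eBGP needs two different ASNs; the post uses 16-bit private ASNs (64512-65534).
    foreach ($k in 'BGPLocalASN', 'RemoteBGPASN') {
        $asn = [int]$P[$k]
        if ($asn -lt 64512 -or $asn -gt 65534) { $findings.Add("$k $asn is outside the 16-bit private ASN range") }
    }
    if ([int]$P.BGPLocalASN -eq [int]$P.RemoteBGPASN) { $findings.Add('BGPLocalASN and RemoteBGPASN must differ for eBGP') }

    # Crypto settings weaker than the AES_256 / SHA2_256 / GROUP14 set used in Step 7.
    foreach ($k in 'TunnelEncryption', 'IKEEncryption') {
        if ($P[$k] -match 'DES') { $findings.Add("$k $($P[$k]) is a legacy cipher") }
    }
    foreach ($k in 'TunnelDigestEncryption', 'IKEDigestEncryption') {
        if ($P[$k] -match 'MD5|SHA1') { $findings.Add("$k $($P[$k]) is a legacy digest") }
    }
    if ($P.DHGroup -match '^GROUP(2|5)$') { $findings.Add("$($P.DHGroup) is a sub-2048-bit MODP group") }
    if ($P.IKEVersion -eq 'IKE_V1') { $findings.Add('IKE_V1 selected; use IKE_V2 where the peer supports it') }
    if (([string]$P.PresharedPassword).Length -lt 20) { $findings.Add('PresharedPassword is shorter than 20 characters') }
    return ,$findings
}

# Constructed sample using the Step 7 values; the IKE_V1 choice and the placeholder password get flagged.
$sample = @{ BGPLocalIP = '169.254.62.2'; BGPRemoteIP = '169.254.62.1'; BGPLocalASN = 65056; RemoteBGPASN = 64512
             TunnelEncryption = 'AES_256'; TunnelDigestEncryption = 'SHA2_256'; IKEEncryption = 'AES_256'
             IKEDigestEncryption = 'SHA2_256'; DHGroup = 'GROUP14'; IKEVersion = 'IKE_V1'; PresharedPassword = 'changeme' }
Test-RouteBasedVpnParams $sample
```

Run it against the same hashtable you splat into New-NSXTRouteBasedVPN and only proceed when the returned list is empty or every finding is an accepted exception.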
Get Route-Based VPN info
The Get route-based VPN function retrieves the VPN information and displays it as follows:
Name : VPN-T1
ID : VPN-T1
Path : /infra/tier-0s/vmc/locale-services/default/l3vpns/VPN-T1
RoutingConfigPath : /infra/tier-0s/vmc/locale-services/default/bgp/neighbors/65
The function can also be used with a tunnel name like:
Delete Route-Based VPN
Remove-NSXTRouteBasedVPN -Name "VPN-T1"
Successfully removed NSX-T IPSEC Tunnel: VPN-T1
Successfully removed NSX-T BGP Neighbor
Download the “Create_RB_VPN.ps1” file here.