In Part 1 of this series, we gave a brief introduction into VMware’s vShield Edge and how vShield Edge can help providers of vCloud Powered services securely interconnect customers’ enterprise datacenters with virtual datacenters in the cloud. In this post we will delve into the logistics of establishing single or multi-site VPNs.
Before we begin, there are some prerequisites for setting up a site-to-site VPN.
- Each VPN appliance needs a fixed IP address that makes appliances visible to each other. For multi-site VPNs, this requires public IP addresses. In the case of single-site VPNs, private addresses can be used if the appliances are on the same network or if the addresses are routable.
- The vShield Edge appliance must allow the following protocols to pass: Encapsulating Security Payload (ESP, IP protocol 50), Internet Key Exchange (IKE, UDP port 500), and UDP port 4500 for NAT traversal.
Note: Establishing a VPN does not automatically establish perimeter security. The vShield Edge Appliance must be configured to deny any unauthorized traffic to ensure that the remote site is fully secure.
The use cases in this series of posts handle NAT traversal, a situation where network address translation is interposed between the two vShield Edge gateways.
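The following is an added example, not code from the original post or from VMware: a small first-match policy checker that verifies a firewall rule set passes the three flows listed in the prerequisites (ESP, IKE on UDP 500, NAT traversal on UDP 4500) in both directions between the peers, and that, as the note above requires, unrelated traffic still hits a deny rule. The rule syntax and the peer addresses are constructed for illustration and are not vShield Edge's own rule format.

```python
from dataclasses import dataclass
from typing import List, Optional

# Flows the appliance must pass for the tunnel (from the prerequisites above):
# ESP (IP protocol 50), IKE (UDP 500) and NAT traversal (UDP 4500).
REQUIRED = (("esp", None), ("udp", 500), ("udp", 4500))

@dataclass
class Rule:                  # constructed rule format, not vShield Edge's own
    src: str                 # source address or "any"
    dst: str                 # destination address or "any"
    proto: str               # "esp", "udp", "tcp" or "any"
    port: Optional[int]      # destination port; None for ESP or "any port"
    action: str              # "allow" or "deny"

    def matches(self, src, dst, proto, port) -> bool:
        return (self.src in ("any", src) and self.dst in ("any", dst)
                and self.proto in ("any", proto)
                and (self.port is None or self.port == port))

def evaluate(rules: List[Rule], src, dst, proto, port) -> str:
    """First-match evaluation; traffic that no rule matches is denied."""
    for r in rules:
        if r.matches(src, dst, proto, port):
            return r.action
    return "deny"

def peer_rules(a: str, b: str) -> List[Rule]:
    """Allow the three required flows in both directions between peers a and b."""
    out = []
    for proto, port in REQUIRED:
        out += [Rule(a, b, proto, port, "allow"), Rule(b, a, proto, port, "allow")]
    return out

def check_vpn_policy(rules: List[Rule], local: str, remote: str) -> List[str]:
    """List problems: a required VPN flow is blocked, or unrelated traffic is not denied."""
    problems = []
    for proto, port in REQUIRED:
        for a, b in ((local, remote), (remote, local)):
            if evaluate(rules, a, b, proto, port) != "allow":
                problems.append(f"{proto}{'/' + str(port) if port else ''} {a}->{b} blocked")
    # The tunnel alone is not perimeter security: traffic from an arbitrary
    # host to the appliance must still be denied by the rule set.
    if evaluate(rules, "192.0.2.99", local, "tcp", 22) != "deny":
        problems.append("unauthorized inbound traffic not denied")
    return problems

LOCAL, REMOTE = "203.0.113.10", "198.51.100.20"  # constructed sample peer addresses
GOOD_RULES = peer_rules(LOCAL, REMOTE) + [Rule("any", "any", "any", None, "deny")]
BAD_RULES = [r for r in GOOD_RULES if r.port != 4500]  # NAT traversal port missing
```

`check_vpn_policy(GOOD_RULES, LOCAL, REMOTE)` returns an empty list, while the rule set without UDP 4500 reports the blocked NAT traversal flow in each direction.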
Establishing Single-Site and Multi-Site VPNs
This is the simplest use case: because both VPN endpoints are vShield Edge appliances, the setup is nearly fully automated.
1. In the vCloud Director Organization Portal, select Configure Services for the virtual datacenter’s external network.
2. Enable the site-to-site VPN and add a tunnel to another network.
3. Name the VPN, and select tunnel to “A Network in Another Organization” to prepare a multi-site VPN or “A Network in This Organization” to set up a single-site VPN.
4. A dialog will pop up asking for credentials for the remote site’s vCloud Director Organization Portal. Enter the information and log into the remote site. Prepare it to accept the VPN and exchange shared-secret authentication credentials.
5. Another dialog will pop up asking to confirm the remote peer network. Once this is selected, the site-to-site VPN will be operational. Confirm that both sides are connected by checking the Operational status on the Site-to-Site VPN tab.
In the final part of this series we will walk through establishing an Enterprise-to-Site VPN. Log on to Partner Central and download the whitepaper to learn more. For more information and updates visit vShield Edge and vCloud Director, and follow us on Twitter @vCloud and @VMwareSP for the latest news.