VMware Cloud Director supports the following types of site-to-site VPN:
A remote network offering IPsec VPN endpoint capability
Depending on the type of connection required, you'll need to configure the IP addressing for both ends of the tunnel together with a shared secret (pre-shared key), and indicate which VDC networks are allowed to connect over the VPN link.
Configuring edge gateway IPsec VPN settings
IKE Phase 1 and Phase 2
IKE is a standard method for arranging secure, authenticated communications.
Phase 1 parameters
Phase 1 sets up mutual authentication of the peers, negotiates cryptographic parameters, and creates session keys. The supported Phase 1 parameters are:
Phase 2 parameters
IKE Phase 2 negotiates an IPsec tunnel by creating keying material for the IPsec tunnel to use (either by using the IKE Phase 1 keys as a base or by performing a new key exchange). The supported IKE Phase 2 parameters are:
AES/AES256/AES-GCM (will match the Phase 1 setting)
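Both peers must propose matching Phase 1 and Phase 2 parameters, and Phase 2 is only attempted once Phase 1 has completed. The following is an added example (not VMware documentation or VMware Cloud Director code) that models that negotiation between two peers and reports which parameter mismatches would stop the tunnel from coming up. The parameter names, the `IkeProposal` class and the sample proposals are constructed for illustration; the set of weak settings flagged is the example's own assumption, and Phase 2 encryption is taken from the Phase 1 setting as the list above states.

```python
"""Added example: simulate IKE Phase 1 / Phase 2 parameter matching.

Not VMware's code. Field names and sample proposals are constructed;
use the values your edge gateway and remote device actually expose.
"""
from dataclasses import dataclass

# Parameters both sides must agree on in each phase. Phase 2 encryption
# is not listed separately because it follows the Phase 1 setting here.
PHASE1_FIELDS = ("ike_version", "encryption", "digest", "dh_group", "authentication")
PHASE2_FIELDS = ("digest", "pfs_group")

# Settings this example flags as weak (assumption, not from the page).
WEAK = {
    "encryption": {"des", "3des"},
    "digest": {"md5", "sha1"},
    "dh_group": {"dh1", "dh2"},
    "pfs_group": {"dh1", "dh2"},
}


@dataclass(frozen=True)
class IkeProposal:
    ike_version: str      # e.g. "ikev2"
    encryption: str       # e.g. "aes256"
    digest: str           # e.g. "sha256"
    dh_group: str         # Phase 1 Diffie-Hellman group
    authentication: str   # e.g. "psk" for a pre-shared key
    pfs_group: str        # Phase 2 DH group when PFS is enabled


def negotiate(local: IkeProposal, remote: IkeProposal) -> dict:
    """Compare two proposals phase by phase.

    Returns the mismatching fields per phase, weak-setting warnings for
    the local side, and whether the tunnel would be established.
    """
    def mismatches(fields):
        return [
            f"{f}: local={getattr(local, f)!r} remote={getattr(remote, f)!r}"
            for f in fields
            if getattr(local, f).lower() != getattr(remote, f).lower()
        ]

    phase1 = mismatches(PHASE1_FIELDS)
    # Phase 2 is only negotiated after Phase 1 succeeds.
    phase2 = mismatches(PHASE2_FIELDS) if not phase1 else []
    warnings = [
        f"{f}={getattr(local, f)} is weak"
        for f, bad in WEAK.items()
        if getattr(local, f).lower() in bad
    ]
    return {
        "phase1": phase1,
        "phase2": phase2,
        "warnings": warnings,
        "established": not phase1 and not phase2,
    }


# Constructed sample proposals: a matching peer, a Phase 1 digest
# mismatch, and a Phase 2 PFS-group mismatch.
LOCAL = IkeProposal("ikev2", "aes256", "sha256", "dh14", "psk", "dh14")
REMOTE_OK = IkeProposal("ikev2", "AES256", "sha256", "dh14", "psk", "dh14")
REMOTE_BAD_PHASE1 = IkeProposal("ikev2", "aes256", "sha1", "dh14", "psk", "dh14")
REMOTE_BAD_PHASE2 = IkeProposal("ikev2", "aes256", "sha256", "dh14", "psk", "dh5")

if __name__ == "__main__":
    for name, remote in (("ok", REMOTE_OK), ("phase1", REMOTE_BAD_PHASE1), ("phase2", REMOTE_BAD_PHASE2)):
        print(name, negotiate(LOCAL, remote))
```

Comparison is case-insensitive because devices display the same algorithm with different capitalisation; a Phase 1 failure suppresses Phase 2 reporting, which is also how the real exchange behaves, so fix Phase 1 first when the tunnel will not come up.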
Configuring the edge gateway firewall
When the VPN tunnel is up and running, you'll need to create firewall rules on the edge gateway for any traffic passing over the tunnel.
Key points to note:
Source as the source IP range for your external VDC/data center network
Destination as the destination IP range for your VDC network
Source as the source IP range for your VDC network
Destination as the destination IP range for your data center/VDC network
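The two rule pairs above cover traffic initiated from each side of the tunnel; leaving one out is a common reason why the tunnel shows as up but only one side can reach the other. The following is an added example (not VMware's code or the edge gateway's rule engine) that evaluates flows against a small rule set and reports whether each direction is permitted. The `Rule` class, the first-match-with-default-deny evaluation and the RFC 1918 address ranges are constructed assumptions for the illustration.

```python
"""Added example: check edge-gateway firewall coverage for tunnel traffic.

Not VMware's code. Rule evaluation is modelled as first match with an
implicit default deny (assumption); network ranges are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    source: str        # CIDR of permitted sources
    destination: str   # CIDR of permitted destinations
    action: str        # "allow" or "deny"


def first_match(rules, src_ip: str, dst_ip: str):
    """Return (action, rule_name) for the first rule matching the flow."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if src in ipaddress.ip_network(rule.source) and dst in ipaddress.ip_network(rule.destination):
            return rule.action, rule.name
    return "deny", "default"   # nothing matched: implicit deny


def tunnel_coverage(rules, dc_net: str, vdc_net: str) -> dict:
    """Report whether flows initiated from each side of the tunnel are allowed."""
    dc_host = str(next(ipaddress.ip_network(dc_net).hosts()))
    vdc_host = str(next(ipaddress.ip_network(vdc_net).hosts()))
    return {
        "dc_initiated": first_match(rules, dc_host, vdc_host)[0] == "allow",
        "vdc_initiated": first_match(rules, vdc_host, dc_host)[0] == "allow",
    }


# Constructed sample ranges: the remote data-center network and the VDC
# network behind the edge gateway.
DATACENTER_NET = "10.10.0.0/16"
VDC_NET = "192.168.50.0/24"

# One rule per direction, as described in the key points above.
TUNNEL_RULES = [
    Rule("dc-to-vdc", DATACENTER_NET, VDC_NET, "allow"),
    Rule("vdc-to-dc", VDC_NET, DATACENTER_NET, "allow"),
]

if __name__ == "__main__":
    print("both rules:", tunnel_coverage(TUNNEL_RULES, DATACENTER_NET, VDC_NET))
    print("inbound rule only:", tunnel_coverage(TUNNEL_RULES[:1], DATACENTER_NET, VDC_NET))
    print("unrelated source:", first_match(TUNNEL_RULES, "172.16.0.5", "192.168.50.10"))
```

Running it with only the first rule shows `vdc_initiated` as `False`, which is the symptom to look for when hosts in the data center can reach the VDC but not the other way round; a source outside either range falls through to the default deny.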
Validating the tunnel
When you've configured both ends of the IPsec tunnel, the connection should start without any issues.
To verify the tunnel status:
For a better understanding, follow the screenshots; we used a FortiGate as the customer-side device: