Description
This KB article steps through the process to stand up a Site-to-Site VPN between Lumen Private Cloud on VMware Cloud Foundation™ (CPC on vCF) and Lumen Cloud (CLC).
Prerequisites
- CPC on vCF account
- CLC account
- Local Endpoint (Public IP for IPsec VPN on the CPC on vCF side)
- Local Subnets in CIDR format (local networks to be accessible to IPsec VPN on the CPC on vCF side)
- Peer Endpoint (Public IP for IPsec VPN on the CLC side)
- Peer subnets in CIDR format (local networks to be accessible to IPsec VPN on the CLC side)
- Firewall rules on both ends permitting IP Protocol 50 (ESP), UDP port 500 (IKE), and UDP port 4500 (IKE NAT-T)
Steps
Log in to your Lumen Private Cloud on VMware Cloud Foundation environment.
Once logged in, click Edges in the menu on the left side of the screen, select the Edge Gateway, then click Configure Services. A popup will appear.
In the Edge Gateway popup, click on the VPN tab, select IPsec VPN Sites, then click the + button to add a new configuration.
In the Edit IPsec VPN page:
- Enabled: (Checked)
- Enable perfect forward secrecy (PFS): (Checked)
- Name: (Preferred name)
- Local Id: (Preferred name)
- Local Endpoint: (Public IP for IPsec VPN on the CPC on vCF side)
- Local Subnets: (Local networks to be accessible to IPsec VPN on the CPC on vCF side)
- Peer Id: (preferred name)
- Peer Endpoint: (Public IP for IPsec VPN on the CLC side)
- Peer Subnets: (Local networks to be accessible to IPsec VPN on the CLC side)
- Encryption Algorithm: AES256
- Authentication: PSK
- Change Shared Key: (Default)
- Pre-Shared Key: (Your Pre-Shared Key)
- Display Shared Key: (Default)
- Diffie-Hellman Group: DH2
- Extension: (Default)
- Digest Algorithm: Sha1
- IKE Option: IKEv1
- IKE Responder Only: (Default)
- Session Type: Policy Based Session
Click KEEP.
In the IPsec VPN Configuration page, click Save changes.
In the IPsec VPN Configuration page, click the Activation Status tab, then click the slider to enable the IPsec VPN Service Status. Click Save changes.
Log in to your Lumen Cloud environment.
In the left pane, click Network, then select Site-To-Site VPN.
In the Site-to-Site VPN page, click on the + site to site vpn button.
In the Create Site-to-Site VPN page, select your Control Portal Site (CLC data center), then click on the add network block button.
In the Select Destination Network or Subnet page, select your network, subnet size and starting IP address, then click add network block.
In Create Site-to-Site VPN page, in the Your Site section, enter your Site Name, Device Type and VPN Peer IPv4 Address, then click on the add network block button.
After you click the add network block button, a new field named Tunnel Encrypted Subnets appears. Enter your local network subnet block (on the CPC on vCF side). Click next: phase 1.
In the Phase 1 (IKE) page, enter as follows:
- IKE Protocol: IKEv1
- Protocol Mode: Main
- Encryption Algorithm: AES-256
- Hashing Algorithm: SHA1 (96)
- Pre-Shared Key: Same pre-shared key you used previously
- Diffie-Hellman Group: Group 2
- Lifetime Value: 8 hours
- DPD State: On
- NAT-T State: Default
Click next: phase 2.
In the Phase 2 (IPSEC) page, enter as follows:
- IPSEC Protocol: ESP
- Encryption Algorithm: AES-256
- Hashing Algorithm: SHA1 (96)
- PFS Enabled: On, Group 2
- Lifetime Value: 1 hour
Click finish.
Once completed, you will be presented with the summary page.
To test the Site-to-Site VPN, ping the gateway of a tunneled subnet on the other side; for example, from a VM in CLC on the 10.100.67.0/24 network, ping the gateway on the CPC on vCF side, 10.23.30.1.
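Most tunnels that fail the ping test above fail because the two portals were filled in with proposals or subnets that do not agree. The following checker is an added example, not code from the Lumen KB or from either portal: it models the CPC on vCF Edit IPsec VPN page and the CLC Phase 1 / Phase 2 pages as dictionaries keyed by the field names used above, normalises the differently spelled values (AES256 vs AES-256, Sha1 vs SHA1 (96), DH2 vs Group 2), and reports every mismatch before the tunnel is activated. The key "Network Blocks" (the CLC networks added with add network block), the tuple form of "PFS Enabled", and the endpoint addresses and subnets in the sample input are assumptions or constructed values; the subnets reuse the two networks named in the ping test. Lifetimes are not compared because the vCF page exposes none.

```python
import ipaddress

# The two portals spell the same settings differently; map them to one canonical form.
ENC = {"aes256": "aes256", "aes-256": "aes256", "aes128": "aes128", "aes-128": "aes128"}
HASH = {"sha1": "sha1", "sha1 (96)": "sha1", "sha256": "sha256", "sha-256": "sha256"}
DH = {"dh2": 2, "group 2": 2, "dh5": 5, "group 5": 5, "dh14": 14, "group 14": 14}
IKE = {"ikev1": 1, "ikev2": 2}


def norm(table, value):
    """Canonicalise a portal value; unknown spellings are reported, never guessed."""
    key = value.strip().lower()
    if key not in table:
        raise ValueError(f"unrecognised value {value!r}")
    return table[key]


def nets(cidrs):
    """Parse CIDR strings into a set of networks (strict: host bits must be zero)."""
    return {ipaddress.ip_network(c, strict=True) for c in cidrs}


def check_tunnel(vcf, clc):
    """Compare the CPC on vCF IPsec VPN Site with the CLC Site-to-Site VPN.

    Returns a list of (severity, message) findings; an empty list means both
    ends agree on every setting the two pages share.
    """
    f = []
    p1, p2 = clc["Phase 1"], clc["Phase 2"]

    # The vCF page has a single Encryption/Digest/DH setting that applies to both
    # IKE (phase 1) and ESP (phase 2); CLC configures the two phases separately.
    if norm(IKE, vcf["IKE Option"]) != norm(IKE, p1["IKE Protocol"]):
        f.append(("error", "IKE version differs between the two ends"))
    for phase, side in (("Phase 1", p1), ("Phase 2", p2)):
        if norm(ENC, vcf["Encryption Algorithm"]) != norm(ENC, side["Encryption Algorithm"]):
            f.append(("error", f"{phase}: encryption algorithm differs"))
        if norm(HASH, vcf["Digest Algorithm"]) != norm(HASH, side["Hashing Algorithm"]):
            f.append(("error", f"{phase}: hashing algorithm differs"))
    dh = norm(DH, vcf["Diffie-Hellman Group"])
    if dh != norm(DH, p1["Diffie-Hellman Group"]):
        f.append(("error", "Phase 1: Diffie-Hellman group differs"))

    # PFS: the vCF checkbox must match CLC's "PFS Enabled: On, Group N" and the
    # PFS group must be the same DH group the vCF side uses.
    pfs_on, pfs_group = p2["PFS Enabled"]          # assumed (bool, "Group N") form
    if vcf["Enable perfect forward secrecy (PFS)"] != pfs_on:
        f.append(("error", "Phase 2: PFS is enabled on one end only"))
    elif pfs_on and dh != norm(DH, pfs_group):
        f.append(("error", "Phase 2: PFS Diffie-Hellman group differs"))
    if dh < 14:
        f.append(("info", f"DH group {dh} is rated SHOULD NOT by RFC 8247; "
                          "group 14 (2048-bit MODP) is the MUST-implement group"))

    # Endpoints: what vCF calls the Local Endpoint is CLC's VPN Peer IPv4 Address.
    if ipaddress.ip_address(vcf["Local Endpoint"]) != ipaddress.ip_address(clc["VPN Peer IPv4 Address"]):
        f.append(("error", "vCF Local Endpoint does not match the CLC VPN Peer IPv4 Address"))

    # Subnets: each end's local networks must be the other end's peer/tunnel networks.
    local, peer = nets(vcf["Local Subnets"]), nets(vcf["Peer Subnets"])
    if local != nets(clc["Tunnel Encrypted Subnets"]):
        f.append(("error", "vCF Local Subnets differ from CLC Tunnel Encrypted Subnets"))
    if peer != nets(clc["Network Blocks"]):
        f.append(("error", "vCF Peer Subnets differ from the CLC network blocks"))
    # A policy-based tunnel cannot route a local network that overlaps a peer network.
    for a in local:
        for b in peer:
            if a.overlaps(b):
                f.append(("error", f"local {a} overlaps peer {b}"))
    return f


# Constructed sample input mirroring the KB's settings. Endpoints are RFC 5737
# documentation addresses; the subnets are the two networks the KB's ping test uses.
VCF_SITE = {
    "Enable perfect forward secrecy (PFS)": True,
    "Local Endpoint": "192.0.2.10",
    "Local Subnets": ["10.23.30.0/24"],
    "Peer Endpoint": "198.51.100.20",
    "Peer Subnets": ["10.100.67.0/24"],
    "Encryption Algorithm": "AES256",
    "Diffie-Hellman Group": "DH2",
    "Digest Algorithm": "Sha1",
    "IKE Option": "IKEv1",
}
CLC_SITE = {
    "VPN Peer IPv4 Address": "192.0.2.10",
    "Tunnel Encrypted Subnets": ["10.23.30.0/24"],
    "Network Blocks": ["10.100.67.0/24"],   # assumed key for the "add network block" entries
    "Phase 1": {"IKE Protocol": "IKEv1", "Encryption Algorithm": "AES-256",
                "Hashing Algorithm": "SHA1 (96)", "Diffie-Hellman Group": "Group 2"},
    "Phase 2": {"Encryption Algorithm": "AES-256", "Hashing Algorithm": "SHA1 (96)",
                "PFS Enabled": (True, "Group 2")},
}

if __name__ == "__main__":
    for severity, msg in check_tunnel(VCF_SITE, CLC_SITE) or [("ok", "both ends agree")]:
        print(f"[{severity}] {msg}")
```

With the KB's own values the checker reports no errors, only the informational note that Diffie-Hellman Group 2 is a legacy choice; change the hashing algorithm or a subnet on one side and the corresponding error appears, which is far quicker to act on than a silent phase 1 or phase 2 negotiation failure.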