Good day,
As I have explained before, we are migrating from a Cisco ISR/ASR based network to a VMware SD-WAN Edge based one.
On the current Cisco routers (configured with static public IP addresses), we have terminated VPN tunnels (IKEv1 and 2) to some sites (customers and our own DC).
Now we will have 620n Edges at our DC, so a hub and spoke topology will be possible between branches and DC.
However, we will still need to terminate the VPN tunnels FROM THE SAME AFOREMENTIONED IP ADDRESSES (which of course will be configured on the new Edges replacing the Cisco routers). This is critical because our customers are not exactly flexible and because of the downtime expected if we change the public IP addresses where these tunnels are terminated on our side (in case we terminate the tunnels on a Gateway).
My question is, is it possible to create a tunnel towards a non-SD-WAN destination (another Cisco router/ASA for example) directly from the Edge without the need to use a Gateway?
So, the final cut: VMware claims that they support Edge to "Generic IKEv1/2 Router" VPN, but they NEVER define the word "Generic".
I have been configuring generic IKEv1 and v2 IPsec VPNs on Cisco ASA and ISR for the past 9 years. We connected to various peers, some Cisco, some IBM, Palo Alto, Juniper. We even connected to software peers like pfSense. Never have I asked what the other side was. We agree on the VPN version, share parameters, PSK, subnets, and before you know it, a VPN is up and running with end-to-end connectivity. No fuss.
Yet, I have failed to connect to the Edge.
I only managed to connect to a Gateway, albeit with many, many limitations.
Hi,
These documents might be helpful.
Configure a Non SD-WAN Destinations via Edge
https://docs.vmware.com/en/VMware-SD-WAN/5.1/VMware-SD-WAN-Administration-Guide/GUID-7122D54E-2A8E-4...
VMware SD-WAN Edge using Non SD-WAN Destination (NSD) via Edge may periodically experience a Dataplane Service failure (89644)
https://kb.vmware.com/s/article/89644
I have tested the connection between VMware SD-WAN Edge (Branch Edge) and the public cloud using NSD via Edge, but have not tried a VPN connection to Cisco ISR/ASR.
Good day @khirom
Thanks. I have indeed managed to find the settings, BUT I confirmed (after talking to our partner) that VMware does not support DH group 24 (max = group 21), so I am pretty much screwed.
Many thanks for your support though.
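The DH group mismatch described above is a plain IKEv2 proposal-negotiation failure: the SA comes up only if initiator and responder share at least one complete transform set. The following is an added example, not code from the thread, VMware or Cisco; the Cisco-style proposal lines are constructed, and the peer capability set is an assumption built only from the post's statement that group 21 is the maximum.

```python
"""IKEv2 proposal negotiation check (added example; constructed input).

Parses Cisco IOS-style 'crypto ikev2 proposal' blocks and mimics a responder
choosing, per transform type, the first initiator-offered value it supports.
"""
import re

# Constructed Cisco-side proposals: one offering only DH group 24, one with a fallback.
CISCO_PROPOSALS = """
crypto ikev2 proposal CUSTOMER-A
 encryption aes-cbc-256
 integrity sha512
 group 24
crypto ikev2 proposal CUSTOMER-B
 encryption aes-cbc-256 aes-cbc-128
 integrity sha256
 group 21 14
"""

# ASSUMED responder capabilities; only the DH ceiling (group 21) comes from the thread.
PEER_CAPS = {
    "encryption": {"aes-cbc-128", "aes-cbc-256", "aes-gcm-256"},
    "integrity": {"sha256", "sha384", "sha512"},
    "group": {14, 15, 16, 19, 20, 21},
}

def parse_proposals(text):
    """Return {name: {"encryption": [...], "integrity": [...], "group": [...]}} in offered order."""
    proposals, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"crypto ikev2 proposal (\S+)$", line)
        if m:
            current = proposals.setdefault(m.group(1), {"encryption": [], "integrity": [], "group": []})
            continue
        if current is not None and line:
            key, *values = line.split()
            if key in current:
                current[key] += [int(v) if key == "group" else v for v in values]
    return proposals

def negotiate(proposal, caps):
    """Return (chosen_transforms, None) on success or (None, failing_transform_type)."""
    chosen = {}
    for ttype, offered in proposal.items():
        match = next((t for t in offered if t in caps[ttype]), None)
        if match is None:
            return None, ttype  # no common value: IKE_SA_INIT gets NO_PROPOSAL_CHOSEN
        chosen[ttype] = match
    return chosen, None

def check_all(text=CISCO_PROPOSALS, caps=PEER_CAPS):
    """Map each proposal name to its negotiation outcome against the peer capabilities."""
    return {name: negotiate(p, caps) for name, p in parse_proposals(text).items()}
```

Running `check_all()` shows CUSTOMER-A failing on the `group` transform while CUSTOMER-B settles on group 21, which is the kind of fallback a peer that insists on group 24 does not offer.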
Sorry, I wrote in the wrong thread. I leave the following as is.
This may not be correct.
It may be better to try the NSD via Gateway settings in the old UI instead of the new UI.
The parameters available in the new UI and the old UI are different.
Here is what I consider to be a good procedure:
1. Confirm VPN establishment with the parameters available in the old UI.
2. After confirming, adjust the parameters to the stronger cryptographic strength in the new UI.
If the old UI is not available, contact support and they may be able to enable it.
Hello @khirom
After the latest Orchestrator update, I can no longer access the Legacy Orchestrator since the button to access it has been removed.
Also, since VMware are shifting their focus to the new UI, it would be better to learn to use it.
I have been using it solely since we migrated to this platform.
Hi,
I configured IPsec VPN between AWS and VMware SD-WAN Edge using NSD via Edge.
It was amazingly easy.
However, I have not yet had success with FW.
It seems that SD-WAN Edge is the Initiator and NAT-T is used.
