All Posts

So The final cut: VMware claims that they support Edge to "Generic IKEv1/2 Router" VPN, but they NEVER define the word "Generic". I have been configuring generic IKEv1 and v2 IPsec VPNs on Cisco ASA and ISR for the past 9 years. We connected to various peers, some Cisco, some IBM, Palo Alto, Juniper. We even connected to software peers like pfSense. Never have I asked what the other side was. We agree on the VPN version, share parameters, PSK, subnets, and before you know it, a VPN is up and running with end to end connectivity. No fuss. Yet, I have failed to connect to the Edge. I only managed to connect to a Gateway, albeit, with many many limitations.

Ok guys so here is the 101 after I got our first site online for production: Never compare the Edge with a Cisco router (even the smallest one). The VMware Edge (and the entire VMware SASE solution) is immature. It cannot function as a full fledged router. The amount of limitations is staggering You CAN configure trunks, assign which VLAN is untagged, which VLANs are allowed on a switched trunk interface, BUT, you CANNOT NAT/PAT where you like. You ARE LIMITED to NAT/PAT between a LAN destination and (what SASE considers to be) a WAN. You definitely CANNOT nest NAT/PAT, and you CANNOT reroute/PAT traffic between VLANs. Believe me, I tried. I escalated this to support who stated that this feature is simply NOT SUPPORTED The DHCP server feature, although does support SOME common options, DOES NOT SUPPORT option 121. Again I asked tech support, and they confirmed it. What all my might and knowledge on the subject, I could not get the Edge-to-Cisco ISR VPN tunnel to work. I have been doing this for the past 9 years (VPN from Cisco ASA/ISR to various platforms, HW and SW), but I have finally met me arch nemesis. Tech support were as usual, no help and I got the "we will check and come back" thing. They never came back. Please make sure you know the product's abilities and limitations BEFORE you sign the contract. Hope this helps some of you Best regards, Talal

The secondary IP addresses and sub-interfaces ended up not being the solution. Here is the bottom line: Switched Ports (like you mentioned before) do not support Overlay. They are used for LAN only. In order to terminate multiple WAN links on a single interface, the interface must be routed, and, at the Edge level, multiple User-Defined WAN links must be created and then linked to that routed interface. The exact method had been lost to me since the deprecation of the old GUI after the Orchestrator upgrade to SD-WAN software version 5.2. Once I figure it out, I will publish a walkthrough