looking to find some information surrounding the VPN feature through VCD. The documentation for establishing VPN tunnels seems to be very lacking. In our testing we have found it hard to see enabling this feature without expecting many support calls around this topic. Referencing the vShield 5.0 administration guides reveal features that are not exposed through VCD. Some of the areas we have found to be under documented are as follows:
- Establishing an VPN connection from the VCD interface terminology is confusing we had to perform trial and error to understand what these terms represented
- Peer IP Address : seems to be Remote Peer IP
- Peer Gateway: seems to be Remote network
- Peer Subnet Mask: seems to be Remote network mask
VCD appears to be missing fields for the following typical VPN options that seemed to be hard coded for VCD
- Phase 1/ISAKMP:
Trial and error to determine these values could not find reference to these options within VCD documentation
- SHA-1
- DH Group2
- SA Lifetime 28800 seconds
- Phase 2/IPSEC:
Trial and error to determine these values could not find reference to these options within VCD documentation
- SHA-1
- SA Lifetime 3600 seconds
- PFS Enabled with DH Group 2
- Proxy IDs for interesting traffic
- Corresponding to VCD Entries, network-to-network
- FW rule requirement - Permit traffic from remote network to local network, or traffic sourced from remote network is dropped by VShield firewall by default. FW rules must be put in place to allow traffic from remote network to VCD org however the rule only accepts host entries, so multiple entries areneeded, for example if I want to give my entire local site (172.26.5.0/24) access to an Exchange server it appears we would require 254 allow rules. Managing the rule on the vShield edge directly seems to allow for defining network ranges but not through VCD interface is there some type of work around for this??
thanks!!