Appendix B: Security : Network Access Security
vCloud Networking and Security Edge VPN functionality allows the creation of site-to-site tunnels using IPsec. It supports NAT-T traversal for using IPsec through network address translation (NAT) devices.
Table 21. Network Access Security Use Cases

Use case: Multisite vCloud deployment
Description: The vCloud Networking and Security VPN can connect multiple vCloud deployments. For example, an organization's virtual datacenter at a public vCloud provider can be securely connected with the organization's internal private vCloud, or virtual datacenters hosted at a vCloud service provider in Europe can be connected to a vCloud service in Asia. Because vCloud Networking and Security also provides address translation, it is possible to deploy multiple organization virtual datacenters at different providers using the same RFC 1918 address space, as long as unique subnets are used.

Use case: Single-site vCloud deployment
Description: vCloud Networking and Security VPNs can be created between different organizations in the same vCloud Director instance, or between different networks within the same organization. For these deployments, the site-to-site VPN is used to secure sensitive traffic between networks over shared infrastructure.

Use case: Remote site to vCloud VPN
Description: A permanent secure connection from a router- or firewall-based VPN device at a remote site (for example, Cisco or Juniper devices) to a vCloud environment with vCloud Networking and Security Edge. vCloud Networking and Security VPN is a standard IPsec implementation, so a wide range of commercial or open source devices can be used at the remote site.

Use case: Client to vCloud VPN
Description: Client software is generally not used with IPsec VPNs (an IPsec VPN is typically a permanent network-to-network tunnel), although clients with static IP addresses that implement pre-shared key authentication are supported.
Site-to-site IPsec VPN configuration is available to organization administrators directly from the vCloud Director web console. VPN functionality is implemented using integration with vCloud Networking and Security Edge, which provides per-tenant Layer 3 network security and routing. Pre-shared key mode, IP unicast traffic, and NAT-T traversal with no dynamic routing protocols are supported between the vCloud Networking and Security Edge device and peers. Behind each remote VPN endpoint, multiple subnets can be configured to connect to the network behind a vCloud Networking and Security Edge device over IPsec tunnels. These networks must have nonoverlapping address ranges.
When configuring a site-to-site VPN between different organization virtual datacenter networks in a vCloud environment (across different vCloud environments or within an organization), much of the configuration complexity is abstracted from the vCloud consumer. After the appropriate networks are selected, both ends of the VPN tunnel are configured to provide compatibility between the edge peers. In comparison, configuring remote devices to connect to a VPN based on vCloud Networking and Security Edge requires an understanding of IPsec and the supported policies to successfully establish an encrypted tunnel.
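The two addressing requirements above (unique, nonoverlapping subnets behind every endpoint, and the per-Edge site limit stated later in this appendix) are easy to get wrong when several providers reuse RFC 1918 space. The following script is an added example, not VMware code: it takes the local network behind the Edge and the subnets behind each remote peer, both as CIDR strings of this script's own choosing, and reports every overlap, every IPv6 network (unsupported by the Edge VPN) and any plan with more than 10 remote sites.

```python
"""Validate the address plan for a set of vCloud Networking and Security
Edge site-to-site VPN peers. Added example; site names and CIDRs below are
constructed, not taken from a real deployment."""
import ipaddress

# The appendix states a maximum of 10 sites per Edge device.
MAX_REMOTE_SITES = 10


def check_address_plan(local_networks, peers):
    """local_networks: list of CIDR strings behind the Edge device.
    peers: mapping of remote site name -> list of CIDR strings behind that
    endpoint. Returns a list of problem strings; an empty list means the plan
    satisfies the nonoverlap and site-count requirements."""
    problems = []
    if len(peers) > MAX_REMOTE_SITES:
        problems.append(
            f"{len(peers)} remote sites configured; the Edge VPN supports "
            f"at most {MAX_REMOTE_SITES}"
        )

    # Parse every network once, tagging it with the site it belongs to.
    nets = []
    for site, cidrs in [("local", local_networks)] + list(peers.items()):
        for cidr in cidrs:
            try:
                # strict=True rejects host addresses such as 10.1.5.1/24
                net = ipaddress.ip_network(cidr, strict=True)
            except ValueError as exc:
                problems.append(f"{site}: {cidr} is not a valid network ({exc})")
                continue
            if net.version != 4:
                problems.append(f"{site}: {cidr} is IPv6, which the Edge VPN does not support")
                continue
            nets.append((site, net))

    # Pairwise overlap test across all sites, including the local network;
    # the same RFC 1918 block may be reused only with unique subnets.
    for i in range(len(nets)):
        for j in range(i + 1, len(nets)):
            (site_a, net_a), (site_b, net_b) = nets[i], nets[j]
            if net_a.overlaps(net_b):
                problems.append(f"{site_a} {net_a} overlaps {site_b} {net_b}")
    return problems


if __name__ == "__main__":
    # Constructed sample: a multisite deployment reusing 10.0.0.0/8 correctly.
    plan = {"provider-eu": ["10.1.0.0/16"], "provider-asia": ["10.2.0.0/16"]}
    for line in check_address_plan(["192.168.10.0/24"], plan) or ["plan OK"]:
        print(line)
```

Run the plan check before opening a change request for the tunnel; a reported overlap means the remote side has to renumber or the subnet list has to be trimmed, since the Edge cannot route the same prefix to two peers.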
The following IKE Phase 1 parameters are used by the vCloud Networking and Security Edge VPN:
*Main mode.
*Pre-shared key authentication mode.
*3DES or AES128 encryption.
*SHA1 authentication.
*MODP Group 2 (1024 bits).
*SA lifetime of 28800 seconds (8 hours).
*ISAKMP aggressive mode disabled.
The following additional parameters for IKE Phase 2 are supported:
*Quick Mode.
*Diffie-Hellman Group 2/5 (1024 bit/1536 bit, respectively).
*Perfect Forward Secrecy (PFS).
*ESP tunnel mode.
*SA lifetime of 3600 seconds (one hour).
vCloud Networking and Security Edge VPN proposes a policy that requires 3DES or AES128 (configurable, although AES is recommended), SHA1, PSK, and DH Group 2/5.
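Because the remote device must be configured by hand to match this policy, a pre-check of the peer's intended settings saves failed Phase 1 negotiations. The script below is an added example, not VMware code: it encodes the Phase 1 and Phase 2 values listed above and compares a peer proposal, expressed in this script's own key names, against them. Lifetimes are compared as plain equality, which is stricter than many IPsec implementations require but matches the documented values; 3DES is accepted but reported as a warning because the text recommends AES.

```python
"""Compare a remote peer's proposed IKE/IPsec settings with the policy the
vCloud Networking and Security Edge VPN accepts. Added example; the proposal
dictionary keys are this script's convention, not an Edge or vendor API."""

# Phase 1 (IKE) values from the documented policy.
EDGE_PHASE1 = {
    "exchange_mode": {"main"},        # aggressive mode is disabled
    "auth": {"psk"},                  # pre-shared key only, no certificates
    "encryption": {"3des", "aes128"},
    "hash": {"sha1"},
    "dh_group": {2},                  # MODP Group 2, 1024 bits
    "lifetime": 28800,                # seconds (8 hours)
}

# Phase 2 (IPsec SA) values from the documented policy.
EDGE_PHASE2 = {
    "mode": {"tunnel"},
    "protocol": {"esp"},
    "encryption": {"3des", "aes128"},
    "hash": {"sha1"},
    "pfs_group": {2, 5},              # PFS required; DH group 2 or 5
    "lifetime": 3600,                 # seconds (one hour)
}


def _compare(phase, policy, proposal):
    """Return mismatch strings for one phase. Set-valued policy entries are
    membership tests; scalar entries (lifetimes) must match exactly."""
    problems = []
    for key, allowed in policy.items():
        if key not in proposal:
            problems.append(f"{phase}: {key} not specified")
            continue
        value = proposal[key]
        if isinstance(allowed, set):
            normalized = value.lower() if isinstance(value, str) else value
            if normalized not in allowed:
                problems.append(
                    f"{phase}: {key}={value!r} not in {sorted(allowed, key=str)}"
                )
        elif value != allowed:
            problems.append(f"{phase}: {key}={value} differs from Edge value {allowed}")
    return problems


def check_proposal(phase1, phase2):
    """Return {'errors': [...], 'warnings': [...]} for a peer proposal.
    Errors would prevent the tunnel from negotiating against the Edge policy;
    warnings are accepted settings the document advises against."""
    errors = _compare("IKE phase 1", EDGE_PHASE1, phase1)
    errors += _compare("IPsec phase 2", EDGE_PHASE2, phase2)
    warnings = []
    for phase, proposal in (("IKE phase 1", phase1), ("IPsec phase 2", phase2)):
        if str(proposal.get("encryption", "")).lower() == "3des":
            warnings.append(f"{phase}: 3DES is accepted but AES128 is recommended")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample proposal from a remote firewall.
    p1 = {"exchange_mode": "main", "auth": "psk", "encryption": "aes128",
          "hash": "sha1", "dh_group": 2, "lifetime": 28800}
    p2 = {"mode": "tunnel", "protocol": "esp", "encryption": "aes128",
          "hash": "sha1", "pfs_group": 5, "lifetime": 3600}
    print(check_proposal(p1, p2))
```

A proposal that passes this check still has to carry matching subnet lists and the same pre-shared key on both sides; the script only covers the cryptographic parameters the appendix lists.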
To allow IPsec VPN traffic, the following ports must be open on firewalls between the two endpoints:
*Protocol 50 ESP.
*Protocol 51 AH.
*UDP port 500 IKE.
*UDP port 4500 NAT-T.
The external IP address for the vCloud Networking and Security Edge device must be accessible to the remote endpoint, either directly or using NAT. In a NAT deployment, the external address of the vCloud Networking and Security Edge device must be translated into a publicly accessible address. Remote VPN endpoints then use this public address to access the vCloud Networking and Security Edge device.
It is also possible for the remote VPN endpoints to be located behind a NAT device, although on both ends a static one-to-one NAT is required for the external IP address.
VPNs are used to provide secure access to an organization’s remote networks, and consumers should be aware of any security implications. A guideline for VPN configuration is to filter and restrict VPN traffic to destinations that are necessary. vCloud Director 1.5 (and later) can also apply firewall rules to VPN traffic (filtering was previously restricted only to the remote end of a VPN tunnel).
The vCloud Director IPsec VPN has a maximum of 10 sites per vCloud Networking and Security Edge device.
The following figure shows a sample configuration for site-to-site VPN connectivity.
Figure 59. Site-to-Site VPN connectivity

The following features are not currently supported in the vCloud Networking and Security Edge VPN implementation:
*Remote endpoints with dynamic IP addresses.
*Site-to-site VPNs at the vApp network level (available only to organization virtual datacenter networks).
*SSL VPNs. These typically support per-user tunnels as opposed to network tunnels with IPsec VPNs, work over HTTPS, and are often based on vendor specific implementations.
*IPv6 support.
*Authentication types other than pre-shared keys, for example, certificates.
*Fenced vApps (VPN can be enabled only on routed networks).