SITES (sites – Array)
|
|
|
|
|
enabled
|
Boolean
|
No
|
Enables the connection between the two VPN
endpoints
By default,
enabled is set to
true.
|
|
name
|
String
|
Yes
|
A name for the connection
|
|
description
|
String
|
No
|
A description for the connection
|
|
localId
|
String
|
Yes
|
The external IP address of the edge gateway
instance, which is the public IP address of the edge gateway
This value will be the
peer ID on the remote site.
|
|
localIp
|
String
|
Yes
|
The network that is the local endpoint for the
connection
The local endpoint
specifies the network in vCloud Air on which the edge gateway transmits.
Typically, the external network is the local endpoint.
Note
If you are adding an
IP-to-IP tunnel using a pre-shared key, the local ID and local endpoint IP
address can be the same.
|
|
peerId
|
String
|
Yes
|
The peer ID to uniquely identify the peer site
The peer ID is the
public IP address of the remote device terminating the VPN connection.
For peers using
certificate authentication, this ID must be the common name in the peer's
certificate. For PSK peers, this ID can be any string. VMware recommends that
you use the public IP address of the VPN or an FQDN for the VPN service as the
peer ID.
When the peer IP address
is from another organization VDC network, specify the native IP address of the
peer. When NAT is configured for the peer, enter the private IP address of the
peer.
|
|
peerIp
|
String
|
Yes
|
The IP address of the peer site,
which is the public IP address of the remote device to which you are connecting
When you leave this
setting empty, the edge gateway waits for the peer device to request a
connection.
Note
When NAT is
configured for the peer, enter the public IP address that the device uses for
NAT.
|
|
encryptionAlgorithm
|
String
|
No
|
The encryption type
Note
The encryption type
you set must match the encryption type configured on the remote site VPN
device.
|
|
mtu
|
Integer
|
No
|
The maximum transmission
value for the data packets
The MTU value cannot be
higher than the MTU value set on the edge gateway interface.
By default,
mtu is the MTU value of
the interface on which the tunnel is configured.
|
|
enablePfs
|
Boolean
|
No
|
Generates unique public keys for
all sessions your users initiate
Enabling PFS ensures
that
Advanced
Networking Services does not create a link between the edge gateway private
key and each session key.
The compromise of a
session key does affect data other than that exchanged in the specific session
protected by that particular key. Compromise of the server's private key cannot
be used to decrypt archived sessions or future sessions. When PFS is enabled,
IPsec VPN connections to
vCloud Air
experience a slight processing overhead.
Note
The unique session
keys must not be used to derive any additional keys. Additionally, both sides
of the IPsec VPN tunnel must support PFS for it to work.
By default,
enablePfs is set to
true.
|
|
dhGroup
|
String
|
No
|
The cryptography scheme
(Diffie-Hellman Group) that allows the peer site and the edge gateway for
Advanced
Networking Services to establish a shared secret over an insecure
communications channel
If you set PSK as the
authentication type, set the cryptography scheme that will allow the peer site
and the edge gateway in
Advanced
Networking Services to establish a shared secret over an insecure
communications channel.
Note
The Diffie-Hellman
Group must match what is configured on the remote site VPN device.
|
|
localSubnets |
subnets
|
Array | String
|
Yes
|
The networks to share between the
sites
Use a comma separator to
specify multiple subnets.
Note
Specify a network
range (not a specific IP address) by setting the IP address using CIDR format;
for example, 192.168.99.0/24.
|
|
peerSubnets |
subnets
|
Array | String
|
Yes
|
The remote network to which the
VPN connects
Use a comma separator to
specify multiple subnets.
Note
Specify a network
range (not a specific IP address) by setting the IP address using CIDR format;
for example, 192.168.99.0/24.
|
|
psk
|
String
|
No
|
Sets PSK (pre-shared key) as the
authentication type
Set an alphanumeric
string between 32 and 128 characters, which includes at least one uppercase
letter, one lowercase letter, and one number.
Indicates that the
secret key shared between
vCloud Air and
the peer site is used for authentication.
Note
The shared key must
match the key that is configured on the remote site VPN device. VMware
recommends that you configure a shared key when anonymous sites will connect to
the VPN service.
Setting
psk is not required
when the value is set to
any.
|
|
certificate
|
String
|
No
|
Associates a certificate with the
IPsec VPN
Specify the ID of the
certificate. If necessary, submit a GET request to the
certificate object to
obtain the certificate ID.
|
|
authenticationMode
|
String
|
Yes
|
The authentication mode
Set the mode as one of
the following options:
■
|
psk — Indicates that
the secret key shared between
vCloud Air and
the peer site is used for authentication.
|
■
|
certificate — Indicates
that the certificate defined at the global level is used for authentication.
|
|
|
extension
|
String
|
Yes
|
Sets one of the following options:
■
|
securelocaltrafficbyip=IPAddress to re-direct the edge gateway local
traffic over the IPsec VPN tunnel
This is the default
value.
|
■
|
passthroughSubnets=PeerSubnetIPAddress to support overlapping subnets
|
To disable this option,
set
extension as
securelocaltrafficbyip=0.
|