This table lists the IPSec S2S VPN tunnel parameters for vCloud Director version 9.7. Parameters that are hard-wired in the Edge properties and cannot be changed are marked in red.
| Name | Default Value | Recommended Value | Options | Description |
| Enabled | off |
Turn on / off the tunnel |
||
| Enabled perfect forward secrecy (PFS) | off | on | Generation of a new key for the 2nd phase of IKE. With PFS enabled, the DH group will be the same as in the 1st phase. | |
| Name | Tunnel name | |||
| Local Id |
Edge Gateway ID. As a rule - its external IP address |
|||
| Local Endpoint | Edge external IP address from which to connect | |||
| Local Subnets |
List of LANs in the cloud accessible through the tunnel |
|||
| Peer Id |
ID of the remote router. As a rule - its external IP address |
|||
| Peer Endpoint | The external IP address of the remote router from which you are connecting | |||
| Peer Subnets | List of remote networks accessible through the tunnel | |||
| Encryption Algorithm | AES(AES128) | AES256 | AES(AES128), AES256,AES-CGM, 3DES | Encryption algorithms. 3DES is deprecated and is not recommended |
| Authentication | PSK | PSK | PSK, Certificate | How to authenticate parties when raising a tunnel |
| Diffie-Hellman Group | DH5 | DH14 | DH2, DH5, DH14, DH15, DH16 | Encryption Public Key Size |
| Digest Algorithm | SHA1 | SHA-256 | SHA1, SHA-256 | Package Integrity Control Hash Algorithm |
| IKE Option | IKEv1 | IKEv2 | IKEv1, IKEv2, IKEFlex | Key Exchange Protocol Version * |
| IKE Responder only | Off | Off | When turned on, Edge will not initiate a connection, but will wait for a connection from a remote side. ** | |
| Session Type | Policy based | Policy based | Policy based, Route based | Tunnel type*** |
| IKE Phase 1 Mode | Main | Main | Main | 1st phase IKE mode. Immutable parameter. |
| IKE Phase 1 Lifetime | 28800 | 28800 | 28800 | Key change time of the 1st phase of IKE. Immutable parameter |
| IKE Phase 2 Tunnel Mode | ESP | ESP | ESP | Tunnel mode 2nd phase IKE. Immutable parameter |
| IKE Phase 2 Lifetime | 3600 | 3600 | 3600 | Key change time of the 2-nd phase of IKE. Immutable parameter |
* - IKEFlex - non-standard version of the protocol that is not supported by most network devices
** - Configuration can be useful when the remote endpoint of the tunnel does not have direct Internet access and there is no way to correctly configure NAT
*** - Route Based Type allows assigning your own IP address to the tunnel. This option is supported by a number of network devices, such as Juniper SRX, and allows implementing various fault tolerance schemes using dynamic routing.
