Skip to main content
Skip table of contents

How to create a site-to-site vpn tunnel


This article describes how you can create a site-to-site VPN tunnel in Copaco VMware Cloud.


  • An active Copaco VMware Cloud subscription;

  • An account with administrator permissions on the Copaco VMware Cloud environment;

  • An an Organization Network.

Getting Started

  1. Login to the customer tenant environment from Copaco VMware Cloud.

  2. Click Edges, select the Edge gateway rule and click Services.


  3. Go to the VPN tab and enable IPsec VPN Service Status.


  4. Go to the IPsec VPN Sites tab and press the + button.


  5. Enable the configuration by toggling the Enabled.

  6. Specify the details and Click Keep.


    • Name: The name for the VPN tunnel

    • Local ID: The IP Address of your Edge Gateway in Copaco VMware Cloud

    • Local Endpoint: Same IP address as your Local ID (You can click Select)

    • Local Subnets: The private subnet that you have defined for your VMware cloud network

    • Peer Id: This is the IP address of the on-premise firewall

    • Peer Endpoint: This is the same address as you used for the peer Id

    • Peer Subnets: This is the subnet that you use in your on-premise environment

    • Extension: Leave this field empty

    • Encryption Algorithm: Choose what Algorithm you want to use. We support AES, AES256, AES-GCM, 3DES. (which algorithm you need to use depends on your on-premise firewall model)

    • Authentication: Here you can choose which authentication method you want to use; PSK or certificate. ( make sure that you use the same method on both sides.)

    • Pre-Shared key: Here you need to define a pre-shared key (make sure that you use the same PSK on both sides.

    • Diffie-Hellman Group: Here you can define which DH group you want to use. We support DH5, DH 14, DH 15 and DH16. ( which algorithm you need to use depends on your on-premise firewall model)\

    • Digest Algorithm: Here you can define which Digest Algorithm you want to use. We support SHA1 and SHA-256

    • IKE Option: Here you can define which IKE version you want to use. We support IKEv1, IKEv2, IKEFlex

    • IKE Responder Only: Here you can define if you want to enable or disable IKE Reponder Only

    • Session Type: Leave this by default to Policy Based Session

  7. Now you need to configure the on-premise side. You need to use the following settings:


    Phase 1:

    > IKE Version: Ikev1

    Authentication Algorithm: sha1

    > SA Lifetime: 28800 seconds


    Phase 2:

     > Authentication Algorithm: sha1

    SA Lifetime: 3600 seconds

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.