Configuring VPNs
vShield Edge agents support site‐to‐site IPSec VPN between a vShield Edge appliance and remote sites. On
both ends, static one‐to‐one NAT is required for the VPN address.
Figure 5-1. vShield Edge Providing VPN Access from a Remote Site to a Secured Port Group
At this time, vShield Edge agents support pre‐shared key mode, IP unicast traffic, and no dynamic routing
protocol between the vShield Edge and remote VPN routers. Behind each remote VPN router, you can
configure multiple subnets to connect to the internal network behind a vShield Edge through IPSec tunnels.
These subnets and the internal network behind a vShield Edge must have non‐overlapping address ranges.
You can deploy a vShield Edge agent behind a NAT device. In this deployment, the NAT device translates the
vShield Edge agent's VPN address into a publicly accessible address facing the Internet; remote VPN routers use
this public address to reach the vShield Edge.
Remote VPN routers can be located behind a NAT device as well. You must provide both the VPN native
address and the NAT public address to set up the tunnel.
All VPN settings configured by using REST requests appear under the vShield Edge > VPN tab for the
appropriate vShield Edge in the vShield Manager user interface and vSphere Client plug‐in.
For the VPN schema, see "VPN Schema" on page 83.
Get the Status of VPN Service
You can determine if the VPN service on a vShield Edge is running or stopped by requesting the service status.
Example 5-32. Getting the Status of VPN Service
Request:
GET <vshield_manager-uri>/api/1.0/network/<portgroup-moid>/vpn/ipsec/service
Example:
GET /api/1.0/network/network-244/vpn/ipsec/service HTTP/1.1
Authorization: Basic YWRtaW46ZGVmYXVsdA==
Host: localhost:9998
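The deployment rules above (non-overlapping subnets, native plus NAT public address for a router behind NAT) and the status request in Example 5-32, as an added Python illustration that is not part of the VMware manual. The site names, addresses and the behind_nat flag are constructed assumptions; the REST path, port group id and the credentials encoded in the example's Authorization header come from the page. The overlap check also flags remote subnets that collide with each other, which goes slightly beyond the text.

```python
import base64
import ipaddress

# Constructed sample plan (site names and addresses are illustrative assumptions).
INTERNAL_NETWORK = "10.10.0.0/16"
REMOTE_SITES = [
    {"name": "branch-a", "behind_nat": True, "native_address": "192.168.1.1",
     "nat_public_address": "203.0.113.10",
     "subnets": ["172.16.0.0/24", "172.16.1.0/24"]},
    {"name": "branch-b", "behind_nat": True, "native_address": "192.168.2.1",
     "nat_public_address": None,             # missing: tunnel cannot be set up
     "subnets": ["10.10.5.0/24"]},            # overlaps the internal network
]

def plan_problems(internal, sites):
    """Return a list of problems with a site-to-site IPSec plan: every remote
    subnet must be disjoint from the internal network and from the subnets of
    the other sites, and a router behind NAT needs its native address plus the
    NAT public address that the vShield Edge will actually reach."""
    internal_net = ipaddress.ip_network(internal)
    accepted = []  # (site name, network) pairs checked so far
    problems = []
    for site in sites:
        if site["behind_nat"] and not site.get("nat_public_address"):
            problems.append(f"{site['name']}: behind NAT but no NAT public address")
        for cidr in site["subnets"]:
            net = ipaddress.ip_network(cidr)
            if net.overlaps(internal_net):
                problems.append(f"{site['name']}: {net} overlaps internal {internal_net}")
            for other_name, other in accepted:
                if net.overlaps(other):
                    problems.append(f"{site['name']}: {net} overlaps {other} of {other_name}")
            accepted.append((site["name"], net))
    return problems

def status_request(portgroup_moid, user, password, host="localhost:9998"):
    """Build the raw HTTP/1.1 GET from Example 5-32 that asks vShield Manager
    whether the IPSec VPN service on a port group is running or stopped.
    Basic auth is only base64(user:password), so send it over TLS only."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return (f"GET /api/1.0/network/{portgroup_moid}/vpn/ipsec/service HTTP/1.1\r\n"
            f"Authorization: Basic {token}\r\n"
            f"Host: {host}\r\n\r\n")

if __name__ == "__main__":
    for problem in plan_problems(INTERNAL_NETWORK, REMOTE_SITES):
        print("PROBLEM:", problem)
    print(status_request("network-244", "admin", "default"))
```

Running it reports the two defects in the constructed plan and prints a request whose Authorization header matches the one in Example 5-32.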
VMware, Inc.
Chapter 5 vShield Edge Management
39