Andras Dosztal
Network architect
Jul 24, 2018

Demystifying vCloud Director VPN peer settings


At first glance, the site-to-site VPN peer settings of VMware’s vCloud Director look confusing: there’s no clear separation of the IPsec phases, some of the IKE parameters are missing, and so on. I’ll clear the picture in this article.

First of all, you can only create a route-based VPN (the “tunnel” action can’t be set in the firewall policies), but you can’t create a Virtual Tunnel Interface (VTI); this will be important later.

Now let’s see what the VPN peer settings look like:

[Screenshot: NSX Edge VPN in vCloud]

In these settings:

  • Local Id & Endpoint: both are set to the IP address of the NSX Edge gateway.
  • Local / Peer subnets: since you can’t create a VTI and run static or dynamic routing over it, you have to list the subnets of each side here (i.e. you can’t just set 0.0.0.0/0 on both sides). On the other hand, you should summarize these where you can, because every local/peer subnet pair becomes a separate Phase 2 proposal on the other end (e.g. with 4 subnets on each side, you’ll need to create 16 (!) P2 proposals on a FortiGate).
  • Encryption Algorithm applies to both Phase 1 and 2.
  • You can’t select a hash algorithm; it’s fixed to SHA1.
  • You also can’t change the lifetime settings; they are fixed at 28,800 s for Phase 1 and 3,600 s for Phase 2.
  • The DH group applies to Phase 1 as well as to PFS in Phase 2.
  • The rest is obvious. 😄
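To make the mapping concrete, here is an added Python example (not vCloud Director’s or VMware’s code) that turns a vCloud peer definition into the parameter set the remote side must match, expanding the local/peer subnet lists into Phase 2 selector pairs and showing how summarization shrinks 16 selectors to 1. The subnets, endpoint addresses, encryption name and DH group are constructed sample values; the fixed hash and lifetimes are the ones described above.

```python
"""Derive the remote-peer IPsec parameters implied by a vCloud Director
(NSX Edge) VPN peer definition. Constructed example, not vendor code."""
import ipaddress
from itertools import product

# Values the NSX Edge VPN UI does not let you change (see the list above).
FIXED_HASH = "sha1"
PHASE1_LIFETIME_S = 28800
PHASE2_LIFETIME_S = 3600


def summarize(subnets):
    """Collapse CIDR strings into the fewest covering prefixes."""
    nets = [ipaddress.ip_network(s, strict=False) for s in subnets]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def phase2_selectors(local_subnets, peer_subnets):
    """Each local/peer pair is one Phase 2 selector (proxy ID) on the far end,
    so the count is the product of the two list lengths."""
    return list(product(local_subnets, peer_subnets))


def peer_config(local_ip, peer_ip, local_subnets, peer_subnets,
                encryption, dh_group, summarize_subnets=True):
    """Return the Phase 1 / Phase 2 settings the remote peer has to mirror."""
    local = summarize(local_subnets) if summarize_subnets else list(local_subnets)
    peer = summarize(peer_subnets) if summarize_subnets else list(peer_subnets)
    return {
        "phase1": {"local_id": local_ip, "local_endpoint": local_ip,
                   "peer_endpoint": peer_ip, "encryption": encryption,
                   "hash": FIXED_HASH, "dh_group": dh_group,
                   "lifetime_s": PHASE1_LIFETIME_S},
        "phase2": {"encryption": encryption,      # same cipher in both phases
                   "hash": FIXED_HASH,
                   "pfs_dh_group": dh_group,      # DH group doubles as PFS group
                   "lifetime_s": PHASE2_LIFETIME_S,
                   "selectors": phase2_selectors(local, peer)},
    }


# Constructed sample: four contiguous /24s on each side.
LOCAL = ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
PEER = ["192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]

if __name__ == "__main__":
    raw = peer_config("203.0.113.10", "198.51.100.20", LOCAL, PEER,
                      "AES256", 14, summarize_subnets=False)
    summ = peer_config("203.0.113.10", "198.51.100.20", LOCAL, PEER, "AES256", 14)
    print(len(raw["phase2"]["selectors"]), "selectors without summarization")
    print(summ["phase2"]["selectors"], "with summarization")
```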