VMWare Cloud - это платформа для размещения виртуальных машин (https://cloud.vmware.com). Часто такую используют крупные провайдеры, предоставляя ресурсы в Дата-Центре.
Мы можем разместить свои сервера в ДЦ.
А чтобы соединить подсеть ДЦ с внутренней подсетью, нам необходимо подключиться по IPSec.

Настраиваем Route Based VPN

Juniper SRX 650

1) Создание туннельного интерфейса, зоны безопасности и статического маршрута на сеть VDC:

set interfaces st0 unit 10 description "To cloud Tunnel"
set interfaces st0 unit 10 family inet address 10.2.252.25/30
set security zones security-zone vpn interfaces st0.10
set routing-options static route 10.240.0.0/16 next-hop 10.2.252.26

2) Настройка IKE phase 1:

set security ike proposal PRP-IKE-EDGE authentication-method pre-shared-keys
set security ike proposal PRP-IKE-EDGE dh-group group14
set security ike proposal PRP-IKE-EDGE authentication-algorithm sha1
set security ike proposal PRP-IKE-EDGE encryption-algorithm aes-128-cbc
set security ike proposal PRP-IKE-EDGE lifetime-seconds 28800

set security ike policy ike-policy-cloud mode main
set security ike policy ike-policy-cloud proposals PRP-IKE-EDGE
set security ike policy ike-policy-cloud pre-shared-key ascii-text [PASSWORD]

set security ike gateway ike-gate-cloud ike-policy ike-policy-cloud
set security ike gateway ike-gate-cloud address [IP EDGE Cloud]
set security ike gateway ike-gate-cloud external-interface lo0.0
set security ike gateway ike-gate-cloud local-address [IP Juniper]

3) Настройка IKE phase 2:

set security ipsec proposal PRP-IPS-EDGE protocol esp
set security ipsec proposal PRP-IPS-EDGE authentication-algorithm hmac-sha1-96
set security ipsec proposal PRP-IPS-EDGE encryption-algorithm aes-128-cbc
set security ipsec proposal PRP-IPS-EDGE lifetime-seconds 3600

set security ipsec policy ipsec-policy-cloud perfect-forward-secrecy keys group14
set security ipsec policy ipsec-policy-cloud proposals PRP-IPS-EDGE

set security ipsec vpn ipsec-vpn-cloud bind-interface st0.10
set security ipsec vpn ipsec-vpn-cloud ike gateway ike-gate-cloud
set security ipsec vpn ipsec-vpn-cloud ike proxy-identity local 10.10.0.0/16 remote 10.240.0.0/16 service any
set security ipsec vpn ipsec-vpn-cloud ike ipsec-policy ipsec-policy-cloud
set security ipsec vpn ipsec-vpn-cloud establish-tunnels immediately

set security zones security-zone vpn address-book address net-cloud-10_240_0_0-16 10.240.0.0/16

set security policies from-zone trust to-zone vpn policy trust-vpn-cloud match source-address net-imh
set security policies from-zone trust to-zone vpn policy trust-vpn-cloud match destination-address net-cloud-10_240_0_0-16
set security policies from-zone trust to-zone vpn policy trust-vpn-cloud match application any
set security policies from-zone trust to-zone vpn policy trust-vpn-cloud then permit

set security policies from-zone vpn to-zone trust policy vpn-trust-cloud match source-address net-cloud-10_240_0_0-16
set security policies from-zone vpn to-zone trust policy vpn-trust-cloud match destination-address net-imh
set security policies from-zone vpn to-zone trust policy vpn-trust-cloud match application any
set security policies from-zone vpn to-zone trust policy vpn-trust-cloud then permit

Настройки со стороны VMWare Cloud

Проверка

SRX> show security ike security-associations | match 92.X.149.136 
5687084 UP     2bd01e30587976f3  ce200e6e99fbe13e  Main           92.X.149.136

SRX> show security ipsec security-associations | match 92.X.149.136 
  131094 ESP:aes-cbc-128/sha1 c3621395 2600/ unlim - root 500 92.246.149.136 

SRX> show interfaces st0.10 terse    
Interface               Admin Link Proto    Local                 Remote
st0.10                  up    up   inet     10.2.252.25/30  


SRX> ping 10.2.252.26 
PING 10.2.252.26 (10.2.252.26): 56 data bytes
64 bytes from 10.2.252.26: icmp_seq=0 ttl=64 time=3.375 ms
64 bytes from 10.2.252.26: icmp_seq=1 ttl=64 time=3.264 ms
64 bytes from 10.2.252.26: icmp_seq=2 ttl=64 time=3.199 ms
64 bytes from 10.2.252.26: icmp_seq=3 ttl=64 time=3.245 ms