NSX – Configure IPSec VPN service to enable site to site communication

What a PITA this has been. The process is reasonably straightforward, but trying to do this in a nested environment is a pain!! The settings below should be done on both ESGs (in my hands-on lab I created two ESGs, each with a directly connected “Internal” Logical Switch and an “Internet” Logical Switch, and used a DLR to act as the Internet router).

Something like this:

10.10.100.0/24 >Site 1 ESG Internal (10.10.100.1) > Site 1 ESG Internet (10.10.10.1) > Internet DLR (10.10.10.254) > Internet DLR (20.20.20.254) > Site 2 ESG Internet (20.20.20.1) > Site 2 ESG Internal (20.20.200.1) > 20.20.200.0/24

Enable IPSec VPN Service

You must enable the IPSec VPN service for traffic to flow from the local subnet to the peer subnet

1. Log in to the vSphere Web Client.

2. Click Networking & Security and then click NSX Edges.

3. Double-click an NSX Edge.

4. Click the Manage tab and then click the VPN tab.

5. Click IPSec VPN.

6. Click Enable.

Specify Global IPSec VPN Configuration

This enables IPSec VPN on the NSX Edge instance.

1. Log in to the vSphere Web Client.

2. Click Networking & Security and then click NSX Edges.

3. Double-click an NSX Edge.

4. Click the Manage tab and then click the VPN tab.

5. Click IPSec VPN.

6. Click Change next to Global configuration status.

7. Type a global pre-shared key for those sites whose peer endpoint is set to any and select Display shared key to display the key.

8. Select Enable certificate authentication and select the appropriate certificate.

9. Click OK.

Configure IPSec VPN Parameters

You must configure at least one external IP address on the NSX Edge to provide IPSec VPN service.

1. Log in to the vSphere Web Client.

2. Click Networking & Security and then click NSX Edges.

3. Double-click an NSX Edge.

4. Click the Monitor tab and then click the VPN tab.

5. Click IPSec VPN.

6. Click the Add icon.

7. Type a name for the IPSec VPN.

8. Type the IP address of the NSX Edge instance in Local Id. This will be the peer Id on the remote site.

9. Type the IP address of the local endpoint. If you are adding an IP to IP tunnel using a pre-shared key, the local Id and local endpoint IP can be the same.

10. Type the subnets to share between the sites in CIDR format. Use a comma separator to type multiple subnets.

11. Type the Peer Id to uniquely identify the peer site. For peers using certificate authentication, this ID must be the common name in the peer’s certificate. For PSK peers, this ID can be any string. VMware recommends that you use the public IP address of the VPN or a FQDN for the VPN service as the peer ID.

12. Type the IP address of the peer site in Peer Endpoint. If you leave this blank, NSX Edge waits for the peer device to request a connection.

13. Type the internal IP address of the peer subnet in CIDR format. Use a comma separator to type multiple subnets.

14. Select the Encryption Algorithm.

15. In Authentication Method, select one of the following:

  • PSK (Pre Shared Key): Indicates that the secret key shared between NSX Edge and the peer site is to be used for authentication. The secret key can be a string with a maximum length of 128 bytes.
  • Certificate: Indicates that the certificate defined at the global level is to be used for authentication.

16. Type the shared key in if anonymous sites are to connect to the VPN service.

17. Click Display Shared Key to display the key on the peer site.

18. In Diffie-Hellman (DH) Group, select the cryptography scheme that will allow the peer site and the NSX Edge to establish a shared secret over an insecure communications channel.

19. Edit the default MTU if required.

20. Select whether to enable or disable the Perfect Forward Secrecy (PFS) threshold. In IPsec negotiations, Perfect Forward Secrecy (PFS) ensures that each new cryptographic key is unrelated to any previous key.

21. Click OK.

NSX Edge creates a tunnel from the local subnet to the peer subnet.
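The two site definitions have to mirror each other (your Local Id and local subnets are the peer's Peer Id and peer subnets, and the PSK, algorithm and DH group must match), which is the usual reason a tunnel stays down. Below is an added consistency check, not part of the original post or of NSX itself; the site values are constructed from the lab topology above and the dictionary keys and algorithm labels are my own, not NSX API field names.

```python
import ipaddress

# Constructed sample: the IPsec site entered on each ESG in the lab above.
# Site 1 listens on 10.10.10.1, Site 2 on 20.20.20.1 (the "Internet" sides).
SITE1 = {
    "local_id": "10.10.10.1", "local_endpoint": "10.10.10.1",
    "local_subnets": ["10.10.100.0/24"],
    "peer_id": "20.20.20.1", "peer_endpoint": "20.20.20.1",
    "peer_subnets": ["20.20.200.0/24"],
    "encryption": "aes256", "dh_group": "dh14", "pfs": True,
    "psk": "lab-shared-secret",  # constructed value, not a real key
}
SITE2 = {
    "local_id": "20.20.20.1", "local_endpoint": "20.20.20.1",
    "local_subnets": ["20.20.200.0/24"],
    "peer_id": "10.10.10.1", "peer_endpoint": "10.10.10.1",
    "peer_subnets": ["10.10.100.0/24"],
    "encryption": "aes256", "dh_group": "dh14", "pfs": True,
    "psk": "lab-shared-secret",
}

MAX_PSK_BYTES = 128  # limit given in the PSK authentication step


def _nets(cidrs):
    """Parse CIDR strings; strict=True rejects entries with host bits set."""
    return {ipaddress.ip_network(c, strict=True) for c in cidrs}


def check_site_pair(a, b):
    """Return a list of mismatches between two ESG site configs (empty = consistent)."""
    problems = []
    for name, mine, other in (("site1", a, b), ("site2", b, a)):
        # Local Id typed on one edge must be the Peer Id on the other (steps 8 and 11)
        if mine["local_id"] != other["peer_id"]:
            problems.append(f"{name}: local_id {mine['local_id']} != peer_id on other side")
        if mine["local_endpoint"] != other["peer_endpoint"]:
            problems.append(f"{name}: local_endpoint != peer_endpoint on other side")
        # Local subnets on one edge must be the peer subnets on the other (steps 10 and 13)
        if _nets(mine["local_subnets"]) != _nets(other["peer_subnets"]):
            problems.append(f"{name}: local_subnets differ from other side's peer_subnets")
        # A local subnet overlapping a peer subnet can never be routed into the tunnel
        for ln in _nets(mine["local_subnets"]):
            for pn in _nets(mine["peer_subnets"]):
                if ln.overlaps(pn):
                    problems.append(f"{name}: local {ln} overlaps peer {pn}")
        if len(mine["psk"].encode()) > MAX_PSK_BYTES:
            problems.append(f"{name}: PSK longer than {MAX_PSK_BYTES} bytes")
    for key in ("encryption", "dh_group", "pfs", "psk"):  # must agree on both edges
        if a[key] != b[key]:
            problems.append(f"{key} differs between sites")
    return problems
```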

After all of this work, and all going well, you should see something like the following when you click “Show IPsec Statistics”:
