
NSX Edge Gateway supports site-to-site VPN between an NSX Edge and remote sites. In a nutshell, the original packet is authenticated and encrypted, then encapsulated with an Encapsulating Security Payload (ESP) header, trailer, and authentication data; in tunnel mode a new outer IP header carries it between the two gateways. The following screenshot depicts the initial IPsec VPN configuration:

Using the topology shared earlier, the requirement is to establish an IPsec tunnel between Site-B and the remote site (192.168.5.0/24). Let's get started.

Following is the procedure for configuring IPsec:

1. Log in to the vSphere web client.
2. Click Networking & Security and then click NSX Edges.
3. Double-click an NSX Edge.
4. Click the Manage tab and then click the VPN tab.
5. Click IPSec VPN.
6. Click the add icon.
7. Type a name for the IPsec VPN.
8. Type the IP address of the NSX Edge instance in Local Id. This will be the Peer Id on the remote site.
9. Type the IP address of the local endpoint. If you are adding an IP-to-IP tunnel using a pre-shared key, the local ID and the local endpoint IP can be the same.
10. Type the subnets to share between the sites in CIDR format. Use a comma separator to type multiple subnets.
11. Type the Peer Id to uniquely identify the peer site. For peers using certificate authentication, this ID must be the common name in the peer's certificate. For PSK peers, this ID can be any string. VMware recommends that you use the public IP address of the VPN or an FQDN for the VPN service as the peer ID.
12. Type the IP address of the peer site in Peer Endpoint. If you leave this blank, NSX Edge waits for the peer device to request a connection.
13. Type the internal subnets of the peer site in CIDR format. Use a comma separator to type multiple subnets.
14. Select the Encryption Algorithm.
15. Select the authentication method:
    Pre-Shared Key (PSK): the secret key shared between NSX Edge and the peer site is used for authentication. The secret key can be a string with a maximum length of 128 bytes. NSX IPsec VPN supports symmetric keys.
    Certificate: the certificate defined at the global level is used for authentication.
16. Type in the shared key if anonymous sites are to connect to the VPN service.
17. In Diffie-Hellman (DH) Group, select the cryptography scheme that will allow the peer site and the NSX Edge to establish a shared secret over an insecure communications channel.
18. Edit the default MTU if required.
19. Select whether to enable or disable Perfect Forward Secrecy (PFS). In IPsec negotiations, PFS ensures that each new cryptographic key is unrelated to any previous key.
20. Click OK.
21. Enable VPN.

As per our topology, we have updated the IPsec configuration on the Edge. Once we configure the partner device, the IPsec tunnel will be established.

The IKE phase 1 parameters used by the NSX Edge include:

Main mode
AES / AES 256 preferred / TripleDES / SHA-1
MODP (DH) group 2 (MODP1024 bits)
Pre-shared secret [Configurable]
SA lifetime of 28800 seconds (eight hours) with no kilobytes rekeying
ISAKMP aggressive mode disabled

The IKE phase 2 parameters supported by NSX Edge include:

AES / AES 256 preferred / TripleDES [will match the Phase 1 setting]
SHA-1
ESP tunnel mode
MODP (DH) group 2 (MODP1024 bits)
Perfect forward secrecy for rekeying
SA lifetime of 3600 seconds (one hour) with no kilobytes rekeying
Selectors for all IP protocols and all ports between the two networks, using IPv4 subnets

The remote peer must offer matching proposals, otherwise phase 1 or phase 2 negotiation fails. Note that DH group 2 (1024-bit MODP) and SHA-1 are legacy choices; if the peer supports a stronger DH group, select it in the Edge's DH Group setting and configure the same group on the peer.
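The steps above configure the NSX Edge side; the remote site still has to be told the same IDs, selectors and phase 1/phase 2 proposals. The following added example (not code from the original text or from VMware) takes the values typed into the NSX Edge IPsec VPN dialog, applies the checks the dialog's rules imply (CIDR-formatted comma-separated subnets, the 128-byte PSK limit, IPv4-only selectors, non-overlapping local and peer subnets, a warning on DH group 2), and renders the matching strongSwan ipsec.conf stanza and ipsec.secrets line for the remote site. The Edge's Local Id becomes the remote side's rightid, and a blank Peer Endpoint on the Edge is handled by letting the remote side initiate. The endpoint addresses, IDs, local subnets and the key in EXAMPLE_SITE are constructed for illustration; the remote subnet 192.168.5.0/24 is the one used in the text, and the mapping from dialog choices to strongSwan proposal names is an assumption to check against your NSX version.

```python
"""Mirror an NSX Edge IPsec VPN site on a strongSwan peer.

Added example, not code from the original text or from VMware. Addresses, IDs
and the key in EXAMPLE_SITE are constructed; 192.168.5.0/24 comes from the text.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

# Phase 1 / Phase 2 values listed for NSX Edge (IKEv1 main mode, ESP tunnel mode).
NSX_IKE_LIFETIME_S = 28800   # phase 1 SA lifetime, no kilobyte rekeying
NSX_ESP_LIFETIME_S = 3600    # phase 2 SA lifetime, no kilobyte rekeying
NSX_HASH = "sha1"
MAX_PSK_BYTES = 128          # PSK limit stated in the dialog
# strongSwan proposal names for the dialog's algorithm and DH group choices
# (assumed mapping; check which DH groups your NSX version actually offers).
ENC_ALG = {"AES": "aes128", "AES256": "aes256", "TripleDES": "3des"}
DH_GROUP = {2: "modp1024", 5: "modp1536", 14: "modp2048"}


@dataclass
class IpsecSite:
    """One site as entered in the NSX Edge dialog (subnet fields are the raw CSV text)."""
    name: str
    local_id: str        # Local Id on the Edge; becomes Peer Id on the remote side
    local_endpoint: str  # Edge uplink IP
    local_subnets: str   # comma-separated CIDRs behind the Edge
    peer_id: str
    peer_endpoint: str   # "" means the Edge only waits for the peer to connect
    peer_subnets: str    # comma-separated CIDRs behind the remote site
    encryption: str = "AES256"
    dh_group: int = 2
    pfs: bool = True
    psk: str = ""


def parse_subnets(field: str) -> List[str]:
    """Split a comma-separated CIDR field; reject host addresses and non-IPv4 entries."""
    nets = []
    for item in field.split(","):
        item = item.strip()
        if not item:
            continue
        net = ipaddress.ip_network(item, strict=True)   # "192.168.5.1/24" raises here
        if net.version != 4:
            raise ValueError(f"NSX Edge IPsec selectors are IPv4 only: {item}")
        nets.append(str(net))
    if not nets:
        raise ValueError("at least one subnet is required")
    return nets


def validate(site: IpsecSite) -> List[str]:
    """Return the problems found; an empty list means the site can be rendered as-is."""
    problems = []
    if not site.psk:
        problems.append("PSK is empty")
    elif len(site.psk.encode()) > MAX_PSK_BYTES:
        problems.append("PSK longer than 128 bytes")
    if site.encryption not in ENC_ALG:
        problems.append(f"unknown encryption algorithm {site.encryption!r}")
    if site.dh_group not in DH_GROUP:
        problems.append(f"unsupported DH group {site.dh_group}")
    elif site.dh_group == 2:
        problems.append("DH group 2 (1024-bit MODP) is legacy; use 14 or higher if the peer supports it")
    try:
        local = [ipaddress.ip_network(n) for n in parse_subnets(site.local_subnets)]
        peer = [ipaddress.ip_network(n) for n in parse_subnets(site.peer_subnets)]
        if any(l.overlaps(p) for l in local for p in peer):
            problems.append("local and peer subnets overlap; the selectors would be ambiguous")
    except ValueError as exc:
        problems.append(f"bad subnet field: {exc}")
    return problems


def render_strongswan(site: IpsecSite) -> str:
    """ipsec.conf stanza for the remote site (left = remote site, right = NSX Edge)."""
    proposal = f"{ENC_ALG[site.encryption]}-{NSX_HASH}-{DH_GROUP[site.dh_group]}"
    esp = proposal if site.pfs else proposal.rsplit("-", 1)[0]   # no DH group in esp = no PFS
    lines = [
        f"conn {site.name}",
        "    keyexchange=ikev1",
        "    aggressive=no",                  # NSX Edge has ISAKMP aggressive mode disabled
        "    authby=secret",
        "    type=tunnel",                    # ESP tunnel mode
        f"    left={site.peer_endpoint or '%defaultroute'}",
        f"    leftid={site.peer_id}",
        f"    leftsubnet={','.join(parse_subnets(site.peer_subnets))}",
        f"    right={site.local_endpoint}",
        f"    rightid={site.local_id}",
        f"    rightsubnet={','.join(parse_subnets(site.local_subnets))}",
        f"    ike={proposal}!",               # '!' = strict: offer exactly this proposal
        f"    esp={esp}!",
        f"    ikelifetime={NSX_IKE_LIFETIME_S}s",
        f"    lifetime={NSX_ESP_LIFETIME_S}s",
        "    auto=start",                     # remote side initiates, so a blank Peer Endpoint on the Edge works
    ]
    return "\n".join(lines)


def render_secrets(site: IpsecSite) -> str:
    """ipsec.secrets line binding the PSK to the two IKE identities."""
    return f'{site.peer_id} {site.local_id} : PSK "{site.psk}"'


# Constructed example: Site-B Edge (203.0.113.10) to the remote site 192.168.5.0/24.
EXAMPLE_SITE = IpsecSite(
    name="siteb-to-remote",
    local_id="203.0.113.10", local_endpoint="203.0.113.10",
    local_subnets="10.20.0.0/24, 10.21.0.0/24",
    peer_id="198.51.100.20", peer_endpoint="198.51.100.20",
    peer_subnets="192.168.5.0/24",
    psk="Correct-Horse-Battery-Staple-2024",
)

if __name__ == "__main__":
    for problem in validate(EXAMPLE_SITE):
        print("WARNING:", problem)
    print(render_strongswan(EXAMPLE_SITE))
    print(render_secrets(EXAMPLE_SITE))
```

Running the script against EXAMPLE_SITE prints a single warning (the DH group 2 default) followed by the conn stanza and secrets line; disabling PFS drops the DH group from the esp proposal, and leaving the Edge's Peer Endpoint blank turns the remote side's left into %defaultroute with auto=start so that it is the initiator.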

L2 VPN

L2 VPN allows us to configure a tunnel between two sites that stretches a layer 2 segment across them. As I said earlier, virtual machines stay on the same subnet irrespective of where they are moved. As per our topology, we need to establish an L2 VPN between Site-C and the remote site 192.168.5.0/24. In our example, Site-C is the L2 VPN server and the remote site is the L2 VPN client. The L2 VPN server is the NSX Edge at the source site to which the L2 VPN client at the destination site connects.

Prerequisites

The internal IP address assigned to the L2 VPN server and client must be different. They can be on the same subnet.

1. Log in to the vSphere web client.
2. Click Networking & Security and then click NSX Edges.
3. Double-click an NSX Edge.
4. Click the Manage tab and then click the VPN tab.
5. Click L2 VPN, select Server, and click Change.
6. Expand Server Details.
7. In Listener IP, type the primary or secondary IP address of an external interface of the NSX Edge. In our example, the IP is 192.168.9.1.
8. The default port for the L2 VPN service is 443. Edit this if required.
9. Select the encryption method.
10. Select the internal interface of the NSX Edge that is being stretched. This interface must be connected to a DV port group or logical switch.
11. Type a description.
12. Expand User Details and type the username and password.
13. In Server Certificates, do one of the following:
    1. Select Use System Generated Certificate to use a self-signed certificate for authentication.
    2. Select the signed certificate to be used for authentication.
14. Click OK.

A system-generated certificate is self-signed, so the client has no trusted anchor against which to validate the server's identity; for anything beyond a lab, use a CA-signed certificate.

To configure the L2 VPN client, all we need to update is the address of the server to which the client connects and the internal interface that needs to be stretched. Apart from these details, the rest of the configuration (port, encryption method and user credentials) must match the server, and the L2 tunnel will be up and running once it is applied. The client settings used in our example are:

L2VPN Service Status: Enabled
Server Address: 192.168.9.1
Server Port: 443
Internal Interface: Internal Interface-B
User Id: vpn-user
