Summary
As Zettagrid has been upgrading our core VMware networking backend from NSX-V to NSX-T, we have found a few customer requirements that are supported in NSX-V but not in NSX-T. This is our solution for those customers who still need to connect a VPN from a dynamic IP address, using a Peer ID rather than an IP address as the remote CPE identifier. This is mostly needed when the remote side connects from a source that does not have a static IP, e.g. mobile services on 4G/5G networks.
...
Connected to two new networks, VPN_EXTERNAL and VPN_INTERNAL; refer to the network diagram above.
Scope and Responsibilities
As this is a change that we require, Zettagrid will do the following:
...
Once the VPN has been moved, Zettagrid will schedule a time to migrate the customer's vDC from NSX-V to NSX-T.
VPN Appliance User Manual
Remote access
If not already configured, configure remote access to the appliance so that customers can log on to it.
NSX-V Edge
Create a new DNAT rule in the Edge Gateway. Set the Original Port to something other than 443 if you already have HTTPS web servers published. The Original IP will be the external IP of your vDC; you can get this by pressing Select.
...
Create a new firewall rule with the Source IP being the admin/management IP you want to administer the appliance from, the Destination IP being the Original IP from the DNAT rule above, and the Service being the Original Port from the DNAT rule above. Restrict the source to your admin IP only; do not expose the appliance's web interface to any source.
...
NSX-T
Create IP Sets for your admin IP and for the VPN appliance.
...
Then create the firewall rule.
...
Logging in
You should now be able to log in to the appliance from your administrative IP via the external IP and port. For example, if the external IP is 119.252.85.10 and you are mapping port 9443 to 443, the URL would be https://119.252.85.10:9443
Using the username and password supplied by Zettagrid, you should be able to log in and see the base dashboard.
...
Troubleshoot VPN
The following process should also be carried out on the remote side of the VPN.
Confirm VPN Status
Go to, VPN → IPSEC → Status Overview
If the VPN is up, the Status column shows a green arrow. If it is down, it shows a red X.
Down
...
Up
...
Confirm VPN Settings
Go to VPN → IPSEC → Tunnel Settings
...
Phase 1 Details (IKE)
Select Edit
...
Then compare the following settings with the remote end:
IKE Key Exchange Version should match the remote VPN
My Identifier should be the Peer IP (identifier) configured on the remote VPN
Peer Identifier should be the Peer ID configured on the remote VPN
Pre-Shared Key should match the configuration on the remote VPN
Phase 1 proposal (Algorithms) should match what is configured on the remote VPN:
Encryption algorithm
Hash algorithm
DH key group
Dead Peer Detection should match the DPD configuration on the remote VPN
Lifetime should match the configuration on the remote VPN
Phase 2 (IPSEC)
Select Edit under Phase 2
...
Local Network will be the remote network configured on the remote VPN
Remote Network will be the local network configured on the remote VPN
Phase 2 proposal (SA/Key Exchange) should match what is configured on the remote VPN:
Protocol should be ESP on both sides
Encryption algorithms
Hash algorithms
PFS key group
Lifetime
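As an added example (our own code, not part of the Zettagrid article or of OPNsense), the Phase 1 and Phase 2 checklist above can be encoded as a cross-check that takes the values read off both ends' Tunnel Settings pages and reports every disagreement at once, instead of eyeballing two screens. It also applies the rule from the Configure New VPN section that My Identifier on the appliance must be its public IP, and flags an appliance that tries to identify a dynamic-IP remote by address instead of by Peer ID. The field names are our own, and the sample networks, the PSK placeholder and the Peer ID site-b.example are constructed for the example; 119.252.85.10 is the public IP used in the article.

```python
# Added example: cross-check of the Phase 1 / Phase 2 checklist. Not Zettagrid or
# OPNsense code; field names are our own and the values below are constructed.
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Phase1:
    ike_version: str      # IKE Key Exchange Version, e.g. "IKEv2"
    my_identifier: str    # My Identifier on this end
    peer_identifier: str  # Peer Identifier on this end
    psk: str              # Pre-Shared Key
    encryption: str       # Phase 1 encryption algorithm
    hash_alg: str         # Phase 1 hash algorithm
    dh_group: int         # DH key group
    dpd: bool             # Dead Peer Detection enabled
    lifetime: int         # seconds


@dataclass(frozen=True)
class Phase2:
    protocol: str         # should be "ESP" on both ends
    local_network: str    # network behind this end (CIDR)
    remote_network: str   # network behind the other end (CIDR)
    encryption: frozenset # Phase 2 encryption algorithms
    hash_algs: frozenset  # Phase 2 hash algorithms
    pfs_group: int        # PFS key group
    lifetime: int         # seconds


@dataclass(frozen=True)
class Tunnel:
    phase1: Phase1
    phase2: Phase2


def _as_ip(value):
    """Return an ip_address object if value parses as an IP, else None."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def compare_tunnels(appliance, remote, remote_has_dynamic_ip=True):
    """Return a list of findings; an empty list means the two ends agree.

    Most settings must be identical on both ends. Identifiers and networks
    must be mirrored: My Identifier on one end is Peer Identifier on the
    other, and Local Network on one end is Remote Network on the other.
    """
    findings = []
    a1, r1 = appliance.phase1, remote.phase1
    a2, r2 = appliance.phase2, remote.phase2

    if a1.psk != r1.psk:
        findings.append("Phase 1 Pre-Shared Key differs")  # never echo the PSK itself
    for name in ("ike_version", "encryption", "hash_alg", "dh_group", "dpd", "lifetime"):
        if getattr(a1, name) != getattr(r1, name):
            findings.append(f"Phase 1 {name} differs: appliance={getattr(a1, name)!r} remote={getattr(r1, name)!r}")
    if a1.my_identifier != r1.peer_identifier:
        findings.append("Phase 1: appliance My Identifier does not match remote Peer Identifier")
    if a1.peer_identifier != r1.my_identifier:
        findings.append("Phase 1: appliance Peer Identifier does not match remote My Identifier")
    # My Identifier must be the public IP the remote dials, so a private address is wrong.
    my_ip = _as_ip(a1.my_identifier)
    if my_ip is not None and my_ip.is_private:
        findings.append("Phase 1: appliance My Identifier is a private address; use the public IP")
    # A dynamic-IP remote cannot be identified by address; it needs a Peer ID.
    if remote_has_dynamic_ip and _as_ip(a1.peer_identifier) is not None:
        findings.append("Phase 1: appliance Peer Identifier is an IP address but the remote has a dynamic IP")

    if a2.protocol != "ESP" or r2.protocol != "ESP":
        findings.append(f"Phase 2 protocol must be ESP on both ends: appliance={a2.protocol!r} remote={r2.protocol!r}")
    if a2.local_network != r2.remote_network:
        findings.append("Phase 2: appliance Local Network does not match remote Remote Network")
    if a2.remote_network != r2.local_network:
        findings.append("Phase 2: appliance Remote Network does not match remote Local Network")
    for name in ("encryption", "hash_algs", "pfs_group", "lifetime"):
        if getattr(a2, name) != getattr(r2, name):
            findings.append(f"Phase 2 {name} differs: appliance={getattr(a2, name)!r} remote={getattr(r2, name)!r}")
    return findings


# Constructed sample input: the networks, PSK placeholder and Peer ID are made up.
APPLIANCE = Tunnel(
    Phase1("IKEv2", "119.252.85.10", "site-b.example", "example-psk-change-me",
           "AES256", "SHA256", 14, True, 28800),
    Phase2("ESP", "10.10.0.0/24", "192.168.50.0/24",
           frozenset({"AES256"}), frozenset({"SHA256"}), 14, 3600),
)
REMOTE_OK = Tunnel(
    Phase1("IKEv2", "site-b.example", "119.252.85.10", "example-psk-change-me",
           "AES256", "SHA256", 14, True, 28800),
    Phase2("ESP", "192.168.50.0/24", "10.10.0.0/24",
           frozenset({"AES256"}), frozenset({"SHA256"}), 14, 3600),
)
# The same remote with two common mistakes: a stale public IP for the appliance
# and a different PFS group.
REMOTE_BAD = Tunnel(
    replace(REMOTE_OK.phase1, peer_identifier="119.252.85.11"),
    replace(REMOTE_OK.phase2, pfs_group=2),
)

if __name__ == "__main__":
    for label, remote in (("good", REMOTE_OK), ("bad", REMOTE_BAD)):
        print(label, compare_tunnels(APPLIANCE, remote) or ["OK"])
```

The PSK is compared but never printed, since the findings are the sort of thing that ends up pasted into a ticket. Run the check from the appliance's point of view first; running it the other way round with `remote_has_dynamic_ip=False` checks the remote end's view of the same tunnel.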
Restart VPN
First try resetting IKE by selecting the Disconnect button on the Status Overview page.
...
You can also restart IPsec from the same page, but this will reset all VPN tunnels, not just the one you are troubleshooting.
...
Configure New VPN
For any new VPNs, you can clone one of the existing tunnels and make the appropriate changes, or build one from scratch following the OPNsense documentation.
...
Ensure that 'My Identifier' in the Phase 1 proposal is set to the public IP address of the appliance, i.e. the address the remote peer connects to.
If you have a new internal subnet, you will need to add a route back to it via the NSX Edge.
Update any NSX firewall rules so that traffic between the vDC and the new remote VPN network is allowed out of and into the VPN_INTERNAL interface of the NSX Edge.
Security Updates
To check for and apply security updates for the appliance, go to System → Firmware → Updates.
...