In this article, we’ll cover the configuration of an IPsec VPN in vCloud Director with NSX-T.

IPSec VPN offers site-to-site connectivity between an edge gateway and remote sites which also use NSX-T Data Center or which have either third-party hardware routers or VPN gateways that support IPSec.

Policy-based IPSec VPN requires a VPN policy to be applied to packets to determine which traffic is to be protected by IPSec before being passed through a VPN tunnel. This type of VPN is considered static because when a local network topology and configuration change, the VPN policy settings must also be updated to accommodate the changes.

For this example, we’ll be using an Org_Network of 192.168.10.0/24 and an External IP of 203.23.220.50.


Restrictions

  • You cannot use the same Public IP as the IPsec local endpoint and also use it in a DNAT rule without a specific port (DNAT 1:1). If you have only one Public IP, use port DNAT (port forwarding) instead.

  • If you already have this problem configuration (DNAT 1:1 and the same Public IP as the IPsec local endpoint), you may see random IPsec failures. To fix the issue, delete the DNAT 1:1 rule (or migrate it to port DNAT), delete the IPsec tunnel from the Edge configuration, and then recreate the IPsec tunnel with the same settings.

Accessing the Edge

You can access your NSX-T edge from two locations.

  1. Under ‘Data Centers’ while browsing your VDC, select 'Edges' under the Networking dropdown on the left-hand side. Then click on your DC_XXXXXX to open NSX-T.


  2. Navigate to the Networking page from the top menu, then select 'Edge Gateways'. Click on the VDC edge for the DC you wish to edit.


Prior to testing your VPN, you’ll need to allow traffic between your subnet networks.

  1. Navigate to IP Sets under Security and create an IP Set for your remote site’s subnet. You’ll also need to create an IP Set or Static Group for your Org_VDC network.

  2. Navigate to Firewall under Services and set up two new rules: one to allow inbound traffic to the VDC and the other to allow outbound traffic.

Be sure to also configure NAT rules to direct traffic to the appropriate VMs in your environment.


When testing your new VPN, NSX-T provides statistics on the current status of the connection, giving insight into any issues you may face when connecting to the service. You can find these in IPSec VPN under Services, then click on ‘View Statistics’.

VPN Settings

Field | Description | Required | Options/Example
----- | ----------- | -------- | ---------------
Enable VPN | Ensure that this is Enabled. | Yes | On / Off
Perfect Forward Secrecy | Ensure that this is enabled. PFS ensures the same key will not be generated again, forcing a new Diffie-Hellman key exchange for each session. | Yes | On / Off
Encryption Algorithm | Must match the encryption algorithm configured on the remote site VPN device. | Yes | AES-256, AES, 3DES
DH Group | The cryptography scheme that allows the peer site and the NSX Edge to establish a shared secret over an insecure communications channel. | Yes | DH2, DH5, DH14, DH15, DH16
Name | Enter the name of the VPN tunnel. | Yes | e.g. VPN1
Local ID | Describes the Local Endpoint. Generally the Local Public IP is used. | Yes | e.g. 119.252.64.10
Local IP | Select the Uplink Interface IP of the Edge Gateway (available on the 'Overview' tab of the VDC). | Yes | e.g. 119.252.64.10
Local Subnets | Enter the network(s) you want to designate as the internal network for the VPN. Subnets should be entered in CIDR format with a comma as the separator. | Yes | e.g. 192.168.1.0/24, 192.168.2.0/24
Peer ID | Describes the Remote Endpoint. Generally the Remote Public IP is used. | Yes | e.g. 202.191.5.100
Peer IP | Enter the Public IP address (outside) of the remote device with which you are establishing the VPN. | Yes | e.g. 202.191.5.100
Peer Subnets | Enter the network(s) you want to designate as the remote network for the VPN. Subnets should be entered in CIDR format with a comma as the separator. | Yes | e.g. 10.0.1.0/24
Pre-Shared Key | The secret key shared between the NSX Edge and the peer site, used for authentication. The secret key can be a string with a maximum length of 128 bytes. | Yes | MySecretKey1234
Extension | securelocaltrafficbyip=IPAddress redirects the Edge's local traffic over the IPSec VPN tunnel (this is the default value). passthroughSubnets=PeerSubnetIPAddress supports overlapping subnets. | No | securelocaltrafficbyip= / passthroughSubnets=
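As an added example (not from the original page or from VMware), the following Python script turns the VPN Settings table above and the Restrictions section into a pre-flight check that can be run before the tunnel is submitted: it validates the CIDR lists, the 128-byte pre-shared key limit, the supported encryption and DH group options, local/peer subnets that overlap without a passthroughSubnets extension, and the restriction that the local endpoint IP must not also be the external IP of a DNAT 1:1 rule. The dataclass and function names are assumptions; the sample values are constructed and reuse the page's example addresses.

```python
"""Pre-flight checks for an NSX-T IPsec VPN tunnel as entered in vCloud Director.

Added example, not part of the original page. The dataclasses mirror the fields
of the VPN Settings table; the check values (supported algorithms, DH groups,
the 128-byte PSK limit, the DNAT 1:1 restriction) are taken from the page.
Class and function names and the sample values are assumptions.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional

MAX_PSK_BYTES = 128                                            # Pre-Shared Key row
SUPPORTED_ENCRYPTION = {"AES-256", "AES", "3DES"}              # Encryption Algorithm row
SUPPORTED_DH_GROUPS = {"DH2", "DH5", "DH14", "DH15", "DH16"}   # DH Group row


@dataclass
class DnatRule:
    """A DNAT rule on the edge. external_port=None means DNAT 1:1 (all ports)."""
    external_ip: str
    internal_ip: str
    external_port: Optional[int] = None


@dataclass
class IpsecTunnel:
    """One tunnel's settings as typed into the UI (subnet lists are comma-separated)."""
    name: str
    enabled: bool
    pfs: bool
    encryption: str
    dh_group: str
    local_id: str
    local_ip: str
    local_subnets: str
    peer_id: str
    peer_ip: str
    peer_subnets: str
    pre_shared_key: str
    passthrough_subnets: str = ""   # Extension row: passthroughSubnets=


def parse_cidr_list(text: str) -> List[ipaddress.IPv4Network]:
    """Parse 'a.b.c.d/n, e.f.g.h/m' into networks; strict=True rejects host bits set."""
    nets = []
    for item in text.split(","):
        item = item.strip()
        if item:
            nets.append(ipaddress.ip_network(item, strict=True))
    return nets


def validate_tunnel(t: IpsecTunnel, dnat_rules: List[DnatRule]) -> List[str]:
    """Return the list of problems found; an empty list means every check passed."""
    issues: List[str] = []

    if not t.enabled:
        issues.append("Enable VPN is Off")
    if not t.pfs:
        issues.append("Perfect Forward Secrecy is Off")
    if t.encryption not in SUPPORTED_ENCRYPTION:
        issues.append(f"unsupported encryption algorithm {t.encryption!r}")
    if t.dh_group not in SUPPORTED_DH_GROUPS:
        issues.append(f"unsupported DH group {t.dh_group!r}")

    # The limit is 128 bytes, so count encoded bytes rather than characters.
    if len(t.pre_shared_key.encode("utf-8")) > MAX_PSK_BYTES:
        issues.append(f"pre-shared key longer than {MAX_PSK_BYTES} bytes")

    for label, value in (("Local IP", t.local_ip), ("Peer IP", t.peer_ip)):
        try:
            ipaddress.ip_address(value)
        except ValueError:
            issues.append(f"{label} {value!r} is not a valid IP address")

    try:
        local = parse_cidr_list(t.local_subnets)
        peer = parse_cidr_list(t.peer_subnets)
        passthrough = parse_cidr_list(t.passthrough_subnets)
    except ValueError as exc:
        issues.append(f"subnet list is not valid CIDR: {exc}")
        return issues

    # Overlapping local/peer subnets only work with the passthroughSubnets extension.
    for ln in local:
        for pn in peer:
            if ln.overlaps(pn) and pn not in passthrough:
                issues.append(f"local {ln} overlaps peer {pn} without passthroughSubnets")

    # Restriction from the page: the local endpoint IP must not also be the external
    # IP of a DNAT 1:1 rule; port-forwarding DNAT on the same IP is allowed.
    for r in dnat_rules:
        if r.external_ip == t.local_ip and r.external_port is None:
            issues.append(f"{t.local_ip} is both the IPsec local endpoint and a DNAT 1:1 external IP")

    return issues


# Constructed sample using the page's worked values (Org network and External IP).
GOOD = IpsecTunnel(
    name="VPN1", enabled=True, pfs=True, encryption="AES-256", dh_group="DH14",
    local_id="203.23.220.50", local_ip="203.23.220.50", local_subnets="192.168.10.0/24",
    peer_id="202.191.5.100", peer_ip="202.191.5.100", peer_subnets="10.0.1.0/24",
    pre_shared_key="MySecretKey1234",
)
# Same tunnel with the mistakes the page warns about: an over-long PSK and a peer
# subnet that overlaps the org network, paired below with a DNAT 1:1 rule.
BAD = replace(GOOD, peer_subnets="10.0.1.0/24, 192.168.10.0/24", pre_shared_key="x" * 129)
WITH_PASSTHROUGH = replace(BAD, pre_shared_key="k", passthrough_subnets="192.168.10.0/24")
BAD_DNAT = [DnatRule("203.23.220.50", "192.168.10.10")]                   # 1:1, all ports
OK_DNAT = [DnatRule("203.23.220.50", "192.168.10.10", external_port=443)]  # port forwarding

if __name__ == "__main__":
    for label, tunnel, rules in (("good", GOOD, OK_DNAT), ("bad", BAD, BAD_DNAT)):
        print(label, validate_tunnel(tunnel, rules) or "OK")
```

Running the script reports no issues for the good configuration (even with a port-forwarding DNAT on the same public IP) and three for the bad one: the PSK length, the overlapping subnet, and the DNAT 1:1 conflict. Adding the overlapping peer subnet to passthroughSubnets clears the overlap finding, which is the case the Extension row describes.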

Customize the Security Profile of an IPSec VPN Tunnel

If you decide not to use the system-generated security profile that was assigned to your IPSec VPN tunnel upon creation, you can customize it. Select the IPSec VPN tunnel and click Security Profile Customization.

You can configure:

  • IKE profiles - IKE protocol version, Digest, Diffie-Hellman Group, Association Lifetime

  • IPSec VPN tunnel - Perfect forward secrecy, Defragmentation policy, Digest, Diffie-Hellman Group, Association Lifetime

  • Probe Interval - default number of seconds for dead peer detection