In this article, we’ll cover the configuration of an IPsec VPN in vCloud Director with NSX-T.
For this example, we’ll be using an Org_Network of 192.168.10.0/24 and an External IP of 203.23.220.50
Accessing the Edge
You can access your NSX-T edge from two locations.
Under ‘Data Centers’ while browsing your VDC, select 'Edges' under the Networking dropdown on the left hand side. Then click on your DC_XXXXXX to open NSX-T.
2. Navigate to the Networking page from the top menu, then select 'Edge Gateways'. Click on the VDC edge for the DC you wish to edit.
Configuration
You can find IPSec VPN under Security on your NSX-T edge. Click ‘New’ to start the VPN setup wizard.
On the first page you’ll be asked for a name for your VPN and a brief description. You can also find the default configuration settings for the VPN here. These can not be changed as part of this wizard however once the VPN is created, all settings can be adjusted.
On step 2, provide a Pre-shared key or certificate for authentication.
Step 3 is the configuration of your VPN endpoints. In this context, Local is the Zettagrid side.
Input one of the external IP’s of your edge and one of your Org_VDC Networks. Then specify the remote connection details.
You’ll have an opportunity to review your settings before saving.
Once saved, you can select your VPN from the list and click 'Security Profile Customization' to make further modifications to the VPN connection settings.
Firewall Rules
Prior to testing your VPN, you’ll need to allow traffic between your subnet networks.
Navigate to IP Sets under Security and create an IP Set for your remote site’s subnet. You’ll also need to make a IP Set or Static Group for your Org_VDC network.
Navigate to Firewall under Services and setup 2 new rules, One to allow inbound traffic to the VDC and the other to allow outbound traffic.
Be sure to also configure NAT rules to direct traffic to the appropriate VM’s in your environment.
Statistics / Troubleshooting
When testing your new VPN, the NSX-T provides statistics on the current status on the connection, allowing insight into any issues you may face when connecting to the service. You can find these in IPSec VPN under Services, then click on ‘View Statistics’.
VPN Settings
Field | Description | Required | Options/Example |
Enable VPN | Ensure that this is Enabled. | Yes | On / Off |
Perfect Forward Security | Ensure that this is enabled. PFS will ensure the same key will not be generated again, so forcing a new diffie-hellman key exchange | Yes | On / Off |
Encryption Algorithm | The Encryption Protocol reflects what is configured on the remote site VPN device | Yes | AES-256, AES, 3DES |
DH Group | The cryptography scheme that will allow the peer site and the NSX Edge to establish a shared secret over an insecure communications channel. | Yes | DH2, DH5, DH14, DH15, DH16 |
Name | Enter the name of the VPN tunnel | Yes | e.g. VPN1 |
Local ID | This is used to describe the Local Endpoint. Generally the Local Public IP is used. | Yes | e.g. 119.252.64.10 |
Local IP | Select the Uplink Interface IP of the Edge Gateway. (Available on the ?Overview? tab of the VDC) | Yes | e.g. 119.252.64.10 |
Local Subnets | Enter the network(s) you want to designate as the internal network for the VPN. Subnets should be entered in CIDR format with comma as a separator. | Yes | e.g. 192.168.1.0/24, 192.168.2.0/24 |
Peer ID | This is used to describe the Remote Endpoint. Generally the Remote Public IP is used. | Yes | e.g. 202.191.5.100 |
Peer IP | Enter the Public IP address (outside) of the remote device with which you are establishing the VPN. | Yes | e.g. 202.191.5.100 |
Peer Subnets | Enter the network(s) you want to designate as the remote network for the VPN. Subnets should be entered in CIDR format with comma as a separator. | Yes | e.g. 10.0.1.0/24 |
Pre-Shared Key | Indicates that the secret key shared between NSX Edge and the peer site is to be used for authentication. The secret key can be a string with a maximum length of 128 bytes. | Yes | MySecretKey1234 |
Extension | securelocaltrafficbyip=IPAddress to re-direct Edge?s local traffic over the IPSec VPN tunnel. This is the default value | No | securelocaltrafficbyip=
passthroughSubnets= |