Configure an IPSec VPN
The NSX Advanced Edge supports site-to-site IPSec VPN between an NSX Edge instance and remote sites. Behind each remote VPN router you can configure multiple subnets that connect to the internal network behind the NSX Edge through IPSec tunnels. These subnets and the internal network behind the NSX Edge must have address ranges that do not overlap. The number of tunnels needed is the number of local subnets multiplied by the number of peer subnets: with 10 local subnets and 10 peer subnets you need 100 tunnels. The maximum number of tunnels supported is determined by the size of the ESG (Edge Services Gateway), as shown below.
Number of IPSec Tunnels per NSX Edge

NSX Edge size | Number of IPSec Tunnels |
---|---|
Compact | 512 |
Large | 1600 |
X-Large | 6000 |
IPSec VPN Configuration
To enable an IPSec VPN for your VMware VDC:
- Click on the "IPSec VPN" tab of your VDC
- Click "Add a VPN", enter your VPN details, and click "Save"
- Click "Save Config" to commit your new VPN configuration to NSX
VPN Settings
Field | Description | Required | Options/Example |
---|---|---|---|
Enable VPN | Ensure that this is Enabled. | Yes | On / Off |
Perfect Forward Secrecy | Ensure that this is enabled. With PFS each IPSec session key is derived from a fresh Diffie-Hellman exchange rather than from the IKE keying material, so compromising the pre-shared key or one session key does not expose the traffic of earlier or later sessions. | Yes | On / Off |
Encryption Algorithm | The encryption algorithm must match what is configured on the remote site VPN device. Prefer AES-256; 3DES is a 64-bit block cipher that NIST has deprecated and should only be used if the remote device supports nothing better. | Yes | AES-256, AES, 3DES |
DH Group | The Diffie-Hellman group used by the peer site and the NSX Edge to establish a shared secret over an insecure channel. DH5 (1536-bit MODP) is the stronger of the two offered; DH2 is 1024-bit MODP. | Yes | DH2, DH5 |
Name | Enter the name of the VPN tunnel | Yes | e.g. VPN1 |
Local ID | The identifier the Edge presents for the local endpoint during IKE negotiation; it must match the remote ID configured on the peer device. Generally the local public IP is used. | Yes | e.g. 119.252.17.1 |
Local IP | Select the Uplink Interface IP of the Edge Gateway (available on the "Overview" tab of the VDC). | Yes | e.g. 119.252.17.1 |
Local Subnets | Enter the network(s) you want to designate as the internal network for the VPN. Enter subnets in CIDR format, separated by commas. | Yes | e.g. 192.168.1.0/24, 192.168.2.0/24 |
Peer ID | The identifier expected from the remote endpoint during IKE negotiation; it must match the local ID configured on the peer device. Generally the remote public IP is used. | Yes | e.g. 1.1.1.1 |
Peer IP | Enter the public (outside) IP address of the remote device with which you are establishing the VPN. | Yes | e.g. 1.1.1.1 |
Peer Subnets | Enter the network(s) you want to designate as the remote network for the VPN. Enter subnets in CIDR format, separated by commas. | Yes | e.g. 10.0.1.0/24 |
Pre-Shared Key | The secret shared between the NSX Edge and the peer site, used to authenticate the tunnel. It can be a string of up to 128 bytes. Use a long, randomly generated value; the example here is a placeholder, not a recommended key. | Yes | e.g. MySecretKey1234 |
Extension | `securelocaltrafficbyip=IPAddress` redirects the Edge's own local traffic over the IPSec VPN tunnel; this is the default. `passthroughSubnets=PeerSubnetIPAddress` supports overlapping subnets. | No | securelocaltrafficbyip=, passthroughSubnets= |
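The tunnel arithmetic from the opening paragraph and the choices in the settings table above are easy to get wrong in the form, and the UI gives no tunnel status to tell you afterwards. The following pre-flight checker is an added example written for this page; it is not VMware or NSX code and not part of the original article. It takes the form fields as a dictionary, validates the CIDR lists, flags local/peer overlap (treating a peer subnet named in `passthroughSubnets` as deliberately overlapping, which is this example's reading of that extension), computes local x peer tunnels against the ESG size table, and flags the weakest options the form offers. The thresholds for "weak" (3DES, DH2, a PSK under 32 bytes) and the `;`/newline separator for extensions are the editor's assumptions, not limits enforced by NSX.

```python
"""Pre-flight check for the NSX Edge IPsec VPN form.

Added example by the editor, not code from the page, from VMware or from NSX.
Field names mirror the form; the weak-setting thresholds are the editor's own
recommendations (assumptions), not limits enforced by NSX.
"""
import ipaddress
import re

# Tunnel capacity per ESG size, from the table on this page.
TUNNEL_LIMITS = {"Compact": 512, "Large": 1600, "X-Large": 6000}

# Editor's recommendations (assumptions): avoid the weakest options the form offers.
WEAK_ENCRYPTION = {"3DES"}   # 64-bit block cipher, deprecated by NIST
WEAK_DH_GROUPS = {"DH2"}     # 1024-bit MODP
PSK_MAX_BYTES = 128          # stated on the page
PSK_MIN_BYTES = 32           # assumption: floor for a randomly generated PSK


def parse_subnets(field):
    """Parse the comma-separated CIDR list used by the Local/Peer Subnets fields."""
    nets = [ipaddress.ip_network(s.strip()) for s in field.split(",") if s.strip()]
    if not nets:
        raise ValueError("at least one subnet is required")
    return nets


def parse_extension(field):
    """Parse key=value pairs from the Extension field. Assumption: pairs are
    separated by ';' or newlines, e.g. 'passthroughSubnets=10.0.1.0/24'."""
    ext = {}
    for item in re.split(r"[;\n]", field or ""):
        key, _, value = item.strip().partition("=")
        if key:
            ext[key] = value.strip()
    return ext


def tunnel_count(local_field, peer_field):
    """Tunnels needed = local subnets x peer subnets (10 x 10 = 100 on this page)."""
    return len(parse_subnets(local_field)) * len(parse_subnets(peer_field))


def check_vpn(settings):
    """Return a list of findings; an empty list means the form looks sane."""
    findings = []
    local = parse_subnets(settings["local_subnets"])
    peer = parse_subnets(settings["peer_subnets"])
    ext = parse_extension(settings.get("extension", ""))
    # Assumption: overlap is acceptable only for a peer subnet that the
    # passthroughSubnets extension names explicitly.
    passthrough = set(parse_subnets(ext["passthroughSubnets"])) if ext.get("passthroughSubnets") else set()
    for l in local:
        for p in peer:
            if l.overlaps(p) and p not in passthrough:
                findings.append(f"local {l} overlaps peer {p}: renumber or set passthroughSubnets")

    needed = len(local) * len(peer)
    limit = TUNNEL_LIMITS[settings["esg_size"]]
    if needed > limit:
        findings.append(f"{needed} tunnels needed, {settings['esg_size']} supports {limit}")

    if not settings.get("pfs", False):
        findings.append("Perfect Forward Secrecy is off")
    if settings["encryption"] in WEAK_ENCRYPTION:
        findings.append(f"{settings['encryption']} is weak; use AES-256")
    if settings["dh_group"] in WEAK_DH_GROUPS:
        findings.append(f"{settings['dh_group']} is weak; use DH5")
    psk = settings["psk"].encode("utf-8")
    if len(psk) > PSK_MAX_BYTES:
        findings.append(f"pre-shared key is {len(psk)} bytes, maximum is {PSK_MAX_BYTES}")
    elif len(psk) < PSK_MIN_BYTES:
        findings.append(f"pre-shared key is only {len(psk)} bytes; generate a random one")
    return findings


# Constructed sample input: the page's own example values for a Compact Edge.
SAMPLE_SETTINGS = {
    "esg_size": "Compact",
    "pfs": True,
    "encryption": "AES-256",
    "dh_group": "DH5",
    "local_subnets": "192.168.1.0/24, 192.168.2.0/24",
    "peer_subnets": "10.0.1.0/24",
    "psk": "MySecretKey1234",
    "extension": "",
}

if __name__ == "__main__":
    for finding in check_vpn(SAMPLE_SETTINGS) or ["no findings"]:
        print(finding)
```

Run against the page's example values the only finding is the placeholder pre-shared key, which at 15 bytes is well under the example's 32-byte floor. Swapping in 3DES, DH2, PFS off and an overlapping peer subnet produces one finding per problem, which is the point: check these before clicking "Save Config", because the UI will not tell you afterwards why the tunnel never came up.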
VPN Status
In this release of NSX Advanced Networking there is no status indicator in the MyAccount UI that shows whether an IPSec tunnel is up or down. Confirm it at the peer end, or by pinging a host on the remote network from a machine on the local network.