Configuring an IPsec VPN - NSX-T

In this article, we’ll cover the configuration of an IPsec VPN in vCloud Director with NSX-T.

IPSec VPN offers site-to-site connectivity between an edge gateway and remote sites which also use NSX-T Data Center or which have either third-party hardware routers or VPN gateways that support IPSec.

Policy-based IPSec VPN requires a VPN policy to be applied to packets to determine which traffic is to be protected by IPSec before being passed through a VPN tunnel. This type of VPN is considered static because when a local network topology and configuration change, the VPN policy settings must also be updated to accommodate the changes.

For this example, we’ll be using an Org_Network of 192.168.10.0/24 and an External IP of 203.23.220.50.

Restrictions

  • You cannot use the same public IP both as the IPsec local endpoint and in a DNAT rule without a specific port (DNAT 1:1). If you have only 1 public IP, use port DNAT (port forwarding)!

  • If you already have both (a DNAT 1:1 rule and the same public IP as the IPsec local endpoint), you may face a random problem where IPsec stops working. To fix this issue, delete the DNAT 1:1 rule (or migrate it to port forwarding DNAT), then delete the IPsec VPN from the Edge configuration and create a new IPsec VPN with the same config.
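
The first restriction can be checked before the tunnel is built. The Python below is an added example, not part of the original article or of any vCloud Director tooling; the field names and the sample rules are constructed for illustration, using the external IP and Org_Network from this article.

```python
import ipaddress

# Constructed sample data; the field names are assumptions for this example,
# not the vCloud Director API schema.
IPSEC_TUNNELS = [
    {"name": "site-a", "local_endpoint": "203.23.220.50",
     "local_networks": ["192.168.10.0/24"]},
]
NAT_RULES = [
    {"name": "web-1to1", "type": "DNAT", "external": "203.23.220.50",
     "port": None, "internal": "192.168.10.20"},
    {"name": "ssh-fwd", "type": "DNAT", "external": "203.23.220.50",
     "port": 2222, "internal": "192.168.10.21"},
    {"name": "outbound", "type": "SNAT", "external": "203.23.220.50",
     "port": None, "internal": "192.168.10.0/24"},
]


def dnat_conflicts(tunnels, nat_rules):
    """Return (tunnel, rule) name pairs where a DNAT rule without a port
    (1:1) covers the public IP used as an IPsec local endpoint."""
    conflicts = []
    for tunnel in tunnels:
        endpoint = ipaddress.ip_address(tunnel["local_endpoint"])
        for rule in nat_rules:
            if rule["type"] != "DNAT" or rule.get("port"):
                continue  # SNAT and port-forwarding DNAT are allowed
            # The external side may be a single IP or a CIDR block.
            external = ipaddress.ip_network(rule["external"], strict=False)
            if endpoint in external:
                conflicts.append((tunnel["name"], rule["name"]))
    return conflicts


if __name__ == "__main__":
    for tunnel, rule in dnat_conflicts(IPSEC_TUNNELS, NAT_RULES):
        print(f"IPsec tunnel {tunnel!r}: local endpoint is also the target "
              f"of 1:1 DNAT rule {rule!r}; switch it to port forwarding")
```

With the sample data only the 1:1 rule is reported; the port-forwarding DNAT rule and the SNAT rule on the same public IP are not.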

Accessing the Edge

You can access your NSX-T edge from two locations.

  1. Under ‘Data Centers’ while browsing your VDC, select 'Edges' under the Networking dropdown on the left hand side. Then click on your DC_XXXXXX to open NSX-T.

  2. Navigate to the Networking page from the top menu, then select 'Edge Gateways'. Click on the VDC edge for the DC you wish to edit.

Configuration

You can find IPSec VPN under Security on your NSX-T edge. Click ‘New’ to start the VPN setup wizard.

On the first page you’ll be asked for a name for your VPN and a brief description. You can also find the default configuration settings for the VPN here. These cannot be changed as part of this wizard; however, once the VPN is created, all settings can be adjusted.

On step 2, provide a Pre-shared key or certificate for authentication.

Step 3 is the configuration of your VPN endpoints. In this context, Local is the Zettagrid side.
Input one of the external IPs of your edge and one of your Org_VDC Networks. Then specify the remote connection details.

You’ll have an opportunity to review your settings before saving.

Once saved, you can select your VPN from the list and click 'Security Profile Customization' to make further modifications to the VPN connection settings.

Firewall Rules

Prior to testing your VPN, you’ll need to allow traffic between your subnet networks.

  1. Navigate to IP Sets under Security and create an IP Set for your remote site’s subnet. You’ll also need to make an IP Set or Static Group for your Org_VDC network.

  2. Navigate to Firewall under Services and set up 2 new rules: one to allow inbound traffic to the VDC and the other to allow outbound traffic.

Be sure to also configure NAT rules to direct traffic to the appropriate VMs in your environment.

Statistics / Troubleshooting

When testing your new VPN, NSX-T provides statistics on the current status of the connection, giving insight into any issues you may face when connecting to the service. You can find these in IPSec VPN under Services, then click on ‘View Statistics’.

Customize the Security Profile of an IPSec VPN Tunnel

If you decide not to use the system-generated security profile that was assigned to your IPSec VPN tunnel upon creation, you can customize it. Select the IPSec VPN tunnel and click Security Profile Customization.

You can configure:

  • IKE profiles - IKE protocol version, Digest, Diffie-Hellman Group, Association Lifetime

  • IPSec VPN tunnel - Perfect forward secrecy, Defragmentation policy, Digest, Diffie-Hellman Group, Association Lifetime

  • Probe Interval - default number of seconds for dead peer detection

 
