NSX-T vDC VPN to AWS route based


AWS Site-to-Site VPN endpoints are route based, while an NSX-T T1 gateway (and the vCloud Director IPsec VPN on top of it) only offers policy based IPsec. In practice it works anyway, as long as there is no more than one prefix on the AWS side: AWS negotiates a single pair of security associations per tunnel, so a policy based peer has to present a single local and a single remote prefix. This also works with NSX-V.


AWS to NSX-T T1


AWS Config.

This assumes you have a working EC2 instance within an existing VPC and that you know how to set up your own security rules to allow traffic to it.

Do these steps in this order to avoid fighting the AWS configuration.

Create Virtual Private Gateway


Attach it to VPC


Create Customer Gateway

This is the AWS-side object for your remote IPsec peer, i.e. the public IP of the NSX-T edge. Ignore the BGP ASN and leave whatever value AWS has filled in; it is not used with static routing.

Create VPN connection

Select your

  • VPG

  • Customer gateway

  • Routing: Static

    • Add a static route for your ZG prefix

  • Leave the Local and Remote IPv4 network CIDRs at 0.0.0.0/0

Download Generic config

so you can see the pre-shared key and confirm the other settings if needed.


Propagate the ZG route

back into your VPC route table by enabling route propagation from the VPG on that route table.

Confirm it has worked: the ZG prefix should now appear as a propagated route.
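The same AWS-side steps done with the AWS CLI, as an added example that is not part of the original page. The VPC, route table, peer IP and ZG prefix (VPC_ID, RTB_ID, PEER_IP, REMOTE_CIDR) are placeholder assumptions that can be overridden from the environment, and, going one step beyond the console defaults, the script passes tunnel options that replace the weak AWS defaults with IKEv2, AES-256, SHA2-256 and DH group 14; the vCloud side must then be configured to match.

```shell
#!/bin/sh
# Added example, not from the original page: the AWS side of the procedure
# above done with the AWS CLI instead of the console. All IDs, IPs and
# prefixes below are placeholder assumptions; export your own before running.
set -eu

VPC_ID="${VPC_ID:-vpc-0123456789abcdef0}"       # existing VPC holding the EC2 instance
RTB_ID="${RTB_ID:-rtb-0123456789abcdef0}"       # route table of that VPC
PEER_IP="${PEER_IP:-203.0.113.10}"              # public IP of the NSX-T T1 / vCloud edge
REMOTE_CIDR="${REMOTE_CIDR:-192.168.60.0/24}"   # the one ZG prefix: AWS negotiates a single
                                                # SA pair per tunnel, so a policy based peer
                                                # must present one local/remote pair only

# One tunnel's options: IKEv2, AES-256, SHA2-256 and DH group 14 instead of the
# AWS defaults (IKEv1, aes-128-cbc, sha1, DH group 2). Compact JSON, one line.
tunnel_options_entry() {
    printf '%s' \
        '{"IKEVersions":[{"Value":"ikev2"}],' \
        '"Phase1EncryptionAlgorithms":[{"Value":"AES256"}],' \
        '"Phase1IntegrityAlgorithms":[{"Value":"SHA2-256"}],' \
        '"Phase1DHGroupNumbers":[{"Value":14}],' \
        '"Phase2EncryptionAlgorithms":[{"Value":"AES256"}],' \
        '"Phase2IntegrityAlgorithms":[{"Value":"SHA2-256"}],' \
        '"Phase2DHGroupNumbers":[{"Value":14}],' \
        '"DPDTimeoutSeconds":30}'
}

# --options document for create-vpn-connection: static routing (no BGP) and the
# same tunnel options for both of the two tunnels AWS always creates.
vpn_options_json() {
    t=$(tunnel_options_entry)
    printf '{"StaticRoutesOnly": true, "TunnelOptions": [%s, %s]}' "$t" "$t"
}

create_aws_vpn() {
    # 1. Virtual Private Gateway
    VGW_ID=$(aws ec2 create-vpn-gateway --type ipsec.1 \
                 --query 'VpnGateway.VpnGatewayId' --output text)
    # 2. Attach it to the VPC
    aws ec2 attach-vpn-gateway --vpn-gateway-id "$VGW_ID" --vpc-id "$VPC_ID" >/dev/null
    # 3. Customer Gateway = the remote IPsec peer. The API insists on an ASN;
    #    it is never used with static routing, so the console default will do.
    CGW_ID=$(aws ec2 create-customer-gateway --type ipsec.1 --public-ip "$PEER_IP" \
                 --bgp-asn 65000 --query 'CustomerGateway.CustomerGatewayId' --output text)
    # 4. VPN connection: static routing plus the hardened tunnel options
    VPN_ID=$(aws ec2 create-vpn-connection --type ipsec.1 \
                 --customer-gateway-id "$CGW_ID" --vpn-gateway-id "$VGW_ID" \
                 --options "$(vpn_options_json)" \
                 --query 'VpnConnection.VpnConnectionId' --output text)
    # 5. Static route for the ZG prefix (local/remote network CIDRs stay 0.0.0.0/0)
    aws ec2 create-vpn-connection-route --vpn-connection-id "$VPN_ID" \
        --destination-cidr-block "$REMOTE_CIDR"
    # 6. Propagate the VPG's routes into the VPC route table
    aws ec2 enable-vgw-route-propagation --route-table-id "$RTB_ID" --gateway-id "$VGW_ID"
    # 7. Same content as the console's configuration download (pre-shared key,
    #    AWS outside addresses), here as the CustomerGatewayConfiguration XML
    aws ec2 describe-vpn-connections --vpn-connection-ids "$VPN_ID" \
        --query 'VpnConnections[0].CustomerGatewayConfiguration' --output text
    echo "created $VPN_ID" >&2
}

# "Confirm it has worked": the ZG prefix should now be a propagated route, and
# VgwTelemetry shows each tunnel's status once the vCloud side is configured.
check_aws_vpn() {
    aws ec2 describe-route-tables --route-table-ids "$RTB_ID" \
        --query "RouteTables[0].Routes[?DestinationCidrBlock=='$REMOTE_CIDR']" --output table
    aws ec2 describe-vpn-connections \
        --query 'VpnConnections[].VgwTelemetry[].[OutsideIpAddress,Status,StatusMessage]' \
        --output table
}

case "${1:-}" in
    create) create_aws_vpn ;;
    check)  check_aws_vpn ;;
    *)      echo "usage: $0 create|check" >&2 ;;
esac
```

Run it as `sh aws_vpn.sh create` (the file name is an assumption) to build everything and print the CustomerGatewayConfiguration XML, which carries the same pre-shared key and AWS outside addresses as the console download, and `sh aws_vpn.sh check` to see the propagated route and the per-tunnel status. Keep REMOTE_CIDR to a single prefix, for the single-SA-pair reason given at the top of the page.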


Zettagrid vCloud Config

Create New IPSec VPN


The pre-shared key is in the settings file downloaded from AWS.

The remote endpoint IP is in the settings file downloaded from AWS.

Update Security

These must match what AWS is using. The AWS defaults are weak by current standards (IKEv1, SHA-1 integrity, 1024-bit DH group 2); you can change them on the AWS side under the Site-to-Site VPN tunnel options if you wish, but whatever you pick has to be set identically at both ends. The defaults are:

#1: Internet Key Exchange Configuration
  - IKE version : IKEv1
  - Authentication Method : Pre-Shared Key
  - Pre-Shared Key : xxxx
  - Authentication Algorithm : sha1
  - Encryption Algorithm : aes-128-cbc
  - Lifetime : 28800 seconds
  - Phase 1 Negotiation Mode : main
  - Diffie-Hellman : Group 2

#2: IPSec Configuration
  - Protocol : esp
  - Authentication Algorithm : hmac-sha1-96
  - Encryption Algorithm : aes-128-cbc
  - Lifetime : 3600 seconds
  - Mode : tunnel
  - Perfect Forward Secrecy : Diffie-Hellman Group 2

AWS also recommends configuring DPD on your endpoint as follows:
  - DPD Interval : 10
  - DPD Retries : 3
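To lift the values out of the downloaded generic configuration without retyping them, and to see at a glance which of the defaults are worth changing, here is an added example that is not from the original page: a POSIX shell script that parses the file's "- Key : value" lines section by section. SAMPLE_CFG is a constructed sample following that file's layout; its #1 and #2 sections are the AWS defaults listed above, while section #3 and the two IP addresses in it are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: parse the generic configuration
# file AWS lets you download, print the values the vCloud IPsec VPN dialogue
# needs and flag the settings that are weak by current standards.
# SAMPLE_CFG is a constructed sample; sections #1 and #2 are the AWS defaults,
# section #3 and its two addresses are assumed.
set -eu

SAMPLE_CFG=$(cat <<'EOF'
#1: Internet Key Exchange Configuration
  - IKE version : IKEv1
  - Authentication Method : Pre-Shared Key
  - Pre-Shared Key : xxxx
  - Authentication Algorithm : sha1
  - Encryption Algorithm : aes-128-cbc
  - Lifetime : 28800 seconds
  - Phase 1 Negotiation Mode : main
  - Diffie-Hellman : Group 2
#2: IPSec Configuration
  - Protocol : esp
  - Authentication Algorithm : hmac-sha1-96
  - Encryption Algorithm : aes-128-cbc
  - Lifetime : 3600 seconds
  - Mode : tunnel
  - Perfect Forward Secrecy : Diffie-Hellman Group 2
#3: Tunnel Interface Configuration
Outside IP Addresses:
  - Customer Gateway : 203.0.113.10
  - Virtual Private Gateway : 198.51.100.5
EOF
)

# cfg_param SECTION KEY  (config text on stdin)
# Prints the value of "- KEY : value" inside section "#SECTION:". The section
# matters: "Authentication Algorithm" exists in both #1 (IKE) and #2 (IPsec).
cfg_param() {
    awk -v sec="#$1:" -v key="- $2" '
        { line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line) }
        line ~ /^#[0-9]+:/ { cur = substr(line, 1, index(line, ":")) }
        cur == sec && index(line, key) == 1 && substr(line, length(key) + 1, 1) ~ /^[ :]$/ {
            val = line; sub(/^[^:]*:[ \t]*/, "", val); print val; exit
        }'
}

_get() { printf '%s\n' "$_CFG" | cfg_param "$@"; }

# weak_settings (config text on stdin): one line per setting that should be
# changed (WEAK) or is merely worth raising (NOTE). Change them on the AWS side
# under the tunnel options and mirror them in vCloud; both ends must match.
weak_settings() {
    _CFG=$(cat)
    case "$(_get 1 'IKE version')" in
        IKEv1) echo "WEAK phase 1: IKEv1 is deprecated; use IKEv2" ;;
    esac
    case "$(_get 1 'Authentication Algorithm')" in
        sha1|md5) echo "WEAK phase 1: integrity $(_get 1 'Authentication Algorithm'); use SHA-256 or better" ;;
    esac
    case "$(_get 1 'Diffie-Hellman')" in
        "Group 1"|"Group 2"|"Group 5") echo "WEAK phase 1: DH $(_get 1 'Diffie-Hellman') (MODP <= 1536-bit); use group 14 or higher" ;;
    esac
    case "$(_get 1 'Encryption Algorithm')" in
        aes-128-cbc) echo "NOTE phase 1: aes-128-cbc is acceptable; AES-256 if the edge supports it" ;;
    esac
    case "$(_get 2 'Authentication Algorithm')" in
        hmac-sha1-96|hmac-md5-96) echo "WEAK phase 2: integrity $(_get 2 'Authentication Algorithm'); use hmac-sha256" ;;
    esac
    case "$(_get 2 'Perfect Forward Secrecy')" in
        *"Group 1"|*"Group 2"|*"Group 5") echo "WEAK phase 2: PFS $(_get 2 'Perfect Forward Secrecy'); use group 14 or higher" ;;
    esac
    case "$(_get 2 'Encryption Algorithm')" in
        aes-128-cbc) echo "NOTE phase 2: aes-128-cbc is acceptable; AES-256 if the edge supports it" ;;
    esac
    true
}

# vcloud_values (config text on stdin): the values the page says to copy into
# the vCloud "New IPsec VPN" dialogue, plus the peer address AWS expects.
vcloud_values() {
    _CFG=$(cat)
    echo "pre-shared key     : $(_get 1 'Pre-Shared Key')"
    echo "remote endpoint IP : $(_get 3 'Virtual Private Gateway')"
    echo "local endpoint IP  : $(_get 3 'Customer Gateway')"
}

# Stand-alone use: pass the downloaded file as the first argument, or none for the sample.
if [ $# -ge 1 ]; then _IN=$(cat "$1"); else _IN=$SAMPLE_CFG; fi
printf '%s\n' "$_IN" | vcloud_values
printf '%s\n' "$_IN" | weak_settings
```

On the sample the script reports five WEAK lines (IKEv1, sha1, DH group 2, hmac-sha1-96, PFS group 2) and two NOTE lines for aes-128-cbc; the same parser reads the real download because the AWS file uses the same "#n:" section headers and "- Key : value" lines, with the pre-shared key and outside addresses in sections #1 and #3.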


VPN Status

Troubleshooting

If the VPN is not working, follow these steps.

  1. Check the NSX firewall rules and make sure you are permitting traffic in both directions, e.g.

    1. 192.168.60.0/24 → 172.31.0.0/16

    2. 172.31.0.0/16 → 192.168.60.0/24

  2. Check the AWS security groups and/or network ACLs to make sure they permit the traffic.

    1. By default they won't.

  3. If the VPN is up and it still does not work, go back to the top of this page and review all the settings.
