Articles in this section

Configure IPsec VPN

Updated

Table of Contents


    Overview

    This article will guide you through configuring an IPsec VPN on the NSX Edge gateway managing your DR environment.

     

    Navigate to the IPsec VPN Screen

    1. Open Edge Gateway Services.
      1. From the top navigation bar, select Networking, and click the Edge Gateways tab.
      2. Click the radio button next to the name of the target edge gateway, and click Services.
    2. Navigate to VPN -> IPsec VPN.
     

    Configure the IPsec VPN Site Connections

    1. On the IPsec VPN tab, click IPsec VPN Sites.
    2. Click the Add (Create button) button.

    3. Configure the IPsec VPN connection settings.

      OptionAction
      EnabledEnable this connection between the two VPN endpoints.
      Enable perfect forward secrecy (PFS)

      Enable this option to have the system generate unique public keys for all IPsec VPN sessions your users initiate.

      Enabling PFS ensures that the system does not create a link between the edge gateway private key and each session key.

      The compromise of a session key will not affect data other than the data exchanged in the specific session protected by that particular key. Compromise of the server's private key cannot be used to decrypt archived sessions or future sessions.

      When PFS is enabled, IPsec VPN connections to this edge gateway experience a slight processing overhead.

      Important: The unique session keys must not be used to derive any additional keys. Also, both sides of the IPsec VPN tunnel must support PFS for it to work.
      Name(Optional) Enter a name for the connection.
      Local ID

      Enter the external IP address of the edge gateway instance, which is the public IP address of the edge gateway.

      The IP address is the one used for the peer ID in the IPsec VPN configuration on the remote site.

      Local Endpoint

      Enter the network that is the local endpoint for this connection.

      The local endpoint specifies the network in your organization's virtual data center on which the edge gateway transmits. Typically, the external network is the local endpoint.

      If you add an IP-to-IP tunnel using a pre-shared key, the local ID and local endpoint IP can be the same.

      Local Subnets

      Enter the networks to share between the sites and use a comma as a separator to enter multiple subnets.

      Enter a network range (not a specific IP address) by entering the IP address using CIDR format. For example, 192.168.99.0/24.

      Peer ID

      Enter a peer ID to uniquely identify the peer site.

      The peer ID is an identifier that uniquely identifies the remote device that terminates the VPN connection, typically its public IP address.

      For peers using certificate authentication, the ID must be the distinguished name in the peer's certificate. For PSK peers, this ID can be any string. An NSX best practice is to use the remote device's public IP address or FQDN as the peer ID.

      If the peer's IP address is from another organization's virtual data center network, you enter the native IP address of the peer. If NAT is configured for the peer, you enter the peer's private IP address.

      Peer Endpoint

      Enter the IP address or FQDN of the peer site, which is the public-facing address of the remote device to which you are connecting.

      Note: When NAT is configured for the peer, enter the public IP address that the device uses for NAT.
      Peer Subnets

      Enter the remote network to which the VPN connects and use a comma as a separator to enter multiple subnets.

      Enter a network range (not a specific IP address) by entering the IP address using CIDR format. For example, 192.168.99.0/24.

      Encryption Algorithm

      Select the encryption algorithm type from the drop-down menu.

      Note: The encryption type you select must match the encryption type configured on the remote site VPN device.
      Authentication

      Select an authentication. The options are:

      • PSK

        Pre Shared Key (PSK) specifies that the secret key shared between the edge gateway and the peer site is to be used for authentication.

      • Certificate

        Certificate authentication specifies that the certificate defined at the global level is to be used for authentication. This option is not available unless you have configured the global certificate on the IPsec VPN tab's Global Configuration screen.

      Change Shared Key(Optional) When you are updating the settings of an existing connection, you can turn on this option on to make the Pre-Shared Key field available so that you can update the shared key.
      Pre-Shared Key

      If you selected PSK as the authentication type, type an alphanumeric secret string which can be a string with a maximum length of 128 bytes.

      Note: The shared key must match the key that is configured on the remote site VPN device. A best practice is to configure a shared key when anonymous sites will connect to the VPN service.
      Display Shared Key(Optional) Enable this option to make the shared key visible on the screen.
      Diffie-Hellman Group

      Select the cryptography scheme that allows the peer site and this edge gateway to establish a shared secret over an insecure communications channel.

      Note: The Diffie-Hellman Group must match what is configured on the remote site VPN device.
      Extension

      (Optional) Type one of the following options:

      • securelocaltrafficbyip=IPAddress to redirect the edge gateway local traffic over the IPsec VPN tunnel.

        This is the default value.

      • passthroughSubnets=PeerSubnetIPAddress to support overlapping subnets.
    4. Click Keep.
    5. Click Save Changes.
     

    Enable the IPsec VPN Service

    1. On the IPsec VPN tab, click Activation Status.
    2. Click IPsec VPN Service Status to enable the IPsec VPN service.
    3. Click Save Changes.
     

    Specify Global IPsec VPN Settings

    1. Open Edge Gateway Services.
      1. From the top navigation bar, select Resources, and click the Cloud Resources tab.
      2. In the left panel, click Edge Gateways.
      3. Click the radio button next to the name of the target edge gateway, and click Services.
    2. On the IPsec VPN tab, click Global Configuration.
    3. (Optional) Set a global pre-shared key:
      1. Enable the Change Shared Key option.

      2. Enter a pre-shared key.

        The global pre-shared key (PSK) is shared by all the sites whose peer endpoint is set to any. If a global PSK is already set, changing the PSK to an empty value and saving it has no effect on the existing setting.
      3. (Optional) Optionally enable Display Shared Key to make the pre-shared key visible.
      4. Click Save Changes.
    4. Configure certification authentication:
      1. Turn on Enable Certificate Authentication.
      2. Select the appropriate service certificates, CA certificates, and CRLs.
      3. Click Save Changes.
     
    Powered by Zendesk