NSX Edge Services Gateway supports site to site IPSec VPN. You can create IPSec VPN between an ESG and any other network device (hardware/software) which supports IPSec or you can have ESG at both source and target site for this purpose.
Using IPSec VPN, you can create a secure connection between two sites and route the internal subnets between those two sites. Just ensure you don’t have an overlapping subnets behind the edge gateway. You can create more than one IPSec tunnel on ESG and number of tunnels is directly dependent on size of NSX edge.
As per VMware NSX Administration guide, Number of IPSec Tunnels that can be created per ESG is as follows:
Following are the algorithms which are supported by NSX IPSec VPN:
Triple DES (3DES192-CBC)
DH-2 (Diffie–Hellman group 2)
DH-5 (Diffie–Hellman group 5)
DH-14 (Diffie–Hellman group 14)
DH-15 (Diffie–Hellman group 15)
DH-16 (Diffie–Hellman group 16)
Lets jump into lab now and learn how to configure IPsec VPN.
In my lab I don’t have a real Site-A and Site-B, so I mimicked this by creating 2 ESG’s and placed a perimeter gateway in between the 2 ESG’s. My local and remote subnets are as follows:
- Local Endpoint: 192.168.40.1 (Uplink IP of ESG via which ESG is connected to Perimeter Gateway. This uplink is actually a transit VXLAN)
- Local Subnet: 192.168.6.0/24 (Internal VXLAN on ESG)
- Local Endpoint: 192.168.30.1
- Local Subnet: 192.168.230.0/24
In my lab, I will try to establish an IPSec VPN between Site-A and Site-B and will see if my VM which is on subnet 192.168.6.0/24 can ping other VM which is on subnet 192.168.230.0/24 and vice versa.
Lets start configuring ESG on Site-A.
Double click on the ESG (VPN-01) of Site-A and navigate to Manage > VPN > IPSec VPN
First click change option in front of Global configuration status and define a Pre-Shared key. This key needs to be same on both site.
Now click on green + button to configure IPSec VPN parameters.
I mentioned about my network topology earlier, so I used the same info here.
Now start the IPSec service and click on Publish Changes.
Lets configure the same on Site-B.
I opened the Site-B ESG (VPN-02) and navigated to IPSec VPN tab.
I entered my pre-shared key and clicked on + button to add the VPN parameters
Started VPN services and saved the settings by clicking on publish changes.
At this point, if you click on Show IPSec Statistics, you should see the tunnel status as green (if your config is correct). Mine is showing UP.
Verified the same on Site-A.
Logged into to my ESG console and ran the following command: show service ipsec to verify the IPSec VPN configuration.
Now lets test the connectivity.
I initiated ping from App01-New VM which is on Site-A and on network 192.168.6.0/24 to another VM wich is on Site-B and on network 192.168.230.0/24 and I was able to ping.
From Site-B, I was able to reach to 192.168.6.0/24 network
And that’s it. IPSec VPN is working as expected.
There are few more things on IPSec VPN which you should be knowing.
Enable/Disable IPSec VPN service
You should have your IPSec VPN configured for this task. To enable/disable IPSec VPN, select the Edge gateway where IPSec is configured and navigate to Manage > VPN > IPsec VPN tab.
If the service is started already, you will see a stop button and vice versa. Once you hit the button, you have to click on publish changes to save the settings.
Add a SSL Certificate for the IPSec VPN
The NSX IPSec VPN supports SSL certificates or PSK (Pre-Shared Key) for authentication. If you need certificate authentication instead of PSK, then you need to generate a Certificate Signing Request (CSR) and get this CSR signed by a Certificate Authority. You can even use self-signed certificate.
To generate a certificate on ESG, double-click the ESG on which IPSec VPN will be configured and navigate to Manage > Settings > Certificates.
From Actions tab, select “Generate CSR”
Punch in the your details and hit OK.
Once the CSR is generated, it can be sent to CA for signing or you can self sign it. For lab purpose you can use self-signed certs. To sign the cert, from Actions tab select “Self Sign Certificate”
Specify the number of days for which this cert will be valid and hit OK.
Configure Global IPSec Configuration
We already discussed this while configuring IPSec. Under global configuration we can choose to use PSK or Cert based Authentication. If you want to use certificate based authentication, then select the checkbox “Enable Certificate Authentication’ and select the certificate which you generated in previous step.
Make sure to click Publish Changes to apply the configuration.
Pretty straight forward task. Under IPSec VPN tab, expand Logging Policy and check mark the Enable logging box and select appropriate logging level. Make sure to Publish Changes to apply the configuration.
I hope you enjoyed reading this post. Feel free to share this on social media if it is worth sharing. Be sociable