The L2 VPN server is the destination NSX edge to which the L2 VPN client is going to connect.

As described in the NSX Administration Guide, you can connect multiple peer sites to this L2 VPN server.

Note: Changing site configuration settings causes the edge gateway to disconnect and reconnect all existing connections.

Prerequisites

  • Verify that the edge gateway has a routed organization virtual data center network that is configured as a subinterface on the edge gateway.
  • Navigate to the L2 VPN Screen.
  • If you want to bind a service certificate to the L2 VPN connection, verify that the server certificate has already been uploaded to the edge gateway. See Add a Service Certificate to the Edge Gateway.
  • You must have the listener IP of the server, listener port, encryption algorithm, and at least one peer site configured before you can enable the L2 VPN service.

Procedure

  1. On the L2 VPN tab, select Server for the L2 VPN mode.
  2. On the Server Global tab, configure the L2 VPN server's global configuration details.
    Option Action
    Listener IP Select the primary or secondary IP address of an external interface of the edge gateway.
    Listener Port Edit the displayed value as appropriate for the needs of your organization.

    The default port for the L2 VPN service is 443.

    Encryption Algorithm Select the encryption algorithm for the communication between the server and the client.
    Service Certificate Details Click Change server certificate to select the certificate to be bound to the L2 VPN server.

    In the Change Server Certificate window, turn on Validate Server Certificate, select a server certificate from the list, and click OK.

  3. To configure the peer sites, click the Server Sites tab.
  4. Click the Add () button.
  5. Configure the settings for an L2 VPN peer site.
    Option Action
    Enabled Enable this peer site.
    Name Enter a unique name for the peer site.
    Description (Optional) Type a description.

    User ID

    Password

    Confirm Password

    Enter the user name and password with which the peer site is to be authenticated.

    User credentials on the peer site must be the same as the credentials on the client side.

    Stretched Interfaces Select at least one subinterface to be stretched with the client.

    The subinterfaces available for selection are those organization virtual data center networks configured as subinterfaces on the edge gateway.

    Egress Optimization Gateway Address (Optional) If the default gateway for virtual machines is the same across the two sites, enter the gateway IP addresses of the subinterfaces for which you want the traffic locally routed or blocked over the L2 VPN tunnel.
  6. Click Keep.
  7. Click Save changes.

What to do next

Enable the L2 VPN service on this edge gateway. See Enable the L2 VPN Service on an NSX Data Center for vSphere Edge Gateway.