You can configure site-to-site connectivity between an NSX-T Data Center edge gateway and remote sites. The remote sites must use NSX-T Data Center, have third-party hardware routers, or VPN gateways that support IPSec.

VMware Cloud Director supports automatic route redistribution when you configure IPSec VPN on an NSX-T Data Center edge gateway.

Prerequisites

If you plan to use certificate authentication to secure the IPSec VPN communication, verify that your system administrator has uploaded the server certificate for the local NSX-T Data Center edge gateway and a CA certificate for your organization to the VMware Cloud Director certificates library.

Procedure

  1. From the top navigation bar, select Resources and click Cloud Resources.
  2. In the left panel, click Edge Gateways, and click the name of the target edge gateway.
  3. Under Services, click IPSec VPN.
  4. To configure an IPSec VPN tunnel, click New.
  5. Enter a name and, optionally, a description for the IPSec VPN tunnel.
  6. To enable the tunnel upon creation, toggle on the Status option.
  7. (Optional) To enable logging, toggle on the Logging option.
  8. Select a peer authentication mode.
    Option Description
    Pre-Shared Key Choose a pre-shared key to enter. The pre-shared key must be the same on the other end of the IPSec VPN tunnel.
    Certificate Select site and CA certificates to be used for authentication.
  9. Enter one of the IP addresses that are available to the edge gateway for the local endpoint.
    The IP address must be either the primary IP of the edge gateway, or an IP address that is separately allocated to the edge gateway from the external network .
  10. Enter at least one local IP subnet address in CIDR notation to use for the IPSec VPN tunnel.
  11. Еnter the IP address for the remote endpoint.
  12. Enter at least one remote IP subnet address in CIDR notation to use for the IPSec VPN tunnel.
  13. Enter the remote ID for the peer site.
    The remote ID must match the SAN (Subject Alternative Name) of the remote endpoint certificate, if available. If the remote certificate does not contain a SAN, the remote ID must match the distinguished name of the certificate that is used to secure the remote endpoint, for example, C=US, ST=Massachusetts, O=VMware,OU=VCD, CN=Edge1.
  14. Click Next.
  15. Review your settings and click Finish.
  16. To verify that the tunnel is functioning, select it and click View Statisticts.
    If the tunnel is functioning, Tunnel Status and IKE Service Status both display Up.

Results

The newly created IPSec VPN tunnel is listed in the IPSec VPN view. The IPSec VPN tunnel is created with a default security profile.

What to do next

  • Configure the remote endpoint of the IPSec VPN tunnel.
  • You can edit the IPSec VPN tunnel settings and customize its security profile as needed.