VMware Cloud Director supports site-to-site policy-based and route-based IPSec VPN between an NSX edge gateway instance and a remote site.

IPSec VPN offers site-to-site connectivity between an edge gateway and remote sites which also use NSX or which have either third-party hardware routers or VPN gateways that support IPSec.

Policy-based IPSec VPN requires a VPN policy to be applied to packets to determine which traffic is to be protected by IPSec before being passed through a VPN tunnel. This type of VPN is considered static because when a local network topology and configuration change, the VPN policy settings must also be updated to accommodate the changes.

NSX edge gateways support split tunnel configuration, with IPSec traffic taking routing precedence.

VMware Cloud Director supports automatic route redistribution when you use IPSec VPN on an NSX edge gateway.

Starting with version 10.6, you can configure site-to-site route-based IPSec VPN. For route-based IPSec VPN for NSX edge gateways, VMware Cloud Director supports only static routes. Route-based IPSec VPN uses standard routing protocols and provides better scalability. It is better suited for larger and more complex networks.

Configure NSX IPSec VPN in the VMware Cloud Director Service Provider Admin Portal

You can configure site-to-site connectivity between an NSX edge gateway and remote sites. The remote sites must use NSX, have third-party hardware routers, or VPN gateways that support IPSec.

VMware Cloud Director supports automatic route redistribution when you configure IPSec VPN on an NSX edge gateway.

Prerequisites

  • If you want to configure an NSX route-based IPSec VPN tunnel, configure static routing. See Configure Static Routing on an NSX Edge Gateway in the VMware Cloud Director Service Provider Admin Portal.
  • If you plan to use certificate authentication to secure the IPSec VPN communication, verify that your system administrator has uploaded the server certificate for the local NSX edge gateway and a CA certificate for your organization to the VMware Cloud Director certificates library.
  • If you want to restrict the number of security profiles available to your tenants, you can use the manage-config subcommand of the VMware Cloud Director cell management tool (CMT). For example, if you want to restrict the list to FIPS and Foundation, run the following CMT command.
    /opt/vmware/vcloud-director/bin/cell-management-tool manage-config -n networking.gatewayIpSecVpnTunnelSecurityTypeDisallowList -v PROVIDER_PREFERRED,FIPS,FOUNDATION

Procedure

  1. From the primary left navigation panel, select Resources, and from the page top navigation bar, select Cloud Resources.
  2. From the secondary left panel, select Edge Gateways, and click the name of the target edge gateway.
  3. Under Services, click IPSec VPN, and click New.
  4. Enter a name and, optionally, a description for the IPSec VPN tunnel.
  5. Select the IPSec VPN tunnel type.
    Starting with version 10.6, VMware Cloud Director supports route-based IPSec VPN for static routes.
  6. Select a security profile for securing the transmitted data.
  7. To enable the tunnel upon creation, turn on the Status toggle.
  8. To enable logging, turn on the Logging toggle.
  9. Click Next.
  10. Select a peer authentication mode.
      • Pre-Shared Key: Choose a pre-shared key to enter. The pre-shared key must be the same on the other end of the IPSec VPN tunnel.
      • Certificate: Select site and CA certificates to be used for authentication.
  11. From the drop-down menu, select one of the IP addresses that are available to the edge gateway for the local endpoint.
    The IP address must be either the primary IP of the edge gateway, or an IP address that is separately allocated to the edge gateway.
  12. If you are configuring policy-based IPSec VPN, enter at least one local IP subnet address in CIDR notation to use for the IPSec VPN tunnel.
  13. Enter the IP address for the remote endpoint.
  14. If you are configuring policy-based IPSec VPN, enter at least one remote IP subnet address in CIDR notation to use for the IPSec VPN tunnel.
  15. Enter the remote ID for the peer site.
    The remote ID must match the SAN (Subject Alternative Name) of the remote endpoint certificate, if available. If the remote certificate does not contain a SAN, the remote ID must match the distinguished name of the certificate that is used to secure the remote endpoint, for example, C=US, ST=Massachusetts, O=VMware, OU=VCD, CN=Edge1.
  16. If you are configuring route-based IPSec VPN, for the Virtual Tunnel Interface (VTI), enter a valid IPv4 CIDR, IPv6 CIDR, or one of each by separating them with a comma.

    The Virtual Tunnel Interface (VTI) represents the endpoint of an IPSec tunnel on a network device.

  17. Click Next.
  18. Review your settings and click Finish.
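The steps above leave several fields that must agree with each other before the tunnel can come up: policy-based tunnels need local and remote subnets in CIDR notation, route-based tunnels need a VTI of one IPv4 CIDR, one IPv6 CIDR, or one of each, and with certificate authentication the remote ID must match the peer certificate SAN, or its DN when there is no SAN. The following added example (not VMware code; the dictionary field names, the sample addresses and the peer DN are constructed for illustration) checks a tunnel definition for those consistency rules before it is entered in the portal.

```python
import ipaddress

# Constructed sample tunnel definition (not from the page); field names are assumptions.
SAMPLE_TUNNEL = {"type": "POLICY_BASED", "auth": "PSK", "psk": "example-only-not-a-real-key",
                 "local_endpoint": "203.0.113.10", "remote_endpoint": "198.51.100.20",
                 "local_subnets": ["192.168.10.0/24"], "remote_subnets": ["10.20.0.0/16"]}

def parse_vti(vti: str) -> list:
    """VTI field: one IPv4 CIDR, one IPv6 CIDR, or one of each, comma-separated."""
    nets = [ipaddress.ip_interface(p.strip()) for p in vti.split(",") if p.strip()]
    versions = [n.version for n in nets]
    if not nets or len(versions) != len(set(versions)):
        raise ValueError("expected one IPv4 CIDR, one IPv6 CIDR, or one of each")
    return nets

def check_remote_id(remote_id: str, san: str = None, dn: str = None) -> list:
    """Remote ID must equal the peer certificate SAN if present, otherwise its DN."""
    if san:
        return [] if remote_id == san else [f"remote_id {remote_id!r} != SAN {san!r}"]
    if dn:  # compare DN component-wise so spacing after commas does not matter
        same = [p.strip() for p in remote_id.split(",")] == [p.strip() for p in dn.split(",")]
        return [] if same else [f"remote_id {remote_id!r} != DN {dn!r}"]
    return ["remote_id: peer certificate has neither SAN nor DN to compare against"]

def check_tunnel(cfg: dict) -> list:
    """Return a list of problems in a tunnel definition (empty list means consistent)."""
    problems = []
    for key in ("local_endpoint", "remote_endpoint"):
        try:
            ipaddress.ip_address(cfg.get(key, ""))
        except ValueError:
            problems.append(f"{key}: missing or not an IP address")
    if cfg.get("type") == "POLICY_BASED":
        for key in ("local_subnets", "remote_subnets"):
            if not cfg.get(key):
                problems.append(f"{key}: policy-based tunnel needs at least one CIDR")
            for s in cfg.get(key, []):
                try:
                    ipaddress.ip_network(s)  # strict: a host address with a mask is rejected
                except ValueError:
                    problems.append(f"{key}: {s!r} is not a subnet in CIDR notation")
    elif cfg.get("type") == "ROUTE_BASED":
        try:
            parse_vti(cfg.get("vti", ""))
        except ValueError as err:
            problems.append(f"vti: {err}")
    if cfg.get("auth") == "CERTIFICATE":
        problems += check_remote_id(cfg.get("remote_id", ""), cfg.get("peer_san"), cfg.get("peer_dn"))
    elif not cfg.get("psk"):
        problems.append("psk: pre-shared key must be set and match the remote side")
    return problems
```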

Results

The newly created IPSec VPN tunnel is listed in the IPSec VPN view.

What to do next

  • To verify that the tunnel is functioning, select it, and click View Statistics.

    If the tunnel is functioning, Tunnel Status and IKE Service Status both display Up.

  • Configure the remote endpoint of the IPSec VPN tunnel.
  • You can edit the IPSec VPN tunnel settings and customize its security profile as needed.

Customize the Security Profile of an IPSec VPN Tunnel in the VMware Cloud Director Service Provider Admin Portal

If you decide not to use the system-generated security profile that was assigned to your IPSec VPN tunnel upon creation, you can customize it.

Procedure

  1. From the primary left navigation panel, select Resources, and from the page top navigation bar, select Cloud Resources.
  2. From the secondary left panel, select Edge Gateways, and click the name of the target edge gateway.
  3. Under Services, click IPSec VPN.
  4. Select the IPSec VPN tunnel and click Security Profile Customization.
  5. Configure the IKE profiles.
    The Internet Key Exchange (IKE) profiles provide information about the algorithms that are used to authenticate, encrypt, and establish a shared secret between network sites when you establish an IKE tunnel.
    1. Select an IKE protocol version to set up a security association (SA) in the IPSec protocol suite.
        • IKEv1: When you select this option, IPSec VPN initiates and responds to IKEv1 protocol only.
        • IKEv2: The default option. When you select this version, IPSec VPN initiates and responds to IKEv2 protocol only.
        • IKE-Flex: When you select this option, if the tunnel establishment fails with IKEv2 protocol, the source site does not fall back and initiate a connection with the IKEv1 protocol. Instead, if the remote site initiates a connection with the IKEv1 protocol, then the connection is accepted.
    2. Select a supported encryption algorithm to use during the Internet Key Exchange (IKE) negotiation.
    3. From the Digest drop-down menu, select a secure hashing algorithm to use during the IKE negotiation.
    4. From the Diffie-Hellman Group drop-down menu, select one of the cryptography schemes that allows the peer site and the edge gateway to establish a shared secret over an insecure communications channel.
    5. (Optional) In the Association Lifetime text box, modify the default number of seconds before the IPSec tunnel needs to reestablish.
  6. Configure the IPSec VPN tunnel.
    1. To enable perfect forward secrecy, toggle on the option.
    2. Select a defragmentation policy.
      The defragmentation policy helps to handle defragmentation bits present in the inner packet.
        • Copy: Copies the defragmentation bit from the inner IP packet to the outer packet.
        • Clear: Ignores the defragmentation bit present in the inner packet.
    3. Select a supported encryption algorithm to use during the Internet Key Exchange (IKE) negotiation.
    4. From the Digest drop-down menu, select a secure hashing algorithm to use during the IKE negotiation.
    5. From the Diffie-Hellman Group drop-down menu, select one of the cryptography schemes that allows the peer site and the edge gateway to establish a shared secret over an insecure communications channel.
    6. (Optional) In the Association Lifetime text box, modify the default number of seconds before the IPSec tunnel needs to reestablish.
  7. (Optional) In the Probe Interval text box, modify the default number of seconds for dead peer detection.
  8. Click Save.

Results

In the IPSec VPN view, the security profile of the IPSec VPN tunnel displays as User Defined.