The NSX Data Center for vSphere edge gateways in a VMware Cloud Director environment support site-to-site Internet Protocol Security (IPsec) to secure VPN tunnels between organization virtual data center networks or between an organization virtual data center network and an external IP address. You can configure the IPsec VPN service on an edge gateway.

Setting up an IPsec VPN connection from a remote network to your organization virtual data center is the most common scenario. The NSX software provides an edge gateway IPsec VPN capabilities, including support for certificate authentication, preshared key mode, and IP unicast traffic between itself and remote VPN routers. You can also configure multiple subnets to connect through IPsec tunnels to the internal network behind an edge gateway. When you configure multiple subnets to connect through IPsec tunnels to the internal network, those subnets and the internal network behind the edge gateway must not have address ranges that overlap.

Note: If the local and remote peer across an IPsec tunnel have overlapping IP addresses, traffic forwarding across the tunnel might not be consistent depending on whether local connected routes and auto-plumbed routes exist.

The following IPsec VPN algorithms are supported:

  • AES (AES128-CBC)
  • AES256 (AES256-CBC)
  • Triple DES (3DES192-CBC)
  • AES-GCM (AES128-GCM)
  • DH-2 (Diffie-Hellman group 2)
  • DH-5 (Diffie-Hellman group 5)
  • DH-14 (Diffie-Hellman group 14)
Note: Dynamic routing protocols are not supported with IPsec VPN. When you configure an IPsec VPN tunnel between an edge gateway of the organization virtual data center and a physical gateway VPN at a remote site, you cannot configure dynamic routing for that connection. The IP address of that remote site cannot be learned by dynamic routing on the edge gateway uplink.

As described in the IPSec VPN Overview topic in the NSX Administration Guide, the maximum number of tunnels supported on an edge gateway is determined by its configured size: compact, large, x-large, quad large.

To view the size of your edge gateway configuration, navigate to the edge gateway and click the edge gateway name.

Configuring IPsec VPN on an edge gateway is a multi-step process.

Note: If a firewall is between the tunnel endpoints, after you configure the IPsec VPN service, update the firewall rules to allow the following IP protocols and UDP ports:
  • IP Protocol ID 50 (ESP)
  • IP Protocol ID 51 (AH)
  • UDP Port 500 (IKE)
  • UDP Port 4500

Navigate to the IPsec VPN Screen on an NSX Data Center for vSphere Edge Gateway in the VMware Cloud Director Service Provider Admin Portal

In the IPsec VPN screen, you can begin configuring the IPsec VPN service for an NSX Data Center for vSphere edge gateway.

Procedure

  1. Open Edge Gateway Services.
    1. From the primary left navigation panel, select Resources, and from the page top navigation bar, select the Cloud Resources tab.
    2. From the secondary left panel, select Edge Gateways.
    3. Click the radio button next to the name of the target edge gateway, and click Services.
  2. Navigate to VPN > IPsec VPN.

What to do next

Use the IPsec VPN Sites screen to configure an IPsec VPN connection. At least one connection must be configured before you can enable the IPsec VPN service on the edge gateway. See Configure the IPsec VPN Site Connections for the NSX Data Center for vSphere Edge Gateway in the VMware Cloud Director Service Provider Admin Portal.

Configure the IPsec VPN Site Connections for the NSX Data Center for vSphere Edge Gateway in the VMware Cloud Director Service Provider Admin Portal

Use the IPsec VPN Sites screen in the VMware Cloud Director tenant portal to configure settings needed to create an IPsec VPN connection between your organization virtual data center and another site using the edge gateway IPsec VPN capabilities.

When you configure an IPsec VPN connection between sites, you configure the connection from the point of view of your current location. Setting up the connection requires that you understand the concepts in the context of the VMware Cloud Director environment so that you configure the VPN connection correctly.

  • The local and peer subnets specify the networks to which the VPN connects. When you specify these subnets in the configurations for IPsec VPN sites, enter a network range and not a specific IP address. Use CIDR format, such as 192.168.99.0/24.
  • The peer ID is an identifier that uniquely identifies the remote device that terminates the VPN connection, typically its public IP address. For peers using certificate authentication, this ID must be the distinguished name set in the peer certificate. For PSK peers, this ID can be any string. An NSX best practice is to use the public IP address of the remote device or FQDN as the peer ID. If the peer IP address is from another organization virtual data center network, you enter the native IP address of the peer. If NAT is configured for the peer, you enter the peer's private IP address.
  • The peer endpoint specifies the public IP address of the remote device to which you are connecting. The peer endpoint might be a different address from the peer ID if the peer's gateway is not directly accessible from the Internet, but connects through another device. If NAT is configured for the peer, you enter the public IP address that the devices uses for NAT.
  • The local ID specifies the public IP address of the edge gateway of the organization virtual data center. You can enter an IP address or hostname along with the edge gateway firewall.
  • The local endpoint specifies the network in your organization virtual data center on which the edge gateway transmits. Typically the external network of the edge gateway is the local endpoint.

Prerequisites

Procedure

  1. On the IPsec VPN tab, click IPsec VPN Sites.
  2. Click the Add (Create button) button.
  3. Configure the IPsec VPN connection settings.
    Option Action
    Enabled Enable this connection between the two VPN endpoints.
    Enable perfect forward secrecy (PFS) Enable this option to have the system generate unique public keys for all IPsec VPN sessions your users initiate.

    Enabling PFS ensures that the system does not create a link between the edge gateway private key and each session key.

    The compromise of a session key will not affect data other than the data exchanged in the specific session protected by that particular key. Compromise of the server's private key cannot be used to decrypt archived sessions or future sessions.

    When PFS is enabled, IPsec VPN connections to this edge gateway experience a slight processing overhead.

    Important: The unique session keys must not be used to derive any additional keys. Also, both sides of the IPsec VPN tunnel must support PFS for it to work.
    Name (Optional) Enter a name for the connection.
    Local ID Enter the external IP address of the edge gateway instance, which is the public IP address of the edge gateway.

    The IP address is the one used for the peer ID in the IPsec VPN configuration on the remote site.

    Local Endpoint Enter the network that is the local endpoint for this connection.

    The local endpoint specifies the network in your organization virtual data center on which the edge gateway transmits. Typically, the external network is the local endpoint.

    If you add an IP-to-IP tunnel using a pre-shared key, the local ID and local endpoint IP can be the same.

    Local Subnets Enter the networks to share between the sites and use a comma as a separator to enter multiple subnets.

    Enter a network range (not a specific IP address) by entering the IP address using CIDR format. For example, 192.168.99.0/24.

    Peer ID Enter a peer ID to uniquely identify the peer site.

    The peer ID is an identifier that uniquely identifies the remote device that terminates the VPN connection, typically its public IP address.

    For peers using certificate authentication, the ID must be the distinguished name in the peer's certificate. For PSK peers, this ID can be any string. An NSX best practice is to use the remote device's public IP address or FQDN as the peer ID.

    If the peer IP address is from another organization virtual data center network, you enter the native IP address of the peer. If NAT is configured for the peer, you enter the peer's private IP address.

    Peer Endpoint Enter the IP address or FQDN of the peer site, which is the public-facing address of the remote device to which you are connecting.
    Note: When NAT is configured for the peer, enter the public IP address that the device uses for NAT.
    Peer Subnets Enter the remote network to which the VPN connects and use a comma as a separator to enter multiple subnets.

    Enter a network range (not a specific IP address) by entering the IP address using CIDR format. For example, 192.168.99.0/24.

    Encryption Algorithm Select the encryption algorithm type from the drop-down menu.
    Note: The encryption type you select must match the encryption type configured on the remote site VPN device.
    Authentication Select an authentication. The options are:
    • PSK

      Pre Shared Key (PSK) specifies that the secret key shared between the edge gateway and the peer site is to be used for authentication.

    • Certificate

      Certificate authentication specifies that the certificate defined at the global level is to be used for authentication. This option is not available unless you have configured the global certificate on the IPsec VPN tab's Global Configuration screen.

    Change Shared Key (Optional) When you are updating the settings of an existing connection, you can turn on this option on to make the Pre-Shared Key field available so that you can update the shared key.
    Pre-Shared Key If you selected PSK as the authentication type, type an alphanumeric secret string which can be a string with a maximum length of 128 bytes.
    Note: The shared key must match the key that is configured on the remote site VPN device. A best practice is to configure a shared key when anonymous sites will connect to the VPN service.
    Display Shared Key (Optional) Enable this option to make the shared key visible in the screen.
    Diffie-Hellman Group Select the cryptography scheme that allows the peer site and this edge gateway to establish a shared secret over an insecure communications channel.
    Note: The Diffie-Hellman Group must match what is configured on the remote site VPN device.
    Extension (Optional) Type one of the following options:
    • securelocaltrafficbyip=IPAddress to redirect the edge gateway local traffic over the IPsec VPN tunnel.

      This is the default value.

    • passthroughSubnets=PeerSubnetIPAddress to support overlapping subnets.
  4. Click Keep.
  5. Click Save changes.

What to do next

Configure the connection for the remote site. You must configure the IPsec VPN connection on both sides of the connection: your organization virtual data center and the peer site.

Enable the IPsec VPN service on this edge gateway. When at least one IPsec VPN connection is configured, you can enable the service. See Enable the IPsec VPN Service on an NSX Data Center for vSphere Edge Gateway in the VMware Cloud Director Service Provider Admin Portal.

Enable the IPsec VPN Service on an NSX Data Center for vSphere Edge Gateway in the VMware Cloud Director Service Provider Admin Portal

When at least one IPsec VPN connection is configured, you can enable the IPsec VPN service on the edge gateway.

Prerequisites

Procedure

  1. On the IPsec VPN tab, click Activation Status.
  2. Click IPsec VPN Service Status to enable the IPsec VPN service.
  3. Click Save changes.

Results

The edge gateway IPsec VPN service is active.

Specify Global IPsec VPN Settings on an NSX Edge Gateway in the VMware Cloud Director Service Provider Admin Portal

Use the Global Configuration screen to configure IPsec VPN authentication settings at an edge gateway level. On this screen, you can set a global pre-shared key and enable certification authentication.

A global pre-shared key is used for those sites whose peer endpoint is set to any.

Prerequisites

Procedure

  1. Open Edge Gateway Services.
    1. From the primary left navigation panel, select Resources, and from the page top navigation bar, select the Cloud Resources tab.
    2. From the secondary left panel, select Edge Gateways.
    3. Click the radio button next to the name of the target edge gateway, and click Services.
  2. On the IPsec VPN tab, click Global Configuration.
  3. (Optional) Set a global pre-shared key:
    1. Enable the Change Shared Key option.
    2. Enter a pre-shared key.
      The global pre-shared key (PSK) is shared by all the sites whose peer endpoint is set to any. If a global PSK is already set, changing the PSK to an empty value and saving it has no effect on the existing setting.
    3. (Optional) Optionally enable Display Shared Key to make the pre-shared key visible.
    4. Click Save changes.
  4. Configure certification authentication:
    1. Turn on Enable Certificate Authentication.
    2. Select the appropriate service certificates, CA certificates, and CRLs.
    3. Click Save changes.

What to do next

You can optionally enable logging for the IPsec VPN service of the edge gateway. See Statistics and Logs for an NSX Data Center for vSphere Edge Gateway in the VMware Cloud Director Service Provider Admin Portal.