VMware Cloud Director supports the creation, deletion and management of L2 VPN tunnels between NSX edge gateways.

With L2 VPN, you can extend your organization VDC by enabling virtual machines to maintain their network connectivity across geographical boundaries while keeping the same IP address. The connection is secured with a route-based IPSec tunnel between the two sides of the tunnel.

You can configure the L2 VPN service on an NSX edge gateway in your VMware Cloud Director environment and create a L2 VPN tunnel. Virtual machines remain on the same subnet, which enables you to extend your organization VDC by stretching its network. This way, an edge gateway at one site can provide all services to virtual machines on the other site.

To create the L2 VPN tunnel, you configure an L2 VPN server and an L2 VPN client.

The service type - server or client - that you configure on the first L2 VPN tunnel on an edge gateway determines the session mode for all other L2 VPN tunnels on the edge gateway. You can only configure one client session per edge gateway.

After you create a tunnel, you cannot change its session mode from server to client, or vice versa. For example, if you want to change the session mode on an NSX edge gateway from server to client, you must delete all existing server tunnels from it.

When you create an L2 VPN server tunnel endpoint, a tunnel ID is automatically assigned to the organization VDC network that you stretch, and a peer code is generated. On the client side of the tunnel, you need to add a corresponding network with the same tunnel ID, peer code, and the same subnet.

For more information on L2 VPN for NSX, see NSX Administration Guide.

Configure an NSX Edge Gateway as an L2 VPN Server in the VMware Cloud Director Service Provider Admin Portal

The L2 VPN server is the destination NSX edge to which the L2 VPN client is going to connect.

In Server session mode, the NSX edge gateway acts as the server side of the L2 VPN tunnel. It generates peer codes to distribute for client sessions.

You can connect multiple peer sites to a single L2 VPN server.

Prerequisites

  • Verify that the NSX edge gateway is connected to a routed organization virtual data center network.
  • Verify that your role includes the Organization vDC Gateway: Configure L2 VPN right.

Procedure

  1. From the primary left navigation panel, select Resources, and from the page top navigation bar, select Cloud Resources.
  2. From the secondary left panel, select Edge Gateways, and click the name of the target edge gateway.
  3. Under Services, click L2 VPN.
  4. To configure an L2 VPN tunnel, click New.
  5. If this is the first L2 VPN tunnel for this edge gateway, select Server session mode and click Next.
  6. Enter a name and, optionally, a description for the L2 VPN tunnel.
  7. Choose a pre-shared key to enter.
    If you change the pre-shared key after the initial configuration of the L2 VPN server, you must reconfigure all client tunnels that use the pre-shared key with a new peer code .
  8. To enable the tunnel upon creation, toggle on the State option.
  9. (Optional) To enable logging, toggle on the Logging option.
  10. Click Next.
  11. From the drop-down menu, select one of the IP addresses that are available to the edge gateway for the local endpoint.
    The IP address must be either the primary IP of the edge gateway, or an IP address that is separately allocated to the edge gateway.
  12. Enter a subnet address in CIDR notation for the tunnel interface that secures the connection.
  13. Enter the IP address for the remote endpoint.
  14. Select an initiation mode and click Next.
    Option Description
    Initiator The local endpoint initiates the L2 VPN tunnel setup and responds to incoming tunnel setup requests from peer gateways.
    Respond Only The local endpoint only responds to incoming tunnel setup requests, it doesn't initiate the L2 VPN tunnel setup.
  15. Select one or more organization VDC networks to which to attach the tunnel and click Next.
  16. On the Ready to Complete page, review your settings and click Finish.

Results

The new L2 VPN tunnel appears in the list.

What to do next

In the Org VDC Networks row of the list of L2 VPN tunnels, click Info and note the tunnel IDs for the organization VDC networks that you want to stretch.

Copy the L2 VPN Peer Code From An L2 VPN Server Endpoint in the VMware Cloud Director Service Provider Admin Portal

To configure an NSX edge gateway as an L2 VPN client, you must copy the peer code that is generated from the L2 VPN server side of the tunnel.

Prerequisites

Verify that you configured the L2 VPN server endpoint of the tunnel.

Procedure

  1. From the primary left navigation panel, select Resources, and from the page top navigation bar, select Cloud Resources.
  2. From the secondary left panel, select Edge Gateways, and click the name of the target edge gateway.
  3. Under Services, click L2 VPN.
  4. Select the L2 VPN tunnel for which you want to copy the peer code.
  5. Click the Copy peer code button.

Results

The peer code is copied to the clipboard.

Configure an NSX Edge Gateway as an L2 VPN Client in the VMware Cloud Director Service Provider Admin Portal

You can create only one client tunnel on an NSX edge gateway.

Prerequisites

Procedure

  1. From the primary left navigation panel, select Resources, and from the page top navigation bar, select Cloud Resources.
  2. From the secondary left panel, select Edge Gateways, and click the name of the target edge gateway.
  3. Under Services, click L2 VPN.
  4. To configure an L2 VPN tunnel, click New.
  5. If this is the first L2 VPN tunnel for this edge gateway, select Client session mode and click Next.
  6. Enter a name and, optionally, a description for the L2 VPN tunnel.
  7. Paste the peer code from the L2 VPN Server tunnel that you wish to connect to.
  8. To enable the tunnel upon creation, toggle on the State option.
  9. (Optional) To enable logging, toggle on the Logging option.
  10. Click Next.
  11. Enter one of the IP addresses that are available to the edge gateway for the local endpoint.
    The IP address must be the one that you entered as a remote endpoint on the server side of the tunnel.
  12. Enter the IP address for the remote endpoint.
    The IP address must be the one that you entered as a local endpoint on the server side of the tunnel.
  13. Select the organization VDC network or networks to which to attach the tunnel, specify the tunnel ID for each network, and click Next.
    The tunnel IDs that you use for each organization VDC network must be the same as the tunnel IDs for the organization VDC networks on the server side.
  14. On the Ready to Complete page, review your settings and click Finish.