The NSX Data Center for vSphere edge gateways in a VMware Cloud Director environment support L2 VPN. With L2 VPN, you can extend your organization virtual data center by enabling virtual machines to maintain network connectivity while retaining the same IP address across geographical boundaries. You can configure the L2 VPN service on an edge gateway.

NSX Data Center for vSphere provides the L2 VPN capabilities of an edge gateway. With L2 VPN, you can configure a tunnel between two sites. Virtual machines remain on the same subnet despite being moved between these sites, which enables you to extend your organization virtual data center by stretching its network using L2 VPN. An edge gateway at one site can provide all services to virtual machines on the other site.

To create the L2 VPN tunnel, you configure an L2 VPN server and L2 VPN client. As described in the NSX Administration Guide, the L2 VPN server is the destination edge gateway and the L2 VPN client is the source edge gateway. After configuring the L2 VPN settings on each edge gateway, you must then enable the L2 VPN service on both the server and the client.

Note: A routed organization virtual data center network created as a subinterface must exist on the edge gateways.

Navigate to the L2 VPN Screen Using Your VMware Cloud Director Tenant Portal

To begin configuring the L2 VPN service for an NSX Data Center for vSphere edge gateway in VMware Cloud Director, you must navigate to the L2 VPN screen.

Procedure

  1. Open Edge Gateway Services.
    1. From the primary left navigation panel, select Networking and from the page top navigation bar, select Edge Gateways.
    2. Select the edge gateway that you want to edit, and click Services.
  2. Navigate to VPN > L2 VPN.

What to do next

Configure the L2 VPN server. See Configure the NSX Data Center for vSphere Edge Gateway as an L2 VPN Server in the VMware Cloud Director Tenant Portal.

Configure the NSX Data Center for vSphere Edge Gateway as an L2 VPN Server in the VMware Cloud Director Tenant Portal

The L2 VPN server is the destination NSX edge to which the L2 VPN client is going to connect.

As described in the NSX Administration Guide, you can connect multiple peer sites to this L2 VPN server.

Note: Changing site configuration settings causes the edge gateway to disconnect and reconnect all existing connections.

Prerequisites

Navigate to the L2 VPN screen of the edge gateway that you want to configure as the server. See Navigate to the L2 VPN Screen Using Your VMware Cloud Director Tenant Portal. A routed organization virtual data center network created as a subinterface must exist on the edge gateway.

Procedure

  1. On the L2 VPN tab, select Server for the L2 VPN mode.
  2. On the Server Global tab, configure the L2 VPN server's global configuration details.
    Option: Action
    Listener IP: Select the primary or secondary IP address of an external interface of the edge gateway.
    Listener Port: Edit the displayed value as appropriate for the needs of your organization. The default port for the L2 VPN service is 443.
    Encryption Algorithm: Select the encryption algorithm for the communication between the server and the client. Configure the client with the same algorithm, and prefer an AES-based option over legacy ciphers.
    Service Certificate Details: Click Change server certificate to select the certificate to be bound to the L2 VPN server. In the Change Server Certificate window, turn on Validate Server Certificate, select a server certificate from the list, and click OK.

  3. To configure the peer sites, click the Server Sites tab.
  4. Click the Add button.
  5. Configure the settings for an L2 VPN peer site.
    Option: Action
    Enabled: Enable this peer site.
    Name: Enter a unique name for the peer site.
    Description: (Optional) Enter a description.
    User ID, Password, Confirm Password: Enter the user name and password with which the peer site is to be authenticated. User credentials on the peer site must be the same as the credentials on the client side.
    Stretched Interfaces: Select at least one subinterface to be stretched with the client. The subinterfaces available for selection are those organization virtual data center networks configured as subinterfaces on the edge gateway.
    Egress Optimization Gateway Address: (Optional) If the default gateway for virtual machines is the same across the two sites, enter the gateway IP addresses of the subinterfaces for which you want the traffic locally routed or blocked over the L2 VPN tunnel.
  6. Click Keep.
  7. Click Save changes.

What to do next

Enable the L2 VPN service on this edge gateway. See Enable the L2 VPN Service on an NSX Data Center for vSphere Edge Gateway Using Your VMware Cloud Director Tenant Portal.

Configure the NSX Data Center for vSphere Edge Gateway as an L2 VPN Client in the VMware Cloud Director Tenant Portal

The L2 VPN client is the source NSX edge that initiates communication with the destination NSX edge, the L2 VPN server.

Prerequisites

Navigate to the L2 VPN screen of the edge gateway that you want to configure as the client. See Navigate to the L2 VPN Screen Using Your VMware Cloud Director Tenant Portal. A routed organization virtual data center network created as a subinterface must exist on the edge gateway.

Procedure

  1. On the L2 VPN tab, select Client for the L2 VPN mode.
  2. On the Client Global tab, configure the global configuration details of the L2 VPN client.
    Option: Description
    Server Address: Enter the IP address of the L2 VPN server to which this client is to be connected.
    Server Port: Enter the L2 VPN server port to which the client should connect. The default port is 443.
    Encryption Algorithm: Select the encryption algorithm for communicating with the server.
    Stretched Interfaces: Select the subinterfaces to be stretched to the server. The subinterfaces available to select are the organization virtual data center networks configured as subinterfaces on the edge gateway.
    Egress Optimization Gateway Address: (Optional) If the default gateway for virtual machines is the same across the two sites, type the gateway IP addresses of the subinterfaces or the IP addresses to which traffic should not flow over the tunnel.
    User Details: Enter the user ID and password for authentication with the server.
  3. Click Save changes.
  4. (Optional) To configure advanced options, click the Client Advanced tab.
  5. If this L2 VPN client edge does not have direct access to the Internet, and must reach the L2 VPN server edge by using a proxy server, specify the proxy settings.
    Option: Description
    Enable Secure Proxy: Select to enable the secure proxy.
    Address: Enter the proxy server IP address.
    Port: Enter the proxy server port.
    User Name, Password: Enter the proxy server authentication credentials.
  6. To enable server certificate validation, click Change CA certificate and select the CA certificate that issued the server certificate bound to the L2 VPN server. Without this step the client accepts whatever certificate the listener presents, so an impersonating server cannot be detected.
  7. Click Save changes.
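The server and client procedures above contain settings that must agree between the two edges (server port, encryption algorithm, user ID and password) and settings that matter on their own (a bound server certificate, CA validation on the client, at least one stretched subinterface, the service enabled at both ends). The following Python script is an added example, not VMware code and not the VMware Cloud Director API: it models those fields in constructed dataclasses and checks a server/client pair before the service is switched on. The field names, the sample IPs and site names, and the STRONG_CIPHERS allow-list are assumptions for illustration; compare the allow-list with the cipher names your portal actually offers.

```python
"""Preflight consistency check for an NSX-V edge L2 VPN server/client pair.

Added example, not VMware code. The dataclasses are a constructed, simplified
mirror of the fields in the tenant-portal procedure; field names and the
STRONG_CIPHERS allow-list are assumptions, not the Cloud Director API schema.
"""
from __future__ import annotations

import ipaddress
import secrets
from dataclasses import dataclass, field

# Assumed allow-list of cipher names; replace with the values your portal
# offers. Anything not listed (legacy DES/3DES/RC4-style suites) is flagged.
STRONG_CIPHERS = {"AES128-SHA", "AES256-SHA"}


@dataclass
class PeerSite:
    name: str
    user_id: str
    password: str
    stretched_interfaces: list[str]
    enabled: bool = True
    egress_gateways: list[str] = field(default_factory=list)


@dataclass
class ServerConfig:
    listener_ip: str
    listener_port: int
    encryption_algorithm: str
    server_certificate: str | None      # name of the bound certificate, None if unset
    sites: list[PeerSite]
    enabled: bool = False


@dataclass
class ClientConfig:
    server_address: str
    server_port: int
    encryption_algorithm: str
    stretched_interfaces: list[str]
    user_id: str
    password: str
    validate_server_ca: bool            # the "Change CA certificate" step
    egress_gateways: list[str] = field(default_factory=list)
    enabled: bool = False


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def check_pair(server: ServerConfig, client: ClientConfig) -> list[str]:
    """Return the problems found; an empty list means the pair is consistent."""
    problems: list[str] = []
    # Server global settings
    if not _is_ip(server.listener_ip):
        problems.append("server: listener IP is not a valid IP address")
    if not 1 <= server.listener_port <= 65535:
        problems.append("server: listener port out of range")
    if server.encryption_algorithm not in STRONG_CIPHERS:
        problems.append(f"server: cipher {server.encryption_algorithm!r} not in allow-list")
    if not server.server_certificate:
        problems.append("server: no server certificate bound")
    if not server.sites:
        problems.append("server: no peer sites configured")
    # Client global settings
    if not _is_ip(client.server_address):
        problems.append("client: server address is not a valid IP address")
    if client.server_port != server.listener_port:
        # Only legitimate if a NAT rule in front of the server translates the port.
        problems.append("client: server port differs from listener port (check NAT)")
    if client.encryption_algorithm != server.encryption_algorithm:
        problems.append("client: cipher does not match server cipher")
    if not client.stretched_interfaces:
        problems.append("client: no subinterface selected for stretching")
    if not client.validate_server_ca:
        # Without a trusted CA the client accepts any certificate the listener
        # presents, so an impersonating server goes undetected.
        problems.append("client: server CA validation disabled")
    # Peer-site credentials must match the client credentials exactly
    site = next((s for s in server.sites if s.user_id == client.user_id), None)
    if site is None:
        problems.append(f"server: no peer site with user ID {client.user_id!r}")
    else:
        if not site.enabled:
            problems.append(f"server: peer site {site.name!r} is disabled")
        if not secrets.compare_digest(site.password.encode(), client.password.encode()):
            problems.append(f"server: password for peer site {site.name!r} differs from client")
        if not site.stretched_interfaces:
            problems.append(f"server: peer site {site.name!r} stretches no subinterface")
        for gw in site.egress_gateways + client.egress_gateways:
            if not _is_ip(gw):
                problems.append(f"egress optimization gateway {gw!r} is not an IP address")
    # The service has to be switched on at both ends (final procedure)
    if not (server.enabled and client.enabled):
        problems.append("L2 VPN service not enabled on both server and client")
    return problems


def example_pair(good: bool = True) -> tuple[ServerConfig, ClientConfig]:
    """Constructed sample configuration; IPs, names and password are made up."""
    site = PeerSite("site-b", "l2vpn-site-b", "Xk9#pQ2v", ["orgnet-app"],
                    egress_gateways=["10.10.1.1"])
    server = ServerConfig("203.0.113.10", 443, "AES256-SHA", "edge-a-cert", [site], enabled=True)
    client = ClientConfig("203.0.113.10", 443, "AES256-SHA", ["orgnet-app"],
                          "l2vpn-site-b", "Xk9#pQ2v", validate_server_ca=True,
                          egress_gateways=["10.10.1.1"], enabled=True)
    if not good:                        # a mistyped password and CA validation left off
        client.password = "wrong"
        client.validate_server_ca = False
    return server, client


if __name__ == "__main__":
    for good in (True, False):
        print("good" if good else "bad", check_pair(*example_pair(good)))
```

The port comparison is deliberately a warning rather than a hard failure: the client may legitimately connect to a NAT address and port that the Internet-facing firewall translates to the listener, which is the situation the final procedure on this page refers to.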

What to do next

Enable the L2 VPN service on this edge gateway. See Enable the L2 VPN Service on an NSX Data Center for vSphere Edge Gateway Using Your VMware Cloud Director Tenant Portal.

Enable the L2 VPN Service on an NSX Data Center for vSphere Edge Gateway Using Your VMware Cloud Director Tenant Portal

When the required L2 VPN settings are configured, you can enable the L2 VPN service on the edge gateway.

Note: If HA is already configured on this edge gateway, ensure that the edge gateway has more than one internal interface configured on it. If only a single interface exists and that has already been used by the HA capability, the L2 VPN configuration on the same internal interface fails.

Prerequisites

Configure the edge gateway as an L2 VPN server or as an L2 VPN client, as described in the preceding procedures, and save the changes.

Procedure

  1. On the L2 VPN tab, click the Enable toggle.
  2. Click Save changes.

Results

The L2 VPN service of the edge gateway becomes active.

What to do next

Create NAT or firewall rules on the Internet-facing firewall side so that the L2 VPN client, which initiates the connection, can reach the listener IP address and port of the L2 VPN server (443 by default).