A certificate-based VPN uses digital certificates rather than pre-shared keys during IKE negotiation.

You can use certificate-based authentication with a route-based or policy-based VPN.

In certificate-based authentication for IPsec VPNs, each endpoint presents a certificate during IKE negotiation. Both endpoints must share a common certificate authority (CA). Each endpoint is configured with an attribute from its peer's certificate (such as the DN, email ID, or IP address present in the certificate), rather than an IP address or CIDR, as the remote identity.

Prerequisites

If you do not have the necessary server certificates or CA certificates in NSX Manager, import the certificates. See Import a Self-signed or CA-signed Certificate and Import a CA Certificate.

If you are importing certificates, you must create a Management Gateway firewall rule that allows the import. Check with your Certificate Authority to find out the source address and port number to use in the rule.

Procedure

  1. Configure a local VPN endpoint on SDDC gateway and select the certificates for it.
    The SDDC Compute Gateway (T0) is provisioned with local endpoints by default. If you're connecting the VPN to a custom T1 gateway, you'll need to Add Local Endpoints to that gateway.

    The local ID is derived from the certificate associated with the local endpoint and depends on the X509v3 extensions present in that certificate. The local ID is either the X509v3 Subject Alternative Name (SAN) extension or the Distinguished Name (DN). The Local ID field is not required, and any value entered there is ignored. However, on the remote VPN gateway you must configure this derived local ID as the remote ID.

    • If an X509v3 Subject Alternative Name is found in the certificate, then one of the SAN strings is taken as the local ID value.
      If the certificate has multiple SAN fields, the following order is used to select the local ID:
      1. IP Address
      2. DNS
      3. Email Address

      For example, if the configured site certificate has the following SAN fields,

      X509v3 Subject Alternative Name:
      DNS:Site123.vmware.com, email:[email protected], IP Address:1.1.1.1

      then the IP address 1.1.1.1 is used as the local ID. If no IP address is present, the DNS string is used. If neither an IP address nor a DNS name is present, the email address is used.

    • If X509v3 Subject Alternative Name is not present in the certificate, then the Distinguished Name (DN) is used as the local ID value.

      For example, if the certificate does not have any SAN fields, and its DN string is

      C=US, ST=California, O=MyCompany, OU=MyOrg, CN=Site123

      then the DN string automatically becomes the local ID. The local ID is the peer ID on the remote site.

  2. Configure certificate-based authentication for the VPN.
    1. From the Authentication Mode drop-down menu, select Certificate.
    2. In the Remote Private IP/Remote ID textbox, enter a value to identify the peer site.
      The remote ID must be a distinguished name (DN), IP address, DNS name, or email address used in the peer site's certificate.
      Note:

      If the peer site's certificate contains an email address in the DN string, for example,

      C=US, ST=California, O=MyCompany, OU=MyOrg, CN=Site123/[email protected]

      then enter the Remote ID value in the following format instead, with the slash-separated emailAddress written as a comma-separated attribute:

      C=US, ST=California, O=MyCompany, OU=MyOrg, CN=Site123, [email protected]
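The two rules above (SAN priority IP Address, then DNS, then email, with the DN as fallback, and the comma form of a DN that carries emailAddress) are the whole of what decides which identity a peer must be configured with. The following script, added here as an illustration and not NSX code, applies both rules to openssl-style SAN and DN text so you can compute the value to enter as the Remote ID before an IKE negotiation fails on an identity mismatch. The sample SAN and DN strings and the parsing of "type:value" SAN entries and "/"-separated DN attributes are assumptions made for this example.

```python
import ipaddress
import re

# Constructed sample inputs, in the text form openssl prints (not taken from any real certificate).
SAN_WITH_IP = "DNS:Site123.vmware.com, email:admin@site123.example, IP Address:1.1.1.1"
SAN_DNS_ONLY = "DNS:Site123.vmware.com, email:admin@site123.example"
DN_PLAIN = "C=US, ST=California, O=MyCompany, OU=MyOrg, CN=Site123"
DN_SLASH_EMAIL = "C=US, ST=California, O=MyCompany, OU=MyOrg, CN=Site123/emailAddress=admin@site123.example"

# Selection order the page gives when a certificate has several SAN fields.
SAN_PRIORITY = ("IP Address", "DNS", "email")


def parse_san(san_text):
    """Parse 'type:value, type:value' SAN text into {type: [values]} (assumed openssl layout)."""
    entries = {}
    if not san_text:
        return entries
    for item in san_text.split(","):
        item = item.strip()
        if not item:
            continue
        # partition on the first ':' only, so IPv6 literals such as 2001:db8::1 stay intact
        kind, sep, value = item.partition(":")
        if not sep or not value.strip():
            raise ValueError(f"malformed SAN entry: {item!r}")
        entries.setdefault(kind.strip(), []).append(value.strip())
    return entries


def normalize_dn(dn_text):
    """Rewrite 'CN=x/emailAddress=y' into the 'CN=x, emailAddress=y' form the Remote ID field expects."""
    parts = []
    for rdn in dn_text.split(","):
        # split on '/' only when it starts a new attribute (e.g. /emailAddress=), not inside a value
        for attribute in re.split(r"/(?=[A-Za-z]+=)", rdn.strip()):
            if attribute:
                parts.append(attribute.strip())
    return ", ".join(parts)


def select_local_id(san_text, dn_text):
    """Return (source, value): the identity the endpoint will present, by the page's priority rules."""
    entries = parse_san(san_text)
    for kind in SAN_PRIORITY:
        values = entries.get(kind)
        if values:
            value = values[0]
            if kind == "IP Address":
                # refuse an unparsable address rather than letting it become an IKE identity
                ipaddress.ip_address(value)
            return kind, value
    # no SAN extension (or none of the three types present): fall back to the DN
    return "DN", normalize_dn(dn_text)


def expected_remote_id(peer_san_text, peer_dn_text):
    """The string to enter as Remote ID on this side, derived from the peer's certificate."""
    return select_local_id(peer_san_text, peer_dn_text)[1]


if __name__ == "__main__":
    for san, dn in ((SAN_WITH_IP, DN_PLAIN), (SAN_DNS_ONLY, DN_PLAIN), ("", DN_PLAIN), ("", DN_SLASH_EMAIL)):
        source, value = select_local_id(san, dn)
        print(f"{source:10s} -> {value}")
```

Run it against the SAN and subject lines from "openssl x509 -noout -text" of the peer's certificate; the printed value is what belongs in Remote Private IP/Remote ID, and a mismatch between that value and what the peer actually sends is the usual cause of a certificate-authenticated IKE session failing in the identity check.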