Starting with NSX Data Center 6.4.2, you can stretch your layer 2 networks between two sites with L2 VPN service over IPSec. Before configuring the L2 VPN service over IPSec, you must first create a route-based IPSec VPN tunnel. You then consume this route-based IPSec VPN tunnel to create an L2 VPN tunnel between the two sites.

You cannot create and edit a route-based IPSec VPN tunnel by using the vSphere Web Client. You must use the NSX REST APIs. For more information about creating route-based IPSec VPN tunnels, see the NSX API Guide.

Workflow for Configuring L2 VPN Service Over IPSec

You must use NSX REST APIs to configure the L2 VPN service over IPSec on both the server Edge and the client Edge.

The steps in the workflow are supported only with NSX REST APIs. In this documentation, only the API URLs are mentioned. For a detailed information about the API parameters, sample requests and responses, see the NSX API Guide.

First, configure the L2 VPN service in the server (hub) mode on the NSX Edge by using the following steps. The Edge that you configure in the server mode must be an NSX Edge.
  1. Create a route-based IPSec VPN tunnel with the Edge that you want to configure as the L2 VPN server (hub). A site ID is auto-generated when you create the tunnel.
    PUT /api/4.0/edges/{edgeId}/ipsec/config
  2. Create an L2 VPN tunnel for a client, and bind this L2 VPN tunnel with the site ID that was generated in step 1.
    POST /api/4.0/edges/{edgeId}/l2t/config/l2tunnels
  3. Retrieve the peer code for this client. This peer code becomes the input code (shared code) for configuring the L2 VPN service on the client Edge.
    GET /api/4.0/edges/{edgeId}/l2t/config/l2tunnels/{l2tunnelId}/peercodes
  4. Enable the L2 VPN over IPSec service.
    POST /api/4.0/edges/{edgeId}/l2t/config

If you want to stretch the L2 network with other sites, repeat the preceding three steps on the server for the L2 VPN clients at other sites.

Now, configure the L2 VPN service in the client (spoke) mode on another Edge by using the following steps. This Edge can either be an NSX-managed Edge or a standalone Edge.
  1. Create a route-based IPSec VPN tunnel with the same parameters that you used for configuring the route-based IPSec VPN tunnel on the server Edge.
  2. Configure the Edge in spoke mode.
    PUT /api/4.0/edges/{edgeId}/l2t/config/globalconfig
  3. Create an L2 VPN tunnel by using the site ID that was generated on the server, and with the peer code that you retrieved from the server.
  4. Enable the L2 VPN over IPSec service.