The L2 VPN client is the source NSX Edge that initiates a communication with the destination Edge (L2 VPN server).

You can also configure a standalone Edge as the L2 VPN client. See Configure Standalone Edge as L2 VPN Client.

Procedure

  1. Log in to the vSphere Web Client.
  2. Click Networking & Security > NSX Edges.
  3. Double-click an Edge that you want to configure as the L2 VPN client.
  4. Click Manage > VPN > L2 VPN.
  5. Next to L2 VPN Mode, select Client.
  6. Next to Global Configuration Details, click Edit or Change.
  7. Specify the L2 VPN client details.
    1. Enter the address of the L2 VPN server to which this client is to be connected. The address can be a host name or an IP address.
    2. If necessary, edit the default port to which the L2 VPN client must connect.
    3. Select the encryption algorithm for communicating with the server.
    4. In Stretched Interfaces, click the Edit icon or Select Sub Interfaces to select the sub interfaces to be stretched to the server.
    5. Select the trunk interface for the Edge.
      Sub interfaces configured on the trunk vNIC are displayed.
    6. Double-click the sub interfaces to be stretched and click Add or OK.
    7. In Egress Optimization Gateway Address, enter the gateway IP address of the sub interfaces or the IP addresses to which traffic should not flow over the tunnel.
    8. (Optional) Select the Unstretched Networks check box when you want the VMs on the unstretched networks to communicate with the VMs that are behind the L2 VPN server edge on the stretched network, and you want this communication to be routed through the same L2 VPN tunnel. Unstretched subnets can be behind the L2 VPN server edge, the L2 VPN client edge, or both.

      For example, imagine that you have created an L2 VPN tunnel to stretch the 192.168.10.0/24 subnetwork between two data center sites using the NSX L2 VPN service.

      Behind the L2 VPN server edge, you have two additional subnets (for example, 192.168.20.0/24 and 192.168.30.0/24). When unstretched networks are enabled, the VMs on 192.168.20.0/24 and 192.168.30.0/24 subnets can communicate with the VMs that are behind the L2 VPN server edge on the stretched network (192.168.10.0/24). This communication is routed through the same L2 VPN tunnel.

    9. If you have enabled unstretched networks, do these steps depending on where the unstretched subnets are situated:
      • When unstretched subnets are behind the L2 VPN server edge, enter the network address of the unstretched network in the CIDR format while configuring the L2 VPN client edge. To enter multiple unstretched networks, separate the network addresses by commas.
      • When unstretched subnets are behind the L2 VPN client edge, keep the Unstretched Networks text box blank. In other words, do not enter the network address of the unstretched networks on the L2 VPN client edge.
      In the earlier example, because the unstretched subnets are behind the L2 VPN server edge, you must enter the unstretched networks as 192.168.20.0/24, 192.168.30.0/24 while configuring the L2 VPN client edge.
    10. In User Details, type the user credentials to get authenticated at the server.
  8. Click the Advanced tab and specify the other client details.
    1. (Optional) Enable only secure proxy connections.
      When a client Edge does not have direct access to the Internet and must reach the source (server) NSX Edge through a proxy server, you must specify proxy server settings.
    2. Enter the proxy server address, port, user name, and password.
    3. To enable server certificate validation, select Validate Server Certificate and select the appropriate CA certificate.
    4. Click Save or OK, and then click Publish Changes.
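
The rule in steps 8 and 9 for filling the Unstretched Networks text box, as an added example that is not part of the original documentation or of NSX itself. The function name, the "server"/"client" site labels, the 192.168.40.0/24 subnet, and the overlap check are assumptions made for illustration.

```python
import ipaddress

def unstretched_networks_field(unstretched, stretched):
    """Build the text for the client edge's Unstretched Networks box.

    unstretched: (cidr, site) pairs, site is "server" or "client" (hypothetical labels)
    stretched:   CIDR strings of the subnets stretched over the L2 VPN tunnel
    """
    stretched_nets = [ipaddress.ip_network(s) for s in stretched]
    entries = []
    for cidr, site in unstretched:
        cidr = cidr.strip()
        if site not in ("server", "client"):
            raise ValueError(f"{cidr}: site must be 'server' or 'client'")
        if "/" not in cidr:
            raise ValueError(f"{cidr}: prefix length missing, CIDR format required")
        try:
            # strict=True rejects host addresses such as 192.168.20.5/24
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            raise ValueError(f"{cidr}: not a network address in CIDR format") from exc
        # Assumption, not stated on the page: a subnet that overlaps a stretched
        # subnet is treated as a data-entry mistake.
        for s in stretched_nets:
            if net.version == s.version and net.overlaps(s):
                raise ValueError(f"{net} overlaps stretched subnet {s}")
        # Only subnets behind the L2 VPN server edge are entered on the client
        # edge; subnets behind the client edge leave the box blank.
        if site == "server" and net not in entries:
            entries.append(net)
    return ", ".join(str(n) for n in entries)

if __name__ == "__main__":
    # Subnets from the page's example plus one constructed client-side subnet.
    inventory = [
        ("192.168.20.0/24", "server"),
        ("192.168.30.0/24", "server"),
        ("192.168.40.0/24", "client"),  # constructed for illustration
    ]
    print(unstretched_networks_field(inventory, ["192.168.10.0/24"]))
```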

What to do next

Ensure that the Internet-facing firewall allows traffic to flow from the L2 VPN Edge to the Internet. The destination port is 443.