Use the steps in this topic to enable IPSec VPN on the NSX Edge instance.

Prerequisites

To enable certificate authentication, server certificates and corresponding CA-signed certificates must be imported. Optionally, you can use an open-source command-line tool such as OpenSSL to generate CA-signed certificates.

Self-signed certificates cannot be used for IPSec VPN. They can only be used in load balancing and SSL VPN.
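The following shell script is an added example, not part of the NSX documentation, showing how to produce the CA-signed server certificate that the prerequisite above calls for with OpenSSL, and how to check that what you are about to import is not self-signed. All names, subjects and paths (the CA name, edge01.example.invalid, the output directory) are placeholders you would replace with your own; the OpenSSL commands themselves are standard.

```shell
#!/bin/sh
# Added example: build a CA-signed server certificate for NSX Edge IPSec VPN with OpenSSL.
# Subjects, file names and the output directory are constructed placeholders.
set -eu

# make_ipsec_certs DIR
# Writes ca.key, ca.crt (the signing CA) and edge.key, edge.csr, edge.crt (the server
# certificate to import as the Service certificate) into DIR.
make_ipsec_certs() {
  dir="$1"
  mkdir -p "$dir"
  # 1. A private CA. Its certificate is what you import as the CA certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Example IPSec CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # 2. A key and certificate signing request for the NSX Edge IPSec service.
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=edge01.example.invalid" \
    -keyout "$dir/edge.key" -out "$dir/edge.csr" 2>/dev/null
  # 3. Sign the request with the CA. This step is what makes the server certificate
  #    CA-signed instead of self-signed.
  openssl x509 -req -in "$dir/edge.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -sha256 -out "$dir/edge.crt" 2>/dev/null
}

# verify_chain CAFILE CERT
# Prints "ok" when CERT chains to CAFILE and is not self-signed, "fail" when it does not
# validate, and "self-signed" when issuer and subject are the same entity (the case that
# IPSec VPN on NSX Edge does not accept).
verify_chain() {
  cafile="$1"; cert="$2"
  openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1 || { echo "fail"; return 1; }
  issuer=$(openssl x509 -in "$cert" -noout -issuer)
  subject=$(openssl x509 -in "$cert" -noout -subject)
  if [ "${issuer#issuer=}" = "${subject#subject=}" ]; then
    echo "self-signed"; return 1
  fi
  echo "ok"
}

# Usage: make_ipsec_certs ./ipsec-certs && verify_chain ./ipsec-certs/ca.crt ./ipsec-certs/edge.crt
```

Run verify_chain against the CA certificate itself and it reports self-signed, which is exactly the certificate type the note above says cannot be used for IPSec VPN; run it against edge.crt and it reports ok, so the pair can be imported as Service certificate and CA certificate in step 8.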

Procedure

  1. Log in to the vSphere Web Client.
  2. Click Networking & Security > NSX Edges.
  3. Double-click an NSX Edge.
  4. Click Manage > VPN > IPSec VPN.
  5. Next to Global Configuration, click Edit or Change.
  6. Enter a global pre-shared key for those sites whose peer endpoint is set to "any".
    To view the pre-shared key, click the Show Pre-Shared Key icon or select the Display shared key check box.
  7. Configure the global extensions.
    The following list describes the global extensions.

    add_spd
    Allowed values are on and off. The default value is on, even when you do not configure this extension.
    When add_spd=off:
    • Security policies are installed only when the tunnel is up.
    • If the tunnel is up, packets are sent encrypted through the tunnel.
    • If the tunnel is down, packets are sent unencrypted if a route is available.
    When add_spd=on:
    • Security policies are installed regardless of whether the tunnel is established.
    • If the tunnel is up, packets are sent encrypted through the tunnel.
    • If the tunnel is down, packets are dropped.

    ike_fragment_size
    If the maximum transmission unit (MTU) is small, you can set the IKE fragment size with this extension to avoid failures in the IKE negotiation. For example, ike_fragment_size=900.

    ignore_df
    Allowed values are on and off. The default value is off.
    • When ignore_df=off, NSX Edge copies the value of the "don't fragment" (DF) bit from the clear text packet to the encrypted packet. If the clear text packet has the DF bit set, the encrypted packet also has the DF bit set.
    • When ignore_df=on, NSX Edge ignores the value of the DF bit in the clear text packet, and the DF bit is always 0 in the encrypted packet.
    • Set this flag to on when the DF bit is set in the clear text packet and the size of the packet after encryption exceeds the MTU. With the DF bit set, such a packet is dropped; with the bit cleared, it is fragmented.

  8. Enable certificate authentication, and then select the appropriate Service certificate, CA certificate, and the certificate revocation list (CRL).
  9. Click Save or OK, and then click Publish Changes.
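Before publishing the global extensions from step 7, it helps to spell out what each value means for traffic while a tunnel is down, since add_spd=off fails open (clear text is forwarded if a route exists) while the default add_spd=on fails closed. The script below is an added example, not part of the NSX documentation: it takes the extensions as one string of key=value pairs separated by semicolons or newlines (that input format is an assumption; the page does not state how the UI delimits entries), checks the allowed values from the table, and reports the resulting behaviour.

```shell
#!/bin/sh
# Added example: review NSX Edge IPSec VPN global extensions before publishing them.
# Input format (key=value pairs separated by ';' or newlines) is an assumption.

# ext_get EXTENSIONS KEY : print the last value set for KEY, or nothing if it is unset
ext_get() {
  printf '%s\n' "$1" | tr ';' '\n' \
    | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | tail -n 1
}

# tunnel_down_behaviour EXTENSIONS : "cleartext" when add_spd=off, otherwise "dropped"
tunnel_down_behaviour() {
  spd=$(ext_get "$1" add_spd); [ -n "$spd" ] || spd=on   # default per the table
  if [ "$spd" = off ]; then echo cleartext; else echo dropped; fi
}

# ext_check EXTENSIONS : validate each value and print one finding per extension.
# Exit status is 1 if any value is outside what the table allows.
ext_check() {
  ext="$1"; rc=0
  spd=$(ext_get "$ext" add_spd);  [ -n "$spd" ] || spd=on    # default is on
  df=$(ext_get "$ext" ignore_df); [ -n "$df" ]  || df=off   # default is off
  frag=$(ext_get "$ext" ike_fragment_size)

  case "$spd" in
    on)  echo "add_spd=on: policies always installed; tunnel down => packets dropped (fail closed)" ;;
    off) echo "add_spd=off: policies only with tunnel up; tunnel down => clear text if routed (fail open)" ;;
    *)   echo "add_spd=$spd: invalid, allowed values are on and off"; rc=1 ;;
  esac
  case "$df" in
    on)  echo "ignore_df=on: DF bit cleared on encrypted packets, oversize packets fragmented" ;;
    off) echo "ignore_df=off: DF bit copied from clear text; oversize packets with DF set are dropped" ;;
    *)   echo "ignore_df=$df: invalid, allowed values are on and off"; rc=1 ;;
  esac
  if [ -n "$frag" ]; then
    case "$frag" in
      0|*[!0-9]*) echo "ike_fragment_size=$frag: invalid, must be a positive integer"; rc=1 ;;
      *)          echo "ike_fragment_size=$frag: IKE messages fragmented at $frag bytes" ;;
    esac
  fi
  return $rc
}

# Usage: ext_check 'add_spd=off;ignore_df=on;ike_fragment_size=900'
```

The useful output is the fail-open line: if the review shows add_spd=off on an Edge whose protected subnets must never leave in clear text, change it back to on before clicking Publish Changes.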