To enable certificate authentication for IPSec, each Edge needs its own server certificate and the certificate of the CA that signed it, so both must be imported. You can use an open-source command-line tool such as OpenSSL to act as that CA and issue the signed certificates.

Prerequisites

OpenSSL must be installed.

Procedure

  1. On a Linux or Mac machine where OpenSSL is installed, open the OpenSSL configuration file openssl.cnf (/opt/local/etc/openssl/openssl.cnf or /System/Library/OpenSSL/openssl.cnf).
  2. Ensure that the CA directory setting in the [ CA_default ] section is dir = . (the current directory), so that openssl ca finds the directories and files created in the next step.
  3. In that directory, run the following commands to create the CA layout (the serial file holds the next certificate serial number and index.txt is the empty certificate database):
    mkdir newcerts
    mkdir certs
    mkdir req
    mkdir private
    echo "01" > serial
    touch index.txt
  4. Run the following command to generate the CA private key (private/cakey.pem) and the self-signed CA certificate (cacert.pem), valid for 3650 days; you are prompted for a passphrase that protects the key and for the CA's subject fields:
    openssl req -new -x509 -newkey rsa:2048 -keyout private/cakey.pem -out cacert.pem -days 3650
  5. On NSX Edge1, do these steps:
    1. Generate a certificate signing request (CSR).
      For detailed steps, see Configure a CA Signed Certificate.
    2. Copy the PEM-encoded (privacy-enhanced mail) CSR content and save it on the OpenSSL machine as req/edge1.req.
  6. Run the following command to sign the CSR; you are prompted for the CA key passphrase and asked to confirm the signing:
    sudo openssl ca -policy policy_anything -out certs/edge1.pem -in req/edge1.req
  7. On NSX Edge2, generate a CSR the same way, copy the PEM content, and save it on the OpenSSL machine as req/edge2.req.
  8. Run the following command to sign the CSR:
    sudo openssl ca -policy policy_anything -out certs/edge2.pem -in req/edge2.req
  9. Upload to Edge1 the PEM certificate block (from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----) found at the end of certs/edge1.pem. openssl ca precedes that block with a human-readable dump of the certificate, which the Edge does not need.
  10. Upload to Edge2 the PEM certificate block found at the end of certs/edge2.pem in the same way.
  11. Import the CA certificate (cacert.pem), which signed both CSRs, into Edge1 and Edge2 as CA-signed certificates.
  12. In the IPSec global configuration for Edge1 and Edge2, select the uploaded PEM certificate and the CA certificate and save the configuration.
  13. Navigate to Manage > Settings > Certificates. Select the signed certificate that you imported and record the DN string.
  14. Reverse the order of the components in the recorded DN string (the UI lists them with CN first) so that it has the format C=IN,ST=ka,L=blr,O=bmware,OU=vmware,CN=edge2.eng.vmware.com, and save the resulting string for Edge1 and Edge2.
  15. Create IPSec VPN sites on Edge1 and Edge2 with the Local ID and Peer ID set to the distinguished name (DN) strings in the specified format: on each Edge the Local ID is the DN of its own certificate and the Peer ID is the DN of the other Edge's certificate.
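The OpenSSL side of steps 2 through 14, as an added example that is not part of the NSX documentation: it builds the CA layout and a minimal openssl.cnf in a scratch directory, issues the CA certificate, signs a CSR, cuts the PEM block out of the openssl ca output, and reverses the DN into the C-first format required for the Local ID and Peer ID. The configuration file content, the CA name "Example IPSec CA", and the subject edge1.lab.example are constructed; the CSR is generated locally as a stand-in for the one the NSX Edge UI exports; -nodes, -subj and -batch are added only so the script runs without prompts; and the CN-first order that the UI shows is assumed to match OpenSSL's RFC 2253 output.

```shell
#!/bin/sh
# Added example (not from the NSX documentation): OpenSSL side of the procedure,
# run in a scratch directory. Names and the config file below are constructed.
set -eu

# Minimal openssl.cnf. The two settings the procedure relies on are dir = .
# (so the layout created by init_ca_dir is used) and the policy_anything section.
write_openssl_cnf() {
  cat > openssl.cnf <<'EOF'
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = .
new_certs_dir   = $dir/newcerts
database        = $dir/index.txt
serial          = $dir/serial
certificate     = $dir/cacert.pem
private_key     = $dir/private/cakey.pem
default_days    = 365
default_md      = sha256
policy          = policy_anything
x509_extensions = usr_cert
[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
[ req ]
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca
[ req_distinguished_name ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
subjectKeyIdentifier = hash
[ usr_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
}

# Steps 2-3: CA directory layout under the current directory.
init_ca_dir() {
  mkdir newcerts certs req private
  echo "01" > serial
  touch index.txt
  write_openssl_cnf
}

# Step 4: CA key and self-signed CA certificate. -nodes and -subj only avoid
# prompts here; in practice keep the passphrase on the CA key.
make_ca_cert() {
  openssl req -new -x509 -newkey rsa:2048 -nodes -config openssl.cnf \
    -subj "/O=Example Lab/CN=Example IPSec CA" \
    -keyout private/cakey.pem -out cacert.pem -days 3650 2>/dev/null
}

# Stand-in for step 5: a CSR like the one the Edge exports ($1 name, $2 subject).
make_stand_in_csr() {
  openssl req -new -newkey rsa:2048 -nodes -config openssl.cnf -subj "$2" \
    -keyout "private/$1.key" -out "req/$1.req" 2>/dev/null
}

# Steps 6 and 8: sign the CSR; -batch replaces the interactive confirmation.
sign_csr() {
  openssl ca -batch -config openssl.cnf -policy policy_anything \
    -out "certs/$1.pem" -in "req/$1.req" 2>/dev/null
}

# Steps 9-10: openssl ca writes a readable dump followed by the PEM block;
# only the block is uploaded to the Edge.
extract_pem_block() {
  sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1"
}

# Step 14: reverse the RDN order (CN-first to C-first). Values containing
# commas are not handled; the DN in the procedure has none.
reverse_dn() {
  printf '%s' "$1" | awk -F, '{ for (i = NF; i >= 1; i--) printf "%s%s", $i, (i > 1 ? "," : "\n") }'
}

# Subject of a certificate in RFC 2253 (CN-first) order, the assumed UI form.
cert_subject_rfc2253() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Whole flow in a scratch directory; prints the DN to enter as Local ID / Peer ID.
demo() {
  work=$(mktemp -d)
  dn=$(cd "$work" && init_ca_dir && make_ca_cert \
    && make_stand_in_csr edge1 "/C=IN/ST=ka/L=blr/O=example/OU=lab/CN=edge1.lab.example" \
    && sign_csr edge1 && extract_pem_block certs/edge1.pem > certs/edge1.crt \
    && openssl verify -CAfile cacert.pem certs/edge1.crt >/dev/null \
    && reverse_dn "$(cert_subject_rfc2253 certs/edge1.crt)")
  rm -rf "$work"
  printf '%s\n' "$dn"
}

if [ "${1:-}" = "run" ]; then demo; fi
```

Save the script and run it with the argument run; it prints C=IN,ST=ka,L=blr,O=example,OU=lab,CN=edge1.lab.example, the form the procedure asks for in step 14. The openssl verify call before the DN is printed checks that the extracted block really chains to cacert.pem, which is the same check the Edge performs once both certificates are imported.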

Results

Check the status by clicking Show Statistics or Show IPSec Statistics, then click the channel to see the tunnel status. The channel status should be enabled and the tunnel status should be Up; if the tunnel stays down, confirm that the Local ID on each Edge exactly matches the Peer ID configured on the other.