This example contains a configuration scenario for a basic point-to-point policy-based IPSec VPN connection between an NSX Edge and a Cisco or WatchGuard VPN on the other end.

For this scenario, NSX Edge connects the internal network 192.168.5.0/24 to the Internet. NSX Edge interfaces are configured as follows:

  • Uplink interface: 10.115.199.103
  • Internal interface: 192.168.5.1

The VPN gateway at the remote site connects the 172.15.0.0/16 internal network to the Internet. The remote gateway interfaces are configured as follows:

  • Uplink interface: 10.24.120.90
  • Internal interface: 172.16.0.1
Figure 1. NSX Edge Connecting to a Remote VPN Gateway
IPSEC
Note: For NSX Edge to NSX Edge IPSec tunnels, you can use the same scenario by setting up the second NSX Edge as the remote gateway.

Procedure

  1. Log in to the vSphere Web Client.
  2. Click Networking & Security > NSX Edges.
  3. Double-click an NSX Edge.
  4. Click Manage > VPN > IPSec VPN.
  5. Click Add.
  6. In the Name text box, type a name for the IPSec VPN site.
  7. In the Local Id text box, type 10.115.199.103 as the IP address of the NSX Edge instance. This local Id becomes the peer Id on the remote site.
  8. In the Local Endpoint text box, type 10.115.199.103.
    If you are adding an IP to IP tunnel using a pre-shared key, the local Id and local endpoint IP can be the same.
  9. In the Local Subnets text box, type 192.168.5.0/24.
  10. In the Peer Id, type 10.24.120.90 to identify the peer site uniquely.
  11. In the Peer Endpoint text box, type 10.24.120.90.
  12. In the Peer Subnets text box, type 172.15.0.0/16.
  13. Select the IKE Version. For example, select IKEv2.
  14. Select the Digest Algorithm. For example, select SHA_256.
  15. Select the Encryption Algorithm. For example, select AES.
  16. Select an Authentication Method. For example, select PSK.
  17. Type the Pre-shared Key.
  18. To display the pre-shared key on the peer site, click the Show Pre-Shared Key (Show Icon.) icon or select the Display Shared Key check box.
  19. Select the Diffie-Hellman (DH) Group cryptography scheme. For example, select DH14.
  20. Click Add or OK.
    The IPSec VPN site configuration is saved on the NSX Edge.

What to do next

Enable the IPSec VPN service.