You can create route-based and policy-based VPN sessions using only the API.

Note:

IPSec VPN is not supported in the NSX-T Data Center limited export release.

You cannot use NAT and IPSec VPN together on the same network profile. Make sure that you place NAT and IPSec VPN on different network profiles.

Prerequisites

Familiarize yourself with IPSec VPN. See IPSec VPN.

Procedure

  1. Configure an IPSec VPN service on the tier-0 logical router.

    Use the POST /api/v1/vpn/ipsec/services call.

    POST /api/v1/vpn/ipsec/services
    {
     "display_name": "IPSec VPN service",
     "logical_router_id": "f81f220f-3072-4a6e-9f53-ad3b8bb8af57"
    } 
  2. Configure dead peer detection (DPD) profile.

    Use the POST /api/v1/vpn/ipsec/dpd-profiles call.

    The default profile is provisioned with a 60-second DPD probe interval.

    POST /api/v1/vpn/ipsec/dpd-profiles
    {
     "enabled": true,
     "dpd_probe_interval": 60,
     "description": "DPD profile",
     "display_name": "DPD profile"
    }
  3. Configure IKE profile parameters.

    Use the POST /api/v1/vpn/ipsec/ike-profiles call.

    POST /api/v1/vpn/ipsec/ike-profiles
    {
     "digest_algorithms": ["SHA2_256"],
     "description": "IKEProfile for site1",
     "display_name": "IKEProfile site1",
     "encryption_algorithms": ["AES_128"],
     "ike_version": "IKE_V2",
     "dh_groups": ["GROUP14"],
     "sa_life_time": 21600
    }
  4. Configure a tunnel profile for IPSec VPN.

    Use the POST /api/v1/vpn/ipsec/tunnel-profiles call.

    POST /api/v1/vpn/ipsec/tunnel-profiles
    {
     "digest_algorithms": ["SHA1","SHA2_256"],
     "description": "Tunnel Profile for site 1",
     "display_name": "Tunnel Profile for site 1",
     "encapsulation_mode": "TUNNEL_MODE",
     "encryption_algorithms": ["AES_128","AES_256"],
     "enable_perfect_forward_secrecy": true,
     "dh_groups": ["GROUP14"],
     "transform_protocol": "ESP",
     "sa_life_time": 3600,
     "df_policy": "CLEAR"
    }
  5. Configure a peer endpoint to communicate with the IPSec VPN peer.

    Use the POST /api/v1/vpn/ipsec/peer-endpoints call.

    POST /api/v1/vpn/ipsec/peer-endpoints
    {
     "display_name": "Peer endpoint for site 1",
     "connection_initiation_mode": "INITIATOR",
     "authentication_mode": "PSK",
     "ipsec_tunnel_profile_id": "640607f3-bb83-4e54-a153-57939965881c",
     "dpd_profile_id": "4808d04e-572d-480d-8182-61ddaa146461",
     "psk": "6721b9f1f5936956c0a8b4ed95286b452db04dae721edd0f264f0fcc6e94882b",
     "ike_profile_id": "a4db6863-b6f0-45bd-967e-a2e22c260329",
     "peer_address": "10.14.24.4",
     "peer_id": "10.14.24.4"
    } 
  6. Configure a local endpoint for the VPN endpoint.

    Use the POST /api/v1/vpn/ipsec/local-endpoints call.

    POST /api/v1/vpn/ipsec/local-endpoints
    {
     "local_address": "1.1.1.12",
     "local_id": "1.1.1.12",
     "display_name": "Local endpoint",
     "ipsec_vpn_service_id": {
      "target_id": "81388ec0-b5e3-4a9e-b551-e372e700772c"
     }
    }
  7. Configure a route-based VPN session.

    Use the POST /api/v1/vpn/ipsec/sessions call.

    POST /api/v1/vpn/ipsec/sessions
    {
     "resource_type": "RouteBasedIPSecVPNSession",
     "display_name": "RouteSession1",
     "ipsec_vpn_service_id": "657bcb55-48ce-4e0f-bfc7-a5a91b2990ae",
     "peer_endpoint_id": "cfc70ab5-16d1-4292-9391-fcee23ccea96",
     "local_endpoint_id": "9d4b44f1-0bfa-4705-ac67-09244a17d42e",
     "enabled": true,
     "tunnel_ports": [
       {
         "ip_subnets": [
           {
             "ip_addresses": [
               "192.168.50.1"
             ],
             "prefix_length": 24
           }
         ]
       }
     ]
    }
  8. Configure a policy-based VPN session.

    Use the POST /api/v1/vpn/ipsec/sessions call.

    POST /api/v1/vpn/ipsec/sessions
    {
     "resource_type": "PolicyBasedIPSecVPNSession",
     "display_name": "PolicySession1",
     "ipsec_vpn_service_id": "ea071856-9e91-4826-a841-9ec7ee9ea534",
     "peer_endpoint_id": "0c2447d2-8890-4b55-bf02-8c6b1a94d1ce",
     "local_endpoint_id": "161acb63-c3f2-438d-9e5c-cb655e6a1099",
     "enabled": true,
     "policy_rules": [
       {
          "sources": [
           {
             "subnet": "2.2.2.0/24"
           }
        ],
        "logged": true,
        "destinations": [
          {
            "subnet": "3.3.3.0/24"
          }
        ],
        "action": "PROTECT",
        "enabled": true
       }
     ]
    }
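The calls above chained end to end, so that the "id" returned by each response is fed into the next request instead of being pasted in by hand. This is an added example, not VMware's code: the `nsx_post` transport helper, the manager URL and credentials are assumptions, and the profile values are tightened to the strongest of the algorithms the page lists.

```python
import base64
import json
import urllib.request

def nsx_post(base_url, user, password, path, body):
    """Assumed transport helper: POST JSON to the NSX-T manager with basic auth."""
    req = urllib.request.Request(base_url + path, method="POST",
                                 data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"})
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req) as resp:   # manager CA must be trusted
        return json.load(resp)

def create_ipsec_vpn(post, router_id, local_ip, peer_ip, psk,
                     tunnel_ip=None, policy_rules=None):
    """Steps 1-8, threading each response's "id" into the next request.
    post(path, body) returns the parsed JSON reply. Give tunnel_ip for a
    route-based session or policy_rules for a policy-based one."""
    service = post("/api/v1/vpn/ipsec/services", {
        "display_name": "IPSec VPN service", "logical_router_id": router_id})
    dpd = post("/api/v1/vpn/ipsec/dpd-profiles", {  # enabled is a JSON boolean
        "enabled": True, "dpd_probe_interval": 60, "display_name": "DPD profile"})
    ike = post("/api/v1/vpn/ipsec/ike-profiles", {
        "display_name": "IKEProfile site1", "ike_version": "IKE_V2",
        "encryption_algorithms": ["AES_128"], "digest_algorithms": ["SHA2_256"],
        "dh_groups": ["GROUP14"], "sa_life_time": 21600})
    tunnel = post("/api/v1/vpn/ipsec/tunnel-profiles", {
        "display_name": "Tunnel Profile for site 1", "transform_protocol": "ESP",
        "encapsulation_mode": "TUNNEL_MODE", "encryption_algorithms": ["AES_256"],
        "digest_algorithms": ["SHA2_256"], "dh_groups": ["GROUP14"],
        "enable_perfect_forward_secrecy": True, "sa_life_time": 3600})
    peer = post("/api/v1/vpn/ipsec/peer-endpoints", {
        "display_name": "Peer endpoint for site 1", "authentication_mode": "PSK",
        "connection_initiation_mode": "INITIATOR", "psk": psk,
        "peer_address": peer_ip, "peer_id": peer_ip, "ike_profile_id": ike["id"],
        "ipsec_tunnel_profile_id": tunnel["id"], "dpd_profile_id": dpd["id"]})
    local = post("/api/v1/vpn/ipsec/local-endpoints", {  # note target_id wrapper
        "display_name": "Local endpoint", "local_address": local_ip,
        "local_id": local_ip, "ipsec_vpn_service_id": {"target_id": service["id"]}})
    session = {"ipsec_vpn_service_id": service["id"], "enabled": True,
               "peer_endpoint_id": peer["id"], "local_endpoint_id": local["id"]}
    if policy_rules is not None:
        session.update(resource_type="PolicyBasedIPSecVPNSession",
                       display_name="PolicySession1", policy_rules=policy_rules)
    else:
        session.update(resource_type="RouteBasedIPSecVPNSession",
                       display_name="RouteSession1", tunnel_ports=[{"ip_subnets": [
                           {"ip_addresses": [tunnel_ip], "prefix_length": 24}]}])
    return post("/api/v1/vpn/ipsec/sessions", session)
```

Against a live manager, call `create_ipsec_vpn(lambda p, b: nsx_post("https://nsx-manager", "admin", "<password>", p, b), ...)`; in a dry run, any callable that returns a dict with an "id" key works in place of the transport.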