You must configure a local endpoint to use with the IPSec VPN that you are configuring.
The following steps use the Local Endpoints tab on the NSX Manager UI. You can also create a local endpoint while in the process of adding an IPSec VPN session by clicking the three-dot menu and selecting Add Local Endpoint. If you are in the middle of configuring an IPSec VPN session, proceed to step 3 in the following steps to guide you with creating a new local endpoint.
- If you are using a certificate-based authentication mode for the IPSec VPN session that is to use the local endpoint you are configuring, obtain the information about the certificate that the local endpoint must use.
- Ensure that you have configured an IPSec VPN service to which this local endpoint is to be associated.
- From your browser, log in with admin privileges to an NSX Manager at https://<nsx-manager-ip-address>.
- Navigate to the Local Endpoints tab and click Add Local Endpoint.
- Enter a name for the local endpoint.
- From the VPN Service drop-down menu, select the IPSec VPN service to which this local endpoint is to be associated.
- Enter an IP address for the local endpoint.
For an IPSec VPN service running on a Tier-0 gateway, the local endpoint IP address must be different from the Tier-0 gateway's uplink interface IP address. The local endpoint IP address you provide is associated with the loopback interface for the Tier-0 gateway and is also published as a routable IP address over the uplink interface. For IPSec VPN service running on a Tier-1 gateway, in order for the local endpoint IP address to be routable, the route advertisement for IPSec local endpoints must be enabled in the Tier-1 gateway configuration. See Add a Tier-1 Gateway for more information.
- If you are using a certificate-based authentication mode for the IPSec VPN session, from the Site Certificate drop-down menu, select the certificate that is to be used by the local endpoint.
- (Optional) Add a description in Description.
- Enter the Local ID value that is used for identifying the local NSX Edge instance.
This local ID is used as the peer ID on the remote site. The local ID must be either the public IP address or FQDN of the remote site. For certificate-based VPN sessions defined using the local endpoint, the local ID is derived from the certificate associated with the local endpoint, and the ID specified in the Local ID text box is ignored. Which value is derived from the certificate depends on the extensions present in the certificate:
- If the X509v3 Subject Alternative Name extension is not present in the certificate, the Distinguished Name (DN) is used as the local ID value.
- If the X509v3 Subject Alternative Name extension is present in the certificate, one of the Subject Alternative Names is taken as the local ID value.
- From the Trusted CA Certificates and Certificate Revocation List drop-down menus, select the appropriate certificates that are required for the local endpoint.
- Specify a tag, if needed.
- Click Save.