You can add either an IPSec VPN (policy-based or route-based) or an L2 VPN using the NSX Manager user interface (UI).
The following sections provide information about the workflows required to set up the VPN service that you need. The topics that follow these sections provide details on how to add either an IPSec VPN or an L2 VPN using the NSX Manager user interface.
Policy-Based IPSec VPN Configuration Workflow
Configuring a policy-based IPSec VPN service workflow requires the following high-level steps.
- Create and enable an IPSec VPN service using an existing Tier-0 or Tier-1 gateway. See Add an IPSec VPN Service.
- Create a DPD (dead peer detection) profile, if you prefer not to use the system default. See Add DPD Profiles.
- If you prefer not to use the system default IKE profile, define an IKE (Internet Key Exchange) profile. See Add IKE Profiles.
- Configure an IPSec profile using Add IPSec Profiles.
- Use Add Local Endpoints to create a VPN server hosted on the NSX Edge.
- Configure a policy-based IPSec VPN session, apply the profiles, and attach the local endpoint to it. See Add a Policy-Based IPSec Session. Specify the local and peer subnets to be used for the tunnel. Traffic from a local subnet destined to the peer subnet is protected using the tunnel defined in the session.
Route-Based IPSec VPN Configuration Workflow
A route-based IPSec VPN configuration workflow requires the following high-level steps.
- Configure and enable an IPSec VPN service using an existing Tier-0 or Tier-1 gateway. See Add an IPSec VPN Service.
- Define an IKE profile if you prefer not to use the default IKE profile. See Add IKE Profiles.
- If you decide not to use the system default IPSec profile, create one using Add IPSec Profiles.
- Create a DPD profile if you do not want to use the default DPD profile. See Add DPD Profiles.
- Add a local endpoint using Add Local Endpoints.
- Configure a route-based IPSec VPN session, apply the profiles, and attach the local endpoint to the session. Provide a VTI IP in the configuration and use the same IP to configure routing. The routes can be static or dynamic (using BGP). See Add a Route-Based IPSec Session.
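The two workflows above differ in what decides which traffic enters the tunnel: a policy-based session protects only flows that match its local and peer subnet selectors, while a route-based session encrypts whatever routing sends to the VTI. The following Python is an added illustration of that difference, written for this page; it is not NSX code or the NSX data model, and every session name, address, route and sanity check in it is constructed for the example (the overlap check on local versus peer subnets, in particular, is this example's own check, not a documented NSX validation).

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Union


@dataclass
class PolicyBasedSession:
    """Constructed model: traffic selectors decide what is protected."""
    name: str
    local_subnets: List[str]
    peer_subnets: List[str]

    def protects(self, src: str, dst: str) -> bool:
        """True when src is in a local subnet and dst is in a peer subnet."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        in_local = any(s in ipaddress.ip_network(n) for n in self.local_subnets)
        in_peer = any(d in ipaddress.ip_network(n) for n in self.peer_subnets)
        return in_local and in_peer


@dataclass
class RouteBasedSession:
    """Constructed model: the VTI plus routing decides what is tunneled."""
    name: str
    vti_ip: str                                   # VTI address with prefix length
    routes_via_vti: List[str] = field(default_factory=list)  # static prefixes via VTI

    def tunnels(self, dst: str) -> bool:
        """True when a static route sends dst over the VTI (and so into the tunnel)."""
        d = ipaddress.ip_address(dst)
        return any(d in ipaddress.ip_network(r) for r in self.routes_via_vti)


def check_session(session: Union[PolicyBasedSession, RouteBasedSession],
                  service_enabled: bool,
                  local_endpoint: Optional[str]) -> List[str]:
    """Return configuration gaps relative to the workflow steps; empty means ready.

    Profiles are not checked here because the workflow allows the system
    default IKE, IPSec and DPD profiles when no custom profile is created.
    """
    gaps: List[str] = []
    if not service_enabled:
        gaps.append("IPSec VPN service is not enabled on the gateway")
    if not local_endpoint:
        gaps.append("no local endpoint attached to the session")
    if isinstance(session, PolicyBasedSession):
        if not session.local_subnets or not session.peer_subnets:
            gaps.append("policy-based session needs at least one local and one peer subnet")
        for loc in session.local_subnets:
            for peer in session.peer_subnets:
                # Example's own sanity check: overlapping selectors make the
                # "local to peer" direction ambiguous.
                if ipaddress.ip_network(loc).overlaps(ipaddress.ip_network(peer)):
                    gaps.append(f"local subnet {loc} overlaps peer subnet {peer}")
    else:
        try:
            ipaddress.ip_interface(session.vti_ip)
        except ValueError:
            gaps.append(f"invalid VTI IP {session.vti_ip!r}")
        if not session.routes_via_vti:
            gaps.append("route-based session has a VTI but no routes pointing at it")
    return gaps


if __name__ == "__main__":
    # Constructed sample configuration, not taken from any real deployment.
    pb = PolicyBasedSession("site-a", ["10.1.0.0/16"], ["192.168.50.0/24"])
    rb = RouteBasedSession("site-b", "169.254.0.1/30", ["172.16.0.0/12"])
    print(pb.protects("10.1.4.20", "192.168.50.9"))   # matches both selectors
    print(pb.protects("10.1.4.20", "192.168.51.9"))   # peer selector misses
    print(rb.tunnels("172.20.1.1"), rb.tunnels("8.8.8.8"))
    print(check_session(pb, True, "203.0.113.10"))
    print(check_session(RouteBasedSession("bad", "not-an-ip"), False, None))
```

Run it as a script to see the matching decisions for the constructed sessions; the `check_session` output for the deliberately broken route-based session lists every workflow step that is missing, which is the order in which you would fix them in the UI.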
L2 VPN Configuration Workflow
Configuring an L2 VPN requires that you configure an L2 VPN service in Server mode and then another L2 VPN service in Client mode. You also must configure the sessions for the L2 VPN server and L2 VPN client using the peer code generated by the L2 VPN Server. Following is a high-level workflow for configuring an L2 VPN service.
- Create an L2 VPN Service in Server mode.
- Configure a route-based IPSec VPN tunnel with a Tier-0 or Tier-1 gateway and an L2 VPN Server service using that route-based IPSec tunnel. See Add an L2 VPN Server Service.
- Configure an L2 VPN server session, which binds the newly created route-based IPSec VPN service and the L2 VPN server service, and automatically allocates the GRE IP addresses. See Add an L2 VPN Server Session.
- Add segments to the L2 VPN Server sessions. This step is also described in Add an L2 VPN Server Session.
- Use Download the Remote Side L2 VPN Configuration File to obtain the peer code for the L2 VPN Server service session, which must be applied on the remote site and used to configure the L2 VPN Client session automatically.
- Create an L2 VPN Service in Client mode.
- Configure another route-based IPSec VPN service using a different Tier-0 or Tier-1 gateway, and then configure an L2 VPN Client service using that same Tier-0 or Tier-1 gateway. See Add an L2 VPN Client Service for information.
- Define the L2 VPN Client sessions by importing the peer code generated by the L2 VPN Server service. See Add an L2 VPN Client Session.
- Add segments to the L2 VPN Client sessions defined in the previous step. This step is described in Add an L2 VPN Client Session.