After creating an L2 VPN Server service, you must add an L2 VPN session and attach it to an existing segment.
The following steps use the L2 VPN Sessions tab on the NSX Manager UI to create an L2 VPN Server session. You also select an existing local endpoint and segment to attach to the L2 VPN Server session.
- You must have configured an L2 VPN Server service before proceeding. See Add an L2 VPN Server Service.
- Obtain the information for the local endpoint and remote IP to use with the L2 VPN Server session you are adding. To create a local endpoint, see Add Local Endpoints.
- Obtain the values for the pre-shared key (PSK) and the tunnel interface subnet to use with the L2 VPN Server session.
- Obtain the name of the existing segment you want to attach to the L2 VPN Server session you are creating. See Add a Segment for information.
- From your browser, log in with admin privileges to an NSX Manager at https://<nsx-manager-ip-address>.
- Navigate to the tab.
- Select .
- Enter a name for the L2 VPN Server session.
- From the VPN Service drop-down menu, select the IPsec service on the same Tier-0 gateway for which the L2 VPN session is being created.
Note: If you are adding this L2 VPN Server session from the Set L2VPN Server Sessions dialog box, the L2 VPN Server service is already indicated above the Add L2 Session button.
- Select an existing local endpoint from the drop-down menu.
If you want to create a different local endpoint, click the three-dot menu and select Add Local Endpoint.
- Enter the IP address of the remote site under Remote IP.
- To enable or disable the L2 VPN Server session, click Admin Status.
By default, the value is set to Enabled, which means the L2 VPN Server session configuration is pushed down to the NSX Edge node.
- Enter the secret key value in Pre-shared Key.
Caution: Be careful when sharing and storing a PSK value because it is considered sensitive information.
- Enter an IP subnet address in the Tunnel Interface using the CIDR notation.
For example, 22.214.171.124/24. This subnet address is required.
- Enter a value in Remote ID.
For peer sites using certificate authentication, this ID must be the common name in the peer site's certificate. For PSK peers, this ID can be any string. Preferably, use the public IP address of the VPN or an FQDN for the VPN services as the
- If you want to include this session as part of a specific group, enter the tag name in Tags.
- Click Advanced Properties if you want to reduce the maximum segment size (MSS) payload of the TCP session during the L2 VPN connection.
By default, TCP MSS Clamping is enabled and the TCP MSS Direction is set to Both. See Understanding TCP MSS Clamping for more information.
- Enable or disable TCP MSS Clamping.
- Set the TCP MSS Value, if necessary. If the field is left blank, the value is automatically assigned.
- Click Save and click Yes when prompted if you want to continue with the VPN service configuration.
You are returned to the Add L2VPN Sessions panel and the Segments link is now enabled.
- Attach an existing segment to the L2 VPN Server session.
In the Set L2VPN Sessions pane or dialog box, the system has incremented the Segments count for the L2 VPN Server session.
- Click .
- In the Set Segments dialog box, click Set Segment to attach an existing segment to the L2 VPN Server session.
- From the Segment drop-down menu, select the VNI-based or VLAN-based segment that you want to attach to the session.
- Enter a unique value in VPN Tunnel ID; this value identifies the segment that you selected.
- In the Local Egress Gateway IP text box, enter the IP address of the local gateway that your workload VMs on the segment use as their default gateway. The same IP address can be configured in the remote site on the extended segment.
- Click Save and then Close.
- To finish the L2 VPN Server session configuration, click Close Editing.
In the VPN Services tab, the system incremented the Sessions count for the L2 VPN Server service that you configured.
If you have attached one or more segments to the session, you see the number of segments for each session in the L2 VPN Sessions tab. You can reconfigure or add segments by clicking the number in the Segments column. You do not need to edit the session. If the number is zero, it is not clickable and you must edit the session to add segments.
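The values collected by the procedure above can be checked as a set before they are typed into the UI. This is an added example, not NSX code: the `L2VpnServerSession` and `SegmentAttachment` classes, their field names, and the sample values are assumptions for illustration. It enforces the rules the page states (remote IP and gateway IPs must be valid addresses, the tunnel interface must be in CIDR notation, the PSK and Remote ID are required, a TCP MSS value is either unset or positive, and VPN Tunnel IDs are unique within a session) and keeps the PSK out of `repr()` so it is not copied into logs.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class SegmentAttachment:
    segment: str                  # name of the existing VNI- or VLAN-based segment
    vpn_tunnel_id: int            # must be unique within one session
    local_egress_gateway_ip: str  # default gateway of the workload VMs on the segment

@dataclass
class L2VpnServerSession:
    name: str
    local_endpoint: str
    remote_ip: str
    psk: str = field(repr=False)  # sensitive: kept out of repr() so it never lands in logs
    tunnel_interface: str         # required, CIDR notation
    remote_id: str                # certificate CN for cert peers, any string for PSK peers
    tcp_mss_clamping: bool = True
    tcp_mss_value: "int | None" = None  # None means NSX assigns the value
    segments: list = field(default_factory=list)

def validate(session):
    """Return the list of problems found; an empty list means the inputs are consistent."""
    errors = []
    try:
        ipaddress.ip_address(session.remote_ip)
    except ValueError:
        errors.append(f"remote_ip {session.remote_ip!r} is not a valid IP address")
    try:
        if "/" not in session.tunnel_interface:
            raise ValueError  # address without a prefix is not CIDR notation
        ipaddress.ip_interface(session.tunnel_interface)
    except ValueError:
        errors.append("tunnel_interface is required and must be in CIDR notation")
    if not session.psk:
        errors.append("pre-shared key is required")
    if not session.remote_id:
        errors.append("remote_id is required")
    if session.tcp_mss_value is not None and session.tcp_mss_value <= 0:
        errors.append("tcp_mss_value must be a positive integer or left unset")
    seen = set()
    for seg in session.segments:
        if seg.vpn_tunnel_id in seen:
            errors.append(f"vpn_tunnel_id {seg.vpn_tunnel_id} reused by segment {seg.segment!r}")
        seen.add(seg.vpn_tunnel_id)
        try:
            ipaddress.ip_address(seg.local_egress_gateway_ip)
        except ValueError:
            errors.append(f"segment {seg.segment!r}: local_egress_gateway_ip is not a valid IP")
    return errors
```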