When you add a route-based IPSec VPN, traffic is tunneled according to routes learned dynamically over a virtual tunnel interface (VTI) using a routing protocol such as BGP. IPSec secures all the traffic flowing through the VTI.
The steps described in this topic use the IPSec Sessions tab to create a route-based IPSec session. You also add information for the tunnel, IKE, and DPD profiles, and select an existing local endpoint to use with the route-based IPSec VPN.
Note: You can also add the IPSec VPN sessions immediately after the IPSec VPN service is successfully configured. Click Yes when prompted to continue with the IPSec VPN service configuration and select on the Add IPSec Service panel. The first few steps in the following procedure assume you selected No at that prompt. If you selected Yes, proceed to step 3 for the rest of the route-based IPSec VPN session configuration.
Prerequisites
- You must have configured an IPSec VPN service before proceeding. See Add an IPSec VPN Service.
- Obtain the information for the local endpoint, IP address for the peer site, and tunnel service IP subnet address to use with the route-based IPSec session you are adding. To create a local endpoint, see Add Local Endpoints.
- If you are using a Pre-Shared Key (PSK) for authentication, obtain the PSK value.
- If you are using a certificate for authentication, ensure that the necessary server certificates and corresponding CA-signed certificates are already imported. See Certificates.
- If you do not want to use the default values for the IPSec tunnel, IKE, or dead peer detection (DPD) profiles provided by NSX-T Data Center, configure the profiles you want to use instead. See Adding Profiles for information.
Procedure
- With admin privileges, log in to NSX Manager.
- Navigate to .
- Select .
- Enter a name for the route-based IPSec session.
- From the VPN Service drop-down menu, select the IPSec VPN service to which you want to add this new IPSec session.
Note: If you are adding this IPSec session from the Add IPSec Sessions dialog box, the VPN Service name is already indicated above the Add IPSec Session button.
- Select an existing local endpoint from the drop-down menu. The local endpoint value is required and identifies the local NSX Edge node. If you want to create a different local endpoint, click the three-dot menu and select Add Local Endpoint.
- In the Remote IP text box, enter the IP address of the remote site.
This is a required value.
- Enter an optional description for this route-based IPSec VPN session.
The maximum length is 1024 characters.
- To enable or disable the IPSec session, click Admin Status. By default, the value is set to Enabled, which means the IPSec session is pushed down to the NSX Edge node.
- (Optional) From the Compliance Suite drop-down menu, select a security compliance suite. The default value is None. If you select a compliance suite, the Authentication Mode is set to Certificate and, in the Advanced Properties section, the IKE Profile and IPSec Profile values are set to the system-defined profiles for the selected compliance suite. You cannot edit these system-defined profiles.
- Enter an IP subnet address for the Tunnel Interface in CIDR notation. This address is required.
- If the Compliance Suite is set to None, select a mode from the Authentication Mode drop-down menu. The default authentication mode is PSK, which means a secret key shared between NSX Edge and the remote site is used for the IPSec VPN session. If you select Certificate, the site certificate that was used to configure the local endpoint is used for authentication. For more information about certificate-based authentication, see Using Certificate-Based Authentication for IPSec VPN Sessions.
- If you selected PSK for the authentication mode, enter the key value in the Pre-shared Key text box. This secret key can be a string with a maximum length of 128 characters.
Caution: Share and store the PSK value carefully because it is sensitive information.
- Enter a value in Remote ID. For peer sites using PSK authentication, this ID value must be the IP address or the FQDN of the peer site. For peer sites using certificate authentication, this ID value must be the common name (CN) or distinguished name (DN) used in the peer site's certificate.
Note: If the peer site's certificate contains an email address in the DN string, for example,
C=US, ST=California, O=MyCompany, OU=MyOrg, CN=Site123/[email protected]
then enter the Remote ID value using the following format as an example.
C=US, ST=California, O=MyCompany, OU=MyOrg, CN=Site123, [email protected]
If the local site's certificate contains an email address in the DN string and the peer site uses the strongSwan IPsec implementation, enter the local site's ID value in that peer site using the same format. The following is an example.
C=US, ST=California, O=MyCompany, OU=MyOrg, CN=Site123, [email protected]
- To change the profiles, initiation mode, TCP MSS clamping mode, and tags used by the route-based IPSec VPN session, click Advanced Properties. By default, the system-generated profiles are used. Select another available profile if you do not want to use the default. If you want to use a profile that is not configured yet, click the three-dot menu to create another profile. See Adding Profiles.
- If the IKE Profiles drop-down menu is enabled, select the IKE profile.
- If the IPSec Profiles drop-down menu is enabled, select the IPSec tunnel profile.
- Select the preferred DPD profile if the DPD Profiles drop-down menu is enabled.
- Select the preferred mode from the Connection Initiation Mode drop-down menu.
Connection initiation mode defines the policy used by the local endpoint in the process of tunnel creation. The default value is Initiator. The following table describes the available connection initiation modes.
Table 1. Connection Initiation Modes

| Connection Initiation Mode | Description |
| --- | --- |
| Initiator | The default value. In this mode, the local endpoint initiates the IPSec VPN tunnel creation and responds to incoming tunnel setup requests from the peer gateway. |
| On Demand | Do not use with the route-based VPN. This mode applies to policy-based VPN only. |
| Respond Only | The IPSec VPN never initiates a connection. The peer site always initiates the connection request and the local endpoint responds to that connection request. |
- If you want to reduce the maximum segment size (MSS) payload of the TCP session during the IPSec connection, enable TCP MSS Clamping, select the TCP MSS direction value, and optionally set the TCP MSS Value.
- If you want to include this IPSec session as part of a specific group tag, enter the tag name in Tags.
- Click Save.
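The field limits and formats in the Tunnel Interface, Pre-shared Key and Remote ID steps above (a subnet in CIDR notation, a PSK of at most 128 characters, a description of at most 1024 characters, a Remote ID that is the peer's IP address or FQDN for PSK authentication, and a comma-separated DN for certificate authentication) can be checked before the values are entered in the dialog. The following Python script is an added example, not part of this page or of NSX-T. It assumes that the email attribute in a certificate DN is named emailAddress (the OpenSSL short name), and the sample session values it uses are constructed.

```python
"""Pre-flight checks for the values entered in the route-based IPSec session dialog.

Added example, not NSX-T code. The limits it enforces (128-character PSK,
1024-character description, Tunnel Interface in CIDR notation, Remote ID as the
peer's IP address or FQDN for PSK, comma-separated DN for certificates) are the
ones stated in the procedure. Assumed: the e-mail RDN is named "emailAddress",
the OpenSSL short name; all sample values are constructed.
"""
import ipaddress
import re
import secrets

PSK_MAX_LEN = 128           # Pre-shared Key field limit stated in the procedure
DESCRIPTION_MAX_LEN = 1024  # Description field limit stated in the procedure


def check_psk(psk: str) -> bool:
    """True if the PSK is non-empty and fits the Pre-shared Key field."""
    return 0 < len(psk) <= PSK_MAX_LEN


def generate_psk(nbytes: int = 48) -> str:
    """High-entropy random PSK that stays inside the field limit.

    48 random bytes encode to 64 URL-safe characters, half the allowed length.
    """
    psk = secrets.token_urlsafe(nbytes)
    if not check_psk(psk):
        raise ValueError("generated PSK does not fit the field")
    return psk


def check_tunnel_interface(value: str) -> bool:
    """Tunnel Interface must be a host address with a prefix, e.g. 169.254.31.1/30."""
    if "/" not in value:
        return False  # a bare address is not CIDR notation
    try:
        iface = ipaddress.ip_interface(value)
    except ValueError:
        return False
    net = iface.network
    # For IPv4 prefixes shorter than /31 the network and broadcast addresses
    # cannot be the VTI address; /31 and /32 are legitimate point-to-point cases.
    if iface.version == 4 and net.prefixlen < 31:
        return iface.ip not in (net.network_address, net.broadcast_address)
    return True


_FQDN = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}\.?$"
)


def check_psk_remote_id(remote_id: str) -> bool:
    """With PSK authentication the Remote ID must be the peer's IP address or FQDN."""
    try:
        ipaddress.ip_address(remote_id)
        return True
    except ValueError:
        return _FQDN.match(remote_id) is not None


# Split a DN before an attribute name, whether the separator is a comma or the
# '/' that OpenSSL's one-line subject format uses.
_RDN_SPLIT = re.compile(r"\s*[/,]\s*(?=[A-Za-z][A-Za-z0-9.]*=)")


def normalize_remote_id(dn: str) -> str:
    """Rewrite a DN into the comma-separated form the Remote ID field expects.

    'CN=Site123/emailAddress=admin@example.com' becomes
    'CN=Site123, emailAddress=admin@example.com'; a value that already uses
    commas is only re-spaced. A '/' inside an attribute value (OU=R/D) is kept.
    """
    parts = [p.strip() for p in _RDN_SPLIT.split(dn.strip().lstrip("/")) if p.strip()]
    return ", ".join(parts)


def preflight(values: dict) -> list:
    """Return the names of fields whose values would fail the checks on this page."""
    problems = []
    if not check_tunnel_interface(values.get("tunnel_interface", "")):
        problems.append("tunnel_interface")
    if len(values.get("description", "")) > DESCRIPTION_MAX_LEN:
        problems.append("description")
    if values.get("authentication_mode", "PSK") == "PSK":
        if not check_psk(values.get("psk", "")):
            problems.append("psk")
        if not check_psk_remote_id(values.get("remote_id", "")):
            problems.append("remote_id")
    return problems


if __name__ == "__main__":
    # Constructed sample: a PSK session with a /30 VTI subnet and a peer given by IP.
    session = {
        "tunnel_interface": "169.254.31.1/30",
        "remote_id": "203.0.113.7",
        "authentication_mode": "PSK",
        "psk": generate_psk(),
        "description": "Route-based tunnel to branch office (constructed sample)",
    }
    print("problems:", preflight(session) or "none")
    # Constructed certificate DN in OpenSSL one-line style, rewritten for Remote ID.
    print(normalize_remote_id(
        "C=US, ST=California, O=MyCompany, OU=MyOrg, CN=Site123/emailAddress=admin@example.com"))
```

The checks are intentionally stricter than the dialog itself: a Tunnel Interface whose host part is the network or broadcast address is rejected even though it parses as valid CIDR, because such an address cannot be assigned to the VTI, and a PSK is generated with `secrets` so that it is random rather than typed by hand.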
Results
When the new route-based IPSec VPN session is configured successfully, it is added to the list of available IPsec VPN sessions. It is in read-only mode.
What to do next
- Verify that the IPSec VPN tunnel status is Up. See Monitor and Troubleshoot VPN Sessions for information.
- Configure routing using either a static route or BGP. See Configure a Static Route or Configure BGP.
- If necessary, manage the IPSec VPN session by clicking the three-dot menu on the left side of the session's row and selecting one of the available actions.