To enable certificate authentication for IPSec, you must import a server certificate for each Edge and the certificate of the CA that signed it. Optionally, you can use an open-source command-line tool such as OpenSSL to act as that CA and generate the CA-signed certificates yourself.

Before you begin

OpenSSL must be installed.

Procedure

  1. On a Linux or Mac machine where OpenSSL is installed, open the OpenSSL configuration file, for example /opt/local/etc/openssl/openssl.cnf or /System/Library/OpenSSL/openssl.cnf.
  2. In the [ CA_default ] section, ensure that dir = . so that the certs, newcerts and private directories and the serial and index.txt files referenced there are resolved relative to the directory you run the commands from.
  3. In that directory, run the following commands to create the CA database layout:
    mkdir newcerts
    mkdir certs
    mkdir req
    mkdir private
    echo "01" > serial
    touch index.txt
  4. Run the following command to generate the CA private key (private/cakey.pem) and its self-signed CA certificate (cacert.pem). The command prompts for a passphrase that protects the key and for the CA subject fields:
    openssl req -new -x509 -newkey rsa:2048 -keyout private/cakey.pem -out cacert.pem -days 3650
  5. On NSX Edge1, generate a CSR, copy the privacy-enhanced mail (PEM) encoded request, and save it as the file req/edge1.req.
  6. Run the command to sign the CSR:
    sudo openssl ca -policy policy_anything -out certs/edge1.pem -in req/edge1.req
  7. On NSX Edge2, generate a CSR, copy the PEM encoded request, and save it as the file req/edge2.req.
  8. Run the command to sign the CSR:
    sudo openssl ca -policy policy_anything -out certs/edge2.pem -in req/edge2.req
  9. Upload to Edge1 the PEM certificate block (from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----) at the end of the file certs/edge1.pem. The openssl ca command writes a human-readable text dump of the certificate before that block; only the block itself is the certificate.
  10. Upload to Edge2 the PEM certificate block at the end of the file certs/edge2.pem in the same way.
  11. Upload the CA certificate in the file cacert.pem to Edge1 and Edge2 as CA-signed certificates.
  12. In the IPSec global configuration for Edge1 and Edge2, select the uploaded PEM certificate and the uploaded CA certificate and save the configuration.
  13. On the Certificate tab, click the uploaded certificate and record the DN string.
  14. Reverse the order of the comma-separated components of the DN string so that it has the format C=IN,ST=ka,L=blr,O=bmware,OU=vmware,CN=edge2.eng.vmware.com (country first, common name last), and save the result for Edge1 and Edge2.
  15. Create IPsec VPN sites on Edge1 and Edge2, using the reversed distinguished name (DN) strings as the Local ID (the DN of the Edge's own certificate) and the Peer ID (the DN of the other Edge's certificate).
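The CA-side part of this procedure, as an added example that is not from the NSX documentation or from VMware. It differs from the steps above in three ways, all deliberate so that it runs unattended: it writes its own ca.cnf with the same [ CA_default ] layout instead of editing the system openssl.cnf, it passes -nodes so the CA key is not passphrase-protected (acceptable for a lab CA only; the documented command prompts for a passphrase), and it generates the two edge CSRs locally with openssl as stand-ins for the CSRs the Edges produce. It also extracts the bare PEM block from the openssl ca output (step 9), checks that each certificate chains to the CA before you upload it, and reverses a DN string the way step 14 asks. The names ca.cnf, lab-ipsec-ca, edge1.example.com, edge2.example.com, O=example and OU=lab are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the NSX documentation: lab signing CA in the current
# directory (own ca.cnf, system openssl.cnf untouched), locally generated edge
# CSRs, signing, PEM-block extraction, chain check and the step 14 DN reversal.
# ca.cnf, *.example.com, O=example and OU=lab are constructed names.
set -e

write_ca_config() {   # same layout as [ CA_default ] with dir = .
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir           = .
certs         = $dir/certs
new_certs_dir = $dir/newcerts
database      = $dir/index.txt
serial        = $dir/serial
private_key   = $dir/private/cakey.pem
certificate   = $dir/cacert.pem
default_md    = sha256
default_days  = 365
policy        = policy_anything
[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
prompt             = no
[ req_dn ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

init_ca_dir() {   # step 3
    mkdir -p newcerts certs req private
    echo "01" > serial
    : > index.txt
    write_ca_config
}

make_ca() {   # step 4; -nodes skips the key passphrase so the script runs
              # unattended, whereas the documented command prompts for one
    openssl req -config ca.cnf -new -x509 -newkey rsa:2048 -nodes \
        -keyout private/cakey.pem -out cacert.pem -days 3650 \
        -subj "/C=IN/ST=ka/L=blr/O=example/OU=lab/CN=lab-ipsec-ca"
}

make_edge_csr() {   # stand-in for the CSR the Edge generates (steps 5 and 7)
    openssl req -config ca.cnf -new -newkey rsa:2048 -nodes \
        -keyout "private/$1.key" -out "req/$1.req" \
        -subj "/C=IN/ST=ka/L=blr/O=example/OU=lab/CN=$1.example.com"
}

sign_edge_csr() {   # steps 6 and 8, then step 9: keep only the PEM block that
                    # follows the text dump openssl ca writes at the top of the file
    openssl ca -config ca.cnf -batch -policy policy_anything \
        -out "certs/$1.pem" -in "req/$1.req"
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
        "certs/$1.pem" > "certs/$1.crt"
}

check_edge_cert() {   # 0 when certs/<edge>.crt chains to cacert.pem
    openssl verify -CAfile cacert.pem "certs/$1.crt" >/dev/null
}

reverse_dn() {   # step 14: "CN=a,OU=b,...,C=IN" -> "C=IN,...,OU=b,CN=a"
    dn=$1; out=""   # note: values containing an escaped comma are not handled
    while [ -n "$dn" ]; do
        case $dn in
            *,*) rdn=${dn%%,*}; dn=${dn#*,} ;;
            *)   rdn=$dn; dn="" ;;
        esac
        rdn=${rdn#"${rdn%%[! ]*}"}   # drop blanks left over from ", " separators
        if [ -z "$out" ]; then out=$rdn; else out="$rdn,$out"; fi
    done
    printf '%s\n' "$out"
}

edge_local_id() {   # DN of certs/<edge>.crt in the C=...,CN=... form of step 14
    reverse_dn "$(openssl x509 -in "certs/$1.crt" -noout -subject -nameopt RFC2253 |
                  sed 's/^subject= *//')"
}

build_lab_ca() {   # whole CA-side procedure for edge1 and edge2
    init_ca_dir; make_ca
    for e in edge1 edge2; do make_edge_csr "$e"; sign_edge_csr "$e"; done
}
```

Run build_lab_ca in an empty directory, then check_edge_cert edge1 and edge_local_id edge1; certs/edge1.crt is the file to upload in step 9, cacert.pem the one for step 11, and the printed DN the Local ID for step 15 (the same string is the Peer ID on the other Edge). The -nameopt RFC2253 output lists the CN first, which is why reverse_dn is applied: OpenSSL's default subject output already has the country first, so if you read the DN with a plain -subject you only need to remove the spaces.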

Results

Check the status by clicking Show IPsec Statistics. Click the channel to see the tunnel status. Both the channel and tunnel status should be green.