You must configure at least one external IP address on the NSX Edge to provide IPSec VPN service.
- Log in to the vSphere Web Client.
- Click Networking & Security and then click NSX Edges.
- Double-click an NSX Edge.
- Click the Monitor tab and then click the VPN tab.
- Click IPSec VPN.
- Click the Add icon.
- Type a name for the IPSec VPN.
- Type the IP address of the NSX Edge instance in Local Id. This will be the peer Id on the remote site.
- Type the IP address of the local endpoint.
If you are adding an IP to IP tunnel using a pre-shared key, the local Id and local endpoint IP can be the same.
- Type the subnets to share between the sites in CIDR format. Use a comma separator to type multiple subnets.
- Type the Peer Id to uniquely identify the peer site. For peers using certificate authentication, this ID must be the common name in the peer's certificate. For PSK peers, this ID can be any string. VMware recommends that you use the public IP address of the VPN or an FQDN for the VPN service as the peer ID.
- Type the IP address of the peer site in Peer Endpoint. If you leave this blank, NSX Edge waits for the peer device to request a connection.
- Type the internal IP address of the peer subnet in CIDR format. Use a comma separator to type multiple subnets.
- Select the Encryption Algorithm.
AES-GCM encryption algorithm is not FIPS compliant.
- In Authentication Method, select one of the following:
PSK (Pre Shared Key)
Indicates that the secret key shared between NSX Edge and the peer site is to be used for authentication. The secret key can be a string with a maximum length of 128 bytes.
PSK authentication is disabled in FIPS mode.
Certificate
Indicates that the certificate defined at the global level is to be used for authentication.
- Type the shared key if anonymous sites are to connect to the VPN service.
- Click Display Shared Key to display the key on the peer site.
- In Diffie-Hellman (DH) Group, select the cryptography scheme that will allow the peer site and the NSX Edge to establish a shared secret over an insecure communications channel.
DH14 is the default selection for both FIPS and non-FIPS mode. DH2 and DH5 are not available when FIPS mode is enabled.
- In Extension, type one of the following:
securelocaltrafficbyip=IPAddress to re-direct Edge's local traffic over the IPSec VPN tunnel. This is the default value. For more information see http://kb.vmware.com/kb/20080007.
passthroughSubnets=PeerSubnetIPAddress to support overlapping subnets.
- Click OK.
NSX Edge creates a tunnel from the local subnet to the peer subnet.
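The procedure above imposes several constraints that are easy to get wrong when typing into the UI: subnets must be in CIDR format, a pre-shared key is limited to 128 bytes, AES-GCM, PSK and DH2/DH5 are unavailable or non-compliant in FIPS mode, and overlapping local and peer subnets need the passthroughSubnets extension. The following pre-flight check is an added example, not VMware's code or an NSX API; it mirrors the UI fields in a plain dictionary (the key names, the sample addresses and the "AES256" value are this example's own assumptions) and reports every rule from the procedure that the definition breaks before you click OK.

```python
"""Pre-flight check for an NSX Edge IPSec VPN site definition.

Added example, not VMware code: it encodes the constraints stated in the
procedure (CIDR subnets, 128-byte PSK limit, FIPS restrictions on AES-GCM,
PSK and DH2/DH5, passthroughSubnets for overlapping subnets). Field names
are this example's own, not an NSX API.
"""
import ipaddress

# Values as shown in the NSX Edge UI; the sets are limited to what the
# procedure states (assumption: no other algorithms are checked here).
FIPS_BLOCKED_DH = {"DH2", "DH5"}
NON_FIPS_ENCRYPTION = {"AES-GCM"}
PSK_MAX_BYTES = 128


def parse_subnets(text):
    """Parse the comma-separated CIDR list the UI expects; raise on bad input."""
    nets = [ipaddress.ip_network(s.strip(), strict=False)
            for s in text.split(",") if s.strip()]
    if not nets:
        raise ValueError("at least one subnet in CIDR format is required")
    return nets


def overlapping_pairs(local, peer):
    """Return (local, peer) network pairs whose address ranges overlap."""
    return [(a, b) for a in local for b in peer if a.overlaps(b)]


def validate_site(site, fips_mode=False):
    """Return a list of problems with the site definition (empty means OK)."""
    problems = []
    for field in ("name", "local_id", "local_endpoint", "peer_id"):
        if not site.get(field):
            problems.append(f"{field} is required")

    # Local endpoint and peer endpoint (optional) must be IP addresses.
    for field in ("local_endpoint", "peer_endpoint"):
        value = site.get(field)
        if value:
            try:
                ipaddress.ip_address(value)
            except ValueError:
                problems.append(f"{field} is not a valid IP address: {value!r}")

    # Subnets on both sides must be CIDR lists.
    try:
        local = parse_subnets(site.get("local_subnets", ""))
        peer = parse_subnets(site.get("peer_subnets", ""))
    except ValueError as exc:
        problems.append(f"subnet error: {exc}")
        local = peer = []

    # Overlapping subnets are only supported with the passthroughSubnets extension.
    extension = str(site.get("extension", ""))
    if overlapping_pairs(local, peer) and not extension.startswith("passthroughSubnets="):
        problems.append("local and peer subnets overlap; set extension "
                        "passthroughSubnets=<peer subnet>")

    # Encryption algorithm: AES-GCM is not FIPS compliant.
    if fips_mode and site.get("encryption") in NON_FIPS_ENCRYPTION:
        problems.append(f"{site['encryption']} is not FIPS compliant")

    # Authentication method: PSK (max 128 bytes, disabled in FIPS) or Certificate.
    auth = site.get("auth_method")
    if auth == "PSK":
        if fips_mode:
            problems.append("PSK authentication is disabled in FIPS mode")
        psk = site.get("psk", "")
        if not psk:
            problems.append("PSK authentication requires a shared key")
        elif len(psk.encode("utf-8")) > PSK_MAX_BYTES:
            problems.append(f"shared key exceeds {PSK_MAX_BYTES} bytes")
    elif auth != "Certificate":
        problems.append("auth_method must be 'PSK' or 'Certificate'")

    # Diffie-Hellman group: DH2 and DH5 are unavailable in FIPS mode.
    if fips_mode and site.get("dh_group") in FIPS_BLOCKED_DH:
        problems.append(f"{site['dh_group']} is not available in FIPS mode")

    return problems


# Constructed sample site using documentation address ranges (not a real site).
SAMPLE_SITE = {
    "name": "branch-office",
    "local_id": "203.0.113.10",
    "local_endpoint": "203.0.113.10",
    "local_subnets": "10.10.0.0/24, 10.10.1.0/24",
    "peer_id": "vpn.example.net",
    "peer_endpoint": "198.51.100.20",
    "peer_subnets": "10.20.0.0/24",
    "encryption": "AES256",
    "auth_method": "PSK",
    "psk": "example-shared-secret",
    "dh_group": "DH14",
    "extension": "securelocaltrafficbyip=203.0.113.10",
}

if __name__ == "__main__":
    for line in validate_site(SAMPLE_SITE) or ["OK"]:
        print(line)
    for line in validate_site(dict(SAMPLE_SITE, encryption="AES-GCM", dh_group="DH5"),
                              fips_mode=True):
        print("FIPS:", line)
```

Run it once against the definition you intend to enter, and again with fips_mode=True if the Edge runs in FIPS mode; the second run of the sample above reports three separate problems (AES-GCM, PSK and DH5), which is exactly the set of settings the procedure says to avoid there.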
What to do next
Enable the IPSec VPN service.