You can add either an IPSec VPN (policy-based or route-based) or an L2 VPN service using the NSX Manager user interface (UI).
The following sections provide information about the workflows required to set up the VPN service that you need. The topics that follow these sections provide details on how to add either an IPSec VPN or an L2 VPN service using the NSX Manager UI.
Policy-Based IPSec VPN Configuration Workflow
Configuring a policy-based IPSec VPN service workflow requires the following high-level steps.
- Create and enable an IPSec VPN service using an existing Tier-0 or Tier-1 gateway. Refer to Add an NSX IPSec VPN Service.
- Create a DPD (dead peer detection) profile, if you prefer not to use the system default. Refer to Add DPD Profiles.
- To use a non-system default IKE profile, define an IKE (Internet Key Exchange) profile. Refer to Add IKE Profiles.
- Configure an IPSec profile using Add IPSec Profiles.
- Use Add Local Endpoints to create a VPN server hosted on the NSX Edge.
- Configure a policy-based IPSec VPN session, apply the profiles, and attach the local endpoint to it. Refer to Add a Policy-Based IPSec Session. Specify the local and peer subnets to be used for the tunnel. Traffic from a local subnet destined to the peer subnet is protected using the tunnel defined in the session.
- To get a representative configuration of VPN on the remote VPN endpoint, use the Download Configuration feature. This file contains parameters that come from the IPSec VPN session configured in step 6 and can be used to configure the remote endpoint of the VPN session. Refer to Download the Remote Side IPSec VPN Configuration File for details.
Route-Based IPSec VPN Configuration Workflow
A route-based IPSec VPN configuration workflow requires the following high-level steps.
- Configure and enable an IPSec VPN service using an existing Tier-0 or Tier-1 gateway. Refer to Add an NSX IPSec VPN Service.
- Define an IKE profile if you prefer not to use the default IKE profile. Refer to Add IKE Profiles.
- If you decide not to use the system default IPSec profile, create one using Add IPSec Profiles.
- Create a DPD profile if you want to do not want to use the default DPD profile. Refer to Add DPD Profiles.
- Add a local endpoint using Add Local Endpoints.
- Configure a route-based IPSec VPN session, apply the profiles, and attach the local endpoint to the session. Provide a VTI IP in the configuration and use the same IP to configure routing. The routes can be static or dynamic (using BGP). Refer to Add a Route-Based IPSec Session.
- To get a representative configuration of VPN on the remote VPN endpoint, use the Download Configuration feature. This file contains parameters that come from the IPSec VPN session configured in step 6 and can be used to configure the remote endpoint of the VPN session. Refer to Download the Remote Side IPSec VPN Configuration File for details.
L2 VPN Configuration Workflow
Configuring an L2 VPN requires that you configure an L2 VPN service in Server mode and then another L2 VPN service in Client mode. You also must configure the sessions for the L2 VPN server and L2 VPN client using the peer code generated by the L2 VPN Server. Following is a high-level workflow for configuring an L2 VPN service.
- Create an L2 VPN Service in Server mode.
- Configure a route-based IPSec VPN tunnel with a Tier-0 or Tier-1 gateway and an L2 VPN Server service using that route-based IPSec tunnel. Refer to Add an L2 VPN Server Service.
- Configure an L2 VPN server session, which binds the newly created route-based IPSec VPN service and the L2 VPN server service, and automatically allocates the GRE IP addresses. Refer to Add an L2 VPN Server Session.
- Add segments to the L2 VPN Server sessions. This step is also described in Add an L2 VPN Server Session.
- Use Download the Remote Side L2 VPN Configuration File to obtain the peer code for the L2 VPN Server service session, which must be applied on the remote site and used to configure the L2 VPN Client session automatically.
- Create an L2 VPN Service in Client mode.
- Configure another route-based IPSec VPN service using a different Tier-0 or Tier-1 gateway and configure an L2 VPN Client service using that Tier-0 or Tier-1 gateway that you just configured. Refer to Add an L2 VPN Client Service for information.
- Define the L2 VPN Client sessions by importing the peer code generated by the L2 VPN Server service. Refer to Add an L2 VPN Client Session.
- Add segments to the L2 VPN Client sessions defined in the previous step. This step is described in Add an L2 VPN Client Session.