The L2 VPN server is the destination NSX edge to which the L2 VPN client is going to connect.

As described in the NSX Administration Guide, you can connect multiple peer sites to this L2 VPN server.

Note: Changing site configuration settings causes the edge gateway to disconnect and reconnect all existing connections.

Prerequisites

  • Verify that the edge gateway has a routed organization virtual data center network that is configured as a subinterface on the edge gateway. See the vCloud Director Administrator's Guide for the steps on creating an external routed organization virtual data center network.

  • Navigate to the L2 VPN Screen in the Tenant Portal.

  • If you want to bind a service certificate to the L2 VPN connection, verify that the server certificate has already been uploaded to the edge gateway. See Add a Service Certificate to the Edge Gateway.

  • You must have the listener IP of the server, listener port, encryption algorithm, and at least one peer site configured before you can enable the L2 VPN service.

Procedure

  1. On the L2 VPN tab, select Server for the L2 VPN mode.
  2. On the Server Global tab, configure the L2 VPN server's global configuration details.

    Option: Action

    Listener IP: Select the primary or secondary IP address of an external interface of the edge gateway.

    Listener Port: Edit the displayed value as appropriate for the needs of your organization. The default port for the L2 VPN service is 443.

    Encryption Algorithm: Select the encryption algorithm for the communication between the server and the client.

    Service Certificate Details: Click Change server certificate to select the certificate to be bound to the L2 VPN server. In the Change Server Certificate window, turn on Validate Server Certificate, select a server certificate from the list, and click OK.

  3. To configure the peer sites, click the Server Sites tab.
  4. Click the Add button.
  5. Configure the settings for an L2 VPN peer site.

    Option: Action

    Enabled: Enable this peer site.

    Name: Enter a unique name for the peer site.

    Description: (Optional) Type a description.

    User ID, Password, Confirm Password: Enter the user name and password with which the peer site is to be authenticated. User credentials on the peer site must be the same as the credentials on the client side.

    Stretched Interfaces: Select at least one subinterface to be stretched with the client. The subinterfaces available for selection are those organization virtual data center networks configured as subinterfaces on the edge gateway.

    Egress Optimization Gateway Address: (Optional) If the default gateway for virtual machines is the same across the two sites, enter the gateway IP addresses of the subinterfaces for which you want the traffic locally routed or blocked over the L2 VPN tunnel.

  6. Click Keep.
  7. Click Save changes.

    The save operation can take a minute to complete.
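As an added example (not code from the vCloud Director documentation or from the product), the following Python pre-flight check applies this page's prerequisites to a planned server configuration before the service is enabled: a valid listener IP and port, an acceptable encryption algorithm, server certificate validation turned on, and at least one uniquely named peer site with credentials and a stretched subinterface that really exists on the edge. The class names, the cipher allow-list and the sample values are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumed drop-down names (example assumption, not from this page); no 3DES/RC4 on purpose.
STRONG_ALGORITHMS = {"aes128-sha", "aes256-sha", "aes128-gcm-sha256", "aes256-gcm-sha384"}

@dataclass
class PeerSite:
    name: str
    user_id: str
    password: str
    stretched_interfaces: list  # subinterface names; the page requires at least one

@dataclass
class L2VpnServer:
    listener_ip: str
    listener_port: int = 443    # the page's default for the L2 VPN service
    encryption_algorithm: str = ""
    validate_server_certificate: bool = False
    sites: list = field(default_factory=list)

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True

def preflight(server, edge_subinterfaces):
    """Return every problem that blocks enabling the service or weakens it (empty = OK)."""
    problems = []
    if not _is_ip(server.listener_ip):
        problems.append("listener IP is not a valid address")
    if not 1 <= server.listener_port <= 65535:
        problems.append("listener port out of range")
    if server.encryption_algorithm not in STRONG_ALGORITHMS:
        problems.append(f"encryption algorithm {server.encryption_algorithm!r} not allowed")
    if not server.validate_server_certificate:
        problems.append("Validate Server Certificate is off")
    if not server.sites:
        problems.append("at least one peer site is required")
    if len({s.name for s in server.sites}) != len(server.sites):
        problems.append("peer site names must be unique")
    for s in server.sites:
        if not (s.user_id and s.password):
            problems.append(f"site {s.name}: user ID and password are required")
        unknown = sorted(set(s.stretched_interfaces) - set(edge_subinterfaces))
        if not s.stretched_interfaces or unknown:
            problems.append(f"site {s.name}: stretch at least one edge subinterface; unknown: {unknown}")
    return problems
```

Run `preflight` against the values you intend to enter and the list of subinterfaces configured on the edge; an empty result means the configuration satisfies the prerequisites listed above.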

What to do next

Enable the L2 VPN service on this edge gateway. See Enable the L2 VPN Service on an Edge Gateway.