You can create a route-based VPN session and a policy-based VPN session using only the API.

Note: IPsec VPN is not supported in the limited-export version of NSX-T Data Center.

You cannot use NAT and IPsec VPN together in the same network profile. Make sure to place NAT and IPsec VPN in separate network profiles.

Prerequisites

Familiarize yourself with IPsec VPN. See IPsec VPN.

Procedure

  1. Configure an IPsec VPN service on the tier-0 logical router.
    Use the POST /api/v1/vpn/ipsec/services call.
    POST /api/v1/vpn/ipsec/services
    {
     "display_name": "IPSec VPN service",
     "logical_router_id": "f81f220f-3072-4a6e-9f53-ad3b8bb8af57"
    }
  2. Configure the Dead Peer Detection (DPD) profile.
    Use the POST /api/v1/vpn/ipsec/dpd-profiles call.

    The default profile is provisioned with a DPD probe interval of 60 seconds.

    POST /api/v1/vpn/ipsec/dpd-profiles
    {
     "enabled": true,
     "dpd_probe_interval": 60,
     "description": "DPD profile",
     "display_name": "DPD profile"
    }
  3. Configure the IKE profile parameters.
    Use the POST /api/v1/vpn/ipsec/ike-profiles call.
    POST /api/v1/vpn/ipsec/ike-profiles
    {
     "digest_algorithms": ["SHA2_256"],
     "description": "IKEProfile for site1",
     "display_name": "IKEProfile site1",
     "encryption_algorithms": ["AES_128"],
     "ike_version": "IKE_V2",
     "dh_groups": ["GROUP14"],
     "sa_life_time": 21600
    }
  4. Configure an IPsec VPN tunnel profile.
    Use the POST /api/v1/vpn/ipsec/tunnel-profiles call.
    POST /api/v1/vpn/ipsec/tunnel-profiles
    {
     "digest_algorithms": ["SHA1","SHA2_256"],
     "description": "Tunnel Profile for site 1",
     "display_name": "Tunnel Profile for site 1",
     "encapsulation_mode": "TUNNEL_MODE",
     "encryption_algorithms": ["AES_128","AES_256"],
     "enable_perfect_forward_secrecy": true,
     "dh_groups": ["GROUP14"],
     "transform_protocol": "ESP",
     "sa_life_time": 3600,
     "df_policy": "CLEAR"
    }
  5. Configure a peer endpoint to communicate with the IPsec VPN peer systems.
    Use the POST /api/v1/vpn/ipsec/peer-endpoints call.
    POST /api/v1/vpn/ipsec/peer-endpoints
    {
     "display_name": "Peer endpoint for site 1",
     "connection_initiation_mode": "INITIATOR",
     "authentication_mode": "PSK",
     "ipsec_tunnel_profile_id": "640607f3-bb83-4e54-a153-57939965881c",
     "dpd_profile_id": "4808d04e-572d-480d-8182-61ddaa146461",
     "psk": "6721b9f1f5936956c0a8b4ed95286b452db04dae721edd0f264f0fcc6e94882b",
     "ike_profile_id": "a4db6863-b6f0-45bd-967e-a2e22c260329",
     "peer_address": "10.14.24.4",
     "peer_id": "10.14.24.4"
    } 
  6. Configure a local endpoint for the VPN endpoint.
    Use the POST /api/v1/vpn/ipsec/local-endpoints call.
    POST /api/v1/vpn/ipsec/local-endpoints
    {
     "local_address": "1.1.1.12",
     "local_id": "1.1.1.12",
     "display_name": "Local endpoint",
     "ipsec_vpn_service_id": {
      "target_id": "81388ec0-b5e3-4a9e-b551-e372e700772c"
     }
    }
  7. Configure a route-based VPN session.
    Use the POST /api/v1/vpn/ipsec/sessions call.
    POST /api/v1/vpn/ipsec/sessions
    {
     "resource_type": "RouteBasedIPSecVPNSession",
     "display_name": "RouteSession1",
     "ipsec_vpn_service_id": "657bcb55-48ce-4e0f-bfc7-a5a91b2990ae",
     "peer_endpoint_id": "cfc70ab5-16d1-4292-9391-fcee23ccea96",
     "local_endpoint_id": "9d4b44f1-0bfa-4705-ac67-09244a17d42e",
     "enabled": true,
     "tunnel_ports": [
      {
       "ip_subnets": [
        {
         "ip_addresses": [
          "192.168.50.1"
         ],
         "prefix_length": 24
        }
       ]
      }
     ]
    }
  8. Configure a policy-based VPN session.
    Use the POST /api/v1/vpn/ipsec/sessions call.
    POST /api/v1/vpn/ipsec/sessions
    {
     "resource_type": "PolicyBasedIPSecVPNSession",
     "display_name": "PolicySession1",
     "ipsec_vpn_service_id": "ea071856-9e91-4826-a841-9ec7ee9ea534",
     "peer_endpoint_id": "0c2447d2-8890-4b55-bf02-8c6b1a94d1ce",
     "local_endpoint_id": "161acb63-c3f2-438d-9e5c-cb655e6a1099",
     "enabled": true,
     "policy_rules": [
      {
       "sources": [
        {
         "subnet": "2.2.2.0/24"
        }
       ],
       "logged": true,
       "destinations": [
        {
         "subnet": "3.3.3.0/24"
        }
       ],
       "action": "PROTECT",
       "enabled": true
      }
     ]
    }
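The eight calls above chained into one function, as an added example that is not part of the NSX-T documentation. It assumes an injected transport `post(path, body)` that returns the created object as a dict with an "id" (wrap `requests.Session.post` against the NSX Manager for live use); each later call takes its ids from the earlier responses instead of the hard-coded UUIDs shown in the steps, and the PSK is passed in rather than written into the script. `record_posts` is a hypothetical offline transport for exercising the workflow without a manager.

```python
def build_ipsec_vpn(post, tier0_id, local_addr, peer_addr, psk,
                    tunnel_ip="192.168.50.1", prefix=24):
    """Create service, profiles, endpoints and both session types; return ids."""
    service = post("/api/v1/vpn/ipsec/services", {
        "display_name": "IPSec VPN service", "logical_router_id": tier0_id})
    dpd = post("/api/v1/vpn/ipsec/dpd-profiles", {
        "display_name": "DPD profile", "enabled": True, "dpd_probe_interval": 60})
    ike = post("/api/v1/vpn/ipsec/ike-profiles", {
        "display_name": "IKEProfile site1", "ike_version": "IKE_V2",
        "digest_algorithms": ["SHA2_256"], "encryption_algorithms": ["AES_128"],
        "dh_groups": ["GROUP14"], "sa_life_time": 21600})
    tunnel = post("/api/v1/vpn/ipsec/tunnel-profiles", {
        "display_name": "Tunnel Profile for site 1", "transform_protocol": "ESP",
        "encapsulation_mode": "TUNNEL_MODE", "digest_algorithms": ["SHA1", "SHA2_256"],
        "encryption_algorithms": ["AES_128", "AES_256"], "enable_perfect_forward_secrecy": True,
        "dh_groups": ["GROUP14"], "sa_life_time": 3600, "df_policy": "CLEAR"})
    peer = post("/api/v1/vpn/ipsec/peer-endpoints", {
        "display_name": "Peer endpoint for site 1", "authentication_mode": "PSK",
        "connection_initiation_mode": "INITIATOR", "psk": psk,  # supplied by caller, never in source
        "ipsec_tunnel_profile_id": tunnel["id"], "dpd_profile_id": dpd["id"],
        "ike_profile_id": ike["id"], "peer_address": peer_addr, "peer_id": peer_addr})
    local = post("/api/v1/vpn/ipsec/local-endpoints", {
        "display_name": "Local endpoint", "local_address": local_addr,
        "local_id": local_addr,
        # here the service is a reference object, unlike the bare id a session takes
        "ipsec_vpn_service_id": {"target_id": service["id"]}})
    common = {"ipsec_vpn_service_id": service["id"], "peer_endpoint_id": peer["id"],
              "local_endpoint_id": local["id"], "enabled": True}
    route = post("/api/v1/vpn/ipsec/sessions", dict(common,
        resource_type="RouteBasedIPSecVPNSession", display_name="RouteSession1",
        tunnel_ports=[{"ip_subnets": [{"ip_addresses": [tunnel_ip],
                                       "prefix_length": prefix}]}]))
    policy = post("/api/v1/vpn/ipsec/sessions", dict(common,
        resource_type="PolicyBasedIPSecVPNSession", display_name="PolicySession1",
        policy_rules=[{"sources": [{"subnet": "2.2.2.0/24"}],
                       "destinations": [{"subnet": "3.3.3.0/24"}],
                       "action": "PROTECT", "logged": True, "enabled": True}]))
    return {"service": service["id"], "peer_endpoint": peer["id"],
            "local_endpoint": local["id"], "route_session": route["id"],
            "policy_session": policy["id"]}


def record_posts(log):
    """Hypothetical offline transport: records (path, body) and returns a fake id."""
    def post(path, body):
        log.append((path, body))
        return {"id": "%s-%d" % (path.rsplit("/", 1)[1], len(log))}
    return post
```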