How to Configure IPsec VPN within VMware NSX Edge

This article shows you how to create an IPsec VPN between a NSX Edge Gateway with a vCloud Director/NSX Manager and a remote Client site.
First you need basic details from client so that you can configure IPSec VPN from your end.Like you need Phase 1 and Phase 2 Details. (This document related to NSX Edge 6.3.2)


Image Credit VMware
Note: NSX Edge supports Main Mode for Phase 1 and Quick Mode for Phase 2.

Phase 1 Parameters

Phase 1 sets up mutual authentication of the peers, negotiates cryptographic parameters, and creates session keys. The Phase 1 parameters used by NSX Edge are:
  • Main mode
  • TripleDES / AES [Configurable]
  • SHA-1
  • MODP group 2 (1024 bits)
  • pre-shared secret [Configurable]
  • SA lifetime of 28800 seconds (eight hours) with no kbytes rekeying
  • ISAKMP aggressive mode disabled
In 6.3.2 you Can see basic details or you can say this is mixed mode like Phase 1 and Phase 2 they don’t have different tabs or options.


Here are details which you have to fill while configuring IPSec VPN for client.

Note: If you are doing this from HTML5 Console then in “Peer Subnets” You have to provide IP range from Increasing to Decreasing order like (192.168.11.0/24 and after that 192.168.10.0/24).


I was trying to update this tab from vCloud Director Web and i was not able to do so i changed this from vCenter > NSX manager > Edge settings.
Client side settings must match with your Edge settings.
If your Client have old router (Cisco) then you have to ask them to do settings with supported parameter and these parameters are:
1. SHA1
2. Diffie-Hellman Group – DH5 or DH2 (Old router can only support this IOS 12.4)
3. Encryption Algorithm – AES256
NSX Edge to Cisco
  • proposal: encrypt 3des-cbc, sha, psk, group5(group2)
After setup you can export Settings from Edge and share it with Client Network Team so that they can run it in their router and do the same setup which you have done in your Edge gateway.
Go to vCenter > NSX Manager > NSX Edges > Search your Edge and double click > Manage (R.H.S) > VPN Tab > IPSec VPN and from here you can download script for Cisco router.


You can copy and send it to client IT team.
Note: It will copy Shared key also so before sending to Client IT team remove that.
After this check the Tunnel status.
Go to vCenter > NSX Manager > NSX Edges > Search your Edge and double click > Manage (R.H.S) > VPN Tab > IPSec VPN


Comments

Post a Comment

Popular posts from this blog

Avamar falied to take backup of all virtual machine

Recently I encountered an issue where Avamar failed to take backup. Logs stating  insufficient Permission in the host OS 2018-02-19 06:59:56 avvcbimage Error <0000>: [IMG0008] Failed to connect to virtual disk [VMAXDS] VM/VM-000002.vmdk (3014) (3014) Insufficient permissions in the host operating system (Log #2)  We verified the permission on the vCenter but no luck,However on demand backup from local Account is with same level of access is successful. While investigation further we found that there are errors related to DNS, and even some DNS server are getting backed up via avamar. We asked to remove DNS from Avamar back considering VM stun operation during the backup but it did not help to resolve the issue. Later on we found that DNS server which is hardcoded in Avamar was decommission due which Domain ID's were unable to run backup on vCenter
Read more

Deploy a 2-node vSAN cluster

Image
A 2-node hyperconverged cluster is useful in branch office where you need high availability or for small infrastructure. With 2-node hyperconverged solution, you don’t need to leverage a NAS or a SAN for the shared storage. So, the hardware footprint is reduced and the manageability is improved because hyperconverged solution are easier to use than standard infrastructure with SAN. VMware provides a Software-Defined Storage solution called vSAN. vSAN can be deployed from 2 nodes to 16 nodes. 2-node cluster should be used for ROBO (Remote Office and Branch Office). A 2-node cluster requires a Witness Appliance provided by VMware freely while the appliance is virtual. The Witness Appliance is based on ESXi. This is the first time that VMware supports a scenario in production with a nested ESXi. This topic describes how to deploy a 2-node vSAN cluster and its witness appliance. Why you need a witness appliance vSAN is something like a RAID over the network. vSAN curre...
Read more