Configure IPSec VPN Service to Enable Site to Site Communication

By | August 24, 2018

In this post, we will cover the following topics from Objective 3.2 of the VCAP6-NV Deploy exam:

Objective 3.2 – Configure and Manage Logical Virtual Private Networks (VPNs)

  • Configure IPSec VPN service to enable site to site communication
  • Configure SSL VPN service to allow remote users to access private networks
  • Configure L2 VPN service to stretch multiple logical networks across geographical sites

Configure IPSec VPN Service to Enable Site to Site Communication

NSX Edge Services Gateway (ESG) supports site to site IPSec VPN. IPSec is a set of protocols that authenticates and encrypts every packet of a session and operates at the Network layer (Layer 3) of the OSI model.

Using IPSec VPN you can create a secure encrypted tunnel between two sites. Any traffic type can flow across the tunnel, e.g. TCP, UDP or ICMP, email or web traffic. Just ensure you don’t have overlapping subnets behind the edge gateways. You can create more than one IPSec tunnel on an ESG, and the number of tunnels supported depends directly on the size of the NSX Edge.

Once the Site to Site IPSec VPN has been configured on the ESG, subnets are defined to be shared between sites. The defined subnets and the internal network behind the ESG cannot have overlapping address ranges.

vpn19

The size of the ESG is determined by the number of local and peer subnets and is calculated as ‘local subnets x peer subnets = number of tunnels’. The number of tunnels required determines the size of the ESG to be deployed. The size of the ESG can be increased after deployment if required. VMware sizing requirements are shown below:

vpn3
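The two rules above (no overlapping address ranges between the subnets being shared, and tunnels = local subnets x peer subnets) are easy to get wrong once each site has several subnets, and the GUI only tells you after you publish. The following pre-flight check is an added example, not code from the original post or from VMware/NSX: it validates a proposed local/peer subnet list and returns the tunnel count you need for sizing. The sample subnets are constructed from the lab in this post (the 192.168.5.0 and 172.16.0.0 networks); their /24 masks and the "internal" network list are assumptions, since the post names only the network ids.

```python
"""Pre-flight check for an NSX ESG site-to-site IPSec VPN definition.

Added example (not part of the original post, not NSX code). It applies the
two rules the post states before anything is published on the edge:
  1. local and peer subnets must not overlap each other, and peer subnets must
     not overlap the internal networks behind the ESG;
  2. number of tunnels = local subnets x peer subnets, which drives ESG sizing.
"""
import ipaddress
from itertools import product


def parse_subnets(subnets):
    """Parse CIDR strings strictly, so a host address such as 10.0.0.5/24 is rejected."""
    return [ipaddress.ip_network(s, strict=True) for s in subnets]


def find_overlaps(local, peer, internal=()):
    """Return one (side_a, net_a, side_b, net_b) tuple per overlapping pair.

    Local subnets are normally the internal networks themselves, so only
    local-vs-peer and peer-vs-internal overlaps are reported.
    """
    local_nets = parse_subnets(local)
    peer_nets = parse_subnets(peer)
    internal_nets = parse_subnets(internal)
    clashes = []
    for a, b in product(local_nets, peer_nets):
        if a.overlaps(b):
            clashes.append(("local", str(a), "peer", str(b)))
    for a, b in product(peer_nets, internal_nets):
        if a.overlaps(b):
            clashes.append(("peer", str(a), "internal", str(b)))
    return clashes


def tunnel_count(local, peer):
    """Tunnels the ESG must build: every local subnet paired with every peer subnet."""
    return len(set(parse_subnets(local))) * len(set(parse_subnets(peer)))


def preflight(local, peer, internal=()):
    """Summarise the checks; 'ok' is False if any overlap would break the VPN."""
    clashes = find_overlaps(local, peer, internal)
    return {"ok": not clashes, "tunnels": tunnel_count(local, peer), "clashes": clashes}


# Constructed sample: the post's lab as seen from the DataCentre ESG
# (masks assumed /24; the post gives only the network ids).
DATACENTRE_LOCAL = ["192.168.5.0/24"]
REMOTESITE_PEER = ["172.16.0.0/24"]

if __name__ == "__main__":
    print(preflight(DATACENTRE_LOCAL, REMOTESITE_PEER))
    # A deliberately bad proposal: the peer side claims a /16 that swallows our local /24.
    print(preflight(DATACENTRE_LOCAL, ["192.168.0.0/16"]))
```

Run it before filling in the Local Subnets and Peer Subnets fields: a non-empty `clashes` list means the edge would be asked to build a policy whose two ends cover the same addresses, and the `tunnels` figure is what you compare against the VMware sizing table to pick the ESG size.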

The NSX IPSec VPN supports the following IPSec encryption standards:

vpn6

The NSX IPSec VPN supports Pre-Shared Key (PSK) or SSL Certificates for authentication.

vpn6

There are a few steps to configure the Site to Site IPSec VPN on the ESG:

  • Enable the IPSec VPN Service
  • Add an SSL Certificate for the IPSec VPN (optional)
  • Configure Global IPSec VPN Configuration
  • Configure IPSec VPN parameters
  • Enable Logging (optional)

Note: NSX does not support using dynamic routing protocols on the ESG to advertise internal networks across the IPSec VPN. You will need to remove the dynamic routing and configure static routes to your internal networks (if they are not directly connected, i.e. they hang off a DLR).

Note: Make sure your Distributed Logical Router (DLR) has its default gateway configured to point to the internal interface of the ESG, so that all traffic for unknown destinations is sent there.

Enable the IPSec VPN Service

Enabling the service allows traffic to flow between local and remote subnets.

Log into the vSphere Web Client.

Click Networking and Security, then NSX Edges.

Double-click the ESG that the IPSec VPN will be configured on.

Click Manage, then VPN.

Click the Enable button.

vpn1

Make sure you click Publish Changes to apply the configuration.

vpn2

Add an SSL Certificate for the IPSec VPN (optional)

The NSX IPSec VPN supports SSL certificates or a Pre-Shared Key (PSK) for authentication. Should you require certificate authentication, you will need to generate a Certificate Signing Request (CSR) and have it signed by a Certificate Authority (CA).

For the exam VMware might ask for this, and as there probably isn’t a CA we will have access to, they may just ask for the certificate to be self-signed.

The process below shows how to generate a CSR and self-sign it.

Log into the vSphere Web Client.

Click Networking and Security, then NSX Edges.

Double-click the ESG that the IPSec VPN will be configured on.

Click Manage, then Certificates.

Click the blue cog and select Generate CSR.

vpn7

Populate the fields with information relevant to your environment.

You can now see your CSR, highlighted in blue.

vpn9

Click the blue cog and select Self Sign Certificate.

vpn10

Enter the number of days this certificate will be valid for.

vpn11

The self-signed certificate has now been created.

vpn12

When you configure the Global Configuration options you will be able to select this certificate instead of using the default PSK authentication method.

Configure Global IPSec Configuration

This configuration enables the IPSec VPN on the ESG.

Log into the vSphere Web Client.

Click Networking and Security, then NSX Edges.

Double-click the ESG that the IPSec VPN will be configured on.

Click Manage, then VPN, followed by IPSec VPN.

Under Global Configuration Status, click Change.

vpn14

Enter your Pre-Shared Key (PSK) or if you require Certificate Authentication select the Service Certificate and the CA Certificate. I have configured both options just to show in one screenshot.

vpn15

Make sure you click Publish Changes to apply the configuration.

vpn17

Configure IPSec VPN Parameters

This is where you configure the actual local and remote IPSec VPN parameters. You must specify at least one external IP address on the ESG.

Log into the vSphere Web Client.

Click Networking and Security, then NSX Edges.

Double-click the ESG that the IPSec VPN will be configured on.

Click Manage, then VPN, followed by IPSec VPN.

Click the green + sign to add an IPSec VPN.

vpn18a

Enter the relevant information for the VPN connection. My configuration is shown.

vpn22

Make sure you click Publish Changes to apply the configuration.

vpn21

In the last section of this post, “My Lab IPSec VPN Configuration”, I show the working config for an NSX Site to Site IPSec VPN between two ESGs with a DLR in the middle acting as an Internet router, all running in my nested lab.

Enable Logging

Pretty simple task. This enables logging of all IPSec VPN traffic.

Log into the vSphere Web Client.

Click Networking and Security, then NSX Edges.

Double-click the ESG that the IPSec VPN will be configured on.

Click Manage, then VPN, followed by IPSec VPN.

Click Logging Policy, tick the box to Enable and select your logging level.

Make sure you click Publish Changes to apply the configuration.

vpn21

My Lab IPSec VPN Configuration

I am using the same IP addressing as the example configuration shown below, which is from the VMware NSX 6.2 documentation. Some bits of this VMware documentation are also incorrect.

vpn19

My configuration is between two ESGs with a DLR in the middle to simulate Internet routing, with a VM hanging off each local network. Once deployed, I can ping from a VM on the 192.168.5.0 network to the VM on the 172.16.0.0 network.

The left-hand side of the above diagram I will refer to as DataCentre and the right-hand side I will refer to as RemoteSite. There are no static routes or dynamic routing protocols involved. Prior to starting, the VMs cannot ping each other.

The DataCentre configuration (left-hand side):

vpn30

The DataCentre Global Configuration:

vpn31

The DataCentre VPN Parameters:

vpn32

The RemoteSite configuration (right-hand side):

vpn33

The RemoteSite Global Configuration:

vpn34

The RemoteSite VPN Parameters:

vpn35

Now let’s jump on the console of either ESG and run the following command: show service ipsec. I can see the IPSec VPN configuration is active.

console

From a VM on the DataCentre side I can ping the VM on the RemoteSite, and I also show the traceroute.

ping

In my lab, the Logical Switches are directly connected to the ESG. If they are connected to a DLR instead, you will need to make sure that the ESG has static routes to these networks.

Also read the below reference documents:

In the next post we will cover: Objective 3.2B – Configure and Manage Logical Virtual Private Networks (SSL VPNs)

I hope this has been informative and thank you for reading! Be social and share it on social media if you feel it is worth sharing!

Hello,

I am Rahul Sharma, currently working as a Subject Matter Expert for SDDC and Cloud Infrastructure Services, mainly on the VMware virtualization platform.

I have 9 years of IT experience and expertise in designing and deploying VMware vSphere, vSAN, vCloud Director, vRealize Automation, SRM, NSX and modern data center technologies like vBlock, Cisco UCS, DELL, HPE C7000, HPE Synergy HCI etc.

I am a vExpert and VCIX6-DCV, Dual VCP – DCV & NV, MCSE – Cloud, CCNA and ITIL v3 certified.
