NSX-T IPSec VPN
IPSec stands for Internet Protocol Security. An IPSec VPN secures tunnels between organization virtual data center networks, or between an organization virtual data center network and an external IP address. You can set up the IPSec VPN service on an edge gateway.
On this page, you will find information on how to create and manage IPSec VPN tunnels.
View IPSec VPN Tunnels
- Go to your Control Panel > Cloud > Edge Gateways > NSX-T tab.
- On the page that appears, click the NSX-T edge gateway for which you want to view IPSec VPN tunnels.
- Click the IPSEC VPN tab.
- On the following page, you can view the list of IPSec VPN tunnels with the following parameters:
- Status - the status of the IPSec VPN tunnel
- Label - the name of the IPSec VPN tunnel
- Security Profile - the security profile used for the IPSec VPN tunnel, Default or Custom
- Authentication Mode - the mode of authentication that can be Pre-Shared Key (specifies that the secret key shared between the edge gateway and the peer site is used for authentication) or Certificate (specifies that the certificate defined at the global level is used for authentication)
- Local IP - the local IP address of the IPSec VPN tunnel
- Local Networks - the local networks of the IPSec VPN tunnel which are specified in CIDR format
- Remote IP - the remote IP address of the IPSec VPN tunnel
- Remote Networks - the remote networks of the IPSec VPN tunnel which are specified in CIDR format
- Logging - shows if logging for the tunnel is enabled or not
Create IPSec VPN Tunnel
- Go to your Control Panel > Cloud > Edge Gateways > NSX-T tab.
- On the page that appears, click the NSX-T edge gateway for which you need to create an IPSec VPN tunnel.
- Click the IPSEC VPN tab.
- On the following page, click the icon above the IPSec VPN tunnels table and fill in the following:
- Label - the name of the IPSec VPN tunnel
- Description - the description of the IPSec VPN tunnel
- State - move the slider to the right to make the IPSec VPN tunnel active
- Pre-Shared Key - the global pre-shared key (PSK) that is shared by all the sites with the peer endpoint set to Any. If a global PSK is already set, changing the PSK to an empty value and saving has no effect on the existing setting.
- Local IP Address - the local IP address of the IPSec VPN tunnel
- Local Networks - the local networks of the IPSec VPN tunnel, specified in CIDR format. Click the icon that appears once you specify a network.
- Remote IP Address - the remote IP address of the IPSec VPN tunnel
- Remote Networks - the remote networks of the IPSec VPN tunnel, specified in CIDR format. Click the icon that appears once you specify a network.
- Remote ID - the ID that identifies the peer site; it depends on the authentication mode of the IPSec VPN tunnel. For Pre-Shared Key, if you configure NAT for the remote site, enter the private IP address of the remote site; otherwise, use the public IP address of the remote device that terminates the VPN tunnel. For Certificate, the remote ID should match the certificate SAN (Subject Alternative Name), if available, or the distinguished name of the certificate used to secure the remote endpoint. If you do not set it, the remote ID defaults to the remote IP address of the IPSec VPN tunnel.
- Logging - move the slider to the right to enable logging for the IPSec VPN tunnel
- Click Save.
Edit IPSec VPN Tunnel
- Go to your Control Panel > Cloud > Edge Gateways > NSX-T tab.
- Select the NSX-T edge gateway for which you want to edit an IPSec VPN tunnel.
- Click the IPSEC VPN tab.
- On the following page, click the icon next to the required IPSec VPN tunnel and edit the following parameters:
- Label - the name of the IPSec VPN tunnel
- Description - the description of the IPSec VPN tunnel
- State - move the slider to the right to make the IPSec VPN tunnel active
- Authentication Mode - the mode of authentication of the IPSec VPN tunnel:
  - Pre-Shared Key - specifies that the secret key shared between the edge gateway and the peer site is used for authentication. Fill in the Pre-Shared Key field with the global pre-shared key (PSK) that is shared by all the sites with the peer endpoint set to Any. If a global PSK is already set, changing the PSK to an empty value and saving has no effect on the existing setting.
  - Certificate - specifies that the certificate defined at the global level is used for authentication. Fill in the following:
    - Server Certificate - a certificate that confirms the identity of a server
    - CA Certificate - a certificate issued by a CA (Certificate Authority)
  - If the authentication mode of an IPSec VPN is Pre-Shared Key, you cannot change it to Certificate.
  - If the authentication mode of an imported IPSec VPN is Certificate, you can change it to Pre-Shared Key.
  - You cannot edit a certificate imported from vCloud.
  - To import a certificate, your VCD organization should have at least one user with the vCloud Organization Administrator role and valid vCloud credentials.
- Security Profile - the security profile used for the IPSec VPN tunnel, Default or Custom
- Local IP Address - the local IP address of the IPSec VPN tunnel
- Local Networks - the local networks of the IPSec VPN tunnel, specified in CIDR format
- Remote IP Address - the remote IP address of the IPSec VPN tunnel
- Remote Networks - the remote networks of the IPSec VPN tunnel, specified in CIDR format
- Remote ID - the ID that identifies the peer site; it depends on the authentication mode of the IPSec VPN tunnel. For Pre-Shared Key, if you configure NAT for the remote site, enter the private IP address of the remote site; otherwise, use the public IP address of the remote device that terminates the VPN tunnel. For Certificate, the remote ID must match the certificate SAN (Subject Alternative Name), if available, or the distinguished name of the certificate used to secure the remote endpoint. If you do not set it, the remote ID defaults to the remote IP address of the IPSec VPN tunnel.
- Logging - move the slider to the right to enable logging for the IPSec VPN tunnel
- Click Save.
- If the security profile of an NSX-T IPSec VPN tunnel is set to Default, you cannot change it to Custom from this dialog. The instructions on how to edit the security profile are provided in Customize Security Profile below.
- If you set the security profile of an edited NSX-T IPSec VPN tunnel to Default, all security profile settings are reset to Default for this NSX-T IPSec VPN tunnel.
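The rules from the Create and Edit sections above (CIDR-formatted networks, the Remote ID defaulting to the remote IP, an empty PSK leaving the existing key untouched, and the forbidden Pre-Shared Key to Certificate and Default to Custom transitions) can be checked before a tunnel definition is submitted. The following is an added example written for this page, not code from the control panel or its API; the `Tunnel` dataclass, the field names and the overlap check are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass, field, replace
PSK, CERT = "Pre-Shared Key", "Certificate"

@dataclass
class Tunnel:
    auth_mode: str = PSK
    local_ip: str = ""
    local_networks: tuple = ()
    remote_ip: str = ""
    remote_networks: tuple = ()
    remote_id: str = ""   # empty: the docs say it defaults to remote_ip
    psk: str = ""
    security_profile: str = "Default"
    profile_settings: dict = field(default_factory=dict)  # Custom IKE/tunnel/DPD values

def validate(t):
    """Return a list of problems with a tunnel definition (empty list means OK)."""
    problems, nets = [], {"Local": [], "Remote": []}
    for name, ip in (("Local IP", t.local_ip), ("Remote IP", t.remote_ip)):
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"{name} is not a valid IP address: {ip!r}")
    for side, cidrs in (("Local", t.local_networks), ("Remote", t.remote_networks)):
        for c in cidrs:
            try:  # strict=True rejects host bits: 10.0.1.5/24 is not a prefix
                nets[side].append(ipaddress.ip_network(c, strict=True))
            except ValueError:
                problems.append(f"{side} network is not valid CIDR: {c!r}")
    # Overlapping local and remote prefixes: an added sanity check, not a rule from the docs
    problems += [f"Local {ln} overlaps remote {rn}"
                 for ln in nets["Local"] for rn in nets["Remote"] if ln.overlaps(rn)]
    if t.auth_mode == PSK and not t.psk:
        problems.append("Pre-Shared Key mode needs a non-empty PSK")
    if t.auth_mode == CERT and not t.remote_id:
        problems.append("Remote ID defaults to the remote IP; for Certificate set it to the peer certificate SAN or DN")
    return problems

def apply_edit(current, **changes):
    """Apply an edit, enforcing the restrictions listed under Edit IPSec VPN Tunnel."""
    if current.auth_mode == PSK and changes.get("auth_mode") == CERT:
        raise ValueError("cannot change authentication mode from Pre-Shared Key to Certificate")
    if current.security_profile == "Default" and changes.get("security_profile") == "Custom":
        raise ValueError("switch from Default to Custom via Customize Security Profile instead")
    if "psk" in changes and not changes["psk"]:  # empty PSK on save keeps the existing key
        del changes["psk"]
    if changes.get("security_profile") == "Default":
        changes["profile_settings"] = {}         # resetting to Default discards custom values
    return replace(current, **changes)
```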
Customize Security Profile
Go to your Control Panel > Cloud > Edge Gateways > NSX-T tab > the label of the edge gateway > IPSec VPN tab.
On the following page, hover over the required IPSec VPN tunnel and click the icon that appears next to its security profile. In the dialog, you can edit the following:
IKE Profiles
- IKE version - select the required IKE version in the drop-down list
- Encryption - in the drop-down list, select the desired encryption method used in the IKE negotiation
- Digest - in the drop-down list, select the required secure hash algorithm used in the IKE negotiation
- Diffie-Hellman Group - in the drop-down list, select the required DH group that creates a shared secret over an insecure network
- Association Life Time (seconds) - set the security association lifetime
Tunnel Configuration
- Enable Perfect Forward Secrecy - move the slider to the right to enable the perfect forward secrecy
- Defragmentation Policy - in the drop-down list, select the desired policy to handle defragmentation bits for the NSX-T IPSec VPN tunnel
- Encryption - in the drop-down list, select the required encryption method for the NSX-T IPSec VPN tunnel
- Digest - in the drop-down list, select the required secure hash algorithm for the NSX-T IPSec VPN tunnel
- Diffie-Hellman Group - in the drop-down list, select the desired DH group for the NSX-T IPSec VPN tunnel
- Association Life Time (seconds) - set the security association lifetime for the NSX-T IPSec VPN tunnel
DPD (Dead Peer Detection) Configuration
- Probe Interval (seconds) - set the interval for DPD probes
Click Save.
Delete IPSec VPN Tunnel
- Go to your Control Panel > Cloud > Edge Gateways > NSX-T tab.
- Select the necessary NSX-T edge gateway for which you want to delete the IPSec VPN tunnel.
- Click the IPSEC VPN tab.
- On the following page, click the checkbox next to the required IPSec VPN.
- Once selected, click the icon that appears above the table to delete the IPSec VPN tunnel.
- Click OK in the dialog to confirm the deletion.