Principles
- Understand how to configure IPSec VPN
- Configure IPSec VPN parameters
- Enable logging
- Understand how to configure Layer 2 VPN
- Add Layer 2 VPN Client/Server
- View Layer 2 VPN Statistics
- Configure Network Access/Web Access SSL VPN-Plus
- Edit Client Configurations
- Edit General Settings
- Edit Web Portal Designs
- Add/Edit/Delete IP Pools
- Add/Edit/Delete Private Networks
- Add/Edit/Delete Installation Packages
- Add/Edit/Delete Users
- Add/Edit/Delete Login/Logoff script
- Determine appropriate VPN service type for a given NSX implementation
References
- NSX Administration Guide
http://pubs.vmware.com/NSX-62/topic/com.vmware.ICbase/PDF/nsx_62_admin.pdf
- NSX Installation Guide
https://pubs.vmware.com/NSX-62/topic/com.vmware.ICbase/PDF/nsx_62_install.pdf
- NSX Design Guide
Understand how to configure IPSec VPN
- IPSec VPN offers site-to-site connectivity between an NSX Edge instance and remote sites
- Supported between NSX Edge and remote VPN concentrators/routers:
- Certificate authentication
- Pre-shared key (PSK) mode
- IP unicast traffic
- Dynamic Routing is not supported between NSX Edge and VPN Concentrators/Routers
- Multiple subnets behind a remote VPN concentrator/router can be connected to an NSX Edge and its internal network through IPSec tunnels
- Remote and Local subnets must not overlap
- NAT:
- NSX Edge and VPN Concentrators may be placed behind a NAT device
- Static 1:1 mapping to each Concentrator/Edge is required at each end
- Number of tunnels = #local subnets x #peer subnets
- Max tunnels for an ESG:
- Compact: 512
- Large: 1600
- Quad Large: 4096
- X-Large: 6000
- The following IPSec VPN algorithms are supported:
- AES (AES128-CBC)
- AES256 (AES256-CBC)
- Triple DES (3DES192-CBC)
- AES-GCM (AES128-GCM)
- DH-2 (Diffie–Hellman group 2, 1024-bit MODP)
- DH-5 (Diffie–Hellman group 5, 1536-bit MODP)
- Caveat: 3DES and DH group 2 are weak by current standards; where the peer supports it, prefer AES-GCM or AES256 with DH group 5, and only fall back to 3DES/DH-2 for legacy peers
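The subnet and sizing rules above are easy to get wrong when several remote sites hang off one Edge. The following pre-flight check is an added example (not NSX code or output): it applies the three rules from the text, local and peer subnets must not overlap, tunnels = local subnets x peer subnets, and the total must fit the ESG size, to a site plan. The per-size limits are the ones quoted above; the sample site data is constructed.

```python
"""Pre-flight check for an NSX Edge IPSec VPN site plan (added example)."""
import ipaddress
from itertools import product

# Max IPSec tunnels per Edge Services Gateway size, as quoted in the text.
ESG_TUNNEL_LIMITS = {"compact": 512, "large": 1600, "quadlarge": 4096, "xlarge": 6000}


def overlapping_pairs(local_subnets, peer_subnets):
    """Return the (local, peer) CIDR pairs that overlap; any such pair makes the site invalid."""
    local = [ipaddress.ip_network(s, strict=True) for s in local_subnets]
    peer = [ipaddress.ip_network(s, strict=True) for s in peer_subnets]
    return [(str(l), str(p)) for l, p in product(local, peer) if l.overlaps(p)]


def tunnel_count(local_subnets, peer_subnets):
    """One IPSec tunnel is negotiated per local/peer subnet pair."""
    return len(local_subnets) * len(peer_subnets)


def check_plan(sites, esg_size):
    """Validate every site and the aggregate tunnel count for one Edge.

    sites: list of dicts with 'name', 'local_subnets', 'peer_subnets' (CIDR strings).
    Returns (ok, total_tunnels, problems) where problems is a list of human-readable strings.
    """
    problems = []
    total = 0
    for site in sites:
        for local, peer in overlapping_pairs(site["local_subnets"], site["peer_subnets"]):
            problems.append(f"{site['name']}: local {local} overlaps peer {peer}")
        total += tunnel_count(site["local_subnets"], site["peer_subnets"])
    limit = ESG_TUNNEL_LIMITS[esg_size]
    if total > limit:
        problems.append(f"{total} tunnels exceed the {esg_size} ESG limit of {limit}")
    return (not problems, total, problems)


# Constructed sample plan: two remote sites terminating on the same Edge.
SAMPLE_SITES = [
    {"name": "branch-a",
     "local_subnets": ["10.10.0.0/24", "10.10.1.0/24"],
     "peer_subnets": ["192.168.10.0/24", "192.168.11.0/24", "192.168.12.0/24"]},
    {"name": "branch-b",
     "local_subnets": ["10.10.0.0/24"],
     "peer_subnets": ["10.10.0.128/25"]},   # sits inside the local subnet: invalid
]

if __name__ == "__main__":
    ok, total, problems = check_plan(SAMPLE_SITES, "compact")
    print(f"ok={ok} tunnels={total}")
    for problem in problems:
        print(" -", problem)
```

Run it before touching the Edge: an overlap is reported per site, and the tunnel total is compared against the size the Edge was actually deployed with, since resizing an Edge later is a redeploy.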
Configure IPSec VPN parameters
High-level process for configuring IPSec VPN between two NSX Edges:
- Enable IPSec VPN from Edge -> Manage -> VPN
- Generate CA Signed Certificates
- Generate a new certificate for each Edge:
- CSR can be generated from the Edge itself under Settings -> Certificate
- Get Edge certs signed by your CA
- Upload Edge certs to the respective Edge along with the CA Root certificate
- Required in PEM format
- Edge Certificates need the private key to be loaded
- Click on each Edge cert and note its subject DN. NSX shows it CN-first; the tunnel configuration needs it reversed (C first), e.g.:
CN=edge1.home.lab, OU=LAB, O=Home, L=Westminster, ST=London, C=GB =>
C=GB, ST=London, L=Westminster, O=Home, OU=LAB, CN=edge1.home.lab
- Use these reversed DNs for “Local Id” and “Peer Id” in the tunnel configuration
- Global IPSec Configuration
- Pre-shared key: For tunnels where peer endpoint = “any”
- Click “Enable Certificate Authentication” and select previously loaded certificates
- IPSec VPN Parameters (per site/tunnel)
- At least one external IP address on the Edge is required
- Local Id:
- IP/FQDN of this Edge for pre-shared key
- Reversed subject DN of this Edge’s certificate for certificate authentication
- Local Endpoint: external IP address of this Edge that terminates the tunnel
- Local Subnets: comma-separated list of local subnets (CIDR) to reach across the tunnel
- Peer Id:
- Peer IP/FQDN for pre-shared key
- Reversed subject DN of the peer’s certificate for certificate authentication
- Peer Endpoint: IP/FQDN of the peer; “any” is allowed for pre-shared key tunnels (the global pre-shared key is then used)
- Peer Subnets: comma-separated list of remote subnets (CIDR) to reach across the tunnel
- Authentication Method: PSK (pre-shared key specified in global config) or Certificate
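Producing the reversed DN by hand for every Edge is error-prone, and a mismatch between what one side uses as Local Id and the other as Peer Id is the usual reason a certificate-authenticated tunnel stays down. The helper below is an added example (not NSX code): it parses an RFC 4514-style DN, reverses the RDN order as the text describes, and emits the Local Id / Peer Id pair for each side. edge1’s DN is the one from the text; edge2’s DN is a constructed counterpart.

```python
"""Derive NSX Edge IPSec Local Id / Peer Id strings from certificate subject DNs (added example)."""
import re

# Split on commas that are not escaped with a backslash (RFC 4514 value escaping).
_RDN_SPLIT = re.compile(r"(?<!\\),")


def parse_dn(dn):
    """Turn 'CN=a, OU=b' into [('CN', 'a'), ('OU', 'b')], preserving attribute order."""
    rdns = []
    for part in _RDN_SPLIT.split(dn):
        part = part.strip()
        if not part:
            continue
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def reverse_dn(dn):
    """Return the DN with its RDNs in reverse order, comma-space separated (C first for a CN-first input)."""
    return ", ".join(f"{attr}={value}" for attr, value in reversed(parse_dn(dn)))


def tunnel_ids(local_cert_dn, peer_cert_dn):
    """Local Id / Peer Id for one Edge; the other Edge gets the same two strings swapped."""
    return {"local_id": reverse_dn(local_cert_dn), "peer_id": reverse_dn(peer_cert_dn)}


EDGE1_DN = "CN=edge1.home.lab, OU=LAB, O=Home, L=Westminster, ST=London, C=GB"
EDGE2_DN = "CN=edge2.home.lab, OU=LAB, O=Home, L=Westminster, ST=London, C=GB"  # constructed

if __name__ == "__main__":
    for side, (mine, theirs) in {"edge1": (EDGE1_DN, EDGE2_DN), "edge2": (EDGE2_DN, EDGE1_DN)}.items():
        ids = tunnel_ids(mine, theirs)
        print(f"{side}: Local Id = {ids['local_id']}")
        print(f"{side}: Peer Id  = {ids['peer_id']}")
```

Paste the printed strings verbatim into each Edge’s tunnel; if the CSR was generated with a comma inside a value (for example an organisation name), the escaped comma survives the reversal, which a naive split on “,” would not preserve.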
Enable logging
Set Logging Policy under main VPN tab. Default = WARNING
Understand how to configure Layer 2 VPN
- L2 VPN uses tunnels to stretch L2 segments across sites i.e. VMs at either end of the tunnel remain on the same subnet
- L2 Segments at either end of the tunnel may be VLAN or VXLAN or a mix of both
- NSX Edges in one site can provide services to VMs in the remote site
- L2 VPN Tunnels are Client:Server
- Tunnels may be configured between 2 private Datacenters or Datacenter + Public Cloud
- There is no minimum MTU requirement
- From NSX 6.1:
- Client side may be provided by a standalone NSX Edge i.e. full NSX implementation not required on client side
- Trunk Interface may be used to link multiple L2 segment in a single NSX Edge
- Full HA support for Edges deployed for L2 VPN
Typical Use Cases:
- Workload Migration/Datacenter Consolidation
- Service Provider on-boarding
- Cloud Bursting
- Stretched Applications
Best practice to prevent network loops
- Option 1: Separate ESXi hosts for L2VPN Edges and VMs
- Deploy NSX Edges and VMs on separate hosts. Typically, Edges are placed on a dedicated Edge Cluster and VMs on a dedicated Compute cluster
- Configure a trunk interface for the networks to be stretched:
- Use “Route based on originating virtual port” as teaming policy
- Active/Standby failover for the NSX Edge L2VPN trunk interface
- Use Sink Port and disable promiscuous mode
- No restriction on policy or failover for VMs
- Option 2: L2VPN Edges and VMs on the same ESXi host
- Use “Route based on originating virtual port” as teaming policy and Active/Standby failover for the NSX Edge L2VPN trunk interface
- VM port groups can use any teaming policy but only one uplink active at a time
- Order of Active/Standby uplink must be the same for all VM hosts + Edge hosts
- Configure the client-side standalone edge to use Sink Port mode and disable promiscuous mode on the trunk vNic
Client Edge Sink Port Configuration
- If deployed as part of an NSX implementation, this configuration is automated
- When deployed as a standalone edge and connected to a vDS the Sink port must be configured manually
- Sink port configuration is done at vDS level and requires manual modification of the port – follow guidelines in the NSX admin guide
Add Layer 2 VPN Client/Server
Server Configuration
- Configure a sub-interface for the VLAN/VXLAN to be stretched
- Select the “Server” checkbox and click Change to set the following parameters:
- Listener IP/Port
- Encryption Algorithm
- Certificate
- Add a site and configure the parameters using the sub-interface defined earlier
Client Configuration
- Configure a sub-interface for the VLAN/VXLAN to be stretched
- Select Manage -> VPN -> L2VPN
- Select the “Client” checkbox and click Change to set the following parameters:
- Server Address/Port
- Encryption Algorithm
- Sub-Interfaces
- Gateway
- User credentials
- Advanced -> Proxy Settings (if no direct access to Internet/WAN)
- If a standard port group is used on the Client Site, enable Promiscuous Mode and Forged Transmits on it
Standalone VPN Client
If the client-side VPN Edge is a standalone, configure the following on the trunk port:
- Standard Trunk Port Group:
- Enable forged transmits
- Enable promiscuous mode
- vDS Trunk Port Group:
- Enable forged transmits
- Configure a Sink port or enable promiscuous mode (sink port recommended)
View Layer 2 VPN Statistics
- L2VPN Statistics can be viewed per tunnel from the Client side
- Click “Fetch Status” and expand “Tunnel” to view statistics for each tunnel
Configure Network Access/Web Access SSL VPN-Plus
SSL VPN-Plus allows remote users to access private corporate applications
- Network Access: client installed on the remote user’s machine
- Web Access: no client install on the remote user’s machine; access is through the web portal
Edit Client Configurations
Manage -> SSL VPN-Plus -> Client Configuration and click “Change”
- Tunnelling mode:
- Full: all client traffic is passed down the VPN tunnel
- Exclude local subnets: as Full, but traffic to the client’s own local subnets stays off the tunnel
- Split: only traffic to the configured private networks is passed down the VPN tunnel
- Enable auto reconnect for client to automatically reconnect if VPN connection drops
- Client upgrade notification: Notify end user that client upgrade is available
Edit General Settings
Manage -> SSL VPN-Plus -> General Settings
Select | To |
Prevent multiple logon using same username | Allow a remote user to login only once |
Enable compression | Enable TCP based intelligent data compression |
Enable logging | Maintain a log of the traffic passing through the SSL VPN gateway. |
Force virtual keyboard | Allow remote users to login with virtual keyboard only |
Randomize keys of virtual keyboard | Make the virtual keyboard keys random |
Enable forced timeout | Disconnect remote user after specified timeout period |
Session idle timeout | End user session after timeout period |
User notification | Login message |
Enable public URL access | Allow access to sites not configured (and not listed on web portal) |
Edit Web Portal Designs
Manage -> SSL VPN-Plus -> Portal Customization
Items that can be customised:
- Port Design: Title, Company Name, Logo, Colours
- Client Design: Banner, Icons
Add/Edit/Delete IP Pools
Manage -> SSL VPN-Plus -> IP Pools
Pool Configuration:
- Range/Mask/Gateway
- DNS/WINs
Add/Edit/Delete Private Networks
Manage -> SSL VPN-Plus -> Private Networks
Determines which private networks a user can reach when connected to the VPN, and whether each is reached through the tunnel
- Network: subnet
- Send Traffic:
- Over Tunnel: Send traffic to the NSX Edge first
- Bypass Tunnel: Bypass the NSX Edge and go directly to the endpoint (public or private)
- Enable TCP Optimization:
- Use when Send Traffic Over Tunnel is selected.
- NSX Edge opens TCP connections on behalf of client
- Prevents TCP-over-TCP meltdown, where the application’s TCP session and the TCP connection carrying the SSL tunnel both retransmit the same lost packet and their retransmission timers compound each other
- Ports: List of ports eligible for TCP Optimization
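The tunnelling mode in the client configuration and the Send Traffic setting of each private network decide together where a client packet goes, and the text lists them separately. The model below is an added example (not NSX code) that combines them: Full sends everything through the tunnel except networks marked Bypass Tunnel, Exclude local subnets additionally keeps the client’s local subnets off the tunnel, and Split only tunnels networks marked Over Tunnel. Two points are assumptions, not stated in the text: the most specific matching private network wins, and an unlisted destination in Split mode bypasses the tunnel. The network lists are constructed.

```python
"""Model of the SSL VPN-Plus client's tunnel/bypass decision (added example)."""
import ipaddress


def _most_specific(dst, private_networks):
    """Longest-prefix match against the Private Networks list (assumption about NSX ordering)."""
    best = None
    for cidr, action in private_networks:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, action)
    return None if best is None else best[1]


def route_decision(dst_ip, mode, private_networks, local_subnets=()):
    """Return 'tunnel' or 'bypass' for dst_ip under mode in ('full', 'exclude_local', 'split')."""
    dst = ipaddress.ip_address(dst_ip)
    action = _most_specific(dst, private_networks)
    if action == "bypass":
        return "bypass"  # an explicit Bypass Tunnel entry wins in every mode
    if mode == "split":
        return "tunnel" if action == "tunnel" else "bypass"  # only Over Tunnel networks are tunnelled
    if mode == "exclude_local" and any(dst in ipaddress.ip_network(s) for s in local_subnets):
        return "bypass"
    if mode in ("full", "exclude_local"):
        return "tunnel"
    raise ValueError(f"unknown tunnelling mode {mode!r}")


# Constructed Private Networks list: (CIDR, Send Traffic)
PRIVATE_NETWORKS = [
    ("10.0.0.0/8", "tunnel"),      # corporate range: Over Tunnel
    ("10.200.0.0/16", "bypass"),   # guest segment inside it: Bypass Tunnel
]
HOME_LAN = ("192.168.1.0/24",)     # the client's own local subnet (constructed)

if __name__ == "__main__":
    for ip in ("10.1.2.3", "10.200.5.5", "192.168.1.10", "8.8.8.8"):
        for mode in ("full", "exclude_local", "split"):
            print(f"{ip:>13} {mode:<14} -> {route_decision(ip, mode, PRIVATE_NETWORKS, HOME_LAN)}")
```

The practical check this supports: in Full mode only an explicit Bypass Tunnel entry keeps traffic local, so a Private Networks list that forgets one exposes the Edge as the client’s path to the Internet; in Split mode anything not listed as Over Tunnel never reaches the corporate side, which is the usual cause of “the VPN is up but I cannot reach server X”.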
Add/Edit/Delete Installation Packages
Manage -> SSL VPN-Plus -> Installation Package
- Windows package is created by default
- Add Gateway/IP
- Add MAC/Linux if needed
Windows Installation Parameters
Option | Description |
Start client on logon | The SSL VPN client is started when the remote user logs on to his system |
Allow remember password | Lets the remote user save the password in the SSL VPN client |
Enable silent mode installation | Hides installation commands from remote user |
Hide SSL client network adapter | Hides the VMware SSL VPN-Plus Adapter, which is installed on the remote user’s computer along with the SSL VPN installation package |
Hide client system tray icon | Hides the SSL VPN tray icon which indicates whether the VPN connection is active or not |
Create desktop icon | Creates an icon to invoke the SSL client on the user’s desktop |
Enable silent mode operation | Hides the pop-up that indicates that installation is complete |
Server security certificate validation | The SSL VPN client validates the SSL VPN server certificate before establishing the secure connection |
Caveat: leave server certificate validation enabled; without it the client will complete the TLS handshake with any host presenting any certificate, so a DNS or on-path attacker can capture the user’s credentials and traffic
Add/Edit/Delete Users
Manage -> SSL VPN-Plus -> Users
Local users only
Configure an Authentication Provider to use AD/LDAP/RADIUS.
Add/Edit/Delete Login/Logoff script
Manage -> SSL VPN-Plus -> Logon/Logoff Scripts
Bind login/logoff scripts with Edge
Determine appropriate VPN service type for a given NSX implementation
- IPSec VPN: Connect remote Datacenters over a L3 encrypted connection
- SSL VPN-Plus: Remote access for end users to corporate resources
- L2 VPN: Stretch L2 segments to remote Datacenters or cloud/service providers