Objective 6.2 – Configure and manage logical VPNs

Principles

  • Understand how to configure IPSec VPN
    • Configure IPSec VPN parameters
    • Enable logging
  • Understand how to configure Layer 2 VPN
    • Add Layer 2 VPN Client/Server
    • View Layer 2 VPN Statistics
  • Configure Network Access/Web Access SSL VPN-Plus
    • Edit Client Configurations
    • Edit General Settings
    • Edit Web Portal Designs
    • Add/Edit/Delete IP Pools
    • Add/Edit/Delete Private Networks
    • Add/Edit/Delete Installation Packages
    • Add/Edit/Delete Users
    • Add/Edit/Delete Login/Logoff script
  • Determine appropriate VPN service type for a given NSX implementation

References

  1. NSX Administration Guide
     http://pubs.vmware.com/NSX-62/topic/com.vmware.ICbase/PDF/nsx_62_admin.pdf
  2. NSX Installation Guide
     https://pubs.vmware.com/NSX-62/topic/com.vmware.ICbase/PDF/nsx_62_install.pdf
  3. NSX Design Guide

Understand how to configure IPSec VPN

  • IPSec VPN offers site-to-site connectivity between an NSX Edge instance and remote sites
  • Supported between NSX Edge and VPN Concentrators/Routers:
    • Certificate authentication
    • Pre-shared key mode
    • IP unicast traffic
  • Dynamic Routing is not supported between NSX Edge and VPN Concentrators/Routers
  • Multiple subnets behind a remote VPN concentrator/router can be connected to an NSX Edge and its internal network through IPSec tunnels
    • Remote and Local subnets must not overlap
  • NAT:
    • NSX Edge and VPN Concentrators may be placed behind a NAT device
    • Static 1:1 mapping to each Concentrator/Edge is required at each end
  • Number of tunnels = #local subnets x #peer subnets
  • Max tunnels for an ESG:
    • Compact: 512
    • Large: 1600
    • Quad Large: 4096
    • X-Large: 6000
  • The following IPSec VPN algorithms are supported:
    • AES (AES128-CBC)
    • AES256 (AES256-CBC)
    • Triple DES (3DES192-CBC)
    • AES-GCM (AES128-GCM)
    • DH-2 (Diffie–Hellman group 2)
    • DH-5 (Diffie–Hellman group 5)
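A pre-flight check for the rules above (local and peer subnets must not overlap, tunnels = local subnets x peer subnets, and the count must fit the Edge size), written as an added example; it is not from these notes or from VMware, and the function name and size labels are my own.

```python
import ipaddress
from itertools import product

# Maximum IPsec tunnels per NSX Edge size (numbers from the notes; labels are mine)
MAX_TUNNELS = {"compact": 512, "large": 1600, "quad-large": 4096, "x-large": 6000}


def check_ipsec_subnets(local_subnets, peer_subnets, edge_size):
    """Validate the local/peer subnet lists for one NSX Edge IPsec peer.

    Returns (tunnel_count, problems). Each local/peer subnet pair becomes its own
    tunnel, so tunnel_count = len(local) * len(peer). problems lists malformed CIDRs,
    every local/peer overlap, and a tunnel count above the Edge size limit.
    """
    problems = []
    local, peer = [], []
    for label, cidrs, out in (("local", local_subnets, local), ("peer", peer_subnets, peer)):
        for cidr in cidrs:
            try:
                # strict=True rejects host addresses such as 10.1.0.5/24
                out.append(ipaddress.ip_network(cidr, strict=True))
            except ValueError as exc:
                problems.append(f"{label} subnet {cidr!r} is not a valid network: {exc}")
    # Remote and local subnets must not overlap
    for l, p in product(local, peer):
        if l.overlaps(p):
            problems.append(f"local {l} overlaps peer {p}")
    tunnels = len(local) * len(peer)
    limit = MAX_TUNNELS[edge_size]
    if tunnels > limit:
        problems.append(f"{tunnels} tunnels exceeds the {edge_size} Edge limit of {limit}")
    return tunnels, problems


if __name__ == "__main__":
    # Constructed sample: two local subnets, three remote subnets, compact Edge -> 6 tunnels
    count, issues = check_ipsec_subnets(
        ["10.1.0.0/24", "10.1.1.0/24"],
        ["192.168.10.0/24", "192.168.20.0/24", "192.168.30.0/24"],
        "compact",
    )
    print(count, issues)
```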

Configure IPSec VPN parameters

High-level process for configuring IPSec VPN between two NSX Edges:

  1. Enable IPSec VPN from Edge -> Manage -> VPN
  2. Generate CA signed certificates
    1. Generate a new certificate for each Edge:
      1. CSR can be generated from the Edge itself under Settings -> Certificate
    2. Get Edge certs signed by your CA
    3. Upload Edge certs to the respective Edge along with the CA Root certificate
      1. Required in PEM format
      2. Edge certificates need the private key to be loaded
    4. Click on each Edge cert and reverse the DN, e.g.

       CN=edge1.home.lab, OU=LAB, O=Home, L=Westminster, ST=London, C=GB =>

       C=GB, ST=London, L=Westminster, O=Home, OU=LAB, CN=edge1.home.lab

    5. Use these DNs for “Local Id” and “Peer Id” in the tunnel configuration
  3. Global IPSec Configuration
    1. Pre-shared key: for tunnels where peer endpoint = “any”
    2. Click “Enable Certificate Authentication” and select previously loaded certificates
  4. IPSec VPN Parameters (at least one external IP is required)
    1. Local Id:
      1. IP/FQDN of this Edge for pre-shared key
      2. Certificate CN for Certificate authentication
    2. Local Endpoint:
      1. IP/FQDN of this Edge for pre-shared key
      2. Certificate CN for Certificate authentication
    3. Local Subnets: CIDR comma separated list of local subnets to share across tunnel
    4. Peer Id:
      1. Peer IP/FQDN for pre-shared key
      2. Certificate CN for Certificate authentication
    5. Peer Endpoint:
      1. IP/FQDN/any for peer Edge for pre-shared key
      2. Certificate CN for Certificate authentication
    6. Peer Subnets: CIDR comma separated list of remote subnets to share across tunnel
    7. Authentication Method: PSK (pre-shared key specified in global config) or Certificate
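The DN reversal described above, and a check that the Local Id / Peer Id fields on the two Edges match each other's reversed certificate subjects, as an added Python example (not from these notes or from VMware). Assumptions: subjects are RFC 4514 style comma-separated strings, and tunnel settings are dicts with the made-up keys "local_id" and "peer_id".

```python
import re

# Split a DN on commas that are not escaped ("\,"), per RFC 4514, and drop surrounding spaces
_RDN_SPLIT = re.compile(r"(?<!\\),\s*")


def parse_dn(dn):
    """Return the DN as [(ATTRIBUTE, value), ...] in the order written."""
    pairs = []
    for rdn in _RDN_SPLIT.split(dn.strip()):
        if not rdn:
            continue
        attr, sep, value = rdn.partition("=")
        if not sep or not value:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def reverse_dn(dn):
    """Reverse the RDN order, as the notes do for the Edge certificate subject."""
    return ", ".join(f"{a}={v}" for a, v in reversed(parse_dn(dn)))


def id_mismatches(edge_a_subject, edge_b_subject, tunnel_a, tunnel_b):
    """Compare each Edge's Local Id/Peer Id with the reversed subjects.

    tunnel_a / tunnel_b hold the settings configured on Edge A and Edge B (assumed
    keys "local_id", "peer_id"). Order matters, spacing and attribute case do not.
    Returns a list of mismatch descriptions (empty when everything lines up).
    """
    expected = {
        ("A", "local_id"): reverse_dn(edge_a_subject),
        ("A", "peer_id"): reverse_dn(edge_b_subject),
        ("B", "local_id"): reverse_dn(edge_b_subject),
        ("B", "peer_id"): reverse_dn(edge_a_subject),
    }
    tunnels = {"A": tunnel_a, "B": tunnel_b}
    problems = []
    for (edge, field), want in expected.items():
        got = tunnels[edge].get(field, "")
        try:
            same = parse_dn(got) == parse_dn(want)
        except ValueError:
            same = False
        if not same:
            problems.append(f"Edge {edge} {field}: have {got!r}, expected {want!r}")
    return problems
```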

Enable logging

Set Logging Policy under main VPN tab. Default = WARNING

Understand how to configure Layer 2 VPN

  • L2 VPN uses tunnels to stretch L2 segments across sites i.e. VMs at either end of the tunnel remain on the same subnet
  • L2 Segments at either end of the tunnel may be VLAN or VXLAN or a mix of both
  • NSX Edges in one site can provide services to VMs in the remote site
  • L2 VPN Tunnels are Client:Server
  • Tunnels may be configured between 2 private Datacenters or Datacenter + Public Cloud
  • There is no minimum MTU requirement
  • From NSX 6.1:
    • Client side may be provided by a standalone NSX Edge i.e. full NSX implementation not required on client side
    • Trunk Interface may be used to link multiple L2 segments in a single NSX Edge
    • Full HA support for Edges deployed for L2 VPN

Typical Use Cases:

  • Workload Migration/Datacenter Consolidation
  • Service Provider on-boarding
  • Cloud Bursting
  • Stretched Applications

Best practices to mitigate network loops

  1. Option 1: Separate ESXi hosts for L2VPN Edges and VMs
    1. Deploy NSX Edges and VMs on separate hosts. Typically, Edges are placed on a dedicated Edge Cluster and VMs on a dedicated Compute cluster
    2. Configure a trunk interface for the networks to be stretched:
      • Use “Route based on originating virtual port” as teaming policy
      • Active/Standby failover for the NSX Edge L2VPN trunk interface
      • Use Sink Port and disable promiscuous mode
    3. No restriction on policy or failover for VMs

  2. Option 2: L2VPN Edges and VMs on the same ESXi host
    1. Use “Route based on originating virtual port” as teaming policy and Active/Standby failover for the NSX Edge L2VPN trunk interface
    2. VM port groups can use any teaming policy but only one uplink active at a time
    3. Order of Active/Standby uplinks must be the same for all VM hosts and Edge hosts
    4. Configure the client-side standalone edge to use Sink Port mode and disable promiscuous mode on the trunk vNic

Client Edge Sink Port Configuration

  1. If deployed as part of an NSX implementation, this configuration is automated
  2. When deployed as a standalone edge and connected to a vDS, the Sink port must be configured manually
  3. Sink port configuration is done at vDS level and requires manual modification of the port – follow guidelines in the NSX admin guide

Add Layer 2 VPN Client/Server

Server Configuration

  1. Configure a sub-interface for the VLAN/VXLAN to be stretched
  2. Select the “Server” checkbox and click Change to set the following parameters:
    1. Listener IP/Port
    2. Encryption Algorithm
    3. Certificate

  3. Add a site and configure the parameters using the sub-interface defined earlier

Client Configuration

  1. Configure a sub-interface for the VLAN/VXLAN to be stretched
  2. Select Manage -> VPN -> L2VPN
  3. Select the “Client” checkbox and click Change to set the following parameters:
    1. Server Address/Port
    2. Encryption Algorithm
    3. Sub-Interfaces
    4. Gateway
    5. User credentials
    6. Advanced -> Proxy Settings (if no direct access to Internet/WAN)

  4. If a standard port group is used on the Client Site, enable Promiscuous Mode and Forged Transmits on it

Standalone VPN Client

If the client-side VPN Edge is a standalone, configure the following on the trunk port:

  • Standard Trunk Port Group:
    • Enable forged transmits
    • Enable promiscuous mode
  • vDS Trunk Port Group:
    • Enable forged transmits
    • Configure a Sink port or enable promiscuous mode (sink port recommended)

View Layer 2 VPN Statistics

  • L2VPN Statistics can be viewed per tunnel from the Client side
  • Click “Fetch Status” and expand “Tunnel” to view statistics for each tunnel

Configure Network Access/Web Access SSL VPN-Plus

VPN-Plus allows remote users to access private corporate applications

  • Network Access: Client installed on remote user machine
  • Web Access: No client install on remote user machine

Edit Client Configurations

Manage -> SSL VPN-Plus -> Client Configuration and click “Change”

  • Tunnelling mode:
    • Full: all client traffic is passed down the VPN Tunnel
      • Exclude local subnets: exclude local traffic from the tunnel
    • Split: only VPN traffic is passed down the VPN Tunnel
  • Enable auto reconnect for client to automatically reconnect if VPN connection drops
  • Client upgrade notification: Notify end user that client upgrade is available

Edit General Settings

Manage -> SSL VPN-Plus -> General Settings

  Select                                      To
  Prevent multiple logon using same username  Allow a remote user to login only once
  Enable compression                          Enable TCP based intelligent data compression
  Enable logging                              Maintain a log of the traffic passing through the SSL VPN gateway
  Force virtual keyboard                      Allow remote users to login with virtual keyboard only
  Randomize keys of virtual keyboard          Make the virtual keyboard keys random
  Enable forced timeout                       Disconnect remote user after specified timeout period
  Session idle timeout                        End user session after timeout period
  User notification                           Login message
  Enable public URL access                    Allow access to sites not configured (and not listed on web portal)

Edit Web Portal Designs

Manage -> SSL VPN-Plus -> Portal Customization

Items that can be customised:

  • Portal Design: Title, Company Name, Logo, Colours
  • Client Design: Banner, Icons

Add/Edit/Delete IP Pools

Manage -> SSL VPN-Plus -> IP Pools

Pool Configuration:

  • Range/Mask/Gateway
  • DNS/WINS

Add/Edit/Delete Private Networks

Manage -> SSL VPN-Plus -> Private Networks

Determines the private networks that a user can access when connected to a VPN

  • Network: subnet
  • Send Traffic:
    • Over Tunnel: Send traffic to the NSX Edge first
    • Bypass Tunnel: Bypass the NSX Edge and go directly to the endpoint (public or private)
    • Enable TCP Optimization:
      • Use when Send Traffic Over Tunnel is selected.
      • NSX Edge opens TCP connections on behalf of client
      • Prevents TCP-over-TCP meltdown, whereby the inner and outer TCP sessions both try to retransmit the same lost IP packet
    • Ports: List of ports eligible for TCP Optimization

Add/Edit/Delete Installation Packages

Manage -> SSL VPN-Plus -> Installation Package

  • Windows package is created by default
  • Add Gateway/IP
  • Add MAC/Linux if needed

Windows Installation Parameters

  Option                                  Description
  Start client on logon                   The SSL VPN client is started when the remote user logs on to his system
  Allow remember password                 Enables the remember-password option in the client
  Enable silent mode installation         Hides installation commands from remote user
  Hide SSL client network adapter         Hides the VMware SSL VPN-Plus Adapter, which is installed on the remote user’s computer along with the SSL VPN installation package
  Hide client system tray icon            Hides the SSL VPN tray icon which indicates whether the VPN connection is active or not
  Create desktop icon                     Creates an icon to invoke the SSL client on the user’s desktop
  Enable silent mode operation            Hides the pop-up that indicates that installation is complete
  Server security certificate validation  The SSL VPN client validates the SSL VPN server certificate before establishing the secure connection

Add/Edit/Delete Users

Manage -> SSL VPN-Plus -> Users

Local users only

Configure an Authentication Provider to use AD/LDAP/RADIUS.

Add/Edit/Delete Login/Logoff script

Manage -> SSL VPN-Plus -> Logon/Logoff Scripts

Bind login/logoff scripts with Edge

Determine appropriate VPN service type for a given NSX implementation

  • IPSec VPN: Connect remote Datacenters over an L3 encrypted connection
  • SSL VPN-Plus: Remote access for end users to corporate resources
  • L2 VPN: Stretch L2 segments to remote Datacenters or ISPs