NSX IPSec VPN

Internet Protocol Security (IPSec) VPN ensures secure and private communications over Internet Protocol (IP) networks. It authenticates and encrypts IP packets between two end points. A site-to-site VPN allows offices in multiple fixed locations to establish secure connections with each other over a public network such as the internet. Site-to-site VPN extends the company's network, making computer resources from one location available to employees at other locations. The goal is to securely connect two or more LAN networks and allow full communication between them, without any restrictions.

Manage IPSec VPN Service



To manage IPSec VPN service for a specific edge gateway:

  1. Go to your Control Panel > Cloud > Edge Gateways.
  2. Click the label of the necessary edge gateway from the list of all gateways in your cloud.
  3. Go to the IPSec VPN tab.
  4. You can manage the following options for the entire service for a specific edge:
    • Service status - move the slider to the right to enable IPSec VPN service for this edge gateway
    • Global shared key - the global pre-shared key (PSK) that is shared by all the sites whose peer endpoint is set to Any

      If a global PSK is already set, changing the PSK to an empty value and saving it has no effect on the existing setting. 

    • Edit icon - click to edit the global shared key
    • Preview icon - click to preview the global shared key
    • Log level - select one of the following options, where Emergency is the least detailed level of logging and Debug is the most detailed level of logging


Add IPSec VPN Site



OnApp IPSec VPN has two different session types: policy-based and route-based. With the policy-based IPSec VPN session type, you can connect multiple local subnets behind the NSX Edge with the peer subnets on the remote VPN site by using IPSec tunnels. Alternatively, if you select the route-based IPSec VPN session type, virtual tunnel interfaces (VTI) are created on the ESG appliance. Each VTI is associated with an IPSec tunnel. The encrypted traffic is routed from one site to another site through the VTI interfaces. IPSec processing happens only at the VTI interfaces.

To add an IPSec VPN site:

  1. Go to your Control Panel > Cloud > Edge Gateways.
  2. Select the necessary edge gateway from the list of all gateways in your cloud.
  3. Go to the IPSec VPN tab > click the IPSec VPN sites tab below.
  4. Click the button above the table to add a new site.
  5. In the window that appears, specify the following parameters:
    • Name - specify the name of the IPSec VPN site
    • Enabled - move the slider to the right to enable this IPSec VPN site
    • Enabled PFS - move the slider to the right to enable Perfect Forward Secrecy for this site
    • Local ID - enter the local ID to identify the local NSX Edge instance. This local ID is the peer ID on the remote site. Preferably, use the public IP address of the VPN or a fully qualified domain name (FQDN) for the VPN service as the local ID.
    • Local Endpoint - enter an IP address or an FQDN of the local endpoint. If you are adding an IP-to-IP tunnel using a pre-shared key, the local ID and local endpoint IP can be the same.
    • Local subnets - enter the subnets to share between the IPSec VPN sites in the CIDR format. Use a comma separator to enter multiple subnets.

      The local subnets behind an NSX Edge must have address ranges that do not overlap with the IP addresses on the peer VPN site. If the local and remote peer across an IPsec VPN tunnel have overlapping IP addresses, traffic forwarding across the tunnel might not be consistent.

    • Peer ID - enter the Peer ID to identify the peer site:
      • For peers using certificate authentication, this ID must be the distinguished name (DN) in the peer's certificate. Enter the DN of the certificate as a range of comma-separated values in the following order without spaces: C=xxx,ST=xxx,L=xxx,O=xxx,OU=xxx,CN=xxx,E=xxx.
      • For PSK peers, the peer ID can be any text value. Preferably, use the public IP address of the VPN or an FQDN for the VPN service as the peer ID.
    • Peer endpoint - enter an IP address or an FQDN of the peer endpoint. The default value is any. If you retain the default value, you must configure the Global PSK.
    • Peer subnet - enter the internal IP address of the peer subnet in the CIDR format. Use a comma separator to type multiple subnets.
    • Encryption algorithm - select one of the following supported encryption algorithms from the drop-down list:
      • AES (AES128-CBC)
      • AES256 (AES256-CBC)
      • Triple DES (3DES192-CBC)
      • AES-GCM (AES128-GCM)
    • Authentication - select one of the following options:
      • PSK (Pre Shared Key) - indicates that the secret key shared between NSX Edge and the peer site is to be used for authentication. The secret key can be a string with a maximum length of 128 bytes. PSK authentication is disabled in FIPS mode.
      • Certificate - indicates that the certificate defined at the global level is to be used for authentication.
    • Shared key - the global pre-shared key (PSK) is shared by all the sites whose peer endpoint is set to 'any'. If a global PSK is already set, changing the PSK to an empty value and saving it has no effect on the existing setting.
    • Diffie-Hellman Group - select one of the following cryptography schemes that allows the peer site and the NSX Edge to establish a shared secret over an insecure communications channel:
      • DH-2 (not available when the FIPS mode is enabled)
      • DH-5 (not available when the FIPS mode is enabled)
      • DH-14 (a default selection for both FIPS and non-FIPS mode)
      • DH-15
      • DH-16
    • Extension - type one of the following:
      • securelocaltrafficbyip=IPAddress to redirect Edge local traffic over the IPSec VPN tunnel. IP address is the default value.
      • passthroughSubnets=PeerSubnetIPAddress to support overlapping subnets.
    • Digest Algorithm - select one of the following secure hashing algorithms:
      • SHA1
      • SHA_256
    • IKE Option - select one of the following Internet Key Exchange (IKE) protocols to set up a security association (SA) in the IPSec protocol suite:
      • IKEv1 - when you select this option, IPSec VPN initiates and responds to IKEv1 protocol only
      • IKEv2 - when you select this option, IPSec VPN initiates and responds to IKEv2 protocol only
      • IKE-Flex - when you select this option, and if the tunnel establishment fails with IKEv2 protocol, the source site does not fall back and initiate a connection with the IKEv1 protocol. Instead, if the remote site initiates a connection with the IKEv1 protocol, then the connection is accepted

        If you configure multiple sites with the same local and remote endpoints, make sure that you select the same IKE version and PSK across all these IPSec VPN sites.

    • IKE Responder Only - move the slider to the right to operate IPSec VPN in a responder-only mode. In this mode, IPSec VPN never initiates a connection.
    • Session Type - select one of the possible options:
      • policy based - select to use the policy-based IPSec VPN
      • route-based - select to use the route-based IPSec VPN. If you select this session type, fill in the following additional fields that will appear:
        • Tunnel Interface IP CIDR  
        • Tunnel Interface MTU - default value is 1476. Valid values are in the range from 92 to 8976

  6. Click the Save button above the table to apply the changes.
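The parameter rules stated above (no overlap between local and peer subnets, PSK and DH-2/DH-5 unavailable in FIPS mode, the 128-byte PSK limit, the C,ST,L,O,OU,CN,E order for certificate peer IDs, a global PSK whenever the peer endpoint is 'any', and the same IKE option and PSK across sites that share endpoints) can be checked before a site is saved. This is an added example, not OnApp or NSX code; the site dictionary keys and the sample site are assumptions, and the DN check assumes unused attributes may be omitted.

```python
import ipaddress
FIPS_BLOCKED_DH = {"DH-2", "DH-5"}                 # page: unavailable when FIPS mode is enabled
DN_ORDER = ["C", "ST", "L", "O", "OU", "CN", "E"]  # page: required attribute order for cert peer IDs

def overlapping_subnets(local_cidrs, peer_cidrs):
    """(local, peer) pairs from two comma-separated CIDR lists whose address ranges overlap."""
    local = [ipaddress.ip_network(c.strip(), strict=False) for c in local_cidrs.split(",")]
    peer = [ipaddress.ip_network(c.strip(), strict=False) for c in peer_cidrs.split(",")]
    return [(str(a), str(b)) for a in local for b in peer if a.overlaps(b)]

def dn_order_ok(peer_id):
    """True if peer_id is 'C=..,ST=..,...' with no spaces, attributes in DN_ORDER (assumes unused attributes may be omitted)."""
    parts = peer_id.split(",")
    keys = [p.split("=", 1)[0] for p in parts]
    if " " in peer_id or any("=" not in p for p in parts) or not set(keys) <= set(DN_ORDER):
        return False
    idx = [DN_ORDER.index(k) for k in keys]
    return idx == sorted(set(idx))          # strictly increasing: right order, no repeats

def validate_site(site, fips_mode=False, global_psk=""):
    """Return the rule violations for one site dict; an empty list means the site passes."""
    problems = []
    if site["peer_endpoint"] == "any" and not global_psk:
        problems.append("peer endpoint 'any' requires the global PSK to be set")
    if site["authentication"] == "PSK" and fips_mode:
        problems.append("PSK authentication is disabled in FIPS mode")
    if site["authentication"] == "PSK" and len(site.get("shared_key", "").encode()) > 128:
        problems.append("shared key exceeds the 128-byte maximum")
    if site["authentication"] == "Certificate" and not dn_order_ok(site["peer_id"]):
        problems.append("certificate peer ID must be a DN in C,ST,L,O,OU,CN,E order without spaces")
    if fips_mode and site["dh_group"] in FIPS_BLOCKED_DH:
        problems.append(f"{site['dh_group']} is not available in FIPS mode")
    for loc, peer in overlapping_subnets(site["local_subnets"], site["peer_subnets"]):
        problems.append(f"local subnet {loc} overlaps peer subnet {peer}")
    return problems

def inconsistent_ike_sites(sites):
    """Names of sites sharing local and peer endpoints with an earlier site but using a different IKE option or PSK."""
    seen, bad = {}, []
    for s in sites:
        key = (s["local_endpoint"], s["peer_endpoint"])
        cfg = (s["ike_option"], s.get("shared_key"))
        if seen.setdefault(key, cfg) != cfg:
            bad.append(s["name"])
    return bad

# Constructed sample site (not from the page): one local subnet overlaps the peer subnet, and DH-5 fails FIPS.
SAMPLE_SITE = {"name": "branch-1", "authentication": "PSK", "shared_key": "example-psk", "peer_id": "vpn.example.net",
               "local_endpoint": "198.51.100.1", "peer_endpoint": "203.0.113.1", "dh_group": "DH-5", "ike_option": "IKEv2",
               "local_subnets": "10.10.0.0/16,10.20.0.0/24", "peer_subnets": "10.20.0.0/16", "session_type": "policy-based"}
```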


Edit IPSec VPN Site



To edit the details of an IPSec VPN site:

  1. Go to your Control Panel > Cloud > Edge Gateways.
  2. Select the necessary edge gateway from the list of all gateways in your cloud.
  3. Go to the IPSec VPN tab > click the IPSec VPN sites tab below.
  4. Click the edit icon next to the required IPSec VPN site.
  5. Make the necessary changes in the window that appears. The following parameters are available for editing:
  • Name - specify the name of the IPSec VPN site
  • Enabled - move the slider to the right to enable this IPSec VPN site
  • Enabled PFS - move the slider to the right to enable Perfect Forward Secrecy for this site
  • Local ID - enter the local ID to identify the local NSX Edge instance. This local ID is the peer ID on the remote site. Preferably, use the public IP address of the VPN or a fully qualified domain name (FQDN) for the VPN service as the local ID.
  • Local Endpoint - enter an IP address or an FQDN of the local endpoint. If you are adding an IP-to-IP tunnel using a pre-shared key, the local ID and local endpoint IP can be the same.
  • Local subnets - enter the subnets to share between the IPSec VPN sites in the CIDR format. Use a comma separator to enter multiple subnets.
  • Peer ID - enter the Peer ID to identify the peer site:
    • For peers using certificate authentication, this ID must be the distinguished name (DN) in the peer's certificate. Enter the DN of the certificate as a range of comma-separated values in the following order without spaces: C=xxx,ST=xxx,L=xxx,O=xxx,OU=xxx,CN=xxx,E=xxx.
    • For PSK peers, the peer ID can be any text value. Preferably, use the public IP address of the VPN or an FQDN for the VPN service as the peer ID.
  • Peer endpoint - enter an IP address or an FQDN of the peer endpoint. The default value is any. If you retain the default value, you must configure the Global PSK.
  • Peer subnet - enter the internal IP address of the peer subnet in the CIDR format. Use a comma separator to type multiple subnets.
  • Encryption algorithm - select one of the following supported encryption algorithms from the drop-down list:
    • AES (AES128-CBC)
    • AES256 (AES256-CBC)
    • Triple DES (3DES192-CBC)
    • AES-GCM (AES128-GCM)
  • Authentication - select one of the following options:
    • PSK (Pre Shared Key) - indicates that the secret key shared between NSX Edge and the peer site is to be used for authentication. The secret key can be a string with a maximum length of 128 bytes.
      PSK authentication is disabled in FIPS mode.
    • Certificate - indicates that the certificate defined at the global level is to be used for authentication. 
  • Shared key - the global pre-shared key (PSK) is shared by all the sites whose peer endpoint is set to 'any'. If a global PSK is already set, changing the PSK to an empty value and saving it has no effect on the existing setting.
  • Diffie-Hellman Group - select one of the following cryptography schemes that allows the peer site and the NSX Edge to establish a shared secret over an insecure communications channel:
    • DH-2 (not available when the FIPS mode is enabled)
    • DH-5 (not available when the FIPS mode is enabled)
    • DH-14 (a default selection for both FIPS and non-FIPS mode)
    • DH-15
    • DH-16
  • Extension - type one of the following:
    • securelocaltrafficbyip=IPAddress to redirect Edge local traffic over the IPSec VPN tunnel. IP address is the default value. 
    • passthroughSubnets=PeerSubnetIPAddress to support overlapping subnets.
  • Digest Algorithm - select one of the following secure hashing algorithms:
    • SHA1
    • SHA_256
  • IKE Option - select one of the following Internet Key Exchange (IKE) protocols to set up a security association (SA) in the IPSec protocol suite:
    • IKEv1 - when you select this option, IPSec VPN initiates and responds to IKEv1 protocol only.
    • IKEv2 - when you select this option, IPSec VPN initiates and responds to IKEv2 protocol only.
    • IKE-Flex - when you select this option, and if the tunnel establishment fails with IKEv2 protocol, the source site does not fall back and initiate a connection with the IKEv1 protocol. Instead, if the remote site initiates a connection with the IKEv1 protocol, then the connection is accepted.

      If you configure multiple sites with the same local and remote endpoints, make sure that you select the same IKE version and PSK across all these IPSec VPN sites.

  • IKE Responder Only - move the slider to the right to operate IPSec VPN in a responder-only mode. In this mode, IPSec VPN never initiates a connection.
  • Session Type - select one of the possible options:
    • policy based - select to use the policy-based IPSec VPN
    • route-based - select to use the route-based IPSec VPN. If you select this session type, the following additional fields will appear:
      • Tunnel Interface IP CIDR 
      • Tunnel Interface MTU - default value is 1476. Valid values are in the range from 92 to 8976

  6. Click the Save button above the table to apply the changes.


Certificate Authentication



If you select Certificate as the Authentication option for an IPSec VPN site, you must enable Certificate Authentication. You cannot upload a certificate on the OnApp side; certificates are imported into OnApp from vCloud when you import the edge gateway (if any certificates were assigned on the vCloud side).

Self-signed certificates cannot be used for IPSec VPN. 

To configure certificate authentication for IPSec VPN:

  1. Go to your Control Panel > Cloud > Edge Gateways.
  2. Select the necessary edge gateway from the list of all gateways in your cloud.
  3. Go to the IPSec VPN tab.
  4. Move the Enable Certificate Authentication slider to the right to enable service authentication. 
  5. On the page that appears, select the necessary service certificates, CA certificates and CRLs.


Delete IPSec VPN Site



To delete an IPSec VPN site:

  1. Go to your Control Panel > Cloud > Edge Gateways.
  2. Click the label of the edge gateway to which the required IPSec VPN site was added.
  3. Click the IPSec VPN tab.
  4. Click the IPSec VPN sites tab below. On the page that appears, you will see the list of IPSec VPN sites added to this edge gateway. 
  5. Click the line with the required IPSec VPN site to select it.
  6. Once the site is selected, click the delete button that appears above the table to delete the IPSec VPN site.
  7. Click the Save button above the table to apply the changes.