NSX L2 VPN

With L2 VPN, you can stretch multiple logical networks (both VLAN and VXLAN) between different physical sites. In addition, you can configure multiple sites on an L2 VPN server. L2 VPN allows you to extend your datacenter by allowing virtual machines to retain network connectivity across geographical boundaries. Virtual servers remain on the same subnet when they are moved between sites and their IP addresses do not change. 

NSX L2 VPN configuration consists of three steps:

  1. Configuration of your destination edge - L2 VPN server
  2. Adding peer sites to the L2 VPN server
  3. Configuration of your source edge - L2 VPN client

Before you proceed further, please note that: 

  • The Any action on L2 VPN service and Any action on L2 VPN peer site permissions should be enabled for a user who wants to use NSX L2 VPN.
  • You must enable the L2 VPN service on both the server and the client. For that, use the L2 VPN slider located at the top left corner of the screen.



Edit L2 VPN Server


Configure the L2 VPN server, which is the destination NSX Edge to which the client connects.

To configure L2 VPN server:

  1. Go to Dashboard > Cloud > Edge Gateways menu.
  2. Click the label of the edge gateway for which you want to configure the server.
  3. Click the L2 VPN tab, then click Server > Server Global tab.
  4. On the page that follows, edit the following fields:
    • Listener IP - enter the primary or secondary IP address of an external interface of the NSX Edge
    • Listener Port - edit the port number for the L2 VPN service
    • Encryption algorithm - select one or more encryption algorithms to encrypt the communication between the server and the client
    • Validate server certificate - move the slider to the right to bind a certificate to the SSL VPN server, then select the certificate from the list that appears
  5. Click the Save button at the top of the page. 

Next, you can add and configure multiple sites on an L2 VPN server.


Add Peer Sites to L2 VPN Server


To add new peer sites:

  1. Go to Dashboard > Cloud > Edge Gateways menu.
  2. Click the label of the edge gateway for which you want to configure the server.
  3. Click the L2 VPN tab, then click Server > Server Sites tab.
  4. On the page that follows, edit the following details:
    • Name - enter a unique name for the peer site
    • Enabled - move the slider to the left to disable the newly added peer site
    • Description - add a description of your peer site
    • User ID - enter a user name with which the peer site is to be authenticated
    • User password - enter a password with which the peer site is to be authenticated
    • Confirm password - confirm the password
    • Select sub-interfaces - select the sub-interfaces to be stretched with the client
    • Egress optimization gateway address - enter the gateway IP addresses for which the traffic is to be locally routed or for which the traffic is to be blocked over the tunnel

      This option can be used if the default gateway for virtual servers is the same across the two sites. Provide a comma-separated list of IP addresses, e.g. 191.1.1.1, 192.1.1.1

  5. Click the Save button.


Edit Peer Sites


To edit peer sites:

  1. Go to Dashboard > Cloud > Edge Gateways menu.
  2. Click the label of the edge gateway for which you want to configure the server.
  3. Click the L2 VPN tab, then click Server > Server Sites tab.
  4. Click the icon next to the label of the peer site you want to edit.
  5. On the page that loads, edit the following details:
    • Name - enter a unique name for the peer site
    • Enabled - move the slider to the left to disable the newly added peer site
    • Description - add a description of your peer site
    • User ID - enter a user name with which the peer site is to be authenticated
    • User password - enter a password with which the peer site is to be authenticated
    • Confirm password - confirm the password
    • Select sub-interfaces - select the sub-interfaces to be stretched with the client
    • Egress optimization gateway address - enter the gateway IP addresses for which the traffic is to be locally routed or for which the traffic is to be blocked over the tunnel

  6. Click the Save button.

Next, proceed to the L2 VPN client, which is the source NSX Edge that connects to the server.



Edit L2 VPN Client


To edit the L2 VPN client:

  1. Go to Dashboard > Cloud > Edge Gateways menu.
  2. Click the label of the edge gateway for which you want to configure the client.
  3. Click the L2 VPN tab, then click Client > Client Global tab.
  4. On the page that loads, edit the following details:
    • Server address - enter the address of the L2 VPN server to which this client is to be connected
    • Server port - if necessary, edit the default port to which the L2 VPN client connects
    • Encryption algorithm - select the encryption algorithm for communicating with the server
    • Select sub-interfaces - select the sub-interfaces to be stretched to the server
    • Egress optimization gateway address - enter the gateway IP address of the sub interfaces or the IP addresses to which traffic should not flow over the tunnel
    • User ID - enter a user name with which the server is to be authenticated
    • User password - enter a password with which the peer site is to be authenticated
    • Confirm password - confirm the password
  5. Click the Save button at the top of the page.


Edit Advanced Client Settings


When the client Edge does not have direct access to the Internet and must reach the destination (server) NSX Edge through a proxy server, specify the proxy server settings as follows:

  1. Go to Dashboard > Cloud > Edge Gateways menu.
  2. Click the label of the edge gateway for which you want to configure the client.
  3. Click the L2 VPN tab, then click Client > Client Advanced tab.
  4. On the page that loads, edit the following details:
    • Enable secure proxy - move the slider to the right to enable only secure proxy connections
      • Proxy address - enter the proxy server address
      • Proxy port - enter the proxy server port
      • Proxy user name - enter a user name with which the proxy server is to be authenticated
      • Proxy user password - enter a user password with which the proxy server is to be authenticated
    • Use system generated certificate - move the slider to the right to use a system-generated certificate
  5. Click the Save button at the top of the page.
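The three steps above (server global settings, peer sites, client global and advanced settings) are entered by hand in the UI, and a mismatch between the two edges only shows up when the tunnel fails to come up. The following pre-flight validator is an added example, not OnApp or VMware code: it models the fields under their UI labels, parses the comma-separated egress optimization gateway list, flags out-of-range ports and a certificate slider enabled without a certificate, and cross-checks the client against the server it will dial. The dataclass names, the weak-algorithm markers, the sample addresses and cipher names, and the assumption that the client authenticates with a peer site's user ID and password on a port that is not rewritten by NAT are all constructed for this example.

```python
"""Pre-flight validator for the three-step NSX L2 VPN configuration described above.
Added example, not OnApp or VMware code: field names mirror this page's UI labels; the
weak-algorithm markers and the client/server cross-checks are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional
# Assumption: substrings marking an algorithm that should not be selected for the tunnel
# (generic TLS hygiene; the real drop-down contents depend on the NSX Edge version).
WEAK_MARKERS = ("NULL", "RC4", "DES", "MD5", "EXPORT")

@dataclass
class ServerGlobal:            # Server > Server Global tab
    listener_ip: str
    listener_port: int
    encryption_algorithms: List[str]
    validate_server_certificate: bool = False
    certificate: Optional[str] = None

@dataclass
class PeerSite:                # Server > Server Sites tab
    name: str
    user_id: str
    user_password: str
    confirm_password: str
    sub_interfaces: List[str]
    egress_gateways: str = ""  # raw comma-separated UI field

@dataclass
class ClientConfig:            # Client > Client Global and Client Advanced tabs
    server_address: str
    server_port: int
    encryption_algorithm: str
    user_id: str
    user_password: str
    confirm_password: str
    egress_gateways: str = ""
    enable_secure_proxy: bool = False
    proxy_address: str = ""
    proxy_port: Optional[int] = None

def parse_gateway_list(text: str) -> List[str]:
    """Parse 'Egress optimization gateway address', e.g. '191.1.1.1, 192.1.1.1'.
    Raises ValueError if any token is not an IP address."""
    return [str(ipaddress.ip_address(t.strip())) for t in text.split(",") if t.strip()]

def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def _valid_port(port) -> bool:
    return isinstance(port, int) and 1 <= port <= 65535

def _gateway_problems(owner: str, text: str) -> List[str]:
    try:
        parse_gateway_list(text)
        return []
    except ValueError:
        return [f"{owner}: egress gateway list is not comma-separated IP addresses"]

def validate_server(server: ServerGlobal, sites: List[PeerSite]) -> List[str]:
    """Problems with the destination edge and its peer sites; an empty list means OK."""
    p = []
    if not _is_ip(server.listener_ip):
        p.append(f"server: listener IP {server.listener_ip!r} is not an IP address")
    if not _valid_port(server.listener_port):
        p.append(f"server: listener port {server.listener_port!r} is out of range")
    p += [f"server: weak algorithm {a!r} selected" for a in server.encryption_algorithms
          if any(m in a.upper() for m in WEAK_MARKERS)]
    if server.validate_server_certificate and not server.certificate:
        p.append("server: certificate validation enabled but no certificate selected")
    for s in sites:
        if s.user_password != s.confirm_password:
            p.append(f"peer site {s.name!r}: password and confirmation differ")
        if not s.sub_interfaces:
            p.append(f"peer site {s.name!r}: no sub-interfaces selected to stretch")
        p += _gateway_problems(f"peer site {s.name!r}", s.egress_gateways)
    return p

def validate_client(client: ClientConfig, server: ServerGlobal, sites: List[PeerSite]) -> List[str]:
    """Problems with the source edge, cross-checked against the server it will dial."""
    p = []
    if not _is_ip(client.server_address):
        p.append(f"client: server address {client.server_address!r} is not an IP address")
    if client.server_port != server.listener_port:   # assumes no NAT rewrites the port
        p.append("client: server port does not match the server listener port")
    if client.encryption_algorithm not in server.encryption_algorithms:
        p.append(f"client: algorithm {client.encryption_algorithm!r} is not enabled on the server")
    # Assumption: the client authenticates with the user ID/password of one peer site.
    site = next((s for s in sites if s.user_id == client.user_id), None)
    if site is None:
        p.append(f"client: user ID {client.user_id!r} matches no peer site on the server")
    elif site.user_password != client.user_password:
        p.append(f"client: password differs from the one stored for peer site {site.name!r}")
    p += _gateway_problems("client", client.egress_gateways)
    if client.enable_secure_proxy and (not client.proxy_address or not _valid_port(client.proxy_port)):
        p.append("client: secure proxy enabled without a proxy address and valid port")
    return p
```

Run `validate_server` on the destination edge's settings first and `validate_client` on the source edge's settings second; each returns a list of human-readable problems, and an empty list from both means the values you are about to save in the two sets of tabs agree with each other.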