NSX-V Edge: Site-to-Site IPSEC VPN

This post will describe the process of setting up a site-to-site vpn from the VMware NSX Edge to a Cisco Cloud Services Router (CSR) 1000v, although we are using a virtual Cisco router, the process described below could be used for any remote device. In this post we will be configuring the Edge Services Gateway (ESG) via the vSphere Web Client, however, the method of setting up the VPN could easily be automated via the NSX REST API.


  • NSX Edge Gateway (in this case NSX 6.1.2 deployment)
  • Remote VPN Device; in this case a Cisco CSR 1000v
  • Pre-shared Keys will be used in lieu of x.509 certificates; I will cover this scenario in a separate post at a later date.


Local Site (VMware NSX):

  • NSX Edge Uplink interface IP Address:
  • NSX Internal Interface connected to logical switch, in this case I will be connecting it directly to a logical switch where my Virtual Machines reside.
  • NSX Internal Interface IP:
  • NSX Internal Network that will be tunnelled over the IPSEC tunnel:

Remote Site (Cisco CSR):

  • CSR (IOS XE Software-3.14.1S) Uplink Interface IP Address
  • CSR Internal Interface Address:
  • CSR Internal Network:

Steps to configure the NSX Edge

Prior to beginning configuration, it is assumed you already have your NSX Edge configured with an Uplink port to a VLAN backed Port Group and port to a internal logical switch.

  1. Log into your vSphere Web Client
  2. Select Networking & Security
  3. Select the + symbol to add a new edge gateway

NSX Edge Site-to-Site IPSEC VPN 1

  • Configure the NSX Edge Parameters
  • Name and Description:
  • Install Type: Edge Services Gateway
  • Name: ESG-VPN-01
  • Hostname: ESG-VPN-01
  • Description: Edge Services Gateway will be used to establish IPSEC L3 tunnel to remote datacenter
  • Tenant: BLANK
  • Settings:
  • Username: admin
  • Password: _Must be at least 12 characters and max 255 characters, contain a mix of upper case and lower case. Also it must not contain username as substring or any character repearting 3 times consecutively.
  • Enable SSH Access: Yes
  • Enable High Availability: No You may select this option in production environments, please consult documentation for guidance
  • Enable Auto Rule Generation: Yes
  • Edge Control Level Logging: Emergency
  • Configure Deployment:
  • Datacenter: ABC Medical
  • Appliance Size: Compact
  • Deploy NSX Edge: Tick
  • Add new NSX Edge Appliance
  • The main thing to keep in mind is, you want to place the ESG on the Edge Cluster, that’s the cluster where you have configured portgroups to connect to the physical network.
  • Configure Interfaces:
  • Add interfaces for uplink and internal network. You must have one interface defined as Uplink
  • Uplink vNIC:
  • Internal vNIC:
  • Default Gateway Settings:
  • Configure Default Gateway: UNTICK
  • Firewall and HA:
  • Configure Firewall default policy: Tick
  • Default Traffic Policy: Accept
  • Logging: Disable
  • Ready to complete: Verify configuration and select Finish

NSX Edge Site-to-Site IPSEC VPN 2

  1. Double click on the new ESG you created
  2. Click the VPN Tab and select add (Follow steps in screenshot below)
  • Select the following options in the Add IPSEC VPN Pane
  • Enabled: Tick
  • Enable perfect forward secrecy (PFS): Tick
  • Local Id: – This needs to be the IP Address of the NSX Instance the VPN will be running on
  • Local Endpoint: – IP Address of interface originating the VPN tunnel (Tunnel EndPoint)
  • Local Subnets:
  • Peer ID:
  • Peer Endpoint:
  • Peer Subnets:
  • Encryption Algorithm: AES
  • Authentication: PSK
  • Pre-Shared Key: cisco
  • Diffie-Hellman Group: DH2
  1. Select Enable
  2. Publish Changes

We can click on Show IPsec Statistics to see if the tunnel is up and what subnets are being tunnelled through, this of course is dependant on our remote end being configured.

NSX Edge Site-to-Site IPSEC VPN 4

For the purposes of this post, I have included a sample config for a Cisco CSR IPSEC VPN Tunnel; your configuration may vary:

crypto isakmp policy 10
encryption aes 
group 2
hash sha
lifetime 28800
authentication pre-share

crypto isakmp key 0 cisco address

crypto ipsec transform-set NSX_TRANSFORM esp-aes esp-sha-hmac

access-list 101 permit ip

crypto map NSX_PEER_MAP 10 ipsec-isakmp
	set peer
	match address 101
	set transform-set NSX_TRANSFORM

ip route name NSX_REMOTE_NET	

interface Int gi1
	ip address	
	crypto map NSX_PEER_MAP
	no shut

There you have it, a quick and easy guide on setting up IPSEC VPN to a remote CSR instance

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s