NSX-v Edge: Site-to-Site IPSEC VPN

Sep 14, 2015 NSX-v ipsec vpn
Share on:

This post will describe the process of setting up a site-to-site vpn from the VMware NSX Edge to a Cisco Cloud Services Router (CSR) 1000v, although we are using a virtual Cisco router, the process described below could be used for any remote device. In this post we will be configuring the Edge Services Gateway (ESG) via the vSphere Web Client, however, the method of setting up the VPN could easily be automated via the NSX REST API.

Pre-requisites:

  • NSX Edge Gateway (in this case NSX 6.1.2 deployment)
  • Remote VPN Device; in this case a Cisco CSR 1000v
  • Pre-shared Keys will be used in lieu of x.509 certificates; I will cover this scenario in a separate post at a later date.

Scenario

Local Site (VMware NSX):

  • NSX Edge Uplink interface IP Address: 192.168.255.1/30
  • NSX Internal Interface connected to logical switch, in this case I will be connecting it directly to a logical switch where my Virtual Machines reside.
  • NSX Internal Interface IP: 172.16.20.50/24
  • NSX Internal Network that will be tunnelled over the IPSEC tunnel: 172.16.20.0/24

Remote Site (Cisco CSR):

  • CSR (IOS XE Software-3.14.1S) Uplink Interface IP Address 192.168.255.2/30
  • CSR Internal Interface Address: 172.16.10.50/24
  • CSR Internal Network: 172.16.10.0/24

Steps to configure the NSX Edge

Prior to beginning configuration, it is assumed you already have your NSX Edge configured with an Uplink port to a VLAN backed Port Group and port to a internal logical switch.

  1. Log into your vSphere Web Client
  2. Select Networking & Security
  3. Select the + symbol to add a new edge gateway
  • Configure the NSX Edge Parameters
  • Name and Description:
  • Install Type: Edge Services Gateway
  • Name: ESG-VPN-01
  • Hostname: ESG-VPN-01
  • Description: Edge Services Gateway will be used to establish IPSEC L3 tunnel to remote datacenter
  • Tenant: BLANK
  • Settings:
  • Username: admin
  • Password: _Must be at least 12 characters and max 255 characters, contain a mix of upper case - and lower case. Also it must not contain username as substring or any character repearting 3 - times consecutively.
  • Enable SSH Access: Yes
  • Enable High Availability: No You may select this option in production environments, please - consult documentation for guidance
  • Enable Auto Rule Generation: Yes
  • Edge Control Level Logging: Emergency
  • Configure Deployment:
  • Datacenter: ABC Medical
  • Appliance Size: Compact
  • Deploy NSX Edge: Tick
  • Add new NSX Edge Appliance
  • The main thing to keep in mind is, you want to place the ESG on the Edge Cluster, that’s the - cluster where you have configured portgroups to connect to the physical network.
  • Configure Interfaces:
  • Add interfaces for uplink and internal network. You must have one interface defined as Uplink
  • Uplink vNIC: 192.168.255.1/30
  • Internal vNIC: 172.16.20.50/24
  • Default Gateway Settings:
  • Configure Default Gateway: UNTICK
  • Firewall and HA:
  • Configure Firewall default policy: Tick
  • Default Traffic Policy: Accept
  • Logging: Disable
  • Ready to complete: Verify configuration and select Finish
  1. Double click on the new ESG you created
  2. Click the VPN Tab and select add (Follow steps in screenshot below)
  • Select the following options in the Add IPSEC VPN Pane
  • Enabled: Tick
  • Enable perfect forward secrecy (PFS): Tick
  • Name: B2B VPN [CUSTOMERNAME]
  • Local Id: 192.168.255.1 – This needs to be the IP Address of the NSX Instance the VPN will be - running on
  • Local Endpoint: 192.168.255.1 – IP Address of interface originating the VPN tunnel (Tunnel - EndPoint)
  • Local Subnets: 172.16.20.0/24
  • Peer ID: 192.168.255.2
  • Peer Endpoint: 192.16.255.2
  • Peer Subnets: 172.16.10.0/24
  • Encryption Algorithm: AES
  • Authentication: PSK
  • Pre-Shared Key: cisco
  • Diffie-Hellman Group: DH2
  1. Select Enable
  2. Publish Changes

We can click on Show IPsec Statistics to see if the tunnel is up and what subnets are being tunnelled through, this of course is dependant on our remote end being configured.

For the purposes of this post, I have included a sample config for a Cisco CSR IPSEC VPN Tunnel; your configuration may vary:

 1crypto isakmp policy 10
 2encryption aes 
 3group 2
 4hash sha
 5lifetime 28800
 6authentication pre-share
 7 
 8crypto isakmp key 0 cisco address 192.168.255.1
 9 
10crypto ipsec transform-set NSX_TRANSFORM esp-aes esp-sha-hmac
11 
12access-list 101 permit ip 172.16.10.0 0.0.0.255 172.16.20.0 0.0.0.255
13 
14crypto map NSX_PEER_MAP 10 ipsec-isakmp
15    set peer 192.168.255.1
16    match address 101
17    set transform-set NSX_TRANSFORM
18    end
19 
20ip route 172.16.20.0 255.255.255.0 192.168.255.1 name NSX_REMOTE_NET    
21 
22interface Int gi1
23    ip address 192.168.255.2 255.255.255.0  
24    crypto map NSX_PEER_MAP
25    no shut

There you have it, a quick and easy guide on setting up IPSEC VPN to a remote CSR instance