VCAP6-NV (3V0-643) Study Guide – Part 9A. NSX IPSec VPNs.

This is part 9A of 20+ blogs I am writing covering the exam prep guide for the VMware Certified Advanced Professional 6 – Network Virtualisation Deployment (3V0-643)  VCAP6-NV certification.

At the time of writing there is no VCAP Design exam stream, thus you’re automatically granted the new VMware Certified Implementation Expert 6 – Network Virtualisation (VCIX6-NV) certification by successfully passing the VCAP6-NV Deploy exam.

Previous blogs in this series:

Part 1 – Intro
Part 2 – Objective 1.1
Part 3 – Objective 1.2
Part 4 – Objective 1.3
Part 5 – Objective 2.1
Part 6 – Objective 2.2
Part 7 – Objective 2.3
Part 8 – Objective 3.1

This blogs covers:

Section 3 – Deploy and Manage VMware NSX Network Services
Objective 3.2 – Configure and Manage Logical Private Networks (VPNs)

  • Configure IPSec VPN service to enable site to site communication

As exam objective 3.2 is quite large and covers IPSec VPNs, SSL VPNs and Layer 2 VPNs, I have decided to split objective 3.2 into 3 parts, the first (9A) being IPSec VPNs, (9B) being SSL VPNs and (9C) being Layer 2 VPNs.

 

Configure IPSec VPN Service to Enable Site to Site Communication

IPSec is a set of protocols that authenticates and encrypts every packet of a session and functions at the Network layer (Layer 3) of the OSI model.

An IPSec VPN creates a secure encrypted tunnel between two endpoints. Any traffic type can flow across the tunnel e.g. TCP, UDP or ICMP, email or web traffic.

NSX supports Site to Site IPSec VPNs and is used to create a secure tunnel between the Edge Services Gateway (ESG) and a remote site that will also have some form of hardware or software IPSec VPN endpoint that forms the other side of the tunnel.

Once the Site to Site IPSec VPN has been configured on the ESG, subnets are defined to be shared between sites. The defined subnets and the internal network behind the ESG cannot have overlapping address ranges.

vpn19

The size of the ESG is determined by the amount of local and peer subnets and is calculated by ‘local subnets X peer subnets = number of tunnels‘. The number of tunnels required determines the size of the ESG to be deployed. The size of the ESG can be increased after deployment if required. VMware sizing requirements are shown below:

vpn3

The NSX IPSec VPN supports the following IPSec encryption standards:

vpn6

The NSX IPSec VPN supports Pre-Shared Key (PSK) or SSL Certificates for authentication.

vpn6

There are a few steps to configure the Site to Site IPSec VPN on the ESG such as:

  • Enable the  IPSec VPN Service
  • Adding a SSL Certificate for the IPSec VPN (optional)
  • Configure Global IPSec VPN Configuration
  • Configure IPSec VPN parameters
  • Enable Logging (optional)

Note: NSX does not support using Dynamic Routing Protocols on the ESG to advertise internal networks. You will need to remove the Dynamic Routing and configure Static Routes to your internal networks (if they are not directly connected i.e. they hang off a DLR).

Note: Make sure your Distributed Logical Router (DLR) has its Default Gateway configured to point to the internal interface of the ESG so all unknown requests are sent there.

Enable the IPSec VPN Service

Enabling the service allows traffic to flow between local and remote subnets.

Log into the vSphere Web Client.

Click Networking and Security, then NSX Edges.

Double-click the ESG that the IPSec VPN will be configured on.

Click Manage, then VPN.

Click the Enable button.

vpn1

Make sure you click Publish Changes to apply the configuration.

vpn2

 

Add a SSL Certificate for the IPSec VPN (optional)

The NSX IPSec VPN supports SSL certificates or PSK (Pre-Shared Key) for authentication. Should you require certificate authentication you will need to generate a Certificate Signing Request (CSR) and get this CSR signed by a Certificate Authority.

For the exam VMware might ask for this requirement and as there probably isn’t a CA we will have access to they may just ask for the certificate to be self-signed.

The below process is how to generate a CSR and self-sign it.

Log into the vSphere Web Client.

Click Networking and Security, then NSX Edges.

Double-click the ESG that the IPSec VPN will be configured on.

Click Manage, then Certificates.

Click the blue cog and select Generate CSR.

vpn7

Populate the fields with information relevant to your environment.

vpn8

You can now see your CSR, highlighted in blue.

vpn9

Click the blue cog and select Self Sign Certificate.

vpn10

Enter the number of days this certificate will be valid for.

vpn11

The self signed certificate has now been created.

vpn12

When you configure the Global Configuration options you will be able to select this certificate, instead of using the default PSK authentication method.

Configure Global IPSec Configuration

This configuration enables the IPSec VPN on the ESG.

Log into the vSphere Web Client.

Click Networking and Security, then NSX Edges.

Double-click the ESG that the IPSec VPN will be configured on.

Click Manage, then VPN, followed by IPSec VPN.

Under Global Configuration Status, click Change.

vpn14

Enter your Pre-Shared Key (PSK) or if you require Certificate Authentication select the Service Certificate and the CA Certificate. I have configured both options just to show in one screenshot.

vpn15

Make sure you click Publish Changes to apply the configuration.

vpn17

 

Configure IPSec VPN Parameters

This is where you configure the actual local and remote IPSec VPN configuration. At a minimum you must specify at least one external IP address on the ESG.

Log into the vSphere Web Client.

Click Networking and Security, then NSX Edges.

Double-click the ESG that the IPSec VPN will be configured on.

Click Manage, then VPN, followed by IPSec VPN.

Click the green + sign to Add an IPSec VPN.

vpn18a

Enter the relevant information for the VPN connection. My configuration is shown.

vpn22

Make sure you click Publish Changes to apply the configuration.

vpn21

The last section of this blog: “My Lab IPSec VPN Configuration” I will show the working config for a NSX Site to Site IPSec VPN between two ESGs with a DLR in the middle acting as an Internet router which is running in my nested lab.

 

Enable Logging

Pretty simple task. This enables logging of all IPSec VPN traffic.

Log into the vSphere Web Client.

Click Networking and Security, then NSX Edges.

Double-click the ESG that the IPSec VPN will be configured on.

Click Manage, then VPN, followed by IPSec VPN.

Click Logging Policy, tick the box to Enable and select your logging level.

Make sure you click Publish Changes to apply the configuration.

vpn21

My Lab IPSec VPN Configuration

I am using the same IP addressing as the example configuration shown below which is from the VMware NSX 6.2 documentation. Some of the bits in this VMware doco is incorrect also.

vpn19

My configuration is between two ESGs with a DLR in the middle to simulate Internet routing, with a VM hanging off each local network. Once deployed I can ping from a VM on the 192.168.5.0 network to the VM on the 172.16.0.0 network.

The left-hand-side of the above diagram I will refer to as DataCentre and the right-hand-side I will refer to as RemoteSite. There are no static routes or dynamic routing protocols involved. Prior to starting the VMs cannot ping each other.

The DataCentre configuration: (left-hand-side)

vpn30

The DataCentre Global Configuration:

vpn31

The DataCentre VPN Parameters:

vpn32

 

The RemoteSite Configuration (right hand side)

vpn33

The RemoteSite Global Configuration:

vpn34

The RemoteSite VPN Parameters:

vpn35

Now if I jump on the console of either ESG and run the following command: show service ipsec , I can see the IPSec VPN configuration is active.

console

From a VM on the DataCentre side I can ping the VM on the RemoteSite, and I also show the trace route.

ping

In my lab, the Logical Switches are directly connected to the ESG. If they are connected to a DLR you will need to make sure that the ESG has static routes to these networks.

Well I hope that gave you a really good overview of NSX IPSec VPNs. I have never done any IPSec VPNs before so I read plenty before even starting the deployment and config. Probably spent a good 15hrs working on this to the point of this final full stop here –>.

I have decided to stop here for the night and get some zzz’s as I am going to take my KTM for decent caning tomorrow to clean off the dust!

The next blog, Part 9B will work through exam objective 3.2 covering: Configure SSL VPN Service to Allow Remote Users to Access Private Networks.

Be Social; Please share.

NSX rocks!

  1. […] Objective 3.2 – Configure and Manage Logical Virtual Private Networks (VPNs) […]

    Like

    Reply

  2. […] Part 1 – Intro Part 2 – Objective 1.1 Part 3 – Objective 1.2 Part 4 – Objective 1.3 Part 5 – Objective 2.1 Part 6 – Objective 2.2 Part 7 – Objective 2.3 Part 8 – Objective 3.1 Part 9A – Objective 3.2 IPSec VPNs […]

    Like

    Reply

  3. […] 2.1 Part 6 – Objective 2.2 Part 7 – Objective 2.3 Part 8 – Objective 3.1 Part 9A – Objective 3.2 IPSec VPNs Part 9B – Objective 3.2 SSL […]

    Like

    Reply

  4. […] 2.1 Part 6 – Objective 2.2 Part 7 – Objective 2.3 Part 8 – Objective 3.1 Part 9A – Objective 3.2 IPSec VPNs Part 9B – Objective 3.2 SSL VPNs Part 9C – Objective 3.3 L2 […]

    Like

    Reply

  5. […] 2.1 Part 6 – Objective 2.2 Part 7 – Objective 2.3 Part 8 – Objective 3.1 Part 9A – Objective 3.2 IPSec VPNs Part 9B – Objective 3.2 SSL VPNs Part 9C – Objective 3.2 L2 VPNs Part 10 – […]

    Like

    Reply

  6. […] 5 – Objective 2.1 Part 6 – Objective 2.2 Part 7 – Objective 2.3 Part 8 – Objective 3.1 Part 9A – Objective 3.2 IPSec VPNs Part 9B – Objective 3.2 SSL VPNs Part 9C – Objective 3.2 L2 VPNs Part 10 – Objective 3.3 Part […]

    Like

    Reply

  7. […] 5 – Objective 2.1 Part 6 – Objective 2.2 Part 7 – Objective 2.3 Part 8 – Objective 3.1 Part 9A – Objective 3.2 IPSec VPNs Part 9B – Objective 3.2 SSL VPNs Part 9C – Objective 3.2 L2 VPNs Part 10 – Objective 3.3 Part […]

    Like

    Reply

  8. […] 5 – Objective 2.1 Part 6 – Objective 2.2 Part 7 – Objective 2.3 Part 8 – Objective 3.1 Part 9A – Objective 3.2 IPSec VPNs Part 9B – Objective 3.2 SSL VPNs Part 9C – Objective 3.2 L2 VPNs Part 10 – Objective 3.3 Part […]

    Like

    Reply

  9. […] 5 – Objective 2.1 Part 6 – Objective 2.2 Part 7 – Objective 2.3 Part 8 – Objective 3.1 Part 9A – Objective 3.2 IPSec VPNs Part 9B – Objective 3.2 SSL VPNs Part 9C – Objective 3.2 L2 VPNs Part 10 – Objective 3.3 Part […]

    Like

    Reply

  10. […] Objective 3.2 – Configure and Manage Logical Virtual Private Networks (IPSec VPNs) […]

    Like

    Reply

  11. […] review the implementation and configuration of the IPSec VPN service refer to blog post 9A. Make sure everything is configured as it should […]

    Like

    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: