VCAP6-NV (3V0-643) Study Guide – Part 9A. NSX IPSec VPNs.

This is part 9A of 20+ blogs I am writing covering the exam prep guide for the VMware Certified Advanced Professional 6 – Network Virtualisation Deployment (3V0-643) VCAP6-NV certification.

At the time of writing there is no VCAP Design exam stream, thus you’re automatically granted the new VMware Certified Implementation Expert 6 – Network Virtualisation (VCIX6-NV) certification by successfully passing the VCAP6-NV Deploy exam.

Previous blogs in this series:

Part 1 – Intro
Part 2 – Objective 1.1
Part 3 – Objective 1.2
Part 4 – Objective 1.3
Part 5 – Objective 2.1
Part 6 – Objective 2.2
Part 7 – Objective 2.3
Part 8 – Objective 3.1

This blog covers:

Section 3 – Deploy and Manage VMware NSX Network Services
Objective 3.2 – Configure and Manage Logical Private Networks (VPNs)

  • Configure IPSec VPN service to enable site to site communication

As exam objective 3.2 is quite large and covers IPSec VPNs, SSL VPNs and Layer 2 VPNs, I have decided to split objective 3.2 into 3 parts, the first (9A) being IPSec VPNs, (9B) being SSL VPNs and (9C) being Layer 2 VPNs.


Configure IPSec VPN Service to Enable Site to Site Communication

IPSec is a set of protocols that authenticates and encrypts every packet of a session and functions at the Network layer (Layer 3) of the OSI model.

An IPSec VPN creates a secure encrypted tunnel between two endpoints. Any traffic type can flow across the tunnel, e.g. TCP, UDP or ICMP, email or web traffic.

NSX supports Site to Site IPSec VPNs, which create a secure tunnel between the Edge Services Gateway (ESG) and a remote site that has some form of hardware or software IPSec VPN endpoint forming the other side of the tunnel.

Once the Site to Site IPSec VPN has been configured on the ESG, subnets are defined to be shared between sites. The defined subnets and the internal network behind the ESG cannot have overlapping address ranges.

[Diagram: vpn19]

The size of the ESG is determined by the number of local and peer subnets and is calculated as local subnets × peer subnets = number of tunnels. The number of tunnels required determines the size of the ESG to be deployed. The size of the ESG can be increased after deployment if required. VMware sizing requirements are shown below:

[Image: vpn3]
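As an added example (not from the original post), here is a small Python planner that applies the sizing rule above, local subnets × peer subnets per peer site, and checks the no-overlap requirement using the lab networks from this post; the /24 masks are an assumption, since the post only names the networks.

```python
import ipaddress
from itertools import product

# Constructed planning input modelled on the lab in this post.
# The /24 masks are an assumption: the post only names the networks.
DATACENTRE_LOCAL_SUBNETS = ["192.168.5.0/24"]
DATACENTRE_PEER_SITES = {"RemoteSite": ["172.16.0.0/24"]}


def tunnel_count(local_subnets, peer_sites):
    """Tunnels the ESG must build: local subnets x peer subnets, summed over peer sites.

    This number is what drives the ESG size chosen at deployment.
    """
    return sum(len(local_subnets) * len(peers) for peers in peer_sites.values())


def find_overlaps(local_subnets, peer_sites):
    """Return (local, site, peer) triples whose address ranges overlap.

    NSX requires the shared subnets and the internal network behind the ESG
    to be non-overlapping, so any hit here means the design must change
    before the VPN is published.
    """
    clashes = []
    for site, peers in peer_sites.items():
        for local, peer in product(local_subnets, peers):
            l_net = ipaddress.ip_network(local, strict=False)
            p_net = ipaddress.ip_network(peer, strict=False)
            if l_net.overlaps(p_net):
                clashes.append((local, site, peer))
    return clashes


def plan(local_subnets, peer_sites):
    """Summarise the plan: tunnel count and whether the design is valid."""
    clashes = find_overlaps(local_subnets, peer_sites)
    return {
        "tunnels": tunnel_count(local_subnets, peer_sites),
        "overlaps": clashes,
        "valid": not clashes,
    }


if __name__ == "__main__":
    print(plan(DATACENTRE_LOCAL_SUBNETS, DATACENTRE_PEER_SITES))
    # A deliberately bad design: one peer subnet sits inside the local /16.
    print(plan(["10.0.0.0/16"], {"Branch": ["10.0.5.0/24", "172.16.1.0/24"]}))
```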

The NSX IPSec VPN supports the following IPSec encryption standards:

[Image: vpn6]

The NSX IPSec VPN supports Pre-Shared Key (PSK) or SSL Certificates for authentication.


There are a few steps to configure the Site to Site IPSec VPN on the ESG such as:

  • Enable the IPSec VPN Service
  • Add an SSL Certificate for the IPSec VPN (optional)
  • Configure Global IPSec VPN Configuration
  • Configure IPSec VPN parameters
  • Enable Logging (optional)

Note: NSX does not support using Dynamic Routing Protocols on the ESG to advertise internal networks. You will need to remove the Dynamic Routing and configure Static Routes to your internal networks (if they are not directly connected, i.e. they hang off a DLR).

Note: Make sure your Distributed Logical Router (DLR) has its Default Gateway configured to point to the internal interface of the ESG so all unknown requests are sent there.

Enable the IPSec VPN Service

Enabling the service allows traffic to flow between local and remote subnets.

Log into the vSphere Web Client.

Click Networking and Security, then NSX Edges.

Double-click the ESG that the IPSec VPN will be configured on.

Click Manage, then VPN.

Click the Enable button.

[Screenshot: vpn1]

Make sure you click Publish Changes to apply the configuration.

[Screenshot: vpn2]


Add an SSL Certificate for the IPSec VPN (optional)

The NSX IPSec VPN supports SSL certificates or a PSK (Pre-Shared Key) for authentication. Should you require certificate authentication, you will need to generate a Certificate Signing Request (CSR) and have it signed by a Certificate Authority.

For the exam VMware might ask for this requirement, and as there probably isn’t a CA we will have access to, they may just ask for the certificate to be self-signed.

The process below shows how to generate a CSR and self-sign it.

Log into the vSphere Web Client.

Click Networking and Security, then NSX Edges.

Double-click the ESG that the IPSec VPN will be configured on.

Click Manage, then Certificates.

Click the blue cog and select Generate CSR.

[Screenshot: vpn7]

Populate the fields with information relevant to your environment.

[Screenshot: vpn8]

You can now see your CSR, highlighted in blue.

[Screenshot: vpn9]

Click the blue cog and select Self Sign Certificate.

[Screenshot: vpn10]

Enter the number of days this certificate will be valid for.

[Screenshot: vpn11]

The self-signed certificate has now been created.

[Screenshot: vpn12]

When you configure the Global Configuration options you will be able to select this certificate instead of the default PSK authentication method.

Configure Global IPSec Configuration

This configuration enables the IPSec VPN on the ESG.

Log into the vSphere Web Client.

Click Networking and Security, then NSX Edges.

Double-click the ESG that the IPSec VPN will be configured on.

Click Manage, then VPN, followed by IPSec VPN.

Under Global Configuration Status, click Change.

[Screenshot: vpn14]

Enter your Pre-Shared Key (PSK), or if you require Certificate Authentication, select the Service Certificate and the CA Certificate. I have configured both options just to show them in one screenshot.

[Screenshot: vpn15]

Make sure you click Publish Changes to apply the configuration.

[Screenshot: vpn17]


Configure IPSec VPN Parameters

This is where you configure the actual local and remote IPSec VPN settings. At a minimum you must specify at least one external IP address on the ESG.

Log into the vSphere Web Client.

Click Networking and Security, then NSX Edges.

Double-click the ESG that the IPSec VPN will be configured on.

Click Manage, then VPN, followed by IPSec VPN.

Click the green + sign to Add an IPSec VPN.

[Screenshot: vpn18a]

Enter the relevant information for the VPN connection. My configuration is shown.

[Screenshot: vpn22]

Make sure you click Publish Changes to apply the configuration.

[Screenshot: vpn21]

In the last section of this blog, “My Lab IPSec VPN Configuration”, I will show the working config for an NSX Site to Site IPSec VPN between two ESGs with a DLR in the middle acting as an Internet router, which is running in my nested lab.


Enable Logging

Pretty simple task. This enables logging of all IPSec VPN traffic.

Log into the vSphere Web Client.

Click Networking and Security, then NSX Edges.

Double-click the ESG that the IPSec VPN will be configured on.

Click Manage, then VPN, followed by IPSec VPN.

Click Logging Policy, tick the box to Enable and select your logging level.

Make sure you click Publish Changes to apply the configuration.

[Screenshot: vpn21]

My Lab IPSec VPN Configuration

I am using the same IP addressing as the example configuration shown below, which is from the VMware NSX 6.2 documentation. Some of the bits in this VMware doco are also incorrect.

[Diagram: vpn19]

My configuration is between two ESGs with a DLR in the middle to simulate Internet routing, with a VM hanging off each local network. Once deployed, I can ping from a VM on the 192.168.5.0 network to the VM on the 172.16.0.0 network.

The left-hand side of the above diagram I will refer to as DataCentre and the right-hand side I will refer to as RemoteSite. There are no static routes or dynamic routing protocols involved. Prior to starting, the VMs cannot ping each other.

The DataCentre Configuration (left-hand side):

[Screenshot: vpn30]

The DataCentre Global Configuration:

[Screenshot: vpn31]

The DataCentre VPN Parameters:

[Screenshot: vpn32]


The RemoteSite Configuration (right-hand side):

[Screenshot: vpn33]

The RemoteSite Global Configuration:

[Screenshot: vpn34]

The RemoteSite VPN Parameters:

[Screenshot: vpn35]

Now if I jump on the console of either ESG and run the following command: show service ipsec, I can see the IPSec VPN configuration is active.

[Screenshot: console]

From a VM on the DataCentre side I can ping the VM on the RemoteSite, and I also show the traceroute.

[Screenshot: ping]

In my lab, the Logical Switches are directly connected to the ESG. If they are connected to a DLR you will need to make sure that the ESG has static routes to these networks.

Well, I hope that gave you a really good overview of NSX IPSec VPNs. I had never done any IPSec VPNs before, so I read plenty before even starting the deployment and config. Probably spent a good 15hrs working on this to the point of this final full stop here –>.

I have decided to stop here for the night and get some zzz’s as I am going to take my KTM for a decent caning tomorrow to clean off the dust!

The next blog, Part 9B will work through exam objective 3.2 covering: Configure SSL VPN Service to Allow Remote Users to Access Private Networks.

Be Social; Please share.

NSX rocks!
