
Section 3.1.2 Configuring and managing VPN services

Configuring and managing NSX VPN services





VMware NSX Edge Gateway services can act as the VPN endpoint for three types of VPN.

L2 VPNs – Extend Layer 2 networks between datacenters. L2 VPNs are useful for cloud bursting/onboarding, migrating to a new physical location, or disaster recovery.

IPsec VPNs – Used to connect datacenter networks. Allows the new datacenter to be accessed securely through a routed network.

SSL VPN-Plus – This is an end-user VPN. It allows users to securely access datacenter resources.


First, the IPsec VPN does not support dynamic routing, so you must disable OSPF on your ESG and configure a static route to the network(s) you need to reach.

1. Navigate to Networking and Security, select Edges and select your Edge. Click Manage -> VPN -> IPSec VPN.


2. Click on the green plus and fill out the form.

You will configure the same form on the other end of the VPN. Take the Local ID and Local Subnets from DC1 and enter them as the Peer ID and Peer Subnets on the VPN peer.

The Pre-shared key needs to be the same on both ends.



3. Screenshot of the peer. Notice the flipped fields.

4. Once both peers are configured, click the ENABLE button at the top of the IPSec VPN page.

Once that is done, you should be able to click the Show IPSec Stats link and see the VPN up.

5. You can configure a few global parameters for the IPsec VPN.

From the IPSec VPN menu, click the Change link.

6. Here you can configure a pre-shared key or an imported SSL certificate.
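The "flipped fields" in steps 2 and 3 are where most IPsec peer configs go wrong in the lab, so here is an added example (not from these notes, and not NSX's own API or data model) that models the IPSec VPN form as a plain dictionary, derives the peer's form by swapping the local and peer fields, and checks the pair the way the Show IPSec Stats link will judge it: same PSK, mirrored IDs, endpoints and subnets, and no overlapping subnets. Because the tunnel carries no dynamic routing, it also lists the static routes the Edge needs for the peer subnets. All addresses are constructed lab values, and the next-hop argument is an assumption you supply (your Edge's upstream gateway).

```python
"""Mirror an NSX Edge IPsec VPN site definition for the peer and sanity-check it.

Added example, not from the study notes. The site objects are plain
dictionaries modelled on the fields in the IPSec VPN form (Local ID, Local
Endpoint, Local Subnets, Peer ID, Peer Endpoint, Peer Subnets, PSK); the
field names are my own. All addresses are constructed lab values.
"""
import ipaddress

# Constructed DC1 site definition, as typed into the IPSec VPN form on the DC1 Edge.
DC1_SITE = {
    "name": "dc1-to-dc2",
    "local_id": "203.0.113.10",
    "local_endpoint": "203.0.113.10",
    "local_subnets": ["10.1.0.0/24", "10.1.1.0/24"],
    "peer_id": "198.51.100.20",
    "peer_endpoint": "198.51.100.20",
    "peer_subnets": ["10.2.0.0/24"],
    "psk": "lab-psk-change-me",  # constructed; use a strong random PSK in practice
}


def mirror_site(site, name=None):
    """Return the peer's form for the same tunnel: local and peer fields swap,
    the PSK stays the same. This is the 'flipped fields' screenshot in step 3."""
    return {
        "name": name or site["name"],
        "local_id": site["peer_id"],
        "local_endpoint": site["peer_endpoint"],
        "local_subnets": list(site["peer_subnets"]),
        "peer_id": site["local_id"],
        "peer_endpoint": site["local_endpoint"],
        "peer_subnets": list(site["local_subnets"]),
        "psk": site["psk"],
    }


def check_pair(a, b):
    """Return the problems that would keep the tunnel down (or up but useless)."""
    problems = []
    if a["psk"] != b["psk"]:
        problems.append("pre-shared key differs between the two ends")
    if a["local_id"] != b["peer_id"] or b["local_id"] != a["peer_id"]:
        problems.append("local/peer IDs are not mirrored")
    if a["local_endpoint"] != b["peer_endpoint"] or b["local_endpoint"] != a["peer_endpoint"]:
        problems.append("local/peer endpoints are not mirrored")
    if set(a["local_subnets"]) != set(b["peer_subnets"]) or set(b["local_subnets"]) != set(a["peer_subnets"]):
        problems.append("local/peer subnets are not mirrored")
    # A local subnet that overlaps a peer subnet cannot be routed sensibly through the tunnel.
    for ls in a["local_subnets"]:
        for ps in a["peer_subnets"]:
            if ipaddress.ip_network(ls).overlaps(ipaddress.ip_network(ps)):
                problems.append(f"local subnet {ls} overlaps peer subnet {ps}")
    return problems


def static_routes(site, next_hop):
    """Static routes this Edge needs because the IPsec VPN carries no dynamic
    routing (OSPF is disabled in the notes): one per peer subnet. The next hop
    is an assumption passed in by the caller (normally the Edge's upstream gateway).
    Returned as (destination, next_hop) string pairs."""
    return [(str(ipaddress.ip_network(s)), next_hop) for s in site["peer_subnets"]]


if __name__ == "__main__":
    dc2 = mirror_site(DC1_SITE, "dc2-to-dc1")
    print("DC2 form:", dc2)
    print("problems:", check_pair(DC1_SITE, dc2))
    print("DC1 static routes:", static_routes(DC1_SITE, "203.0.113.1"))
```

Run it once with the DC1 values, then paste the printed DC2 form into the peer's IPSec VPN form; an empty problems list is what you want to see before clicking ENABLE.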


Generate a Certificate Signing Request

You can use your NSX Edge Gateways for SSL termination for your load balancers. Creating a CSR is very simple. You can self-sign the cert or send the CSR out for a commercial cert. I will show how to self-sign a cert and use it in my lab.


1. Navigate to your ESG and manage it. Select the Settings -> Certificates menu.

2. Click on the Actions menu. Choose Generate CSR.

3. Fill out the CSR form and click OK.

4. Select the cert and choose Self Sign.

5. Give a time limit.

The cert can now be used by NSX services.

Enable IPSec logging

Logging is enabled with a single checkbox on the IPSec Configuration page.

Check the box and choose your logging level. Click Publish to save the changes.


Implementing SSL VPN

NSX can provide the endpoint for a user-level SSL VPN. It supports several authentication types (AD, RADIUS, local, ...), provides the download point for the VPN installer (Windows, Linux and Mac), provides the authentication URL, and can be configured to use logon/logoff scripts.


- Add an IP to your external ESG interface. This will be your VPN endpoint.

- Have an IP range ready to create an address pool for the VPN users.

- Have a list of private networks that need to be accessed from the VPN.

- Have an SSL cert configured on your ESG as shown in the previous section.


1. From your selected ESG, click on SSL VPN. Click on Change.


2. Select the IP address from the drop-down menu, select a cipher from the list, and select the cert you previously created.



3. Next click on the Pools menu and click the green plus to create a new pool.

Provide the IP info. Click OK.

4. The list of networks the users can access over the SSL VPN is configured under the Private Networks menu. Click on the green plus to add a private network.


5. There are 5 authentication server methods.

  • Active Directory

  • LDAP

  • RSA

Select your preferred method and complete the required form.


6. NSX allows you to build an installer for the VPN client. You select the options from the Installation Package menu.

The Gateway IP needs to be your Internet-accessible IP address or FQDN.

Packages can be created for Windows, Linux and Mac. There are other options for how the package interacts with the end user after installation.

7. If you are using local authentication, you will need to create a user.

8. Client Configuration controls whether you are using Split or Full Tunnel mode.

9. Login/logoff scripts can be added if needed.

10. General Settings holds basic connection settings.

11. You can customize the look and colors of the portal and add custom pictures.

12. Once everything is configured as you wish, click on the Dashboard and choose Enable Service. The Dashboard also shows some helpful stats about the usage of your SSL VPN.
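Steps 3, 4 and 8 above (address pool, private networks, split vs. full tunnel) are the parts of the SSL VPN-Plus setup that silently break client connectivity when they disagree with each other. The following is an added example, not from these notes and not NSX's own code or API, that checks a pool definition against the private-network list the way I would before enabling the service, and shows what a client ends up routing through the tunnel in each tunnel mode. The dictionary keys and all addresses are my own constructed lab values.

```python
"""Sanity-check an NSX SSL VPN-Plus address pool and private-network list.

Added example, not from the study notes. The dictionary keys mirror the
fields on the Pools menu but are my own names, and every address here is a
constructed lab value.
"""
import ipaddress

# Constructed pool, as entered on the Pools menu (step 3).
POOL = {
    "start": "172.16.50.10",
    "end": "172.16.50.100",
    "netmask": "255.255.255.0",
    "gateway": "172.16.50.1",
}

# Constructed private networks reachable over the VPN (step 4).
PRIVATE_NETWORKS = ["10.1.0.0/24", "10.1.1.0/24", "10.10.0.0/16"]


def pool_network(pool):
    """The network the pool lives in, derived from its gateway and netmask."""
    return ipaddress.ip_network(f"{pool['gateway']}/{pool['netmask']}", strict=False)


def pool_problems(pool, private_networks):
    """Return the mistakes that leave clients with an address but no working path."""
    problems = []
    start = ipaddress.ip_address(pool["start"])
    end = ipaddress.ip_address(pool["end"])
    gateway = ipaddress.ip_address(pool["gateway"])
    net = pool_network(pool)
    if start > end:
        problems.append("pool start is after pool end")
    if start not in net or end not in net:
        problems.append("pool range does not fit the gateway/netmask")
    if start <= gateway <= end:
        problems.append("gateway address lies inside the assignable range")
    # A pool that overlaps a private network gives clients addresses that
    # collide with the very networks they are trying to reach.
    for p in private_networks:
        if net.overlaps(ipaddress.ip_network(p)):
            problems.append(f"pool network {net} overlaps private network {p}")
    return problems


def client_routes(private_networks, split_tunnel):
    """Destinations a connected client sends through the tunnel (step 8).
    Split tunnel: only the private networks. Full tunnel: everything."""
    if split_tunnel:
        return [str(n) for n in sorted(ipaddress.ip_network(p) for p in private_networks)]
    return ["0.0.0.0/0"]


if __name__ == "__main__":
    print("pool problems:", pool_problems(POOL, PRIVATE_NETWORKS))
    print("split tunnel routes:", client_routes(PRIVATE_NETWORKS, True))
    print("full tunnel routes:", client_routes(PRIVATE_NETWORKS, False))
```

The split-tunnel list is also the list of destinations you should expect to see in the client's routing table once it connects; anything missing from it means the private network was not added under step 4.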




Enable/Disable L2 VPN

The L2 VPN allows you to extend an L2 segment from a remote site into NSX. This could be used to allow long-range vMotion through vCenter, or just to burst more resources into the same networks.

The L2 VPN is a client/server design. The server is the NSX endpoint in the target datacenter; the client is a specialized OVF that is imported into the remote datacenter. You will need to create a distributed port group in VLAN trunking mode and add a sub-interface to that network before starting. The following steps show how to configure the server side.


1. Create a new DV port group in VLAN trunking mode.

2. Edit a free ESG interface.

3. Provide a name and change the type to Trunk. Click the Change link and connect it to the trunking DV port group you created.

4. Select the Trunk port group.

5. Click the green plus to add a new sub-interface.

6. Name the sub-interface and choose backing type Network. Click the Change link.

7. Select the logical switch you are linking the L2 VPN to.

8. You should now have a sub-interface.

9. Next click on VPNs -> L2 VPN. Click on Change.

10. Select the listener IP address from the list, select the encryption, and if you have a certificate installed select it. Click OK.

11. Next click the green plus under Site Configuration Details.

Provide the name, username and password.

12. Click Enable and then publish the changes.



Configuring the Client side L2 VPN

The client side of the L2 VPN is configured through an OVF with customization options. To start you will just need to import the OVF and follow the process.

You can download it from VMware’s downloads.

  1. Start the OVF Deploy process

2. Browse to the location of your OVA. Click Next.

3. Check the Accept Extra Config Options box. Click Next.

4. Select your target folder.





5. Select your target host.

6. Select your target storage.

7. Select the NICs. The Public NIC must be able to reach the L2 VPN server. The Trunk NIC is the internal NIC that will be used to map the internal VLAN.

8. Provide passwords for all the user accounts, and the external IP address (public interface).

9. Make sure the ciphers match the server; provide the target server IP, TCP port, username and password. The sub-interfaces field needs to list which local VLAN maps to which tunnel ID on the server, in the format <LocalVLAN>(<REMOTE ID>).
10. Click finish.

If you matched everything properly, the VM will deploy and come up shortly after it boots. You can verify by clicking the VPN Stats link on the server end.
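Step 9 is where the client side most often disagrees with the server side from the previous section: a cipher that does not match, a port that differs, or a VLAN mapped to a tunnel ID that has no sub-interface on the ESG. The following added example (not from these notes, and not the OVF's or NSX's own code) parses the sub-interface field in the <LocalVLAN>(<REMOTE ID>) format from step 9 and compares the client's OVF properties against the server-side sub-interfaces and listener settings. The server/client dictionaries, the cipher string and the assumption that several mappings are comma-separated are my own constructed lab values.

```python
"""Validate the L2 VPN client OVF sub-interface mapping against the server side.

Added example, not from the study notes. The server-side representation,
the property names and the assumption that multiple mappings are
comma-separated are mine; the per-entry format <LocalVLAN>(<REMOTE ID>) is
the one given in step 9. All values are constructed lab values.
"""
import re

# Constructed server-side state: sub-interfaces created on the ESG trunk
# interface (server steps 5-8), keyed by tunnel ID, plus listener settings (step 10).
SERVER = {
    "listener_ip": "203.0.113.10",
    "listener_port": 443,
    "encryption": "AES256-SHA",  # constructed value; use whatever the server was set to
    "subinterfaces": {1: "ls-web", 2: "ls-app"},
}

# Constructed client-side OVF properties (client steps 8-9).
CLIENT = {
    "server_ip": "203.0.113.10",
    "server_port": 443,
    "encryption": "AES256-SHA",
    "subinterfaces": "10(1),20(2)",
}

# One entry: local VLAN ID, then the server tunnel ID in parentheses.
ENTRY = re.compile(r"^(\d{1,4})\((\d+)\)$")


def parse_subinterfaces(text):
    """Parse '10(1),20(2)' into {local_vlan: tunnel_id}. Raises ValueError on a
    malformed entry, an out-of-range VLAN, a VLAN listed twice, or no entries."""
    mapping = {}
    for raw in text.split(","):
        entry = raw.strip()
        if not entry:
            continue
        m = ENTRY.match(entry)
        if not m:
            raise ValueError(f"malformed sub-interface entry: {entry!r}")
        vlan, tunnel = int(m.group(1)), int(m.group(2))
        if not 1 <= vlan <= 4094:
            raise ValueError(f"VLAN {vlan} out of range")
        if vlan in mapping:
            raise ValueError(f"VLAN {vlan} mapped twice")
        mapping[vlan] = tunnel
    if not mapping:
        raise ValueError("no sub-interface mappings given")
    return mapping


def mapping_error(text):
    """None if the field parses cleanly, otherwise the error message."""
    try:
        parse_subinterfaces(text)
        return None
    except ValueError as exc:
        return str(exc)


def check_client(client, server):
    """Return the mismatches that stop the client coming up or leave a VLAN unbridged."""
    problems = []
    if client["server_ip"] != server["listener_ip"]:
        problems.append("client points at a different server IP than the listener")
    if client["server_port"] != server["listener_port"]:
        problems.append("TCP port differs from the server listener")
    if client["encryption"] != server["encryption"]:
        problems.append("cipher does not match the server")
    mapping = parse_subinterfaces(client["subinterfaces"])
    for vlan, tunnel in mapping.items():
        if tunnel not in server["subinterfaces"]:
            problems.append(f"VLAN {vlan} maps to tunnel ID {tunnel}, which has no sub-interface on the server")
    for tunnel in server["subinterfaces"]:
        if tunnel not in mapping.values():
            problems.append(f"server tunnel ID {tunnel} is not mapped to any local VLAN")
    return problems


if __name__ == "__main__":
    print("mapping:", parse_subinterfaces(CLIENT["subinterfaces"]))
    print("problems:", check_client(CLIENT, SERVER))
```

An unmapped server tunnel ID is not an error on either side, which is why it is worth flagging: the tunnel comes up and VPN Stats looks healthy, but that logical switch never reaches the remote site.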