NGP IPSec

The IPSec VPN supports establishing a virtual private network between an NSX Edge instance and remote sites. Certain prerequisites are required for its implementation:

Have IPSec NSX compatible equipment (a free test client is available here: https://strongswan.org/)
Have the ports udp-500 (port dedicated to the IPSec service) / udp-4500 (if behind a NAT address) and ICMP open

These flows are normally implemented in the FW rules when the IPSEC service is activated.

More details HERE

The flows implemented in the FW rules when the IPSEC service is activated

Policy Based IPSec VPN

Go to the Networking / Edge Gateways / IPSec VPN menu then click NEW.

In the General settings section:
- Name your IPSec VPN
- Type:
  - Policy Based (Policy Based)
- Enable IPSec and Logging* if needed then click NEXT
- * for Logging, request the logs through your Support
In the Peer authentication mode section:
- Enter the shared key or the certificate then click NEXT

In the Endpoints configuration, specify the Public IPs and the Subnets to be shared between the 2 Sites:

Local endpoint : Public IP and Cloud Avenue Subnet
Remote endpoint : Incoming IP of the Remote Site (EndPoint) with the Site(s) Network(s)
Click NEXT

Check the Summary at the last step and click FINISH

On the main menu, choose SECURITY PROFILE CUSTOMIZATION:

Define the Encryption characteristics and Phases 1&2 then click SAVE

IKE Profile / Phase1: This phase refers to the stage where the 2 VPNs will create a secure and authenticated channel to communicate through a key exchange using the IKEv1 or IKEv2 protocol (Internet Key Exchange)
Tunnel configuration / Phase2: The purpose of phase 2 is for the 2 peers to agree on parameters that define the type of traffic to pass through the VPN (Local & Remote Endpoint) and how to encrypt and authenticate the traffic.

Route Based IPSec VPN

In the General settings section, specify the Type “Route Based” then select the desired authentication mode

In this section, we will define the local Public IP, the remote Public IP and the local IP of the VTI interface

Validate the final summary step then in the “Edge Gateway“/”Networking“/”Routing“/”Static Routes” section, add the Remote Network to be reached by specifying as the Next Hop the IP of the VTI then click “SAVE“

On the main menu, check that the VPN is Active and that there is indeed Incoming/Outgoing Traffic.

Overview

Practical sheets

Additional components

API

Backup

Cloud Customer Space

Contractual documents

Help and technical assistance

Online help

Roles and users

Technical Dashboards

The Support

Virtual Data Center ressources

KaaS

Network

Networks and External Interconnections (links)

VDC Networks

Secnumcloud

Security

Services Area

Log in to the service area

Services

Storage

Objet Storage (S3)

Advanced features implementation guide

Getting Started

Service user manual

Shared storage (Network storage)

VDC & Virtual Machines

Tooling & Troubleshooting

vCOD

Virtual Machines

Advanced Operations

Known Issues

Main Operations

VMware Cloud Director (VCD)

Catalogs

VMWare Cloud Director Availability (vCDA)

Q & A

Services

CaaS

Openshift

Openshift On VCD

Virtual datacenter

XaaS services

DBaaS

NGP IPSec

Policy Based IPSec VPN

Route Based IPSec VPN