NSX for Newbies – Part 12: Configure IPsec VPN

In this post I’m going to cover:

  • Lab topology of an IPsec VPN (site-to-site VPN) within NSX
  • dLR routing configuration
  • HQ Perimeter ESG Configuration
  • Branch ESG Configuration
  • Testing connectivity
  • Observations

Lab Topology

IPsec VPN offers site-to-site connectivity between an NSX Edge instance and remote sites; in my examples these are HQ and Branch.
Besides the remote/branch office case, other use cases for IPsec VPN are cloud on-boarding and cloud-to-corporate connectivity.
Up to 64 tunnels are supported and a maximum of 10 sites can be configured. Dynamic routing protocols are not supported between NSX Edges and remote VPN routers: the NSX IPsec VPN is policy based, so what goes into the tunnel is decided by the local and peer subnets you declare on each site, not by routes learned from the other end. In the following scenario, the Perimeter ESG is configured as an IPsec endpoint exposing the distributed logical switch (Web, App, DB) subnets, which it reaches via the Transit network.
The networks exposed by an IPsec tunnel endpoint must either be directly connected or be subnets reachable through static routing (again, dynamic routing protocols are not supported across the tunnel).

*** UPDATE 17/11/2016 ***
Following some discussion with my Xtravirt colleague Richard Renardson, testing has been done to prove that dynamic routing protocols work between the dLR and the ESG; the limitation only applies between the VPN endpoints (ESGs). In addition, after consulting internally with VMware, confirmation arrived from Ray Budavari stating that the documentation given during the NSX ICM classes is misleading and dynamic routing protocols are indeed supported between dLR and ESGs. I’d like therefore to thank both Richard and the VMware team 🙂

dLR Routing configuration

Here I’m configuring the dLR default gateway so that it knows where to route unknown subnets to.
Manage > Routing  > Global Configuration > Default Gateway > Edit

HQ Perimeter ESG Configuration

  • If you had OSPF enabled, disable it  *** As per 17/11/2016 Update, this is not required so you can skip the next step ***
  • Add a static route that tells the ESG how to get to your Internal LIFs (dLR logical networks). In my case all the internal subnets can be summarised as

  • Manage > VPN > IPsec VPN, click + and enter the site details
    In my example the local endpoint is one of the IP addresses assigned to the ESG uplink; the local subnets are the internal networks behind the dLR, the peer endpoint is the Branch ESG uplink address and the peer subnets are the Branch networks

  • Enable and Publish the configuration

Branch ESG Configuration

A similar configuration is required on the Branch ESG, with the local and peer settings swapped: the Branch uplink address becomes the local endpoint, the HQ uplink address becomes the peer endpoint, and the local/peer subnet lists change places. The pre-shared key, encryption algorithm, PFS setting and DH group must be identical on both sides.

  • Manage > VPN > IPsec VPN > +

  • Save and Publish changes

  • The IPsec tunnel should now be up and running. Show Statistics will tell you if it isn’t; a tunnel that stays down almost always means a mismatch between the two sides (PSK, proposal, or subnets that are not exact mirrors of each other)
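Because the two site definitions are exact mirrors of each other, it is worth generating them from a single tunnel description instead of typing both by hand. The script below is an added example, not code from the original post or from VMware: it builds the two `<ipsec>` documents that the NSX-v Edge REST API accepts with `PUT /api/4.0/edges/{edgeId}/ipsec/config`, once from the HQ point of view and once from the Branch point of view, and refuses to produce anything if the PSK is short, the two endpoints share an address, or a local subnet overlaps a peer subnet (the classic cause of a tunnel that negotiates but never passes traffic). The element names follow the NSX-v 6.x API guide as I remember it and should be verified against your NSX version; the edge IDs, addresses and NSX Manager hostname are invented lab values.

```python
"""Mirrored IPsec site config for a pair of NSX-v Edges (added example)."""
import base64
import ipaddress
import urllib.request
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Endpoint:
    name: str            # site name as shown in the vSphere Web Client
    edge_id: str         # e.g. "edge-5"; assumption: looked up from /api/4.0/edges
    public_ip: str       # IPsec endpoint, one of the ESG uplink addresses
    subnets: List[str]   # networks exposed through the tunnel (CIDR)


@dataclass
class Tunnel:
    a: Endpoint
    b: Endpoint
    psk: str
    encryption: str = "aes256"   # NSX-v accepts aes, aes256, 3des, ...
    pfs: bool = True
    dh_group: str = "dh2"


def find_errors(t: Tunnel) -> List[str]:
    """Return the mistakes that produce a tunnel that is up but useless, or never up."""
    errors = []
    if len(t.psk) < 20:
        errors.append("PSK shorter than 20 characters; use a long random secret")
    if t.a.public_ip == t.b.public_ip:
        errors.append("both endpoints use the same public IP")
    for x in (ipaddress.ip_network(s) for s in t.a.subnets):
        for y in (ipaddress.ip_network(s) for s in t.b.subnets):
            if x.overlaps(y):
                errors.append(f"local subnet {x} overlaps peer subnet {y}; "
                              "a policy-based IPsec VPN needs disjoint ranges")
    return errors


def site_xml(local: Endpoint, peer: Endpoint, t: Tunnel) -> ET.Element:
    """One <site> element as seen from `local`; swapping the roles gives the other ESG."""
    site = ET.Element("site")
    ET.SubElement(site, "enabled").text = "true"
    ET.SubElement(site, "name").text = f"{local.name} to {peer.name}"
    ET.SubElement(site, "localId").text = local.public_ip
    ET.SubElement(site, "localIp").text = local.public_ip
    ET.SubElement(site, "peerId").text = peer.public_ip
    ET.SubElement(site, "peerIp").text = peer.public_ip
    ET.SubElement(site, "encryptionAlgorithm").text = t.encryption
    ET.SubElement(site, "enablePfs").text = str(t.pfs).lower()
    ET.SubElement(site, "dhGroup").text = t.dh_group
    local_subnets = ET.SubElement(site, "localSubnets")
    for s in local.subnets:
        ET.SubElement(local_subnets, "subnet").text = s
    peer_subnets = ET.SubElement(site, "peerSubnets")
    for s in peer.subnets:
        ET.SubElement(peer_subnets, "subnet").text = s
    ET.SubElement(site, "authenticationMode").text = "psk"
    ET.SubElement(site, "psk").text = t.psk
    return site


def ipsec_config(local: Endpoint, peer: Endpoint, t: Tunnel) -> bytes:
    """Whole <ipsec> body for one edge, with the service enabled."""
    root = ET.Element("ipsec")
    ET.SubElement(root, "enabled").text = "true"
    ET.SubElement(root, "sites").append(site_xml(local, peer, t))
    return ET.tostring(root, encoding="utf-8")


def both_sides(t: Tunnel) -> Dict[str, bytes]:
    """Map edge ID -> config body, one per endpoint, after validation."""
    errors = find_errors(t)
    if errors:
        raise ValueError("; ".join(errors))
    return {t.a.edge_id: ipsec_config(t.a, t.b, t),
            t.b.edge_id: ipsec_config(t.b, t.a, t)}


def parse_site(body: bytes) -> Dict[str, object]:
    """Read back the fields that must mirror each other (used to cross-check)."""
    root = ET.fromstring(body)
    site = root.find("sites/site")
    return {
        "localIp": site.findtext("localIp"),
        "peerIp": site.findtext("peerIp"),
        "localSubnets": [s.text for s in site.findall("localSubnets/subnet")],
        "peerSubnets": [s.text for s in site.findall("peerSubnets/subnet")],
        "psk": site.findtext("psk"),
    }


def push(manager: str, user: str, password: str, edge_id: str, body: bytes) -> int:
    """PUT the config to NSX Manager over HTTPS with basic auth; returns the HTTP status.
    Not called by the self-test below because it needs a live NSX Manager."""
    req = urllib.request.Request(
        f"https://{manager}/api/4.0/edges/{edge_id}/ipsec/config",
        data=body, method="PUT")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Content-Type", "application/xml")
    with urllib.request.urlopen(req) as resp:   # raises on 4xx/5xx
        return resp.status


if __name__ == "__main__":
    # Invented lab values: documentation ranges for the uplinks, RFC 1918 inside.
    hq = Endpoint("HQ", "edge-1", "198.51.100.10", ["10.10.0.0/16"])
    branch = Endpoint("Branch", "edge-2", "203.0.113.20", ["10.20.0.0/16"])
    for edge_id, body in both_sides(Tunnel(hq, branch, psk="correct horse battery staple 42")).items():
        print(edge_id, body.decode())
```

The `push` call is what replaces "Save and Publish" when you drive the edge through the API: the PUT applies the whole IPsec service configuration in one go, so keep the generated bodies under version control and diff them before pushing.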

Testing Connectivity

From the subnet, packets should cross the Transit network and then reach the Branch ESG.



It’s worth mentioning the auto-generated firewall rules that you will find on the ESG once the VPN is published:

The NSX Edge negotiates with Internet Key Exchange (IKE) v1, defined in RFC 2409 (RFC 4306 specifies IKEv2). IKE runs over UDP 500; when either endpoint sits behind NAT, NAT traversal moves IKE and the encrypted traffic to UDP 4500. Without NAT the encrypted payload travels as ESP, IP protocol 50, so the firewall must permit ESP between the two endpoints as well as the two UDP ports, which is exactly what the auto-generated rules do.

My NSX lab is nested, hence I have configured AES as the encryption algorithm. However, in a real production environment you would want to use hardware that supports AES-NI (Intel Advanced Encryption Standard New Instructions).
NSX Edges will offload AES encryption to the hardware on supported Intel Xeon and second-generation Intel Core processors. Up to 40% performance increase can be obtained. No user configuration is necessary, as AES-NI support in hardware is autodetected; the practical consequence is that on hosts with AES-NI there is no throughput reason to prefer 3DES or a weaker cipher over AES-256.

