NSX Edge Gateway VPN Configuration

Use the NSX Edge VPN service to connect to remote sites

Last Updated on 30th November 2021

Objective

A VPN creates a secured tunnel accross public networks to connect remote clients or sites to your infrastructure.

This guide explains the two ways to do it through the NSX Edge Gateway

Requirements

Instructions

Interface access

In the vSphere interface menu, go to the Networking and Security dashboard.

Menu

On the left side, navigate to the NSX Edges section then click on the appliance you're setting up.

NSX

In the VPN tab, you'll notice two types of VPN:

  • IPsec VPN : Internet Protocol Security VPN secures traffic between two networks connected over a public network through IPSec gateways called endpoints. It is hardware agnostic.
  • L2 VPN : in the case of NSX Edge Gateway, Layer 2 VPN connects NSX appliances across multiple sites and secures the connection through IPsec.

IPsec VPN

In the IPsec VPN section, click on the Edit button next to Global Configuration.

IPSEC

Set a Pre-Shared Key to be used by all connecting endpoints as needed.

You can add certificates if you have created any for VPN purposes in that window.

Click Save when done.

IPSEC

In the IPsec VPN Sites section, click + Add.

IPSEC

Name the site and enable it.

On the Endpoint page:

  • Local Id is the public IP of the VPN or its FQDN.
  • Local Endpoint is the IP address or FQDN of the NSX Edge Gateway (typically the same IP as Local ID).
  • Local Subnets are the subnets used for the VPN.
  • Peer Id is the public IP of the remote site or its FQDN.
  • Peer Endpoint default value is "any" but can be changed to an IP or FQDN. If you retain the default value, the Global PSK must be set.
  • Peer Subnets are the internal subnets used on the peer site.

IPSEC

In the Tunnel Configuration page, set your encryption parameters (including certificates if needed) then click Add.

IPSEC

You can now Start the IPsec VPN service and Publish all the changes made.

IPSEC

Your tunnel is up and active.

L2 VPN

L2 VPN is a Client-Server type of connection. We will set up the Server first.

Server Side

In the L2 VPN section, select Server mode then click on the Edit button next to Global Configuration Details.

L2

Set your Server Settings:

  • Listener IP is the Public IP of the NSX Edge Gateway you will use.
  • Listener port is 443 by default (standard https) but can be changed.
  • Choose your encryption type.
  • Use system generated certificate or select an available third party one if you added one.

Click OK then Save.

L2

Back in the L2 VPN section, click + Add in Site Configuration Details.

Set your Peer Site Settings:

  • Enable the site.
  • Name it.
  • Define a User Id and password that will be used to authenticate the tunnel connection.
  • Stretched Interfaces are the internal interfaces that will communicate with the peer site. Those interfaces need to be trunk interfaces.

Click Add.

L2

You can now Start the L2 VPN service and Publish all the changes made.

L2

Your server is up and active.

Client Side

On the client NSX, in the L2 VPN section, select Client mode then click on the Edit button next to Global Configuration Details.

L2

The settings mirror those of the server:

  • Server Address is the public IP of the NSX server side.
  • The Server Port is the one defined (443 by default but you may have changed it).
  • Use the same encryption type as the server.
  • This time, the Stretched Interfaces will be the client internal ones that will be communicating with the server side.
  • The User Id and password must be the same as defined on the server .

Click Save.

L2

You can now Start the L2 VPN service and Publish all the changes made.

L2

The client side is set and communications should flow.

Go further

Join our community of users on https://community.ovh.com/en/.


Did you find this guide useful?

Please feel free to give any suggestions in order to improve this documentation.

Whether your feedback is about images, content, or structure, please share it, so that we can improve it together.

Your support requests will not be processed via this form. To do this, please use the "Create a ticket" form.

Thank you. Your feedback has been received.


These guides might also interest you...

OVHcloud Community

Access your community space. Ask questions, search for information, post content, and interact with other OVHcloud Community members.

Discuss with the OVHcloud community

In accordance with the 2006/112/CE Directive, modified on 01/01/2015, prices exclude VAT. VAT may vary according to the customer's country of residence.