Today we're going to take a look at the VPN configuration options that NSX Edge offers us.
In general, we can divide VPN technologies into two key types:
Site-to-site VPN. The most common use of IPSec is to create a secure tunnel, for example, between a main office network and a network at a remote site or in the cloud.
Remote Access VPN. Used to connect individual users to corporate private networks using the VPN client software.
NSX Edge allows us to use both options.
We will configure everything on a test bench with two NSX Edges, a Linux server running the racoon IKE daemon, and a Windows laptop for testing Remote Access VPN.
IPsec
In the vCloud Director interface, go to the Administration section and select the vDC. On the Edge Gateways tab, select the Edge we need, right-click and select Edge Gateway Services.
In the NSX Edge interface, go to the VPN-IPsec VPN tab, then to the IPsec VPN Sites section and click + to add a new site.
Fill in the required fields:
- Enabled - activates the remote site.
- PFS - ensures that each new cryptographic key is not derived from any previous key.
- Local ID and Local Endpoint - the external address of the NSX Edge.
- Local subnets - local networks that will use the IPsec VPN.
- Peer ID and Peer Endpoint - address of the remote site.
- Peer subnets - networks that will use the IPsec VPN on the remote side.
Everything is ready, site-to-site IPsec VPN is up and running.
In this example, we used PSK for peer authentication, but certificate authentication is also possible. To do this, go to the Global Configuration tab, enable certificate authentication and select the certificate itself.
In addition, in the site settings, you will need to change the authentication method.
Note that the number of IPsec tunnels available depends on the size of the deployed Edge Gateway (see our first article for details).
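The Linux racoon peer in the test bench needs the same site parameters mirrored on its side. The following is an added example, not configuration from the article: the Linux endpoint 203.0.113.10, the two subnets, the AES-256/SHA-256/DH group 14 proposal and the SA lifetimes are assumed values chosen to match what was entered in the Edge site dialog, and the PSK is a placeholder.

```conf
# /etc/racoon/racoon.conf on the Linux peer (assumed address 203.0.113.10)
path pre_shared_key "/etc/racoon/psk.txt";

# Phase 1. From this host, the NSX Edge's Local Endpoint is the remote peer;
# the Edge's "Peer ID" is our identifier and its "Local ID" is the peer's.
remote 185.148.83.16 {
    exchange_mode main;
    my_identifier address 203.0.113.10;      # NSX "Peer ID"
    peers_identifier address 185.148.83.16;  # NSX "Local ID"
    proposal_check obey;
    lifetime time 28800 sec;                 # assumed IKE SA lifetime
    proposal {
        encryption_algorithm aes 256;        # assumed to match the Edge site settings
        hash_algorithm sha256;
        authentication_method pre_shared_key;
        dh_group modp2048;                   # DH group 14
    }
}

# Phase 2. Assumed subnets: the first is the Edge's "Peer subnets" (ours),
# the second is the Edge's "Local subnets" (behind the NSX Edge).
sainfo address 192.168.20.0/24 any address 192.168.10.0/24 any {
    pfs_group modp2048;                      # enables PFS, matching the Edge checkbox
    lifetime time 3600 sec;                  # assumed IPsec SA lifetime
    encryption_algorithm aes 256;
    authentication_algorithm hmac_sha256;
    compression_algorithm deflate;
}

# /etc/racoon/psk.txt (mode 0600): peer address, whitespace, shared secret
185.148.83.16 REPLACE_WITH_THE_PSK_ENTERED_ON_THE_EDGE

# /etc/ipsec-tools.conf (loaded with setkey -f): SPD entries selecting
# traffic between the two subnets for the ESP tunnel in each direction
spdadd 192.168.20.0/24 192.168.10.0/24 any -P out ipsec
    esp/tunnel/203.0.113.10-185.148.83.16/require;
spdadd 192.168.10.0/24 192.168.20.0/24 any -P in ipsec
    esp/tunnel/185.148.83.16-203.0.113.10/require;
```

If the tunnel does not come up, compare the phase 1 and phase 2 proposals here against the algorithms and DH group selected in the Edge site dialog first, since a mismatch there is the most common cause.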
SSL VPN
SSL VPN-Plus is one of the Remote Access VPN options. It allows individual remote users to securely connect to private networks behind the NSX Edge Gateway. In the case of SSL VPN-Plus, the encrypted tunnel is established between the client (Windows, Linux, Mac) and the NSX Edge.
Let's start setting up. In the Edge Gateway service control panel, go to the SSL VPN-Plus tab, then to Server Settings. We select the address and port on which the server will listen for incoming connections, enable logging and select the necessary encryption algorithms.
Here you can also change the certificate that the server will use.
After everything is ready, turn on the server and do not forget to save the settings.
Next, we need to set up a pool of addresses that we will issue to clients upon connection. This network is separate from any existing subnet in your NSX environment and does not need to be configured on other devices on the physical networks, except for the routes that point to it.
Go to the IP Pools tab and click +.
Select addresses, subnet mask and gateway. Here you can also change the settings for DNS and WINS servers.
The resulting pool.
Now let's add the networks that users connecting to the VPN will have access to. Go to the Private Networks tab and click +.
We fill in:
- Network - a local network to which remote users will have access.
- Send traffic - has two options:
  - over tunnel - send traffic to the network through the tunnel;
  - bypass tunnel - send traffic to the network directly, bypassing the tunnel.
- Enable TCP Optimization - check this if you chose the over tunnel option. When optimization is enabled, you can specify the port numbers for which you want to optimize traffic. Traffic for the remaining ports on that particular network will not be optimized. If no port numbers are specified, traffic for all ports is optimized. Read more about this feature here.
Next, go to the Authentication tab and click +. For authentication, we will use a local server on the NSX Edge itself.
Here we can select policies for generating new passwords and configure options for blocking user accounts (for example, the number of retries if the password is entered incorrectly).
Since we are using local authentication, we need to create users.
In addition to basic things like a name and password, here you can, for example, prohibit the user from changing the password or, conversely, force him to change the password the next time he logs in.
After all the necessary users have been added, go to the Installation Packages tab, click + and create the installer itself, which will be downloaded by a remote employee for installation.
Press +. Select the address and port of the server to which the client will connect, and the platforms for which you want to generate the installation package.
Below in this window, you can specify the client settings for Windows. Choose:
- start client on logon - the VPN client will be added to startup on the remote machine;
- create desktop icon - creates a VPN client icon on the desktop;
- server security certificate validation - validates the server certificate upon connection.
Server setup is complete.
Now let's download the installation package we created in the last step to a remote PC. When setting up the server, we specified its external address (185.148.83.16) and port (445). This is the address we open in a web browser; in my case it is 185.148.83.16:445.
In the authorization window, you must enter the credentials of the user we created earlier.
After authorization, we see a list of created installation packages available for download. We have created only one - we will download it.
We click on the link, the download of the client begins.
Unpack the downloaded archive and run the installer.
After installation, launch the client, in the authorization window, click Login.
In the certificate verification window, select Yes.
We enter the credentials for the previously created user and see that the connection was completed successfully.
We check the statistics of the VPN client on the local computer.
In the Windows command line (ipconfig /all), we see that an additional virtual adapter has appeared and there is connectivity to the remote network; everything works:
And finally, check from the Edge Gateway console.
L2 VPN
L2VPN is needed when you want to combine several geographically distributed networks into one broadcast domain.
This can be useful, for example, when migrating a virtual machine: when a VM moves to another geographical area, the machine will retain its IP addressing settings and will not lose connectivity with other machines located in the same L2 domain with it.
In our test environment, we will connect two sites to each other, which we will call A and B. We have two NSX Edges and two identically created routed networks attached to different Edges. Machine A has the address 10.10.10.250/24, Machine B has the address 10.10.10.2/24.
In vCloud Director, go to the Administration tab, go to the VDC we need, go to the Org VDC Networks tab and add two new networks.
Select the routed network type and bind this network to our NSX. We put the checkbox Create as subinterface.
As a result, we should get two networks. In our example, they are called network-a and network-b with the same gateway settings and the same mask.
Now let's go to the settings of the first NSX. This will be the NSX that Network A is attached to. It will act as a server.
We return to the NSX Edge interface and go to the VPN tab -> L2VPN. We turn on L2VPN, select the Server operation mode, and in the Server Global settings we specify the external NSX IP address on which the tunnel port will listen. By default, the socket opens on port 443, but this can be changed. Do not forget to select the encryption settings for the future tunnel.
Go to the Server Sites tab and add a peer.
We turn on the peer, set the name, description, if necessary, set the username and password. We will need this data later when setting up the client site.
In Egress Optimization Gateway Address we set the gateway address. This is necessary to avoid an IP address conflict, because the gateways of our two networks have the same address. Then click the SELECT SUB-INTERFACES button.
Here we select the desired subinterface. We save the settings.
We see that the newly created client site has appeared in the settings.
Now let's move on to configuring NSX from the client side.
We go to the NSX on side B, go to VPN -> L2VPN, enable L2VPN, and set the L2VPN mode to client mode. On the Client Global tab, set the address and port of NSX A, which we specified earlier as the Listening IP and Port on the server side. It is also necessary to set the same encryption settings so that they match when the tunnel is brought up.
We scroll down and select the subinterface through which the L2VPN tunnel will be built.
In Egress Optimization Gateway Address we set the gateway address. Set user-id and password. We select the subinterface and do not forget to save the settings.
Actually, that's all. The settings of the client and server side are almost identical, with the exception of a few nuances.
Now we can confirm that our tunnel is up by going to Statistics -> L2VPN on either NSX.
If we now go to the console of either Edge Gateway, we will see the addresses of both VMs in the ARP table on each of them.
That's all about VPN on NSX Edge. Ask if something is unclear. This is also the last part of our series of articles on working with NSX Edge. We hope they were helpful.