Overview:
NSX and vShield Edges support site-to-site IPsec VPN between Edge instances and remote sites. Behind each remote VPN router you can configure multiple subnets to connect to the internal network behind an Edge through IPsec tunnels. These subnets and the internal network behind the Edge must have address ranges that do not overlap. You can have a maximum of 64 tunnels across a maximum of 10 sites.
NSX Edges are also capable of L2 VPN, where you can stretch both VXLAN and VLAN across geographical sites. This allows VMs to keep their IP addresses and remain on the same subnet when they are moved between sites, so workloads backed by VXLAN or VLAN can be migrated seamlessly between physically separated locations. For Service Providers in particular, L2 VPN provides a mechanism to on-board tenants without modifying the IP addresses of VM workloads.
In this post I am only going to go through IPsec VPN configuration; I feel L2 VPN deserves a separate post to do it justice. The biggest difference between an NSX and a vShield Edge when configuring VPNs is that when you are managing a vShield Edge you will not see the options to configure L2 VPN shown in the configuration example below.
Configuring IPsec VPN From Web Client:
Configuration Items Required:
- Local Endpoint
- Local Subnets
- Peer Endpoint
- Peer Subnets
- Encryption Algorithm and Authentication mechanism
- Pre Shared Key
- Diffie-Hellman Group
Double-click on the Edge under the NSX Edge menu option in Networking and Security. In the VPN tab under Configuration, click Enable next to IPsec VPN Service Status and then hit Publish Changes.
To create a new tunnel, click on + and enter the details collected as per the items listed above.
Click OK and then Publish the Changes; from there the Status should show a green tick. Once the other side has been configured, check that the tunnel(s) are up by clicking on Show IPsec Statistics.
If both sides are happy you should be able to talk between the configured subnets. Shown below is an example of a site-to-site configuration with one tunnel up and one down.
Configuring IPsec VPN From vCloud Director UI:
For vShield Edges managed via vCloud Director, head to the vCD UI and, under Administration, go to Edge Gateways. Right-click on the Edge and choose Configure Services. Under the VPN tab you first want to Enable VPN and Configure the Public IPs.
Enter the Public IP as shown above and click OK.
Click on Add and enter the details collected. For site-to-site VPNs, set the Establish VPN to: dropdown to a remote network and configure the rest of the settings.
Once done, you should see the Enabled and Status Column with green ticks.
A nice addition to the vCD UI (sometimes the UI team gets things right) is the Peer Settings button, which shows you the bits required to configure the other end of the connection.
Enabling/Disabling/Viewing IPsec With REST API:
Below are the key API commands to configure and manage IPsec VPN.
```xml
# ENABLING AND CONFIGURING IPSEC
# API CALL: https://NSX-MGR-IP/api/4.0/edges/EDGE-ID/ipsec/config
# METHOD: PUT
# CONTENT-TYPE: application/xml

#BASIC EXAMPLE
<?xml version="1.0" encoding="UTF-8"?>
<ipsec>
  <global>
    <psk>hello123</psk>
  </global>
  <sites>
    <site>
      <name>PER-SYD</name>
      <description>Perth to Sydney Example</description>
      <localId>119.252.74.130</localId>
      <localIp>119.252.74.130</localIp>
      <peerId>144.130.51.60</peerId>
      <peerIp>144.130.51.60</peerIp>
      <authenticationMode>psk</authenticationMode>
      <psk>hello123</psk>
      <localSubnets>
        <subnet>10.10.10.0/24</subnet>
      </localSubnets>
      <peerSubnets>
        <subnet>10.10.69.0/24</subnet>
      </peerSubnets>
    </site>
  </sites>
</ipsec>

#ALL OPTIONS
<?xml version="1.0" encoding="UTF-8"?>
<ipsec>
  <enabled>true</enabled> <!-- Optional, true by default -->
  <logging> <!-- Optional. Logging is disabled by default. -->
    <logLevel>debug</logLevel> <!-- Optional, default is info. -->
    <enable>true</enable> <!-- Optional, default is false. -->
  </logging>
  <global>
    <psk>hello123</psk> <!-- Required only when peerIp is specified as any in siteConfig -->
    <serviceCertificate>certificate-4</serviceCertificate> <!-- Required when x.509 certificate mode is selected -->
    <caCertificates> <!-- Optional, CA list -->
      <caCertificate>certificate-3</caCertificate>
    </caCertificates>
    <crlCertificates> <!-- Optional, CRL list -->
      <crlCertificate>crl-1</crlCertificate>
    </crlCertificates>
  </global>
  <sites>
    <site>
      <enabled>true</enabled> <!-- Optional, true by default -->
      <name>VPN to edge-pa-1</name> <!-- Optional -->
      <description>psk VPN to edge-pa-1 192.168.11.0/24 == 192.168.1.0/24</description> <!-- Optional -->
      <localId>11.0.0.11</localId>
      <localIp>11.0.0.11</localIp>
      <peerId>11.0.0.1</peerId>
      <peerIp>any</peerIp> <!-- Can be an IPv4 address such as 11.0.0.3 -->
      <encryptionAlgorithm>aes256</encryptionAlgorithm> <!-- Optional, default aes256 -->
      <authenticationMode>psk</authenticationMode> <!-- Possible values are psk and x.509 -->
      <!-- <psk>hello123</psk> --> <!-- Required if peerIp is not any -->
      <enablePfs>true</enablePfs> <!-- Optional, true by default -->
      <dhGroup>dh2</dhGroup> <!-- Optional, dh2 by default -->
      <localSubnets>
        <subnet>192.168.11.0/24</subnet>
      </localSubnets>
      <peerSubnets>
        <subnet>192.168.1.0/24</subnet>
      </peerSubnets>
    </site>
    <site>
      <name>VPN to edge-right</name>
      <description>certificate VPN to edge-right 192.168.22.0/24 == 192.168.2.0/24</description>
      <localId>11.0.0.12</localId>
      <localIp>11.0.0.12</localIp>
      <peerId>C=CN, ST=BJ, L=BJ, O=VMware, OU=DEV, CN=Right</peerId> <!-- Should be a DN if authenticationMode is x.509 -->
      <peerIp>11.0.0.2</peerIp>
      <encryptionAlgorithm>aes256</encryptionAlgorithm>
      <authenticationMode>x.509</authenticationMode>
      <enablePfs>true</enablePfs>
      <dhGroup>dh2</dhGroup>
      <localSubnets>
        <subnet>192.168.22.0/24</subnet>
      </localSubnets>
      <peerSubnets>
        <subnet>192.168.2.0/24</subnet>
      </peerSubnets>
      <extension>securelocaltrafficbyip=192.168.11.1</extension> <!-- Default value. To disable this extension, replace with securelocaltrafficbyip=0 -->
    </site>
  </sites>
</ipsec>
```
```xml
# GET IPSEC CONFIG
# API CALL: https://NSX-MGR-IP/api/4.0/edges/EDGE-ID/ipsec/config
# METHOD: GET

#EXAMPLE RESPONSE
<?xml version="1.0" encoding="UTF-8" ?>
<ipsec>
  <version>15</version>
  <enabled>true</enabled>
  <logging>
    <enable>false</enable>
    <logLevel>info</logLevel>
  </logging>
  <sites>
    <site>
      <enabled>true</enabled>
      <name>PER-SYD</name>
      <description>Perth to Sydney Example</description>
      <localId>119.252.74.130</localId>
      <localIp>119.252.74.130</localIp>
      <peerId>144.130.51.60</peerId>
      <peerIp>144.130.51.60</peerIp>
      <encryptionAlgorithm>aes256</encryptionAlgorithm>
      <enablePfs>true</enablePfs>
      <dhGroup>dh2</dhGroup>
      <localSubnets>
        <subnet>10.10.10.0/24</subnet>
      </localSubnets>
      <peerSubnets>
        <subnet>10.10.69.0/24</subnet>
      </peerSubnets>
      <psk>******</psk>
      <authenticationMode>psk</authenticationMode>
    </site>
  </sites>
  <global>
    <psk>******</psk>
    <caCertificates />
    <crlCertificates />
  </global>
</ipsec>
```
```xml
# GET IPSEC STATS
# API CALL: https://NSX-MGR-IP/api/4.0/edges/EDGE-ID/ipsec/statistics
# METHOD: GET

#EXAMPLE RESPONSE DOWN
<?xml version="1.0" encoding="UTF-8" ?>
<ipsecStatusAndStats>
  <siteStatistics>
    <ikeStatus>
      <channelStatus>down</channelStatus>
      <channelState>STATE_MAIN_R2 (sent MR2, expecting MI3)</channelState>
      <lastInformationalMessage />
      <localIpAddress>119.252.74.130</localIpAddress>
      <peerId>144.130.51.60</peerId>
      <peerIpAddress>144.130.51.60</peerIpAddress>
      <localSubnets>
        <string>10.10.10.0/24</string>
      </localSubnets>
      <peerSubnets>
        <string>10.10.69.0/24</string>
      </peerSubnets>
    </ikeStatus>
    <tunnelStats>
      <tunnelStatus>down</tunnelStatus>
      <lastInformationalMessage />
      <localSubnet>10.10.10.0/24</localSubnet>
      <peerSubnet>10.10.69.0/24</peerSubnet>
    </tunnelStats>
  </siteStatistics>
  <timeStamp>1434957824</timeStamp>
</ipsecStatusAndStats>

#EXAMPLE RESPONSE UP
<?xml version="1.0" encoding="UTF-8" ?>
<ipsecStatusAndStats>
  <siteStatistics>
    <ikeStatus>
      <channelStatus>up</channelStatus>
      <channelState>STATE_MAIN_R3 (sent MR3, ISAKMP SA established)</channelState>
      <lastInformationalMessage />
      <localIpAddress>119.252.74.130</localIpAddress>
      <peerId>119.252.84.8</peerId>
      <peerIpAddress>119.252.84.8</peerIpAddress>
      <localSubnets>
        <string>10.10.20.0/24</string>
      </localSubnets>
      <peerSubnets>
        <string>10.10.10.0/24</string>
      </peerSubnets>
    </ikeStatus>
    <tunnelStats>
      <tunnelStatus>up</tunnelStatus>
      <tunnelState>STATE_QUICK_I2 (sent QI2, IPsec SA established)</tunnelState>
      <lastInformationalMessage />
      <localSubnet>10.10.20.0/24</localSubnet>
      <peerSubnet>10.10.10.0/24</peerSubnet>
      <encryptionAlgorithm>aes-cbc</encryptionAlgorithm>
      <authenticationAlgorithm>hmac-sha1</authenticationAlgorithm>
      <localSPI>19625635(0x012b76a3)</localSPI>
      <peerSPI>912680898(0x366667c2)</peerSPI>
      <establishedDate>Jun 22 07:29:35 2015</establishedDate>
      <txBytesFromLocalSubnet>0</txBytesFromLocalSubnet>
      <rxBytesOnLocalSubnet>0</rxBytesOnLocalSubnet>
    </tunnelStats>
  </siteStatistics>
  <timeStamp>1434958999</timeStamp>
</ipsecStatusAndStats>
```
```xml
# GET IPSEC Session Statistics
# API CALL: https://NSX-MGR-IP/api/4.0/edges/EDGE-ID/statistics/dashboard/ipsec?interval=1
# DEFAULT INTERVAL 1 HOUR
# METHOD: GET

#EXAMPLE RESPONSE
<?xml version="1.0" encoding="UTF-8" ?>
<dashboardStatistics>
  <meta>
    <startTime>1434959200</startTime>
    <endTime>1434959260</endTime>
    <interval>20</interval>
  </meta>
  <data>
    <ipsec>
      <ipsecTunnels>
        <dashboardStatistic>
          <timestamp>1434959200</timestamp>
          <value>2.0</value>
        </dashboardStatistic>
        <dashboardStatistic>
          <timestamp>1434959220</timestamp>
          <value>2.0</value>
        </dashboardStatistic>
        <dashboardStatistic>
          <timestamp>1434959240</timestamp>
          <value>0.0</value>
        </dashboardStatistic>
      </ipsecTunnels>
      <ipsecBytesIn>
        <dashboardStatistic>
          <timestamp>1434959200</timestamp>
          <value>0.0</value>
        </dashboardStatistic>
        <dashboardStatistic>
          <timestamp>1434959220</timestamp>
          <value>0.0</value>
        </dashboardStatistic>
        <dashboardStatistic>
          <timestamp>1434959240</timestamp>
          <value>0.0</value>
        </dashboardStatistic>
      </ipsecBytesIn>
      <ipsecBytesOut>
        <dashboardStatistic>
          <timestamp>1434959200</timestamp>
          <value>0.0</value>
        </dashboardStatistic>
        <dashboardStatistic>
          <timestamp>1434959220</timestamp>
          <value>0.0</value>
        </dashboardStatistic>
        <dashboardStatistic>
          <timestamp>1434959240</timestamp>
          <value>0.0</value>
        </dashboardStatistic>
      </ipsecBytesOut>
    </ipsec>
  </data>
</dashboardStatistics>
```
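As an added example (my own helper, not code from the original post or from VMware), here is a small Python script that builds the PSK config body for the PUT call above while enforcing the overview's rules (non-overlapping subnets, at most 10 sites and 64 tunnels) before anything is pushed, and that reads the `ipsec/statistics` response into a per-site up/down summary. It assumes tunnels are counted one per local/peer subnet pair, and it stops short of the HTTP transport to the NSX Manager.

```python
import ipaddress
import xml.etree.ElementTree as ET

MAX_SITES, MAX_TUNNELS = 10, 64  # limits stated in the overview

def build_ipsec_config(global_psk, sites):
    """Build the PSK <ipsec> body for PUT .../edges/EDGE-ID/ipsec/config from dicts with
    name, local_ip, peer_ip, local_subnets, peer_subnets; bad input raises before any PUT."""
    if len(sites) > MAX_SITES:
        raise ValueError("more than %d sites" % MAX_SITES)
    root = ET.Element("ipsec")
    ET.SubElement(ET.SubElement(root, "global"), "psk").text = global_psk
    sites_el, tunnels = ET.SubElement(root, "sites"), 0
    for s in sites:
        local = [ipaddress.ip_network(n) for n in s["local_subnets"]]
        peer = [ipaddress.ip_network(n) for n in s["peer_subnets"]]
        # The post requires non-overlapping ranges on the two sides of a site.
        if any(ln.overlaps(pn) for ln in local for pn in peer):
            raise ValueError("%s: local and peer subnets overlap" % s["name"])
        # Assumption: one tunnel per local/peer subnet pair, which is how the
        # statistics response lists its <tunnelStats> entries.
        tunnels += len(local) * len(peer)
        site = ET.SubElement(sites_el, "site")
        for tag, val in (("name", s["name"]), ("localId", s["local_ip"]),
                         ("localIp", s["local_ip"]), ("peerId", s["peer_ip"]),
                         ("peerIp", s["peer_ip"]), ("authenticationMode", "psk"),
                         ("psk", global_psk)):
            ET.SubElement(site, tag).text = val
        for parent, nets in (("localSubnets", local), ("peerSubnets", peer)):
            holder = ET.SubElement(site, parent)
            for n in nets:
                ET.SubElement(holder, "subnet").text = str(n)
    if tunnels > MAX_TUNNELS:
        raise ValueError("%d tunnels exceeds %d" % (tunnels, MAX_TUNNELS))
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")

def parse_ipsec_stats(xml_text):
    """Summarise GET .../ipsec/statistics: IKE channel state and each tunnel's state."""
    out = []
    for site in ET.fromstring(xml_text).iter("siteStatistics"):
        ike = site.find("ikeStatus")
        out.append({"peer": ike.findtext("peerIpAddress"), "ike": ike.findtext("channelStatus"),
                    "tunnels": [(t.findtext("localSubnet"), t.findtext("peerSubnet"),
                                 t.findtext("tunnelStatus")) for t in site.iter("tunnelStats")]})
    return out

# Constructed sample, cut down from the "down" statistics response in the post.
SAMPLE_STATS = """<ipsecStatusAndStats><siteStatistics><ikeStatus><channelStatus>down</channelStatus>
<peerIpAddress>144.130.51.60</peerIpAddress></ikeStatus><tunnelStats><tunnelStatus>down</tunnelStatus>
<localSubnet>10.10.10.0/24</localSubnet><peerSubnet>10.10.69.0/24</peerSubnet></tunnelStats></siteStatistics></ipsecStatusAndStats>"""
```

Feed the string returned by `build_ipsec_config` to the PUT call with `Content-Type: application/xml`, and pass the body of the statistics GET to `parse_ipsec_stats` to see which side of a down tunnel (IKE or the IPsec SA) is failing.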