Set up a VPN

Last update: November 19 2024

Set up a VPN

The VPN server function is built into the Edge routers. VPN types available:

• IPSec (Site-to-site VPN — Used to create a secure tunnel between sites. For example, between the main office network and a network at a remote site or in the cloud;
• SSL VPN (Remote Access VPN) — used to connect individual users to an organization's private networks using a VPN client;
• L2 VPN — allows you to combine networks located on different sites (in different Cloud Director infrastructures) into one broadcast domain — for example, when migrating a virtual machine.

Connect IPsec⁠

1. From control panel open the Cloud Director panel: VMware-based cloud → Cloud Director.
2. Open the virtual data center page.
3. Go to the section Networking → Edges.
4. Open the page of the desired Edge.
5. Click Services.
6. Open the tab VPN → IPsec VPN → IPsec VPN Sites.
7. Click +.
8. Optional: to activate the remote site, turn on the toggle switch Enabled.
9. Optional: to prevent each new cryptographic key from being associated with any previous key, turn on the toggle switch PFS.
10. In the field Local Endpoint enter the external address of the NSX Edge.
11. In the field Local Subnets enter the local networks in CIDR format that will use the IPsec VPN.
12. In the field Peer ID enter the address of the remote site.
13. In the field Peer Endpoint enter the address of the remote site.
14. In the field Peer Subnets Enter the networks that will use the IPsec VPN on the remote side.
15. In the field Encryption Algorithm select the tunnel encryption algorithm.
16. In the field Authentication select how the peer will be authenticated — by Pre-Shared Key or certificate.
17. In the field Pre-Shared Key enter the key that will be used for authentication. The key must match on both sides.
18. In the field Diffie-Hellman Group select the key group number in the key exchange algorithm.
19. In the field Digest algorithm select the packet integrity control hashing algorithm.
20. In the field IKE option Select the version of the IKE (Internet Key Exchange) protocol.
21. To ensure that Edge does not initiate a connection when it is turned on, but waits for a connection from the remote side, enable the toggle switch IKE responder only.
22. In the field Session type select a tunnel type. More information about tunnels in the instructions Policy-Based IPSec VPN or Route-Based IPSec VPN VMware documentation.
23. Click Keep.
24. Open the tab VPN → IPsec VPN → Activation Status.
25. Turn on the toggle switch IPsec VPN Service Status.
26. Open the tab Statistics → IPsec VPN.
27. Check that the column Channel Status VPN status is active.

View tunnel status⁠

The number of IPsec tunnels depends on the size of the deployed Edge router. By default, 512 IPsec tunnels are available.

1. From control panel open the Cloud Director panel: VMware-based cloud → Cloud Director.

2. Open the virtual data center page.

3. Go to the section Networking → Edges.

4. Open the page of the desired Edge.

5. Click Services.

6. Open the tab Edge settings.

7. In the block SSH Status toggle switch Enabled.

8. Enter the login and password for SSH access and enable it in the Firewall settings. It is not recommended to leave SSH enabled.

9. In the Edge console, check the status of the service:

   show service ipsec

10. Check the status of the site and agreed parameters:

    show service ipsec site

11. Check the status of the Security Association (SA):

    show service ipsec sa

Connect SSL VPN⁠

SSL VPN-Plus is one of the Remote Access VPN options. It allows individual remote users to securely connect to private networks behind the NSX Edge gateway. An encrypted tunnel in the case of SSL VPN-plus is established between the client (Windows, Linux, Mac) and VMware NSX® Edge™.

1. From control panel open the Cloud Director panel: VMware-based cloud → Cloud Director.

2. Open the virtual data center page.

3. Go to the section Networking → Edges.

4. Open the page of the desired Edge.

5. Click Services.

6. Open the tab SSL VPN-Plus → Authentication.

7. Click +Local.

8. Configure and enable the authentication server. During configuration, you can select policies for generating new passwords and configure options for locking user accounts (e.g., number of retries for incorrect passwords), see the instructions for more details Configure an Authentication Service for SSL VPN-Plus on an NSX Data Center for vSphere Edge Gateway VMware documentation.

9. Click Keep.

10. Open the tab SSL VPN-Plus → Server Settings.

11. In the fields IP Address and Port specify the address and port on which the server will listen for incoming connections.

12. Turn on the toggle switch Enable Logging.

13. In the block Cipher List check the required encryption algorithms.

14. Optional: To change the certificate to be used by the server, click CHANGE SERVER CERTIFICATE.

15. Turn on the toggle switch Enable.

16. Click Save changes.

17. Open the tab SSL VPN-Plus → Users.

18. Click +.

19. In the field User ID enter the user ID.

20. In the field Password enter the user's password.

21. To enable the user, turn on the toggle switch Enabled.

22. Click Keep.

23. Open the tab SSL VPN-Plus → Installation Packages.

24. To create an installer that a remote employee can download for installation, click +.

25. In the field Profile Name enter the name of the installation package profile.

26. In the field Gateway enter the server address, it can be viewed on the tab SSL VPN-Plus → Server Settings → IP Address.

27. In the field Port enter the server port, it can be viewed on the tab SSL VPN-Plus → Server Settings → Port.

28. Select the installation packages for the different operating systems. The Windows package is created by default and is always available.

29. Optional: To have the VPN client added to the autoloader on the remote machine, check the checkbox start client on logon (Windows only).

30. Optional: to create a VPN client icon on the desktop, check the checkbox create desktop icon (Windows only).

31. Optional: to validate the server certificate when connecting, check the checkbox server security certificate validation (Windows only).

32. Open the tab SSL VPN-Plus → IP Pools.

33. Click +.

34. In the field IP Range Specify the range of addresses that will be given to users when they connect.

35. In the field Netmask specify the network mask.

36. In the field Gateway Specify the gateway of the network.

37. Optional: configure DNS and WINS servers.

38. Open the tab Private Networks.

39. Click +.

40. In the field Network Add a local network to which remote users will have access.

41. In the field Send traffic select a way to send traffic:

    • over tunnel — through the tunnel;
    • bypass tunnel — directly bypassing the tunnel.

42. If you have selected the option to send traffic over tunneland check the box Enable TCP Optimization.

Connect the created installation package⁠

1. Open a web browser using the external address and port you set when you configured the Firewall.
2. Enter the user credentials. After successful authorization, the list of created installation packages available for download will be opened.
3. Download created installation package.
4. Unzip the downloaded archive.
5. Install the client.
6. Start the client.
7. In the authorization window, click Login.
8. In the Certificate Validation window, click Yes.
9. Enter the user's credentials.

Connect NSX L2 VPN⁠

When moving to a different geographical location, the virtual machine will retain its IP addressing settings and will not lose connectivity with other machines in the same L2 domain as it. This feature can be used if there are two virtual machines located in different virtual data centers and regions.

The first VM has the address 10.10.10.2/24and the second VM — 10.10.10.200/24.

The linked broadcast domains must be built on the NSX platform. It is possible to use NSX Edge standalone, more details in VMware Customer Connect documentation (site registration is required to view).

1. From control panel open the Cloud Director panel: VMware-based cloud → Cloud Director.

2. Open the virtual data center page.

3. Go to the section Networking → Networks.

4. Click New.

5. Create a network with parameters:

   • Scope — select Current Organization Virtual Data Center;
   • Network Type — select Routed;
   • Interface Type — select subinterface;
   • Gateway CIDR — specify 10.10.10.1/24.

6. Open the tab Data Centers →Virtual Data Center.

7. Open the second virtual data center page.

8. Add a network with the same parameters.

Configure the NSX L2 VPN server⁠

1. From control panel open the Cloud Director panel: VMware-based cloud → Cloud Director.
2. Open the virtual data center page.
3. Go to the section Networking → Edges.
4. Open the page of the desired Edge.
5. Click Services.
6. Open the tab VPN → L2VPN.
7. Turn on the toggle switch L2VPN.
8. In the field L2VPN mode select Server.
9. On the tab Server Global enter the external IP address of the Egde router on which the tunnel port will be listened to. By default the socket will open on port 443, but this can be changed.
10. Check the encryption settings for the tunnel.
11. Open the tab Server Sites.
12. Click +.
13. Turn on the toggle switch Enabled.
14. Enter the name of the feast.
15. Enter the user's name and password.
16. In the field Egress Optimization Gateway Address Enter the gateway address so that there is no IP address conflict, since the gateway of the created networks has the same address.
17. Click Select sub-interfaces.
18. Select the desired subinterface.
19. Save the settings. The created client site will appear in the settings.

To configure the NSX L2 VPN client⁠

1. From control panel open the Cloud Director panel: VMware-based cloud → Cloud Director.
2. Open the virtual data center page.
3. Go to the section Networking → Edges.
4. Open the page of the desired Edge.
5. Click Services.
6. Open the tab VPN → L2VPN.
7. Turn on the toggle switch L2VPN.
8. In the field L2VPN mode select Client.
9. On the tab Client Global Specify the NSX Edge address and port of the first virtual data center that was specified in the fields Listening IP and Port on the server side.
10. Configure encryption in the same way as on the server so that its settings are consistent when the tunnel is brought up.
11. Click SELECT SUB-INTERFACES.
12. Select the subinterface through which the tunnel for L2VPN will be built.
13. In the field Egress Optimization Gateway Address enter the gateway address.
14. In the field User Id enter a user name.
15. In the field Password enter the password.
16. In the field Confirm Password confirm the password.
17. Save the settings.
18. On any Edge router, under the tab Statistics → L2VPN check the tunnel.