Set up a VPN

The VPN server function is built into Edge routers. The following VPN types are available:

  • IPsec (site-to-site VPN) — creates a secure tunnel between sites, for example between the main office network and a network at a remote site or in the cloud;
  • SSL VPN (remote access VPN) — connects individual users to the organization's private networks through a VPN client;
  • L2 VPN — joins networks located at different sites (in different Cloud Director infrastructures) into one broadcast domain, for example when migrating a virtual machine.

Connect IPsec

  1. From Control Panel, open the Cloud Director panel: Cloud powered by VMware → Cloud Director.
  2. Open the virtual data center page.
  3. Go to Networking → Edges.
  4. Open the page of the desired Edge.
  5. Press Services.
  6. Open the VPN → IPsec VPN → IPsec VPN Sites tab.
  7. Press +.
  8. Optional: to activate the remote site, turn on the Enabled toggle switch.
  9. Optional: to enable Perfect Forward Secrecy, so that no new session key can be derived from a previous one, turn on the PFS toggle switch.
  10. In the Local Endpoint field, enter the external address of the NSX Edge.
  11. In the Local Subnets field, enter the local networks in CIDR format that will use the IPsec VPN.
  12. In the Peer ID field, enter the address of the remote site.
  13. In the Peer Endpoint field, enter the address of the remote site.
  14. In the Peer Subnets field, enter the networks that will use the IPsec VPN on the remote side.
  15. In the Encryption Algorithm field, select the tunnel encryption algorithm.
  16. In the Authentication field, select how the peer will be authenticated — using a Pre-Shared Key or a certificate.
  17. In the Pre-Shared Key field, enter the key that will be used for authentication. The key must match on both sides.
  18. In the Diffie-Hellman Group field, select the key group number in the key exchange algorithm.
  19. In the Digest algorithm field, select the packet integrity control hashing algorithm.
  20. In the IKE option field, select the version of the IKE (Internet Key Exchange) protocol.
  21. To have Edge not initiate a connection when powered on, but wait for a connection from the remote side, enable the IKE responder only toggle switch.
  22. In the Session type field, select the tunnel type. For more information about tunnel types, see the Policy-Based IPsec VPN or Route-Based IPsec VPN instructions in the VMware documentation.
  23. Press Keep.
  24. Open the VPN → IPsec VPN → Activation Status tab.
  25. Turn on the IPsec VPN Service Status toggle switch.
  26. Open the Statistics → IPsec VPN tab.
  27. Verify that the VPN status in the Channel Status column is active.
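Most IPsec tunnels that fail to come up do so because the two site definitions above do not mirror each other (a subnet typed differently on one side, a pre-shared key that differs by one character, a Diffie-Hellman group left at a different value, or both Edges set to respond only). The script below is an added example, not part of the original page or of the Cloud Director product: it models the fields of the IPsec VPN Sites dialog for both ends of a tunnel and reports inconsistencies before the service is switched on. The field names, the sample addresses and subnets, and the MIN_PSK_LEN threshold are constructed for illustration.

```python
"""Mirror-check for an NSX Edge IPsec VPN site definition.

Added example, not part of the original page: it models the fields of the
IPsec VPN Sites dialog for both ends of a tunnel and reports anything that
would stop the tunnel from coming up or weaken it. Field names, sample
addresses and MIN_PSK_LEN are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, replace

MIN_PSK_LEN = 20  # assumed local policy, not a value from the page


@dataclass
class IpsecSite:
    local_endpoint: str   # external address of this Edge
    local_subnets: list   # CIDR networks behind this Edge
    peer_id: str          # identifier of the remote site (its address, as on the page)
    peer_endpoint: str    # external address of the remote site
    peer_subnets: list    # CIDR networks behind the remote site
    encryption: str       # tunnel encryption algorithm, e.g. "AES256"
    authentication: str   # "PSK" or "Certificate"
    psk: str              # pre-shared key (must match on both sides)
    dh_group: int         # Diffie-Hellman group number
    digest: str           # integrity algorithm, e.g. "SHA256"
    ike_version: str      # "IKEv1" or "IKEv2"
    pfs: bool             # Perfect Forward Secrecy toggle
    responder_only: bool = False  # "IKE responder only" toggle


def _networks(cidrs, label, problems):
    """Parse CIDR strings, recording malformed ones; returns the valid networks."""
    nets = []
    for c in cidrs:
        try:
            nets.append(ipaddress.ip_network(c, strict=True))
        except ValueError:
            problems.append(f"{label} subnet is not a valid CIDR network: {c!r}")
    return nets


def check_site(site):
    """Problems visible from one side of the tunnel alone."""
    problems = []
    local = _networks(site.local_subnets, "local", problems)
    peer = _networks(site.peer_subnets, "peer", problems)
    for l in local:
        for p in peer:
            if l.overlaps(p):
                problems.append(f"local subnet {l} overlaps peer subnet {p}")
    for name in ("local_endpoint", "peer_endpoint"):
        try:
            ipaddress.ip_address(getattr(site, name))
        except ValueError:
            problems.append(f"{name} is not an IP address: {getattr(site, name)!r}")
    if site.authentication == "PSK" and len(site.psk) < MIN_PSK_LEN:
        problems.append(f"pre-shared key shorter than {MIN_PSK_LEN} characters")
    if not site.pfs:
        problems.append("PFS is disabled: a leaked key would expose earlier sessions")
    return problems


def check_pair(a, b):
    """Problems that only show up when the two site definitions are compared."""
    problems = check_site(a) + check_site(b)
    if a.local_endpoint != b.peer_endpoint or b.local_endpoint != a.peer_endpoint:
        problems.append("local/peer endpoints are not mirrored")
    if a.peer_id != b.local_endpoint or b.peer_id != a.local_endpoint:
        problems.append("peer ID does not match the other side's local endpoint")
    # Subnet lists are compared as typed; both sides should use the same notation.
    if set(a.local_subnets) != set(b.peer_subnets) or set(b.local_subnets) != set(a.peer_subnets):
        problems.append("local/peer subnet lists are not mirrored")
    for attr in ("encryption", "authentication", "psk", "dh_group", "digest", "ike_version", "pfs"):
        if getattr(a, attr) != getattr(b, attr):
            problems.append(f"{attr} differs between the two sites")
    if a.responder_only and b.responder_only:
        problems.append("both sides are IKE responder only: neither will initiate")
    return problems


# Constructed sample: main office Edge (A) and a remote site Edge (B).
SITE_A = IpsecSite("203.0.113.10", ["192.168.10.0/24"], "198.51.100.20", "198.51.100.20",
                   ["192.168.20.0/24"], "AES256", "PSK", "example-psk-that-is-long-enough",
                   14, "SHA256", "IKEv2", True)
SITE_B = IpsecSite("198.51.100.20", ["192.168.20.0/24"], "203.0.113.10", "203.0.113.10",
                   ["192.168.10.0/24"], "AES256", "PSK", "example-psk-that-is-long-enough",
                   14, "SHA256", "IKEv2", True)


def example_results():
    """Run the checks on a consistent pair, a broken pair and a malformed CIDR."""
    return {
        "good": check_pair(SITE_A, SITE_B),
        "broken": check_pair(replace(SITE_A, responder_only=True),
                             replace(SITE_B, psk="short", dh_group=2, responder_only=True)),
        "bad_cidr": check_site(replace(SITE_A, local_subnets=["192.168.10.5/24"])),
    }


if __name__ == "__main__":
    for name, found in example_results().items():
        print(f"{name}: {found or 'no problems'}")
```

Run it once per tunnel with the values you are about to type into both dialogs; an empty result for the pair is the condition under which step 27 can be expected to show the channel as active.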

View tunnel status

The number of IPsec tunnels depends on the size of the deployed Edge router. By default, 512 IPsec tunnels are available.

  1. From Control Panel, open the Cloud Director panel: Cloud powered by VMware → Cloud Director.

  2. Open the virtual data center page.

  3. Go to Networking → Edges.

  4. Open the page of the desired Edge.

  5. Press Services.

  6. Open the Edge settings tab.

  7. In the SSH Status block, turn on the Enabled toggle switch.

  8. Enter the username and password for SSH access and allow SSH in the Firewall settings. It is not recommended to leave SSH enabled once the check is done.

  9. In the Edge console, check the status of the service:

    show service ipsec

  10. Check the status of the site and the negotiated parameters:

    show service ipsec site

  11. Check the status of the Security Association (SA):

    show service ipsec sa

Connect SSL VPN

SSL VPN-Plus is one of the Remote Access VPN options. It allows individual remote users to securely connect to private networks behind the NSX Edge gateway. In the case of SSL VPN-Plus, an encrypted tunnel is established between the client (Windows, Linux, Mac) and VMware NSX® Edge™.

  1. From Control Panel, open the Cloud Director panel: VMware-based Cloud → Cloud Director.

  2. Open the virtual data center page.

  3. Go to Networking → Edges.

  4. Open the page of the desired Edge.

  5. Press Services.

  6. Open the SSL VPN-Plus → Authentication tab.

  7. Press + → Local.

  8. Configure and enable the authentication server. During configuration, you can select policies for new passwords and configure account lockout options (for example, the number of retries allowed for an incorrect password). For details, see Configure an Authentication Service for SSL VPN-Plus on an NSX Data Center for vSphere Edge Gateway in the VMware documentation.

  9. Press Keep.

  10. Open the SSL VPN-Plus → Server Settings tab.

  11. In the IP Address and Port fields, specify the address and port on which the server will listen for incoming connections.

  12. Turn on the Enable Logging toggle switch.

  13. In the Cipher List box, check the required encryption algorithms.

  14. Optional: To change the certificate that the server will use, click CHANGE SERVER CERTIFICATE.

  15. Turn on the Enable toggle switch.

  16. Click Save changes.

  17. Open the SSL VPN-Plus → Users tab.

  18. Press +.

  19. In the User ID field, enter the user ID.

  20. In the Password field, enter the user's password.

  21. To enable the user, turn on the Enabled toggle switch.

  22. Press Keep.

  23. Open the SSL VPN-Plus → Installation Packages tab.

  24. To create an installer that a remote employee can download for installation, press +.

  25. In the Profile Name field, enter the name of the installation package profile.

  26. In the Gateway field, enter the server address; you can view it under SSL VPN-Plus → Server Settings → IP Address.

  27. In the Port field, enter the server port; you can view it under SSL VPN-Plus → Server Settings → Port.

  28. Select installation packages for different operating systems. The Windows package is created by default and is always available.

  29. Optional: to have the VPN client added to autostart on the remote machine, check the start client on logon checkbox (Windows only).

  30. Optional: To create a VPN client icon on the desktop, check the create desktop icon checkbox (Windows only).

  31. Optional: To validate the server certificate on connection, check the server security certificate validation checkbox (Windows only).

  32. Open the SSL VPN-Plus → IP Pools tab.

  33. Press +.

  34. In the IP Range field, specify the range of addresses that will be given to users when they connect.

  35. In the Netmask field, specify the network mask.

  36. In the Gateway field, specify the network gateway.

  37. Optional: configure DNS and WINS servers.

  38. Open the Private Networks tab.

  39. Press +.

  40. In the Network field, add the local network to which remote users will have access.

  41. In the Send traffic field, select how traffic to this network is sent:

    • over tunnel — through the VPN tunnel;
    • bypass tunnel — directly, bypassing the tunnel.
  42. If you selected the over tunnel option, check the Enable TCP Optimization checkbox.
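The IP Pools and Private Networks steps above are entered separately, so nothing in the dialogs stops you from defining a client pool that collides with a network you then route over the tunnel, or a gateway that sits inside the range handed out to clients. The check below is an added example, not part of the original page or of the product: the pool, gateway and private networks are constructed, and the rules it applies are general VPN address-planning constraints rather than anything the page states.

```python
"""Sanity check for an SSL VPN-Plus IP pool and its private networks.

Added example, not part of the original page: the pool, gateway and private
networks below are constructed, and the rules applied are general VPN
address-planning constraints rather than anything the page states.
"""
import ipaddress


def check_ip_pool(ip_range, netmask, gateway, private_networks):
    """Return (problems, pool_size) for one IP Pool entry.

    ip_range is written as in the dialog, e.g. "10.200.0.10-10.200.0.250";
    netmask is dotted, e.g. "255.255.255.0"; private_networks are the CIDRs
    entered on the Private Networks tab.
    """
    problems = []
    first_s, last_s = (part.strip() for part in ip_range.split("-", 1))
    first, last = ipaddress.ip_address(first_s), ipaddress.ip_address(last_s)
    if first > last:
        problems.append("IP range start is after its end")
        first, last = last, first
    # Derive the pool subnet from the first address and the netmask.
    pool_net = ipaddress.ip_network(f"{first}/{netmask}", strict=False)
    gw = ipaddress.ip_address(gateway)
    if last not in pool_net:
        problems.append(f"range end {last} lies outside {pool_net}")
    if first == pool_net.network_address or last == pool_net.broadcast_address:
        problems.append("range includes the network or broadcast address")
    if gw not in pool_net:
        problems.append(f"gateway {gw} is outside {pool_net}")
    elif first <= gw <= last:
        problems.append(f"gateway {gw} would also be handed to a client")
    # Clients must not be numbered from a network that is routed over the tunnel,
    # otherwise the client's own interface route shadows the tunnel route.
    for cidr in private_networks:
        try:
            pn = ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            problems.append(f"private network is not a valid CIDR: {cidr!r}")
            continue
        if pn.overlaps(pool_net):
            problems.append(f"pool subnet {pool_net} overlaps private network {pn}")
    return problems, int(last) - int(first) + 1


# Constructed sample: a pool for remote users plus two private networks.
GOOD = dict(ip_range="10.200.0.10-10.200.0.250", netmask="255.255.255.0",
            gateway="10.200.0.1", private_networks=["192.168.10.0/24", "192.168.20.0/24"])
# Same pool, but the first private network was typed as the pool subnet itself.
OVERLAP = dict(GOOD, private_networks=["10.200.0.0/24", "192.168.20.0/24"])
# Same pool, but the gateway was placed inside the handed-out range.
GW_IN_RANGE = dict(GOOD, gateway="10.200.0.100")


def example_results():
    """Run the check on the three constructed configurations."""
    return {name: check_ip_pool(**cfg) for name, cfg in
            (("good", GOOD), ("overlap", OVERLAP), ("gw_in_range", GW_IN_RANGE))}


if __name__ == "__main__":
    for name, (problems, size) in example_results().items():
        print(f"{name}: {size} addresses, {problems or 'no problems'}")
```

The returned pool size is worth comparing against the number of users created in step 18 onwards: once the pool is exhausted, further logins fail even though the credentials are correct.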

Connect the created installation package

  1. In a web browser, open the external address and port that you allowed when you configured the Firewall.
  2. Enter the user's credentials. After successful authorization, a list of the created installation packages available for download opens.
  3. Download the created installation package.
  4. Unzip the downloaded archive.
  5. Install the client.
  6. Start the client.
  7. In the authorization window, click Login.
  8. In the Certificate Validation window, click Yes.
  9. Enter the user's credentials.

Connect NSX L2 VPN

When a virtual machine is moved to a different geographical location, it retains its IP settings and does not lose connectivity with the other machines in the same L2 domain. You can use this feature when two virtual machines are located in different virtual data centers and regions.

In the example below, the first VM has the address 10.10.10.2/24 and the second VM has the address 10.10.10.200/24.

The sites that are linked into a single broadcast domain must be built on the NSX platform. It is possible to use NSX Edge standalone, see VMware Customer Connect documentation for details (requires site registration to view).

  1. From Control Panel, open the Cloud Director panel: VMware-based Cloud → Cloud Director.

  2. Open the virtual data center page.

  3. Go to Networking → Networks.

  4. Press New.

  5. Create a network with the following parameters:

    • Scope — select Current Organization Virtual Data Center;
    • Network Type — select Routed;
    • Interface Type — select Subinterface;
    • Gateway CIDR — specify 10.10.10.1/24.
  6. Open the Data Centers → Virtual Data Center tab.

  7. Open the second virtual data center page.

  8. Add a network with the same parameters.

Configure NSX L2 VPN server

  1. From Control Panel, open the Cloud Director panel: VMware-based Cloud → Cloud Director.
  2. Open the virtual data center page.
  3. Go to Networking → Edges.
  4. Open the page of the desired Edge.
  5. Press Services.
  6. Open the VPN → L2VPN tab.
  7. Turn on the L2VPN toggle switch.
  8. In the L2VPN mode field, select Server.
  9. On the Server Global tab, enter the external IP address of the Edge router on which the tunnel port will listen. By default, the socket opens on port 443, but this can be changed.
  10. Check the encryption settings for the tunnel.
  11. Open the Server Sites tab.
  12. Press +.
  13. Turn on the Enabled toggle switch.
  14. Enter the name of the peer site.
  15. Enter the user's name and password.
  16. In the Egress Optimization Gateway Address field, enter the gateway address so that there is no IP address conflict, since the networks created on both sides use the same gateway address.
  17. Click Select sub-interfaces.
  18. Select the desired subinterface.
  19. Save the settings. The created client site will appear in the settings.

Configure NSX L2 VPN Client

  1. From Control Panel, open the Cloud Director panel: VMware-based Cloud → Cloud Director.
  2. Open the virtual data center page.
  3. Go to Networking → Edges.
  4. Open the page of the desired Edge.
  5. Press Services.
  6. Open the VPN → L2VPN tab.
  7. Turn on the L2VPN toggle switch.
  8. In the L2VPN mode field, select Client.
  9. On the Client Global tab, specify the NSX Edge address and port of the first virtual data center that was specified in the Listening IP and Port fields on the server side.
  10. Configure encryption in the same way as on the server so that its settings are consistent when the tunnel is brought up.
  11. Press SELECT SUB-INTERFACES.
  12. Select the subinterface through which the tunnel for L2VPN will be built.
  13. In the Egress Optimization Gateway Address field, enter the gateway address.
  14. In the User Id field, enter the user name.
  15. In the Password field, enter your password.
  16. In the Confirm Password field, confirm the password.
  17. Save the settings.
  18. On either Edge router, check the tunnel under the Statistics → L2VPN tab.