Creating IPSec VPNs on the NSX Firewall
- Updated on 31 Dec 2022
This guide introduces you to creating a functional IPsec VPN on an NSX firewall hosted with Servers Australia.
If you have not used your NSX before, please read Getting Started with an NSX Firewall first before continuing.
Throughout this guide the following example network setup is used:
This guide assumes that the remote-side firewall supports the following proposal. Both sides must agree on every parameter, otherwise IKE negotiation fails before the tunnel is established:
- Authentication (Digest): SHA1 (SHA256 is preferable when both peers support it)
- Encryption: AES256
- DH Group: DH 14 (2048-bit MODP)
- Perfect Forward Secrecy (PFS)
1. Once logged into your NSX, navigate to VPN > IPsec VPN.
2. Navigate to the sub-tab IPsec VPN Sites. Click the + button to create a new VPN site.
3. There will be a number of settings to configure based on the unique network environment.
- Tick the Enable checkbox.
- Enable PFS if you know the remote peer supports it. PFS means each tunnel rekey performs a fresh Diffie-Hellman exchange, so compromise of one session key does not expose earlier traffic.
- Provide a Name that reminds you what this VPN serves. For example: "Springfield".
- For Local ID, use the WAN (public) IP address of the NSX firewall, and select that same address as the Local Endpoint. It will normally be one of the addresses in your "Routing" network. Talk to our team if you don't see a usable public IP.
- Local Subnets should list every subnet local to the NSX that you wish to advertise over the VPN. In our example, we advertise 192.168.1.0/24.
- Peer ID and Peer Endpoint are normally both the remote WAN IP of the peer firewall. If the peer sits behind NAT, Peer Endpoint is the address its packets arrive from, while Peer ID must match the identity the peer sends in IKE, which may differ.
- In a similar fashion, Peer Subnets lists the subnets that should be reachable over the VPN on the peer's side.
- Choose a strong Encryption Algorithm, such as AES256.
- Leave Authentication as PSK. In the Pre-Shared Key field, enter a key that will be configured identically on both sides for authentication. Treat it like a password: use a long, randomly generated value (not a dictionary word), share it with the peer administrator out of band, and never reuse it across VPN sites.
- Define a DH group that is compatible with your peer firewall. As best practice, use DH14 or higher if the peer supports it; DH2 and DH5 are too short for current guidance.
- Digest Algorithm must be set and must match the "Authentication" (integrity) algorithm used by the peer.
- IKE Option should in most situations be IKEv2 unless the peer is a legacy device that only supports IKEv1. The setting must match the peer.
4. All together it should look similar to the below example:
5. Click Keep to apply the settings and continue.
6. With a site configured, you must now enable the IPsec service. Navigate to the Activation Status sub-tab and switch on the IPsec VPN Service Status button.
7. Save your changes.
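The remote peer must present a matching proposal. The swanctl.conf fragment below is an added example of what the peer side of the tunnel in this guide looks like when the peer firewall is strongSwan; it is not part of the original guide or of any Servers Australia configuration. The addresses (203.0.113.1 for the NSX WAN IP, 203.0.113.2 for the peer) and the peer subnet 192.168.2.0/24 are assumed for illustration; the local subnet 192.168.1.0/24 is the one from the guide. Every line maps to a field on the NSX site form: `version = 2` is the IKE Option, `proposals` carries Encryption, Digest and DH Group for IKE, `esp_proposals` carries the same for the tunnel, and the trailing `modp2048` in `esp_proposals` is what turns PFS on.

```conf
# swanctl.conf for the strongSwan peer (added example; addresses assumed)
connections {
    nsx-springfield {
        version = 2                      # NSX "IKE Option" = IKEv2
        local_addrs  = 203.0.113.2       # peer WAN IP (NSX "Peer Endpoint")
        remote_addrs = 203.0.113.1       # NSX WAN IP (NSX "Local Endpoint")

        local {
            auth = psk
            id = 203.0.113.2             # must equal NSX "Peer ID"
        }
        remote {
            auth = psk
            id = 203.0.113.1             # must equal NSX "Local ID"
        }

        # IKE SA: AES256 encryption, SHA1 integrity/PRF, DH group 14 (modp2048)
        proposals = aes256-sha1-modp2048

        children {
            springfield {
                local_ts  = 192.168.2.0/24    # NSX "Peer Subnets" (assumed)
                remote_ts = 192.168.1.0/24    # NSX "Local Subnets"
                # ESP: same cipher and digest; modp2048 here enables PFS on rekey
                esp_proposals = aes256-sha1-modp2048
                start_action = start          # bring the tunnel up on load
                dpd_action   = restart        # re-establish if the NSX stops answering
            }
        }
        dpd_delay = 30s
    }
}

secrets {
    ike-nsx-springfield {
        id-1 = 203.0.113.1
        id-2 = 203.0.113.2
        # Same long random value entered in the NSX "Pre-Shared Key" field
        secret = "replace-with-the-same-long-random-secret"
    }
}
```

Load it with `swanctl --load-all` and confirm with `swanctl --list-sas`; an IKE SA in state ESTABLISHED with a CHILD_SA listing the two traffic selectors means both ends agreed on the proposal. If the IKE SA never appears, the most common causes are a mismatched ID (Local ID versus Peer ID), a mismatched DH group, or PFS enabled on only one side.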
To monitor the status of your IPsec VPN, navigate to the Statistics tab.
Under the IPsec VPN sub-tab you will see the status of each tunnel; a site that stays down with the service enabled usually indicates a proposal or ID mismatch with the peer.