Learn how to configure an IPsec tunnel with NSX.
Requirements
- Being the administrative contact for the Hosted Private Cloud powered by VMware, and having received the connection credentials.
- An active user account with specific rights for NSX (created in the OVHcloud Control Panel).
- Having NSX deployed with two configured segments in your NSX configuration. Refer to our guide on NSX segment management for more information.
Instructions
Here is the tunnel we want to establish between two infrastructures:
From the NSX interface:
- Go to the Networking tab.
- Select VPN in the Network Services section.
- Under the VPN Services tab, click on ADD SERVICE.
- Select IPSec.
To set up your IPsec service:
- Enter a name under Name.
- Enter ovh-T0-gw | Tier-0 Gateway under Tier-0/Tier-1 Gateway.
- Click SAVE.
Next, you need to specify the parameter type for the different IPSec stages. To do this, you will need to provide the IKE, IPSec, and DPD profiles (default profiles may already be provided).
From the NSX interface:
- Go to the Networking tab.
- Select VPN in the Network Services section.
- Select the Profiles tab at the top of the page.
- Click on ADD IKE PROFILE.
Provide the following information with your parameters:
- Name: Enter a name.
- IKE Version: Enter the IKE version.
- Encryption Algorithm: Choose the algorithm.
- Digest Algorithm: Choose the algorithm.
- Diffie-Hellman: Choose the group.
Then, click SAVE.
Next, while under the Profiles tab:
- Choose IPSec PROFILES.
- Click ADD IPSEC PROFILE.
- Complete the IPSec information with the same parameters as the IKE Profile you just created.
- Click SAVE.
Finally, while still under the Profiles tab:
- Choose DPD PROFILES.
- Click ADD DPD PROFILE.
- Complete the DPD information with your parameters.
- Click SAVE.
Next, you need to create a Local Endpoint.
From the NSX interface:
- Go to the Networking tab.
- Under Network Services, select VPN.
- Then click the Local Endpoint tab.
- Click ADD LOCAL ENDPOINT.
Complete the following information with your parameters:
- Name: Enter a name.
- IPSec Service: Select the previously created VPN service.
- IP Address: Select an available IP from your range of public IPs associated with the PCC.
- Local ID: Enter the local ID of the IPSec tunnel.
Finally, you need to complete the IPSec session configuration.
From the NSX interface:
- Go to the Networking tab.
- Under Network Services, select VPN.
- Click the IPSec Sessions section.
- Click ADD IPSEC SESSION.
- Select Policy Based.
Complete the following information with your parameters:
- Name: Enter a name.
- VPN Service: Select the previously created VPN Service.
- Local Endpoint: Select the previously created Local Endpoint.
- Remote IP: Select the IP of the remote IPSec tunnel.
- Authentication Mode: Choose the authentication mode (e.g. PSK).
- Pre-shared Key: Enter the shared key for the IPSec tunnel.
- Local Networks: Enter the local networks to advertise.
- Remote Networks: Enter the remote networks to know.
- Remote ID: Enter the remote ID of the tunnel.
Select Advanced Properties.
Complete the following information with your parameters:
- IKE Profiles: The previously created IKE profile or default profiles.
- IPSec Profiles: The previously created IPSec profile or default profiles.
- DPD Profiles: The previously created DPD profile or default profiles.
Click SAVE.
If everything is properly configured on the other side, you should see a green "Success" status.
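A session that does not reach the "Success" status usually comes down to the two ends disagreeing on one of the values entered above. The following pre-flight comparison is an added example, not part of the original guide or of NSX: it checks that profile settings and the pre-shared key are identical and that endpoint IPs, IDs and networks are mirrored between the two sides. The dictionary field names are hypothetical labels for the form fields (not NSX API attributes), and all sample values are constructed.

```python
import ipaddress

# Field names are hypothetical labels for the values entered in the NSX
# forms; they are not NSX API attribute names.
MUST_MATCH = ("ike_version", "encryption", "digest", "dh_group", "psk")


def _nets(cidrs):
    """Normalise a list of CIDR strings so ordering and host bits are ignored."""
    return {ipaddress.ip_network(c, strict=False) for c in cidrs}


def compare_sides(a, b):
    """Return a list of mismatches between two ends of a policy-based tunnel."""
    problems = []
    # Profile settings and the pre-shared key must be identical on both ends.
    for key in MUST_MATCH:
        if a[key] != b[key]:
            # Never echo the key material itself into logs or terminals.
            shown = "(values differ)" if key == "psk" else f"{a[key]!r} vs {b[key]!r}"
            problems.append(f"{key}: {shown}")
    # Addressing, IDs and networks are mirrored: local on one end is remote on the other.
    for here, there, tag in ((a, b, "A->B"), (b, a, "B->A")):
        if here["remote_ip"] != there["local_ip"]:
            problems.append(f"{tag} remote_ip does not match peer local endpoint IP")
        if here["remote_id"] != there["local_id"]:
            problems.append(f"{tag} remote_id does not match peer local_id")
        if _nets(here["remote_networks"]) != _nets(there["local_networks"]):
            problems.append(f"{tag} remote_networks do not mirror peer local_networks")
    return problems


# Constructed sample values (documentation address ranges, placeholder key).
SIDE_A = {
    "ike_version": "IKE V2", "encryption": "AES 256", "digest": "SHA2 256",
    "dh_group": "Group 14", "psk": "example-only-key",
    "local_ip": "192.0.2.10", "local_id": "192.0.2.10",
    "remote_ip": "198.51.100.20", "remote_id": "198.51.100.20",
    "local_networks": ["10.10.1.0/24"], "remote_networks": ["10.20.1.0/24"],
}
# Side B mirrors side A except for a wrong DH group and a wrong remote network.
SIDE_B = dict(
    SIDE_A, dh_group="Group 2",
    local_ip="198.51.100.20", local_id="198.51.100.20",
    remote_ip="192.0.2.10", remote_id="192.0.2.10",
    local_networks=["10.20.1.0/24"], remote_networks=["10.10.2.0/24"],
)

if __name__ == "__main__":
    for line in compare_sides(SIDE_A, SIDE_B):
        print("MISMATCH", line)
```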
Go further
For more information and tutorials, please see Getting Started with NSX, Segment Management in NSX, VMware Documentation on NAT in NSX or our other NSX support guides.