duc31nik
Contributor

IPSec VPN issue.

Hello,

I set up an IPSec VPN between two NSX Edge routers.  The tunnel is up.  My problem is that traffic is one-way only.

For example: from a VM behind Edge-01, I can ping/SSH/RDP to any VM behind Edge-02.    However, a VM behind Edge-02 cannot ping over to a VM behind Edge-01.

Does anyone have any ideas what the issue could be?

3 Replies
duc31nik
Contributor

I found the issue.

I was under the impression that if I enabled “Auto Rules Generation” when deploying the Edge, it would automatically create the security policy when I enabled IPSec.  I do see auto-generated rules for the two peer IPs, but no rules for the local subnet and remote subnet.  I added firewall rules to allow traffic both ways on the Edge and it works.

Maybe this is the same issue I have with Load Balancer not working. lol

Sreec
VMware Employee

I'm unsure what rules were in place when traffic was possible in one way. Keeping that aside, auto rules are only for control plane traffic.

Cheers,
Sree | VCIX-5X| VCAP-5X| VExpert 6x|Cisco Certified Specialist
Please KUDO helpful posts and mark the thread as solved if answered
duc31nik
Contributor

Sreec,

I'm new to NSX.  Thanks for clarifying that the auto rules are for control plane traffic only.

On Edge01 I have a rule allowing the local subnet to any (for internet), and on the Edge02 firewall I have an any/any rule which allows any traffic. This is why traffic was allowed from Edge01 > Edge02.

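A way to check the situation described in this thread, as an added example that is not code from the thread or from VMware: given each Edge's firewall rules, it reports which direction of VM-to-VM traffic over the tunnel is blocked and by which Edge. The Edge firewall is modelled as first-match-wins with a default deny; the peer IPs, subnets and rule sets are constructed to mirror the posts above (auto rules cover the peer IPs only, Edge-01 allows local subnet to any, Edge-02 is any/any).

```python
import ipaddress

# Each rule is (source, destination, action); source/destination are "any" or a
# CIDR string. The Edge firewall is modelled as first-match-wins with an implicit
# default deny when nothing matches (assumption for this example).

def _field_matches(field, addr):
    return field == "any" or addr in ipaddress.ip_network(field, strict=False)

def firewall_allows(rules, src, dst):
    """Return True if the first matching rule accepts src -> dst; no match is a deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule_src, rule_dst, action in rules:
        if _field_matches(rule_src, s) and _field_matches(rule_dst, d):
            return action == "accept"
    return False

def tunnel_data_plane_check(edges, local_subnet, remote_subnet):
    """For each direction of VM-to-VM traffic over the tunnel, list the Edges whose
    firewall blocks it. The first host of each subnet stands in for the VMs
    (assumption: there are no per-host rules)."""
    local_host = str(next(ipaddress.ip_network(local_subnet).hosts()))
    remote_host = str(next(ipaddress.ip_network(remote_subnet).hosts()))
    directions = {"local->remote": (local_host, remote_host),
                  "remote->local": (remote_host, local_host)}
    return {name: [edge for edge, rules in edges.items() if not firewall_allows(rules, s, d)]
            for name, (s, d) in directions.items()}

# Constructed rule sets mirroring the thread; peer and subnet addresses are assumptions.
PEER_EDGE01, PEER_EDGE02 = "203.0.113.1/32", "198.51.100.1/32"
LOCAL_SUBNET, REMOTE_SUBNET = "10.1.0.0/24", "10.2.0.0/24"   # behind Edge-01 / Edge-02

BEFORE = {
    "Edge-01": [(PEER_EDGE01, PEER_EDGE02, "accept"),  # auto rules: peer IPs only
                (PEER_EDGE02, PEER_EDGE01, "accept"),  # (IKE/ESP control plane)
                (LOCAL_SUBNET, "any", "accept")],       # local subnet to the internet
    "Edge-02": [(PEER_EDGE02, PEER_EDGE01, "accept"),
                (PEER_EDGE01, PEER_EDGE02, "accept"),
                ("any", "any", "accept")],              # wide open, so it hides the gap
}
# The fix from the thread: explicit data-plane rules in both directions on Edge-01.
AFTER = {
    "Edge-01": BEFORE["Edge-01"] + [(LOCAL_SUBNET, REMOTE_SUBNET, "accept"),
                                    (REMOTE_SUBNET, LOCAL_SUBNET, "accept")],
    "Edge-02": BEFORE["Edge-02"],
}

if __name__ == "__main__":
    for label, edges in (("before", BEFORE), ("after", AFTER)):
        print(label, tunnel_data_plane_check(edges, LOCAL_SUBNET, REMOTE_SUBNET))
```

With the "before" rule sets the check reports remote->local blocked by Edge-01 while local->remote passes, which is the one-way behaviour in the first post; with the "after" set both directions pass.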