VMware Networking Community
GuyManDude
Contributor

NSX - ESG IPSec VPN with certificates - cannot publish changes

Trying to get IPSec VPN working with certificates but I keep getting this error when trying to publish changes. The certificates are valid and I can resolve the FQDN via DNS fine. Works fine using PSK. I have tried using the FQDN in the PeerID as the error suggests but it made no difference. The hosts are on the same subnet so there is nothing blocking them. The remote peer is a Palo Alto firewall if that changes anything.

Any thoughts as to why certs won't work please?

Thank you.

[Attachment: NSX ESG VPN error.JPG]

Beingnsxpaddy
Enthusiast

Hi,

I am sure you are following the steps correctly as per the article "Configure the IPsec VPN Site Connections for the Edge Gateway"; still, would it be possible for you to confirm that you have followed the same steps?

Regards, Pradhuman (VCIX-NV, VCAP-NV, vExpert, VCP2X-DCVNV). If my answer resolved your query, don't forget to mark it as "Correct Answer".
GuyManDude
Contributor

Thanks for your reply. My configuration is exactly like the one in the document you linked. When I use PSK it works and very little config changes should be necessary for the cert authenticated version to work.

Beingnsxpaddy
Enthusiast

Is it a self-signed cert or 3rd party? And does it have the correct DN, SAN, and authentication (server or client)?

Regards, Pradhuman (VCIX-NV, VCAP-NV, vExpert, VCP2X-DCVNV). If my answer resolved your query, don't forget to mark it as "Correct Answer".
GuyManDude
Contributor

I'm using this OpenSSL-based tool to generate certs: Link. I have used these certs for web browsing but I suspect they may not be the right cert type that NSX requires. I need to do some more investigation...

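A way to read back the fields the replies above ask about (subject DN, SAN and the server/client EKU) from an OpenSSL-generated certificate, as an added example that is not part of this thread; the peer FQDN, organisation and file paths are constructed placeholders, and the check functions can be pointed at any PEM certificate.

```shell
#!/bin/sh
# Added example (not from the thread): mint a self-signed test certificate with
# a DNS SAN and client+server EKU, then read back the fields the replies above
# ask about. The FQDN, paths and organisation are constructed placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PEER_FQDN="esg1.lab.example"   # hypothetical peer FQDN

# make_test_cert: self-signed cert whose SAN carries the peer FQDN and whose
# EKU lists both serverAuth and clientAuth (an IKE peer may be either side).
# Needs OpenSSL 1.1.1+ for -addext and for the x509 -ext option used below.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/peer.key" -out "$WORK/peer.crt" \
    -subj "/CN=$PEER_FQDN/O=Lab" \
    -addext "subjectAltName=DNS:$PEER_FQDN" \
    -addext "keyUsage=digitalSignature,keyEncipherment" \
    -addext "extendedKeyUsage=serverAuth,clientAuth" >/dev/null 2>&1
}

# cert_subject CERT: prints the subject DN, e.g. "CN = esg1.lab.example, O = Lab"
cert_subject() { openssl x509 -in "$1" -noout -subject | sed 's/^subject=//'; }

# cert_ext CERT NAME: prints the value line of one extension (empty if absent)
cert_ext() {
  openssl x509 -in "$1" -noout -ext "$2" 2>/dev/null | sed -n '2s/^ *//p'
}

# cert_san CERT: e.g. "DNS:esg1.lab.example"
cert_san() { cert_ext "$1" subjectAltName; }

# cert_eku CERT: e.g. "TLS Web Server Authentication, TLS Web Client Authentication"
cert_eku() { cert_ext "$1" extendedKeyUsage; }

# san_has_fqdn CERT FQDN: succeeds only when the SAN contains exactly DNS:FQDN,
# the string an FQDN-type peer ID is compared against.
san_has_fqdn() {
  cert_san "$1" | tr ',' '\n' | sed 's/^ *//' | grep -qx "DNS:$2"
}

# eku_has CERT PURPOSE: succeeds when the EKU text mentions PURPOSE
eku_has() { cert_eku "$1" | grep -q "$2"; }

# Usage: build the cert, then report each field.
make_test_cert
echo "subject: $(cert_subject "$WORK/peer.crt")"
echo "san:     $(cert_san "$WORK/peer.crt")"
echo "eku:     $(cert_eku "$WORK/peer.crt")"
san_has_fqdn "$WORK/peer.crt" "$PEER_FQDN" && echo "SAN matches $PEER_FQDN"
```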