VMware Networking Community
vmsysadmin20111
Enthusiast

help with NSX-T site-to-site IPSec Policy-based VPN setup

Hi all,

Trying to get some insight here... would appreciate all comments.

NSX-T 3.2, two data centers, stand-alone NSX-T in each.

Single T1 on each site with vlan-backed segments. The gateway interfaces are configured as service interfaces on a single T1, attached to two segments: the external network "segment1-dmz" (167.100.110.1/24) and the internal network "segment2-int" (10.1.0.1/24).

The goal is to have a site-to-site IPsec Policy-based VPN and connectivity between internal segments 10.1.0.1/24 on Site1 and 10.2.0.1/24 on Site2.

When attempting to configure a Site 1 Local Endpoint with IP address 167.100.110.254/24 with VPN Service attached to segment1-dmz, we get a "Realization Error":
Feb 19, 2024, 8:40:00 AM : [error_code=110113, module_name=VPN, error_message='Local Endpoint IP 167.100.110.254 overlaps with logical router port(s) [t1-t1-gw-default-segment1-dmz-svclrp] IPs.']

T0 cannot be selected for VPN Service attachment (I'm guessing because it's active/active?).

I'm looking for any insights on how to configure the site-to-site IPSec VPN in this case - do we need to create another T1 dedicated to the external segment1-dmz that will house the service_interface1 167.100.110.1/24, and configure the VPN with attachment to segment2-int with local endpoint set to 167.100.110.254?

Site1:
T0-gw: (active/active)
T1-gw: two vlan-backed segments
- segment1-dmz - service_interface1 167.100.110.1/24 (vlan 100)
- segment2-int - service_interface2 10.1.0.1/24 (vlan 10)

Site2:
T0-gw: (active/active)
T1-gw: two vlan-backed segments
- segment1-dmz - service_interface1 167.100.111.1/24 (vlan 200)
- segment2-int - service_interface2 10.2.0.1/24 (vlan 20)

Thanks!

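As an added illustration (not code from the thread or from VMware), the following Python pre-flight models the topology in the post and reproduces the overlap check behind the realization error. The rule it encodes is an assumption inferred from the error text: a local endpoint IP is rejected when it falls inside the subnet of a service interface on the same T1, whether or not it is that interface's own address. It also checks that the two protected networks of the policy-based VPN are disjoint.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ServiceInterface:
    gateway: str   # T1 gateway the service interface lives on
    segment: str   # vlan-backed segment it is attached to
    address: str   # interface IP with prefix length


# Topology transcribed from the original post (constructed sample, not an NSX-T export).
SITE1 = [
    ServiceInterface("T1-gw", "segment1-dmz", "167.100.110.1/24"),
    ServiceInterface("T1-gw", "segment2-int", "10.1.0.1/24"),
]
SITE2 = [
    ServiceInterface("T1-gw", "segment1-dmz", "167.100.111.1/24"),
    ServiceInterface("T1-gw", "segment2-int", "10.2.0.1/24"),
]


def overlapping_ports(local_endpoint_ip, interfaces, gateway):
    """Service interfaces on `gateway` whose subnet contains the candidate endpoint IP.
    Assumption drawn from error_code=110113 in the thread: any hit means NSX-T will
    refuse the local endpoint, including the interface's own (primary) IP."""
    candidate = ipaddress.ip_address(local_endpoint_ip)
    return [si for si in interfaces
            if si.gateway == gateway
            and candidate in ipaddress.ip_interface(si.address).network]


def policy_networks_ok(local_network, remote_network):
    """Policy-based VPN sanity check: protected local and remote networks must not overlap."""
    return not ipaddress.ip_network(local_network).overlaps(ipaddress.ip_network(remote_network))


def preflight(local_endpoint_ip, interfaces, gateway):
    """Short verdict in the spirit of the realization error message."""
    hits = overlapping_ports(local_endpoint_ip, interfaces, gateway)
    if hits:
        ports = ", ".join(f"{si.segment} ({si.address})" for si in hits)
        return f"REJECT: Local Endpoint IP {local_endpoint_ip} overlaps with port(s) {ports}"
    return f"OK: {local_endpoint_ip} is outside every service interface subnet on {gateway}"


if __name__ == "__main__":
    # Both candidates tried in the thread collide with segment1-dmz's /24 on the shared T1.
    for ip in ("167.100.110.254", "167.100.110.1"):
        print(preflight(ip, SITE1, "T1-gw"))
    print("protected networks disjoint:", policy_networks_ok("10.1.0.0/24", "10.2.0.0/24"))
```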
vmsysadmin20111
Enthusiast

Thanks for the link, but it's still not clear what our options are. The page you linked to says:

"...for the local endpoint. The IP address must be either the primary IP of the edge gateway, or an IP address that is separately allocated to the edge gateway."

Does that mean that if we want to configure the VPN Local Endpoint on our shared T1, we need to use the service interface IP address 167.100.110.1 and not 167.100.110.254?

vmsysadmin20111
Enthusiast

I'm sorry, but the last documentation link is not helpful - it talks about L2 VPN, and we are setting up IPsec VPN, without the Cloud Director.

If you have a configuration example for an IPsec VPN given the T1 service interfaces configuration provided in the original post, please share.

Thanks!

mhb4ever
Enthusiast

OK... what's not clear in the first document?

mhb4ever
Enthusiast

And can you check this and give me your feedback?

https://faatech.be/configuring-ipsec-vpn-in-nsx-t/

vmsysadmin20111
Enthusiast

I've tried to use the "primary IP of the edge gateway" for the Local Endpoint IP; unfortunately, it gave the same error.

T1 service interface:

[screenshot: gateway_interface.png]

Local Endpoint, realization failure with "Local Endpoint IP XX.XX.10.254 overlaps with logical router port(s) IPs."

[screenshot: local_endpoint.png]

mhb4ever
Enthusiast

Can you check the status of IPSec Sessions under the VPN Services tab?

vmsysadmin20111
Enthusiast

Please refer to the original question, where I describe the current configuration. The external segment "segment1-dmz" with the service_interface1 167.100.110.1/24 (the vlan-backed segment where we are trying to attach the VPN Local Endpoint interface) is on the same T1. It's not hosted somewhere upstream. I already did the google search, and I'm not looking for links to random posts or documentation.

I'm looking for ideas on what the VPN configuration will look like where the external IPs are on the same T1 as the internal ones that we are trying to connect, if that's even possible. It sounds like a separate T1 would be required to host external service_interface1 167.100.110.1/24, and another T1 would be hosting internal service_interface2 10.1.0.1/24, with VPN service attachment and 167.100.110.254 IP for the endpoint.

Thanks!
