3 Replies Latest reply on May 22, 2019 5:50 AM by Sreec

    VXLAN traffic over IPSEC Tunnel

    SkyVega


      Had a question that I'm not able to get a clear answer on.



      1. Two DC sites connected with a Point to Point Link and each running NSX-v. Cross VC NSX is desired.
      2. Different types of traffic traverse the P2P link and for those requiring security options, an IPSEC VPN tunnel exists, homed on Firewalls at each end of the P2P link.
      3. Traffic is selectively routed over this tunnel based on security requirements. VXLAN traffic has been identified as traffic meeting requirements.
      4. Assuming MTU issues are addressed, is running VXLAN traffic across an IPSEC tunnel supported? If yes, caveats? If no, why not?



      Thanks all for your expertise,


        • 1. Re: VXLAN traffic over IPSEC Tunnel
          Sreec

          Yes, you can certainly use IPsec or L2 VPN based on the requirement. Since the ask is for IPsec, we should understand that if the use case falls under route-based IPsec tunnels, BGP is the only protocol supported (no static routes either). If you have a mix of policy-based/route-based tunnels, the points below should be noted.


          • You can configure policy-based IPSec VPN tunnels and route-based IPSec tunnels on the same ESG appliance. However, you cannot configure a policy-based tunnel and a route-based tunnel with the same VPN peer site.
          • NSX Data Center supports a maximum of 32 VTIs on a single ESG appliance. That is, you can configure a maximum of 32 route-based VPN peer sites.
          • NSX Data Center does not support migration of existing policy-based IPSec VPN tunnels to route-based tunnels or vice versa.


          Also have a look at the MTU requirements; not in every case do we need a 1600 MTU.

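          Worked sizing example for the MTU point raised in the question and in the reply above. This is added here and is not part of the original thread, of NSX, or of any firewall vendor's documentation: it computes the outer packet size when a full-size VXLAN-encapsulated frame leaving a VTEP is carried inside an ESP tunnel-mode SA between the two perimeter firewalls, and the largest guest MTU a given link can carry without fragmentation. Header sizes follow the RFCs; the suite labels and function names are chosen for this example and are not NSX or firewall configuration keywords.

```python
"""Encapsulation overhead for VXLAN (VTEP-to-VTEP) traffic carried inside an
IPsec ESP tunnel-mode SA, e.g. one terminated on perimeter firewalls.

Added worked example; header sizes follow RFC 7348 (VXLAN), RFC 4303 (ESP),
RFC 3948 (NAT-T) and RFC 4106 (AES-GCM). Suite names are labels chosen here,
not vendor keywords. All sizes are IPv4 packet lengths (Ethernet framing
adds another 14 bytes on the wire).
"""
from dataclasses import dataclass

ETH_HDR = 14         # Ethernet header without FCS or 802.1Q tag
IPV4_HDR = 20        # IPv4 header without options
UDP_HDR = 8
VXLAN_HDR = 8        # RFC 7348: flags, reserved, VNI, reserved
ESP_HDR = 8          # SPI + sequence number
ESP_TRAILER = 2      # pad length + next header
NAT_T_UDP = UDP_HDR  # RFC 3948 UDP encapsulation (port 4500)


@dataclass(frozen=True)
class EspSuite:
    name: str
    iv_len: int   # explicit IV carried in front of the encrypted payload
    icv_len: int  # integrity check value appended after the trailer
    align: int    # (payload + pad + trailer) must be a multiple of this


# Per RFC 3602 (AES-CBC, 16-byte IV), RFC 2404 / RFC 4868 (HMAC ICVs),
# RFC 4106 (AES-GCM, 8-byte IV, 16-byte ICV, 4-byte alignment).
AES_CBC_SHA1 = EspSuite("AES-CBC + HMAC-SHA1-96", iv_len=16, icv_len=12, align=16)
AES_CBC_SHA256 = EspSuite("AES-CBC + HMAC-SHA2-256-128", iv_len=16, icv_len=16, align=16)
AES_GCM_128 = EspSuite("AES-GCM, 16-byte ICV", iv_len=8, icv_len=16, align=4)


def vxlan_outer_ip_len(inner_mtu: int) -> int:
    """Outer IPv4 length a VTEP emits for an inner frame carrying inner_mtu
    bytes of payload: inner Ethernet + VXLAN + UDP + outer IPv4 (+50 bytes)."""
    return inner_mtu + ETH_HDR + VXLAN_HDR + UDP_HDR + IPV4_HDR


def esp_pad_len(payload_len: int, suite: EspSuite) -> int:
    """Padding RFC 4303 requires so payload + pad + trailer is aligned."""
    return (-(payload_len + ESP_TRAILER)) % suite.align


def esp_tunnel_outer_len(inner_ip_len: int, suite: EspSuite, nat_t: bool = False) -> int:
    """Outer IPv4 length after ESP tunnel-mode encapsulation of a whole IP packet."""
    size = (IPV4_HDR + ESP_HDR + suite.iv_len + inner_ip_len
            + esp_pad_len(inner_ip_len, suite) + ESP_TRAILER + suite.icv_len)
    return size + NAT_T_UDP if nat_t else size


def required_link_mtu(inner_mtu: int, suite: EspSuite, nat_t: bool = False) -> int:
    """Minimum IP MTU on the firewall-to-firewall path for a full-size guest
    frame to cross both encapsulations without fragmentation."""
    return esp_tunnel_outer_len(vxlan_outer_ip_len(inner_mtu), suite, nat_t)


def max_inner_mtu(link_mtu: int, suite: EspSuite, nat_t: bool = False) -> int:
    """Largest guest MTU that fits a given link MTU. The outer size is
    non-decreasing in inner_mtu (padding only shifts within one block),
    so the first fit found scanning downward is the maximum."""
    for inner in range(link_mtu, 0, -1):
        if required_link_mtu(inner, suite, nat_t) <= link_mtu:
            return inner
    return 0


def sizing_report(inner_mtu: int = 1500, link_mtu: int = 1600) -> list[str]:
    """One line per suite/NAT-T combination: what the link must carry for
    inner_mtu guests, and what a link_mtu path can actually carry."""
    lines = []
    for suite in (AES_CBC_SHA1, AES_CBC_SHA256, AES_GCM_128):
        for nat_t in (False, True):
            need = required_link_mtu(inner_mtu, suite, nat_t)
            fits = max_inner_mtu(link_mtu, suite, nat_t)
            lines.append(f"{suite.name:30s} NAT-T={nat_t!s:5s} "
                         f"guest {inner_mtu} -> link needs {need}; "
                         f"link {link_mtu} carries guest <= {fits}")
    return lines


if __name__ == "__main__":
    print(f"VXLAN outer IP length for a 1500-byte guest MTU: {vxlan_outer_ip_len(1500)}")
    print("\n".join(sizing_report()))
```

          Running it shows why the 1600 figure quoted for VXLAN alone is not automatically enough once the VTEP traffic is also wrapped in ESP on the firewalls: 1500-byte guests need a path MTU between the firewalls of 1604 (AES-GCM) to 1616 (AES-CBC with HMAC-SHA1 plus NAT-T), while a path fixed at 1600 only carries guests of about 1484 bytes without fragmentation. Whether the link MTU or the guest MTU is adjusted is a design decision, but one of the two has to move.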

          • 2. Re: VXLAN traffic over IPSEC Tunnel
            SkyVega

            Hello Sree,

            Thanks for your response. I'm not sure however that your response addressed the question.

            The IPSEC VPN tunnel in place is not set up by NSX edges. It is configured on the perimeter firewalls, e.g. Cisco/Palo, that the VTEP VXLAN traffic will traverse.


            In effect, for VTEP at site A to communicate with VTEP at site B, their traffic will traverse an IPSEC tunnel established by the perimeter firewalls.

            As I type this, I don't see why this wouldn't be supported, but would like to know if it is.




            • 3. Re: VXLAN traffic over IPSEC Tunnel
              Sreec

              Appreciate you clarifying that. I don't find anything wrong with encrypting (IPSEC) VTEP-to-VTEP traffic between the sites. The actual throughput of the tunnel will certainly be a factor for BUM traffic, considering the NSX design and workload placement. Other than that I'm unsure if there are any potential issues, but it might not be the best candidate when the situation demands you troubleshoot VTEP-to-VTEP connectivity.