2 Replies Latest reply on Jun 2, 2019 9:52 PM by RShankar22

    L3 and L2 VPN

    TamoorAliKhan Lurker

      Hi Champs,

      I have a very silly question regarding the design of NSX if using IPsec or SSL VPN on NSX Edge: for that we need to have a VLAN configured for the public IP, and that too must be reachable to the NSX host for VPN on NSX Edge. Don't you think that it can cause security problems, spanning a public IP all the way through your physical infrastructure to the NSX hosts? Same with L2 VPN?

        • 1. Re: L3 and L2 VPN
          Sreec Master
          vExpertCommunity Warriors

          There is no difference between how L3/L2 VPN (ISAKMP, DH keys, IKE, etc.) operates in NSX compared with configuring/operating it on a physical device. Ideally the appropriate VPN firewall rules will get auto-plumbed, or we could manually configure the same at ESG level and ensure that only the required rules for ingress/egress are enabled while configuring VPN. I don't find a security concern here irrespective of whether we are using a private/public IP. In fact NSX makes the whole network more secure (this is a broader topic). So my advice is: compare your company security standards with NSX VPN (e.g. DH key, SHA values, etc.) if you have a use case, and if NSX supports the same parameters there shouldn't be a second thought. There are other points as well, like from a routing perspective, redundancy, etc., to confirm what is supported/unsupported, and it has much to do with the second phase: designing the network end to end for the connectivity.

          • 2. Re: L3 and L2 VPN
            RShankar22 Enthusiast
            VMware Employees

            Configuring a public IP address on the Edge uplink is for reachability to the remote peer. There is no security concern with this design, as in physical devices we generally block various types of attacks (flood/DDoS).

            Based on your company design you can install a physical firewall or use NAT-T for VPN.
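One way to act on the two points the replies make (compare the VPN parameters with the company baseline, and confirm that only the ingress rules the VPN needs are open on the uplink), as an added example that is not from this thread or from VMware: a small Python checker run over constructed sample data. The baseline values, the `Rule` fields, the peer and edge addresses and the sample rule set are all assumptions for the example; it does not call any NSX API and the auto-plumbed rules on a real ESG may be named and grouped differently.

```python
from dataclasses import dataclass
from typing import Optional

# Company baseline for IPsec/IKE (assumed values for this example, not an NSX default).
BASELINE = {
    "ike_versions": {"ikev2"},
    "min_dh_group": 14,
    "allowed_hash": {"sha256", "sha384", "sha512"},
    "allowed_encryption": {"aes256", "aes256gcm"},
}


def check_ipsec_proposal(proposal: dict, baseline: dict = BASELINE) -> list:
    """Return the points where a proposed IKE/IPsec configuration falls below the baseline."""
    findings = []
    if proposal.get("ike_version") not in baseline["ike_versions"]:
        findings.append(f"ike_version {proposal.get('ike_version')!r} not in {sorted(baseline['ike_versions'])}")
    if proposal.get("dh_group", 0) < baseline["min_dh_group"]:
        findings.append(f"dh_group {proposal.get('dh_group')} below minimum {baseline['min_dh_group']}")
    if proposal.get("hash") not in baseline["allowed_hash"]:
        findings.append(f"hash {proposal.get('hash')!r} not allowed")
    if proposal.get("encryption") not in baseline["allowed_encryption"]:
        findings.append(f"encryption {proposal.get('encryption')!r} not allowed")
    if not proposal.get("pfs", False):
        findings.append("perfect forward secrecy disabled")
    return findings


@dataclass(frozen=True)
class Rule:
    """Simplified uplink firewall rule (constructed shape, not the NSX rule schema)."""
    name: str
    action: str            # "accept" or "deny"
    src: str               # source address or "any"
    dst: str               # destination address or "any"
    proto: str             # "udp", "tcp", "esp", "any"
    port: Optional[int]    # None for protocols without ports (ESP)


# What a site-to-site IPsec peer needs on the uplink: IKE (UDP/500),
# NAT-T (UDP/4500) and ESP (IP protocol 50, no port).
REQUIRED = {("udp", 500), ("udp", 4500), ("esp", None)}


def _label(proto: str, port: Optional[int]) -> str:
    return proto if port is None else f"{proto}/{port}"


def audit_uplink_rules(rules: list, peer_ip: str, edge_ip: str) -> list:
    """Flag accept rules that are broader than the VPN needs, and required rules that are missing."""
    findings = []
    seen = set()
    for r in rules:
        if r.action != "accept":
            continue
        key = (r.proto, r.port)
        if key in REQUIRED:
            seen.add(key)
            # The VPN protocols should only be reachable from the known peer to the edge address.
            if r.src != peer_ip or r.dst != edge_ip:
                findings.append(f"{r.name}: {_label(*key)} should be limited to {peer_ip} -> {edge_ip}")
        elif r.src == "any" and r.dst in (edge_ip, "any"):
            # Anything else open from "any" on the public uplink is not part of the VPN design.
            findings.append(f"{r.name}: {_label(*key)} accepted from any; not needed for the VPN, review or remove")
    for proto, port in sorted(REQUIRED, key=str):
        if (proto, port) not in seen:
            findings.append(f"missing accept rule for {_label(proto, port)}")
    return findings


# Constructed sample data (documentation ranges, not real addresses).
PEER_IP = "203.0.113.10"
EDGE_IP = "198.51.100.20"
WEAK_PROPOSAL = {"ike_version": "ikev1", "dh_group": 2, "hash": "sha1", "encryption": "aes256", "pfs": False}
GOOD_PROPOSAL = {"ike_version": "ikev2", "dh_group": 14, "hash": "sha256", "encryption": "aes256gcm", "pfs": True}
SAMPLE_RULES = [
    Rule("ike", "accept", PEER_IP, EDGE_IP, "udp", 500),
    Rule("nat-t", "accept", "any", EDGE_IP, "udp", 4500),   # too broad: any source
    Rule("esp", "accept", PEER_IP, EDGE_IP, "esp", None),
    Rule("ssh", "accept", "any", EDGE_IP, "tcp", 22),       # unrelated to the VPN
    Rule("default-deny", "deny", "any", "any", "any", None),
]

if __name__ == "__main__":
    for title, items in (("weak proposal", check_ipsec_proposal(WEAK_PROPOSAL)),
                         ("good proposal", check_ipsec_proposal(GOOD_PROPOSAL)),
                         ("uplink rules", audit_uplink_rules(SAMPLE_RULES, PEER_IP, EDGE_IP))):
        print(f"{title}: {items or 'no findings'}")
```

The rule audit deliberately treats a required protocol opened from `any` as a finding rather than as satisfied, which is the case the first reply's "only required rules for ingress/egress" advice is aimed at; on a real edge the peer address check would be fed from the VPN site configuration rather than a constant.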