Post NSX for vSphere to VMware NSX migration, an IPSec VPN tunnel may not come up if the IPSec VPN session uses certificate-based authentication.


Article ID: 322602


Updated On:

Products

VMware NSX

Issue/Introduction

Symptoms:
  • In the NSX for vSphere environment you have an IPSec VPN configured, and it uses a certificate for authentication.
  • During the migration the IPSec VPN is migrated to VMware NSX.
  • Once the IPSec VPN migration is complete, the tunnels may go down with the error: "Authentication Failure".


Environment

VMware NSX-T Data Center
VMware NSX-T Data Center 3.x

Cause

In VMware NSX, the Local ID derived from the certificate can differ from the Local ID that NSX for vSphere derived from the same certificate. After the V2T migration the Remote ID configured on the IPSec VPN peer therefore no longer matches the Local ID presented by VMware NSX, and authentication fails.

Resolution

Workaround:
  • On the IPSec VPN peer, edit the Remote ID so that it matches the Local ID now configured on the VMware NSX IPSec VPN session.
  • To find the Remote ID needed on the VPN peer, download the configuration from the VMware NSX side under Networking - VPN - IPSec Sessions: expand the session for this peer and click DOWNLOAD CONFIG. The downloaded file contains the details of the VMware NSX IPSec VPN configuration, including the Local ID, and allows the peer VPN to be configured correctly.
  • For further details, please review the VMware NSX administration guide.
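A quick check a practitioner can run before editing the peer, added here and not part of this article: it compares the Remote ID configured on the peer with the Local ID listed in the downloaded VMware NSX session config, treating the OpenSSL slash notation and the RFC 4514 comma notation of the same distinguished name as equivalent, and reporting whether the two IDs differ only in notation, only in RDN order, or in identity. It assumes both IDs are certificate distinguished names; all sample values are constructed.

```python
import re

def parse_dn(dn: str) -> list:
    """Split a distinguished name into (attribute, value) pairs, root RDN first.

    Accepts the OpenSSL slash form (/C=US/O=Example/CN=vpn-gw) and the
    RFC 4514 comma form (CN=vpn-gw, O=Example, C=US). RFC 4514 lists the
    most specific RDN first, so the comma form is reversed to match the
    slash form's root-first order. Escaped commas (\\,) inside values are kept.
    """
    dn = dn.strip()
    if dn.startswith("/"):
        parts = [p for p in dn.split("/") if p]
    else:
        parts = re.split(r"(?<!\\),", dn)   # split on unescaped commas only
        parts.reverse()
    rdns = []
    for part in parts:
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns

def compare_ids(peer_remote_id: str, nsx_local_id: str) -> str:
    """Classify how the peer's Remote ID relates to the NSX Local ID."""
    if peer_remote_id.strip() == nsx_local_id.strip():
        return "match"                          # nothing to change on the peer
    peer, nsx = parse_dn(peer_remote_id), parse_dn(nsx_local_id)
    if peer == nsx:
        return "same-dn-different-notation"     # same identity, re-enter in peer's notation
    if sorted(peer) == sorted(nsx):
        return "same-rdns-different-order"      # same RDNs, ordering differs; verify against the cert
    return "mismatch"                           # different identity: wrong cert or wrong peer entry

if __name__ == "__main__":
    # Constructed values: Remote ID left over from NSX for vSphere on the peer,
    # and the Local ID taken from the downloaded VMware NSX session config.
    peer_remote_id = "/C=US/O=Example/CN=vpn-gw"
    nsx_local_id = "CN=vpn-gw, O=Example, C=US"
    print(compare_ids(peer_remote_id, nsx_local_id))
```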


Additional Information

Impact/Risks:
Traffic that should flow through the IPSec VPN tunnel is disrupted while the tunnel is down.