After an NSX for vSphere to VMware NSX migration, the IPSec VPN tunnel may not come up if the IPSec VPN session uses certificate-based authentication.
Article ID: 322602
Products
VMware NSX
Issue/Introduction
Symptoms:
In the NSX for vSphere environment you have an IPSec VPN configured that uses a certificate for authentication.
During the migration the IPSec VPN is migrated to VMware NSX.
Once the IPSec VPN migration is complete, the tunnels may go down with the error: "Authentication Failure".
Environment
VMware NSX-T Data Center 3.x
Cause
In VMware NSX, the Local ID derived from the certificate can differ from the Local ID that NSX for vSphere derived from the same certificate. The Local ID presented by VMware NSX therefore no longer matches the remote ID configured on the IPSec VPN peer after the V2T migration.
Resolution
On the peer for the IPSec VPN, edit the remote ID to match the now configured Local ID on the VMware NSX IPSec VPN.
To find the Remote ID needed on the VPN peer, download the configuration from the VMware NSX side under Networking > VPN > IPSec Sessions: expand the session for this peer and click DOWNLOAD CONFIG. This file contains the details of the VMware NSX IPSec VPN configuration, including the Local ID, and allows the peer VPN to be configured correctly.
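The following is an added example, not code from the KB article or from VMware NSX. It illustrates the failure mode above in a checkable form: the remote ID a peer was configured with is compared against the identity the migrated gateway now presents, and the check distinguishes "same certificate subject, different string rendering" (the V2T case, where the peer's remote ID must be re-entered exactly as NSX presents it) from a genuinely different identity. The KB does not state which rendering either product derives from the certificate, so the DN formats handled here, the hostnames and the peer records are all constructed assumptions.

```python
"""Added example, not from the VMware KB article or from NSX.

Compares an IPSec peer's configured remote ID with the Local ID the other side
presents during IKE authentication, and reports what the peer needs changed.
All DN renderings, hostnames and peer records below are constructed.
"""
import re
from typing import Dict, List, Tuple

RDN = Tuple[str, str]  # (attribute type, value), e.g. ("CN", "vpn-gw.example.test")


def parse_dn(text: str) -> List[RDN]:
    """Split a DN rendering into (attribute, value) pairs.

    Renderings handled (assumed for this example; the KB does not say which form
    either product derives from the certificate):
      /C=US/O=Example Corp/CN=vpn-gw.example.test    OpenSSL one-line, root first
      CN=vpn-gw.example.test,O=Example Corp,C=US     RFC 4514, leaf first
      CN=vpn-gw.example.test, O=Example Corp, C=US   RFC 4514 with spaces
    Escaped separators inside attribute values are not handled.
    """
    text = text.strip()
    if text.startswith("/"):
        parts = [p for p in text.split("/") if p]
    else:
        parts = [p for p in re.split(r"\s*,\s*", text) if p]
    rdns: List[RDN] = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"not an attribute=value pair: {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def canonical_dn(text: str) -> Tuple[RDN, ...]:
    """Order-insensitive form used only to detect 'same subject, different
    rendering'. Attribute types are case-folded; values are kept as-is because
    IKE implementations generally compare DN values byte for byte."""
    return tuple(sorted(parse_dn(text)))


def classify_id(configured_remote_id: str, presented_local_id: str) -> str:
    """Classify the peer's configured remote ID against the presented Local ID.

    "match"      identical strings; the peer accepts the identity
    "rendering"  same identity in a different string form; the peer must be
                 updated to the exact form the local side presents
    "mismatch"   a different identity altogether
    """
    if configured_remote_id == presented_local_id:
        return "match"
    looks_like_dn = "=" in configured_remote_id and "=" in presented_local_id
    if looks_like_dn:
        try:
            if canonical_dn(configured_remote_id) == canonical_dn(presented_local_id):
                return "rendering"
        except ValueError:
            pass
    # FQDN or e-mail style IDs: the host part is case-insensitive
    elif configured_remote_id.lower() == presented_local_id.lower():
        return "rendering"
    return "mismatch"


def check_peer(peer_config: Dict[str, str], presented_local_id: str) -> Dict[str, str]:
    """Evaluate one peer record and state the action for the administrator.
    `peer_config` is a constructed dict, not any vendor's configuration format."""
    verdict = classify_id(peer_config["remote_id"], presented_local_id)
    action = {
        "match": "no change needed",
        "rendering": f"set remote ID to exactly: {presented_local_id}",
        "mismatch": f"remote ID names a different peer; expected form: {presented_local_id}",
    }[verdict]
    return {"peer": peer_config["name"], "verdict": verdict, "action": action}


# Constructed sample data: the peers were configured against the ID the old
# gateway derived from the certificate; the migrated gateway presents a
# different rendering of the same subject (assumed V2T behaviour for illustration).
OLD_LOCAL_ID = "/C=US/O=Example Corp/CN=vpn-gw.example.test"
NEW_LOCAL_ID = "CN=vpn-gw.example.test, O=Example Corp, C=US"

SAMPLE_PEERS = [
    {"name": "branch-a", "remote_id": OLD_LOCAL_ID},   # needs re-entry -> "rendering"
    {"name": "branch-b", "remote_id": NEW_LOCAL_ID},   # already updated -> "match"
    {"name": "branch-c", "remote_id": "CN=other-gw.example.test, O=Example Corp, C=US"},
]

if __name__ == "__main__":
    for peer in SAMPLE_PEERS:
        print(check_peer(peer, NEW_LOCAL_ID))
```

Run the block to see one verdict per constructed peer; `branch-a` is the post-migration case the KB describes, and the reported action is the resolution above: re-enter the peer's remote ID exactly as the VMware NSX side presents its Local ID.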