VMware NSX Edge Gateway

This guide outlines the steps required to establish a secure IPSec connection between Timus and VMware NSX Edge Gateway in Timus and VMware Cloud Director.

Timus Configuration

Phase 1 – Parameters

• Local Peer Identifier: Timus Gateway Public IP
• Remote Peer Identifier: VMware Gateway Public IP
• Key Exchange Type: IKEv1
• Preshared Key: Your Preshared Key
• Authentication Algorithm: SHA1
• Encryption Algorithm: AES256
• DH Group: modp2048 (Group 14)
• Mode: Main
• Create Firewall Rules Automatically: Enabled

Phase 1 – Miscellaneous

• Responder Only: False
• Margin Time: 60 seconds
• Lifetime: 28800 seconds
• Dead Peer Detection (DPD): Enabled
  • DPD Delay: 10 seconds
  • DPD Max Failure: 5
• NAT Traversal: Enabled

Phase 2

• Authentication Algorithm: SHA256
• Encryption Algorithm: AES256
• Protocol: ESP
• Perfect Forward Secrecy (PFS): Disabled
  • PFS Group: modp1024 (Group 2)
• Lifetime: 3600 seconds
• Tunnel Protocol: ALL
• Create Firewall Rules Automatically: Enabled

VMware NSX Edge Gateway Configuration

1. Locate the Edge Gateway

• Navigate to Networking → Edge Gateways
• Select your gateway (e.g., Your GW Name)

2. Create the IPSec Tunnel

• Click on IPSec VPN then New

General Settings:

• Name: Timus
• Type: Policy Based
• Security Profile: Default
• Status: Active
• Logging: Inactive (optional)

Peer Authentication:

• Mode: Pre-Shared Key
• Key: Must match Timus

Endpoint Configuration:

• Local IP: VMware Public IP (e.g., 1.2.3.4)
• Local Networks: Your LAN Subnet
• Remote IP: Timus GW Public IP
• Remote Networks: 192.168.249.0/24

3. Customize the Security Profile

Click the three dots next to the tunnel and select Security Profile Customization.

Phase 1 (IKE Profile):

• Version: IKEv1
• Encryption: AES 256
• Digest: SHA1
• DH Group: Group 14
• Lifetime: 28800 seconds

Phase 2 (Tunnel):

• Encryption: AES 256
• Digest: SHA256
• DH Group: Group 2
• PFS: Disabled
• Lifetime: 3600 seconds
• DPD Interval: 5 seconds

4. Create IP Sets

• Go to Networking → IP Sets
• Click New
• Add subnets like 192.168.249.0/24 (Timus) and your internal LAN

5. Configure Firewall Rules

• Navigate to Firewall → Rules → New
• Add two-way traffic rules between VMware LAN and Timus subnet

Example Rules:

• Source: Your LAN Subnet → Destination: Timus subnet → Action: Allow
• Source: Timus subnet → Destination:Your LAN Subnet → Action: Allow

Final Checks

• Ensure tunnel state is Active
• Firewall rules must match real subnets
• Encryption and DH groups must align on both sides