Hi all,
trying to get some insight here... Would appreciate all comments.
NSX-T 3.2, two data centers, stand-alone NSX-T in each.
Single T1 on each site with VLAN-backed segments. Gateways are configured as service interfaces on a single T1, attached to two segments: external network "segment1-dmz" (167.100.110.1/24) and internal network "segment2-int" (10.1.0.1/24).
The goal is to have a site-to-site IPsec Policy-based VPN and connectivity between internal segments 10.1.0.1/24 on Site1 and 10.2.0.1/24 on Site2.
When attempting to configure a Site 1 Local Endpoint with IP address 167.100.110.254/24 with VPN Service attached to segment1-dmz, we get a "Realization Error":
Feb 19, 2024, 8:40:00 AM : [error_code=110113, module_name=VPN, error_message='Local Endpoint IP 167.100.110.254 overlaps with logical router port(s) [t1-t1-gw-default-segment1-dmz-svclrp] IPs.']
T0 cannot be selected for VPN Service attachment (I'm guessing because it's active/active?).
I'm looking for any insights on how to configure the site-to-site IPsec VPN in this case. Do we need to create another T1 dedicated to the external segment1-dmz that will house service_interface1 167.100.110.1/24, and configure the VPN with attachment to segment2-int and the local endpoint set to 167.100.110.254?
Site1:
T0-gw: (active/active)
T1-gw: two VLAN-backed segments
- segment1-dmz - service_interface1 167.100.110.1/24 (vlan 100)
- segment2-int - service_interface2 10.1.0.1/24 (vlan 10)
Site2:
T0-gw: (active/active)
T1-gw: two VLAN-backed segments
- segment1-dmz - service_interface1 167.100.111.1/24 (vlan 200)
- segment2-int - service_interface2 10.2.0.1/24 (vlan 20)
Thanks!
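The realization error above reports an "overlap" between a local endpoint (167.100.110.254, entered by the poster with a /24) and a router port whose address is 167.100.110.1, so the two addresses are not equal and the collision must be at the subnet level or in some rule the post doesn't show. The script below is an added example, not part of the post and not NSX code: it uses Python's ipaddress module to state the two readings of "overlap" precisely (endpoint address equals a port address, or the endpoint given with a prefix overlaps a port's subnet) and to run the standard policy-based VPN sanity check that the local and remote protected subnets do not overlap. The site-2 port name and the exact rule NSX applies at realization time are assumptions; the addresses and the site-1 port name come from the post.

```python
"""Pre-flight address checks for the two-site T1 IPsec layout in the post.

Added example, not NSX code. It reproduces the address arithmetic behind
an "overlap" check so the candidate configurations can be compared
precisely; it does not reproduce NSX's actual realization logic (assumption).
"""
import ipaddress

# Constructed from the topology in the post. The site-1 DMZ port name is the
# one quoted in the error message; the other port names are assumed to
# follow the same pattern.
SITES = {
    "site1": {
        "ports": {
            "t1-t1-gw-default-segment1-dmz-svclrp": "167.100.110.1/24",
            "t1-t1-gw-default-segment2-int-svclrp": "10.1.0.1/24",
        },
        "local_endpoint": "167.100.110.254/24",   # exactly as entered in the post
        "protected": "10.1.0.0/24",               # segment2-int, host bits cleared
    },
    "site2": {
        "ports": {
            "t1-t1-gw-default-segment1-dmz-svclrp": "167.100.111.1/24",
            "t1-t1-gw-default-segment2-int-svclrp": "10.2.0.1/24",
        },
        "local_endpoint": "167.100.111.254/24",
        "protected": "10.2.0.0/24",
    },
}


def endpoint_conflicts(local_endpoint, ports):
    """Return [(port_name, reason)] for each router port the endpoint collides with.

    reason == "address": the endpoint IP is the same as the port IP.
    reason == "subnet":  the endpoint was entered with a non-host prefix and
                         that subnet overlaps the port's subnet.
    A bare host address (no prefix, or /32) only triggers the "address" case.
    """
    le = ipaddress.ip_interface(local_endpoint)
    host_only = le.network.prefixlen == le.network.max_prefixlen
    found = []
    for name, cidr in ports.items():
        port = ipaddress.ip_interface(cidr)
        if le.ip == port.ip:
            found.append((name, "address"))
        elif not host_only and le.network.overlaps(port.network):
            found.append((name, "subnet"))
    return found


def policy_rule_conflicts(local_nets, remote_nets):
    """Policy-based VPN: a local protected subnet must not overlap a remote one."""
    bad = []
    for local in local_nets:
        for remote in remote_nets:
            if ipaddress.ip_network(local).overlaps(ipaddress.ip_network(remote)):
                bad.append((local, remote))
    return bad


def check_site(site, peer):
    """Run both checks for one site against its peer and return the findings."""
    s, p = SITES[site], SITES[peer]
    host_form = s["local_endpoint"].split("/")[0]
    return {
        # the endpoint exactly as entered (with its /24)
        "endpoint_as_entered": endpoint_conflicts(s["local_endpoint"], s["ports"]),
        # the same endpoint as a bare host address
        "endpoint_as_host": endpoint_conflicts(host_form, s["ports"]),
        # local vs remote protected networks of the policy-based tunnel
        "policy_rule": policy_rule_conflicts([s["protected"]], [p["protected"]]),
    }


if __name__ == "__main__":
    for site, peer in (("site1", "site2"), ("site2", "site1")):
        for check, result in check_site(site, peer).items():
            print(f"{site:5} {check:20} {'OK' if not result else result}")
```

Run as written, site 1's endpoint "as entered" (167.100.110.254/24) is flagged against the DMZ port at the subnet level while the bare host 167.100.110.254 is not, and the 10.1.0.0/24 / 10.2.0.0/24 policy rule is clean. That separates the question the post asks (does NSX object to the /24, or to any second address on the service interface's subnet?) from the address arithmetic; it cannot answer it, because the rule NSX applies is not on the page.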