VMware NSX

  • 1.  NSX - ESG IPSec VPN with certificates - cannot publish changes

    Posted Jan 09, 2019 06:29 AM

    Trying to get IPsec VPN working with certificates, but I keep getting this error when trying to publish changes. The certificates are valid and I can resolve the FQDN via DNS fine. Works fine using PSK. I have tried using the FQDN in the PeerID as the error suggests, but it made no difference. The hosts are on the same subnet, so there is nothing blocking them. The remote peer is a Palo Alto firewall, if that changes anything.

    Any thoughts as to why certs won't work please?

    Thank you.



  • 2.  RE: NSX - ESG IPSec VPN with certificates - cannot publish changes

    Posted Jan 09, 2019 09:53 AM

    Hi,

    I am sure you are following the steps correctly as per the article "Configure the IPsec VPN Site Connections for the Edge Gateway"; still, would it be possible for you to confirm whether you have followed the same steps?



  • 3.  RE: NSX - ESG IPSec VPN with certificates - cannot publish changes

    Posted Jan 10, 2019 07:16 AM

    Thanks for your reply. My configuration is exactly like the one in the document you linked. When I use PSK it works, and very few config changes should be necessary for the cert-authenticated version to work.



  • 4.  RE: NSX - ESG IPSec VPN with certificates - cannot publish changes

    Posted Jan 10, 2019 09:11 AM

    Is it a self-signed cert or 3rd party? And does it have the correct DN, SAN, and authentication (server or client)?



  • 5.  RE: NSX - ESG IPSec VPN with certificates - cannot publish changes

    Posted Jan 10, 2019 06:37 PM

    I'm using this OpenSSL-based tool to generate certs. Link   I have used these certs for web browsing, but I suspect they may not be the right cert type that NSX requires. I need to do some more investigation...
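The attributes the thread asks about (subject DN, a SAN matching the FQDN used as the peer ID, and the client/server authentication EKUs) can be checked on any certificate with plain OpenSSL before it is uploaded to the Edge. The script below is an added example and not from the thread, the NSX documentation or the poster's tool; the peer FQDN `esg1.example.test` is a constructed placeholder, and the script generates its own self-signed test certificate so it runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): build a self-signed test cert with the
# peer FQDN in the SAN plus serverAuth and clientAuth EKUs, then check the
# fields a VPN peer is likely to look at. Requires openssl 1.1.1+ (-addext).
set -e

PEER_FQDN="esg1.example.test"          # constructed placeholder, not a real host
WORKDIR="$(mktemp -d)"

# gen_test_cert: write peer.key/peer.crt into WORKDIR and print the cert path.
gen_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORKDIR/peer.key" -out "$WORKDIR/peer.crt" \
    -subj "/CN=$PEER_FQDN" \
    -addext "subjectAltName=DNS:$PEER_FQDN" \
    -addext "extendedKeyUsage=serverAuth,clientAuth" >/dev/null 2>&1
  echo "$WORKDIR/peer.crt"
}

# cert_subject CERT: print the subject DN (compare with the configured local ID).
cert_subject() {
  openssl x509 -in "$1" -noout -subject
}

# cert_has_san CERT FQDN: succeed only if the SAN list contains DNS:<FQDN>.
# A peer ID given as an FQDN is normally matched against this entry, not the CN.
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# cert_has_eku CERT "TLS Web Client Authentication"|"TLS Web Server Authentication"
# Succeeds if the Extended Key Usage extension lists the named purpose
# (these strings only appear in the EKU section of the -text dump).
cert_has_eku() {
  openssl x509 -in "$1" -noout -text | grep -q "$2"
}

# check_peer_cert CERT FQDN: run all three checks and report each result.
check_peer_cert() {
  cert_subject "$1"
  cert_has_san "$1" "$2" && echo "SAN ok: DNS:$2" || echo "SAN MISSING: DNS:$2"
  cert_has_eku "$1" "TLS Web Client Authentication" \
    && echo "EKU clientAuth ok" || echo "EKU clientAuth MISSING"
  cert_has_eku "$1" "TLS Web Server Authentication" \
    && echo "EKU serverAuth ok" || echo "EKU serverAuth MISSING"
}
```

Point `check_peer_cert` at the certificate you intend to upload and at the FQDN you put in the PeerID field; a missing SAN or EKU line is the first thing to fix before retrying the publish.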