VMware Networking Community
bustmove-ls
Contributor

About IPsec VPN Phase 1 Negotiation mode

Hi there. This is my first topic here.

I'm using NSX 4.1.0.2 to create IPsec VPNs with other branches, but I found it did not support aggressive mode. I googled some pages; only a few old docs mention that it only supports "Main Mode".

The VMware NSX-V docs (2019/5) show: "NSX Data Center for vSphere supports only the standard negotiation mode (main mode)":
https://docs.vmware.com/en/VMware-NSX-Data-Center-for-vSphere/6.4/com.vmware.nsx.troubleshooting.doc...

The IPsec VPN Settings Reference (2022/6) shows: "Main mode (Disable aggressive mode)"
https://docs.vmware.com/en/VMware-Cloud-on-AWS-GovCloud-(US)/services/vmc-govcloud-networking-securi...

My question is: Why does NSX IPsec VPN not support Aggressive Mode? Is there any possibility of supporting this mode in the future?

Thanks a lot!


5 Replies
DanielKrieger
Enthusiast

I am not a friend of the aggressive mode. The main mode also protects the identity of the endpoints by encrypting their information, while the aggressive mode sends it in plain text. Maybe that's why VMware doesn't support this mode. In general, I don't know of any plans to change it.

----------------------------------------------------------------------
My Blog: https://evoila.com/blog/author/danielkrieger/
bustmove-ls
Contributor

Thanks dude.

Some of our customers set the device with an internal IP (172.16.x.x, 10.x.x.x) and use aggressive mode IKE with NAT traversal.

They don't like to change, so I am trying to figure it out. But NSX does not support aggressive mode.

Or can NSX IPsec VPN process NAT traversal in main mode?

DanielKrieger
Enthusiast

I haven't done much with VPN and NSX in the past, but if I remember correctly, NSX can't do NAT-T. In this case you need a NAT device in front of your edge node. I'm not 100% sure though; maybe someone else can comment.

----------------------------------------------------------------------
My Blog: https://evoila.com/blog/author/danielkrieger/
bustmove-ls
Contributor

I noticed there was a "NAT-T" shown in CLI mode when I input the "get ipsecvpn ipsecsa" command on the edge, but I'm not sure where it is in the web UI.

bustmove-ls (Accepted Solution)
Contributor

Finally, I found the "NAT-T" was an automatic option. When the Peer ID was an internal IP and the Peer IP was a public IP, NSX automatically set the NAT-T option to "TRUE".

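As an added example (not from the thread and not VMware's code), the rule in the accepted answer written as a small check you can run against your own peer list before looking at the edge CLI: the session names and addresses below are constructed, and the function assumes that "Peer ID is an internal IP, Peer IP is a public IP" is the only trigger for automatic NAT-T.

```python
import ipaddress

# RFC 1918 ranges; the thread's branch devices sit on 172.16.x.x / 10.x.x.x.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(value: str) -> bool:
    """True only when value parses as an IP address inside an RFC 1918 range."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:          # FQDN or e-mail style IDs are not addresses
        return False
    return any(ip in net for net in RFC1918)


def nat_t_expected(peer_id: str, peer_ip: str) -> bool:
    """Rule from the accepted answer (assumed here to be the only trigger):
    NAT-T is set automatically when the Peer ID is an internal address
    while the Peer IP (the address the edge actually talks to) is public."""
    if not is_rfc1918(peer_id):
        return False
    try:
        ipaddress.ip_address(peer_ip)
    except ValueError:
        return False            # a non-IP remote endpoint cannot match the rule
    return not is_rfc1918(peer_ip)


def audit(peers: dict) -> dict:
    """Map each session name to 'NAT-T (auto)' or 'direct' for review."""
    return {name: ("NAT-T (auto)" if nat_t_expected(pid, pip) else "direct")
            for name, (pid, pip) in peers.items()}


# Constructed sample sessions (documentation addresses, not real peers).
SAMPLE_PEERS = {
    "branch-a": ("172.16.5.10", "203.0.113.7"),        # behind NAT: internal ID, public endpoint
    "branch-b": ("198.51.100.20", "198.51.100.20"),    # public on both sides
    "lab":      ("10.1.1.1", "10.1.1.1"),              # routed internally, no NAT in the path
    "branch-c": ("vpn.branch-c.example", "203.0.113.9"),  # FQDN ID: rule does not apply
}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_PEERS).items():
        print(f"{name:10s} {verdict}")
```

Sessions reported as "NAT-T (auto)" are the ones to compare against the NAT-T field in `get ipsecvpn ipsecsa` output.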