vCNS, vCD, NSX, and IPSEC

One of my customers emailed me today with a question about their vCD environment. They are running vCD 8 and vCNS 5.5. Yes, I know what year it is. No, none of this is supported. But helping people is what I do, and technical challenges are always fun. They have a plan to upgrade to a more recent environment. The target is vCD 9.1 and NSX-V 6.4.4. There are a bunch of steps in between, each with its own problems and gotchas. We’ve worked through a few of them, but this one stumped me.

My customer has site-to-site IPSEC VPN configurations on some of their vCNS edges. This has been working fine and was configured in vCD. After upgrading their vCNS to NSX and then doing another NSX upgrade in their test environment, the IPSEC tunnels went down. After some looking around, they found that their Diffie-Hellman group had changed from dh2 to dh14. Somewhere in the process something broke.

Since I had been able to solve some of their other NSX issues quickly they reached out to me. I read a few things they had found and then called one of my colleagues on the NSX team. He doesn’t do social media so I won’t post his name but needless to say he is a very smart guy and a really good researcher. We sat on the phone for about an hour and figured out what we think is a fix and what the problem is.

Some of this has been documented around the internet, but putting it all in one spot might help someone else. In vCNS and early versions of NSX (6.2.? and before for sure, 6.3.5 and before) the default setting for IPSEC VPN is dh2. Newer releases change to dh14. The old vCNS API in vCD does not specify the dh group and just uses the default. This is a direct call from vCD to the vCNS API. This method of configuration is what is used for standard edges after the upgrade to NSX. When edges are configured as advanced edges in vCD, the NSX Proxy API in vCD is used to talk to the NSX API. The only difference between a standard and advanced edge for vCD is a flag in the database that changes the API being used for configuration.

For my customer, what all this means is that after upgrading to NSX with a default of dh14, the edges change this configuration from the old default to the new default because vCD didn’t specify the field. It was left blank. The NSX Proxy API used for advanced edges explicitly specifies the dh group. By using an advanced edge instead of a standard edge, the problem should be mitigated, as dh2 will be specified in the configuration instead of a default blank. For production, I’ve recommended that once they install NSX, they change their edges to advanced and set the dh group to 2 before they upgrade NSX to a later version. Hopefully this will avoid the issue for them, as it prevents a blank value from defaulting to something different from the old default value. This was all fixed in vCD 8.2 for newly deployed standard edges.
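
As an added example (not from the original post and not VMware code), the following Python compares an edge's IPSEC site configuration saved before and after an upgrade, listing sites that leave the dh group blank and sites whose effective dh group changed. The XML element names (`site`, `name`, `dhGroup`) and both sample documents are assumptions constructed for illustration; the dh2 and dh14 defaults are the ones described above.

```python
import xml.etree.ElementTree as ET

OLD_DEFAULT = "dh2"   # default in vCNS and early NSX, per the post
NEW_DEFAULT = "dh14"  # default in newer NSX releases, per the post

# Constructed sample exports of one edge's IPSEC config. The element names
# (ipsec/sites/site/name/dhGroup) are assumptions made for this example.
BEFORE_XML = """<ipsec><sites>
  <site><name>branch-a</name></site>
  <site><name>branch-b</name><dhGroup>dh2</dhGroup></site>
  <site><name>branch-c</name><dhGroup/></site>
</sites></ipsec>"""
AFTER_XML = """<ipsec><sites>
  <site><name>branch-a</name><dhGroup>dh14</dhGroup></site>
  <site><name>branch-b</name><dhGroup>dh2</dhGroup></site>
  <site><name>branch-c</name><dhGroup/></site>
</sites></ipsec>"""


def site_dh_groups(xml_text):
    """Map site name -> explicit DH group, or None if absent or blank."""
    groups = {}
    for site in ET.fromstring(xml_text).iter("site"):
        name = (site.findtext("name") or "").strip()
        groups[name] = (site.findtext("dhGroup") or "").strip() or None
    return groups


def unpinned_sites(xml_text):
    """Pre-upgrade check: sites that rely on whatever the default is."""
    return sorted(n for n, dh in site_dh_groups(xml_text).items() if dh is None)


def dh_drift(before_xml, after_xml, old_default=OLD_DEFAULT, new_default=NEW_DEFAULT):
    """Post-upgrade check: (site, old, new) where the effective group changed."""
    before, after = site_dh_groups(before_xml), site_dh_groups(after_xml)
    drift = []
    for name in sorted(before.keys() & after.keys()):
        old = before[name] or old_default
        new = after[name] or new_default
        if old != new:
            drift.append((name, old, new))
    return drift


if __name__ == "__main__":
    print("unpinned before upgrade:", unpinned_sites(BEFORE_XML))
    for name, old, new in dh_drift(BEFORE_XML, AFTER_XML):
        print(f"{name}: effective DH group {old} -> {new}")
```
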
