NSX · January 1, 2024

Troubleshooting IPsec Tunnel Configuration: Challenges and Workarounds

Introduction: In our ongoing network infrastructure development, we encountered a challenge establishing an IPsec tunnel between the 10.10.1.0/24 and 192.168.10.0/24 networks using a Tier 1 (VCD Org Edge) gateway. Although the design itself is sound, we ran into a roadblock: the Tier 1 does not advertise IPsec VPN-learned routes to the connected Tier 0. Furthermore, attempts to create static routes on the Tier 0 to direct traffic towards the Tier 1 proved unsuccessful.

Problem Description: The primary issue is that the Tier 1 does not automatically advertise IPsec VPN-learned routes to the connected Tier 0. During troubleshooting we found that creating a static route on the Tier 0 pointing towards the Tier 1 was not a viable solution either.

Interestingly, other customers have reportedly been able to manually configure a route on the Tier 0 to address a similar challenge. However, VMware acknowledges that this workaround is not optimal and has limitations.

Known Issue: The crux of the matter is a known issue: VPN static routes are not automatically advertised from the Tier 1 to the Tier 0. Our investigation also revealed that manually creating static routes on the Tier 0 pointing to the Tier 1 is not as straightforward as expected.

Temporary Workaround: For those facing the same issue, a potential workaround is to manually configure a static route on the Tier 0 with the next hop set to the Tier 1's internal IP on the T0-T1 transit link, without specifying any interface. This workaround has worked for some users, but it is temporary in nature and comes with constraints.
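The following is an added example, not code from the original post or from VMware, showing how the workaround can be expressed as a Tier-0 static route via the NSX-T Policy API (`PUT /policy/api/v1/infra/tier-0s/{tier-0-id}/static-routes/{route-id}`). The manager address, Tier-0 id, credentials, and the Tier-1's transit-link address (shown as an address in the default 100.64.0.0/16 transit range) are all assumed placeholders; the network on the far side of the tunnel is the 192.168.10.0/24 from the post. The body deliberately sets only `ip_address` and `admin_distance` on the next hop and no `scope`, which is how "without specifying any interface" maps onto the API, and a check confirms that before anything is sent.

```python
"""Added example (not the post's or VMware's own code): build and push the
Tier-0 static-route workaround through the NSX-T Policy API.

Assumed/placeholder values: NSX_MANAGER, TIER0_ID, the Tier-1 transit-link
address, and the credentials. Replace them for your environment."""
import base64
import ipaddress
import json
import urllib.request

# Constructed values for illustration; replace with your own.
NSX_MANAGER = "https://nsx-manager.example.invalid"   # placeholder
TIER0_ID = "T0-placeholder"                            # placeholder Tier-0 id
REMOTE_NETWORK = "192.168.10.0/24"    # network reached through the IPsec tunnel
T1_TRANSIT_IP = "100.64.0.1"          # assumed Tier-1 side of the T0-T1 transit link


def route_spec_error(network: str, next_hop_ip: str) -> str:
    """Return "" if the route spec is sane, otherwise a short reason.

    Catches the usual typos (host bits set, malformed prefix) and a next hop
    that lies inside the destination prefix, which would never be reachable."""
    try:
        net = ipaddress.ip_network(network, strict=True)
        hop = ipaddress.ip_address(next_hop_ip)
    except ValueError as exc:
        return f"invalid address: {exc}"
    if hop in net:
        return "next hop lies inside the destination prefix"
    return ""


def build_static_route(network: str, next_hop_ip: str, admin_distance: int = 1) -> dict:
    """Build the Policy API StaticRoutes body for the workaround.

    Only ip_address and admin_distance are set on the next hop; no `scope`
    (interface) is given, matching the post's "without specifying any interface"."""
    err = route_spec_error(network, next_hop_ip)
    if err:
        raise ValueError(err)
    return {
        "network": str(ipaddress.ip_network(network)),
        "next_hops": [{"ip_address": next_hop_ip, "admin_distance": admin_distance}],
    }


def route_body_is_interface_free(body: dict) -> bool:
    """True when no next hop names an interface (`scope`), as the workaround requires."""
    return all("scope" not in hop for hop in body["next_hops"])


def apply_static_route(route_id: str, body: dict, user: str, password: str) -> int:
    """PUT the route onto the Tier-0 with HTTP basic auth; returns the HTTP status code."""
    if not route_body_is_interface_free(body):
        raise ValueError("workaround route must not reference an interface")
    url = f"{NSX_MANAGER}/policy/api/v1/infra/tier-0s/{TIER0_ID}/static-routes/{route_id}"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="PUT",
        headers={"Content-Type": "application/json", "Authorization": f"Basic {token}"},
    )
    with urllib.request.urlopen(req) as resp:   # TLS verification stays on
        return resp.status


if __name__ == "__main__":
    body = build_static_route(REMOTE_NETWORK, T1_TRANSIT_IP)
    print(json.dumps(body, indent=2))
    # apply_static_route("ipsec-remote-via-t1", body, "admin", "<password>")
```

Run it as-is to see the request body; uncomment the `apply_static_route` call with real credentials to push the route. Because the route is keyed by `route_id`, re-running the PUT updates the same object rather than creating duplicates, which keeps the workaround easy to remove once the Tier 1 advertises the VPN routes itself.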

Ongoing Investigation and Future Fixes: We want to assure our community that VMware is actively investigating this issue.