NSX Edge VPN Not Working after Upgrade from 6.2.4 to 6.3.4

November 3, 2017 Jordansphere NSX

Problem: 


After an upgrade of NSX from 6.2.4 to 6.3.4 in a vCloud environment (8.20), several VPNs from NSX Edges to a variety of external devices refused to connect.

Troubleshooting:


We attempted disabling/re-enabling the VPN, redeploying the Edge (and thus upgrading it to 6.3.4) and removing/re-adding the VPN configuration. All failed.

We then looked at the IPsec statistics on the backend via NSX Manager:

Web client -> Home -> Network & Security -> NSX Edges -> {Select NSX Edge} -> IP Sec VPN -> Show IPsec Statistics


The following error displayed:


sending notification
NO_PROPOSAL_CHOSEN to {IP_address} 500, Oakley Transform 
[OAKLEY_AES_CBC (256), OAKLEY_SHA1, OAKLEY_GROUP_MODP1024] 
refused due to strict flag, no acceptable Oakley Transform, 
responding to Main Mode

[Screenshot: oakley_error2]

Resolution:

Edit the VPN configuration via NSX Manager (by selecting the pencil icon) -> Change the Diffie-Hellman Group from DH14 to DH2

[Screenshot: oakley_error3]


It appears that during the upgrade VMware changed the default Diffie-Hellman group to DH14, which broke several VPN connections: the statistics above show the remote peer still proposing OAKLEY_GROUP_MODP1024, which is DH group 2, so the Edge rejected the proposal. Note that DH2 is a 1024-bit group and is widely regarded as too weak for new deployments; where the remote device supports it, moving the peer up to DH14 rather than downgrading the Edge is the stronger long-term fix.
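As an added example (not part of the original post), the following Python parses the Show IPsec Statistics output quoted above, maps the peer's Oakley group name to the DH group number shown in the NSX Manager UI, and reports whether it matches the Edge's configured group. The peer address and log text are constructed samples, and the group-name table is assumed from the standard IKE group numbering.

```python
import re

# Oakley group names as printed in the NSX Edge IPsec statistics, mapped to the
# Diffie-Hellman group numbers shown in the NSX Manager VPN configuration.
OAKLEY_GROUP_TO_DH = {
    "OAKLEY_GROUP_MODP1024": 2,   # "DH2" in the UI; the group the peers here offered
    "OAKLEY_GROUP_MODP1536": 5,
    "OAKLEY_GROUP_MODP2048": 14,  # "DH14" in the UI; the new 6.3.4 default
}

# Constructed sample of the statistics output; the peer address is a placeholder.
SAMPLE_LOG = """sending notification
NO_PROPOSAL_CHOSEN to 203.0.113.10 500, Oakley Transform
[OAKLEY_AES_CBC (256), OAKLEY_SHA1, OAKLEY_GROUP_MODP1024]
refused due to strict flag, no acceptable Oakley Transform,
responding to Main Mode"""

# The UI wraps the entry over several lines, so whitespace is collapsed first.
PROPOSAL_RE = re.compile(
    r"NO_PROPOSAL_CHOSEN to (?P<peer>[0-9a-fA-F.:]+) \d+,\s*"
    r"Oakley Transform\s*\[(?P<transform>[^\]]+)\]"
)

def parse_refused_proposal(log_text):
    """Return the peer and the IKE phase 1 transform it proposed, or None."""
    m = PROPOSAL_RE.search(" ".join(log_text.split()))
    if not m:
        return None
    enc, integ, group = [p.strip() for p in m.group("transform").split(",")]
    return {"peer": m.group("peer"), "encryption": enc, "integrity": integ,
            "oakley_group": group, "peer_dh_group": OAKLEY_GROUP_TO_DH.get(group)}

def diagnose(log_text, edge_dh_group):
    """Explain a NO_PROPOSAL_CHOSEN entry against the Edge's configured DH group."""
    p = parse_refused_proposal(log_text)
    if p is None:
        return "no NO_PROPOSAL_CHOSEN entry found"
    if p["peer_dh_group"] is None:
        return f"peer {p['peer']} proposed unrecognised group {p['oakley_group']}"
    if p["peer_dh_group"] != edge_dh_group:
        return (f"DH group mismatch with {p['peer']}: peer offers DH{p['peer_dh_group']}, "
                f"Edge is configured for DH{edge_dh_group}")
    return f"DH group matches (DH{p['peer_dh_group']}); the mismatch lies elsewhere"

if __name__ == "__main__":
    # After the 6.3.4 upgrade the Edge defaults to DH14 while the peer still offers DH2.
    print(diagnose(SAMPLE_LOG, 14))
```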


Note: This can also now be changed via the vCloud Director Tenant Portal, as seen below:

[Screenshot: oakley_error4]
