NSX | Plan upgrade with care

Good Morning Folks,

The purpose of this post is to make you aware of an NSX feature that is no longer supported starting from version 6.4.4.

I am sharing it specifically because it is a good example of how you should plan an upgrade.

The feature in question: "Starting from 6.4.4, 3DES as an encryption algorithm in NSX Edge IPsec VPN service is no longer supported."

The questions are: what does this mean, and how will it impact production?

What does it mean?
As you know, an IPsec VPN tunnel has two endpoints, one local and one remote. 3DES is an encryption algorithm used to secure the connection between these two endpoints. In place of 3DES, NSX offers AES, AES256 and AES-GCM. You have to select one of these, because 3DES is no longer supported or listed in NSX Edge version 6.4.4.

Why was it deprecated?

Because it is not strong enough. To elaborate, 3DES was designed to auto-negotiate the encryption value in order to establish the connection, which is not a secure way to connect to a remote site, whereas the other ciphers must be configured identically on both ends for the connection to be established.

How will it impact production?

Let's say 3DES is configured in the phase 2 settings at the remote end and your local end is configured with AES256. On versions prior to 6.4.4 the IPsec VPN tunnel continues to work, but as soon as you upgrade the NSX Edge to 6.4.4 the tunnel goes down, because the two values no longer match. You must change the value at the remote end to match the value at the local end.
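As an added example (not code from the vCloudNotes post or from VMware), here is a small pre-upgrade check in Python that a defender could run over an NSX Edge IPsec configuration before moving to 6.4.4. It assumes the XML shape of the NSX-v REST API response for the edge IPsec config (elements `<site>`, `<name>`, `<peerIp>`, `<encryptionAlgorithm>`, with `tripledes` as the value for 3DES); that element naming, the cipher value spellings and the sample configuration below are assumptions/constructed, so verify them against your own API output. The second check models the scenario above: the local cipher is compared with what the remote administrator reports for each site, so a 3DES/AES256 mismatch is caught before the upgrade rather than as a tunnel outage after it.

```python
import xml.etree.ElementTree as ET

# Cipher values as assumed from the NSX-v API (assumption, not from the post).
SUPPORTED_FROM_6_4_4 = {"aes", "aes256", "aesgcm"}
DROPPED_FROM_6_4_4 = {"tripledes"}  # 3DES is dropped in 6.4.4

# Constructed sample edge IPsec config (two sites, one still on 3DES).
SAMPLE_IPSEC_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<ipsec>
  <enabled>true</enabled>
  <sites>
    <site>
      <name>HQ-to-DC1</name>
      <localIp>203.0.113.10</localIp>
      <peerIp>198.51.100.20</peerIp>
      <encryptionAlgorithm>aes256</encryptionAlgorithm>
    </site>
    <site>
      <name>HQ-to-Partner</name>
      <localIp>203.0.113.10</localIp>
      <peerIp>198.51.100.30</peerIp>
      <encryptionAlgorithm>tripledes</encryptionAlgorithm>
    </site>
  </sites>
</ipsec>
"""


def ipsec_sites(xml_text):
    """Parse every <site> into a dict with name, peer IP and normalised cipher."""
    root = ET.fromstring(xml_text)
    return [
        {
            "name": site.findtext("name", default="?"),
            "peer_ip": site.findtext("peerIp", default="?"),
            "cipher": (site.findtext("encryptionAlgorithm") or "").strip().lower(),
        }
        for site in root.iter("site")
    ]


def sites_losing_cipher(xml_text, target_version=(6, 4, 4)):
    """Sites whose local cipher will no longer be accepted on the target version."""
    if tuple(target_version) < (6, 4, 4):
        return []  # nothing is dropped before 6.4.4
    return [s for s in ipsec_sites(xml_text) if s["cipher"] in DROPPED_FROM_6_4_4]


def peer_mismatches(xml_text, remote_ciphers):
    """Compare each site's local cipher with the cipher the remote side reports.

    remote_ciphers: {site name: cipher} gathered out of band from the peer
    administrator (NSX cannot see the remote configuration itself).
    Returns (site, reason, local cipher, remote cipher) tuples.
    """
    findings = []
    for s in ipsec_sites(xml_text):
        remote = remote_ciphers.get(s["name"])
        if remote is None:
            continue  # no remote information supplied for this site
        remote = remote.strip().lower()
        if s["cipher"] != remote:
            findings.append((s["name"], "mismatch", s["cipher"], remote))
        elif remote in DROPPED_FROM_6_4_4:
            findings.append((s["name"], "both sides use dropped cipher", s["cipher"], remote))
    return findings


if __name__ == "__main__":
    # Constructed remote inventory: DC1 peer still negotiates 3DES.
    remote = {"HQ-to-DC1": "tripledes", "HQ-to-Partner": "tripledes"}
    for s in sites_losing_cipher(SAMPLE_IPSEC_CONFIG):
        print(f"[local] {s['name']} ({s['peer_ip']}): {s['cipher']} is dropped in 6.4.4")
    for name, reason, local, rem in peer_mismatches(SAMPLE_IPSEC_CONFIG, remote):
        print(f"[peer]  {name}: {reason} (local={local}, remote={rem})")
```

Run it against the XML returned for each edge before the upgrade window; any site listed by either function needs its cipher changed to one of `SUPPORTED_FROM_6_4_4` on both ends first.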

So please be aware, and always check the documentation of every new version of every product before upgrading.

Feel free to share any thoughts, doubts or feedback.

Thank you,
Team vCloudNotes