L2 VPN

An L2 VPN allows you to stretch multiple logical networks across multiple sites. The networks can be both traditional VLANs and VXLANs. In such a deployment, a virtual machine can move between sites without a change in its IP address.

An L2 VPN is deployed as a client and server where the destination Edge is the server and the source Edge is the client. Both the client and the server learn the MAC addresses of both local and remote sites. For any sites that are not backed by an NSX environment, a standalone NSX Edge gateway can be deployed.

Before we begin configuring L2 VPN, ensure that a sub-interface is added to a trunk interface of the NSX Edge. You can learn more on adding a sub-interface in the Edge configuration section of this chapter.

To begin configuration for an L2 VPN, follow these steps:

  1. Go to Home | Networking & Security | NSX Edges, double-click the Edge appliance, and navigate to Manage | VPN | L2 VPN.
  2. To configure the L2 VPN server (the destination Edge), set the L2 VPN Mode to Server and click the Change button.
  3. In Listener IP, select the primary or secondary IP of the Edge. Change the port if needed and select the appropriate Encryption Algorithm.
  4. Select the certificate if one is configured and click OK when done. You can always use a system-generated certificate if needed.
  5. Next, add a peer site. Under the Site Configuration Details tab, click the + icon.
  6. Enter a unique Name for the peer site and a Description if necessary. Enter the User ID and Password that the peer site will use for authentication.
  7. Click Select Sub Interfaces and select the appropriate interfaces. These are the interfaces that are stretched to the client.
  8. If the default gateway for virtual machines is the same across both sites, type the gateway IP in the Egress Optimization Gateway Address field. This allows local routing at each site and increases performance.
  9. Checking Enable Unstretched Networks lets you identify network subnets that you do not wish to extend between the two sites.
  10. Make sure the Enable Peer Site option at the top is checked, then click OK when done.

Let's go ahead and configure the L2 VPN client. The L2 VPN client is the source NSX Edge, which initiates the connection to the destination Edge (the L2 VPN server):

  1. In L2 VPN Mode, select Client and click the Change button.
  2. Enter the Server Address, which is the L2 VPN server IP or FQDN. Select the same Encryption Algorithm as set on the server and select the appropriate Stretched Interfaces.
  3. Type in the Egress Optimization Gateway Address and then the user credentials.
  4. If the client NSX Edge does not have a direct internet connection, it can reach the server NSX Edge over a proxy server, which can be set in the advanced settings.
  5. Click OK and Publish Changes.
  6. Enable the L2 VPN service on the client; this establishes the L2 VPN connectivity between the sites.
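The server and client steps above have to agree with each other (same listener address and port, same encryption algorithm, matching peer-site credentials, stretched interfaces that the server actually selected, and the same egress optimization gateway on both sides) or the tunnel will not come up as intended. The following is an added example, not NSX code and not a call to any NSX API: it models those fields as plain dictionaries and runs a consistency check before you publish. All names and values (the listener IP, the cipher string, the sub-interface names, the credentials) are constructed for illustration.

```python
"""Constructed pre-publish consistency check for an NSX Edge L2 VPN pairing.

Added example: models the server and client settings from the configuration
steps as dictionaries and reports mismatches. It does not talk to NSX.
"""
from ipaddress import ip_address, ip_network


def check_l2vpn_pair(server: dict, client: dict) -> list[str]:
    """Return a list of problems found; an empty list means the pair is consistent."""
    problems = []

    # The client must point at the server's listener and use the same algorithm.
    if client["server_address"] != server["listener_ip"]:
        problems.append("client server_address does not match server listener_ip")
    if client["server_port"] != server["listener_port"]:
        problems.append("client server_port does not match server listener_port")
    if client["encryption_algorithm"] != server["encryption_algorithm"]:
        problems.append("encryption algorithms differ between client and server")

    # The client's User ID must correspond to a peer site defined on the server.
    site = server["peer_sites"].get(client["user_id"])
    if site is None:
        problems.append(f"no peer site on server for user {client['user_id']!r}")
        return problems

    if not site["enabled"]:
        problems.append("peer site exists but Enable Peer Site is not checked")
    if site["password"] != client["password"]:
        problems.append("peer site password does not match the client credentials")

    # Only sub-interfaces selected on the server side can be stretched by the client.
    missing = set(client["stretched_interfaces"]) - set(site["sub_interfaces"])
    if missing:
        problems.append(
            f"client stretches interfaces not selected on the server: {sorted(missing)}"
        )

    # Egress optimization only works when both sites use the same gateway address.
    gw = client.get("egress_gateway")
    if site.get("egress_gateway") != gw:
        problems.append("egress optimization gateway differs between sites")

    # An unstretched subnet must not contain the shared gateway that is meant to
    # be reachable locally at both sites.
    for subnet in site.get("unstretched_networks", []):
        net = ip_network(subnet, strict=False)
        if gw and ip_address(gw) in net:
            problems.append(f"egress gateway {gw} lies inside unstretched network {subnet}")
    return problems


# Constructed sample settings (not taken from any real deployment).
SERVER = {
    "listener_ip": "198.51.100.10",
    "listener_port": 443,
    "encryption_algorithm": "AES256-SHA",
    "peer_sites": {
        "site-b": {
            "enabled": True,
            "password": "example-only",
            "sub_interfaces": ["vnic_0_sub10", "vnic_0_sub20"],
            "egress_gateway": "10.10.10.1",
            "unstretched_networks": ["10.20.0.0/24"],
        }
    },
}

CLIENT = {
    "server_address": "198.51.100.10",
    "server_port": 443,
    "encryption_algorithm": "AES256-SHA",
    "user_id": "site-b",
    "password": "example-only",
    "stretched_interfaces": ["vnic_0_sub10"],
    "egress_gateway": "10.10.10.1",
}


if __name__ == "__main__":
    for problem in check_l2vpn_pair(SERVER, CLIENT) or ["no problems found"]:
        print(problem)
```

Running the script with the sample data prints "no problems found"; changing the client's algorithm or adding a stretched interface the server never selected produces one message per mismatch, which is the kind of check worth doing before Publish Changes rather than after the tunnel fails to establish.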