Some SPs reported losing IPSEC tunnels on their vCD edges after upgrading from NSX 6.2.X to NSX 6.3.x+ with the below error:
NO_PROPOSAL_CHOSEN to “IP address” 500, Oakley Transform [OAKLEY AES CBC (256), OAKLEY SHA1, OAKLEY GROUP MODP1024] refused due to strict flag, no acceptable Oakley Transform, responding to Main Mode.”
After investigating this internally with Engineering, we found out the reason for that is that NSX changed the default Diffie-Hellman to DH-14 from DH-2.
Diffie-Hellman is a protocol used as part of the negotiation for a secure connection
The change was made by the NSX team was obviously for security reasons. However, this change broke the IPSEC tunnels on the vCD edges that are not aware of the change due to the fact that 8.20 vCD has its own Database.
The temporary workaround?
To workaround the issue, the admin will have to change the DH manually from DH14 to DH2 from either NSX UI or the VCD UI noting that each time you do redeploy the vCD edge, you will have to change the DH to 2 as config will override based on the service config in the vCD database.
The Permanent Fix:
The permanent fix is in vCD 9.0 as NSX would be the source of truth in 9.0 even for non advanced edges. With 9.0, we don’t use the service config anymore and doing a redeploy will maintain the state the edge had in NSX.
If you can’t upgrade to vCD 9.0, you can request a hotpatch from GSS for 8.20 that will basically set the vCD edges to be DH2.
Important to note if you haven’t upgraded NSX yet:
If you are ready to upgrade NSX to 6.3+ and you are still on vCD 8.2, requesting and applying this vCD hot patch prior to the NSX upgrade will reduce downtimes and manual work.
Update From Engineering and GSS:
vCD version 184.108.40.206 will have the hot patch described above included. The release is still being tested with QA and will be be launched after it gets the green light from QA.