NSX-T IPSec VPN improvements (#553)

Author: Didainius

.changes/v2.20.0/553-improvements.md

@@ -0,0 +1,2 @@
+* Improve NSX-T IPSec VPN type `types.NsxtIpSecVpnTunnel` to support 'Certificate' Authentication
+  mode [GH-553] 

govcd/certificates_embedded_test.go

@@ -1,4 +1,4 @@
-//go:build functional || openapi || certificate || alb || nsxt || ALL
+//go:build functional || openapi || certificate || alb || nsxt || network || ALL
 
 /*
  * Copyright 2021 VMware, Inc.  All rights reserved.  Licensed under the Apache v2 License.
@@ -16,4 +16,7 @@ var (
 
 	//go:embed test-resources/key.pem
 	privateKey string
+
+	//go:embed test-resources/rootCA.pem
+	rootCaCertificate string
 )

govcd/nsxt_ipsec_vpn_tunnel_test.go

@@ -58,9 +58,10 @@ func (vcd *TestVCD) Test_NsxtIpSecVpnCustomSecurityProfile(check *C) {
 	check.Assert(err, IsNil)
 
 	ipSecDef := &types.NsxtIpSecVpnTunnel{
-		Name:        check.TestName(),
-		Description: check.TestName() + "-description",
-		Enabled:     true,
+		Name:               check.TestName(),
+		Description:        check.TestName() + "-description",
+		Enabled:            true,
+		AuthenticationMode: types.NsxtIpSecVpnAuthenticationModePSK, // Default value even when it is unset
 		LocalEndpoint: types.NsxtIpSecVpnTunnelLocalEndpoint{
 			LocalAddress:  edge.EdgeGateway.EdgeGatewayUplinks[0].Subnets.Values[0].PrimaryIP,
 			LocalNetworks: []string{"10.10.10.0/24"},
@@ -234,3 +235,84 @@ func runIpSecVpnTests(check *C, edge *NsxtEdgeGateway, ipSecDef *types.NsxtIpSec
 		check.Assert(vpnConfig.IsEqualTo(updatedIpSecVpn.NsxtIpSecVpn), Equals, false)
 	}
 }
+
+func (vcd *TestVCD) Test_NsxtIpSecVpnCertificateAuth(check *C) {
+	skipNoNsxtConfiguration(vcd, check)
+	skipOpenApiEndpointTest(vcd, check, types.OpenApiPathVersion1_0_0+types.OpenApiEndpointFirewallGroups)
+
+	org, err := vcd.client.GetOrgByName(vcd.config.VCD.Org)
+	check.Assert(err, IsNil)
+
+	adminOrg, err := vcd.client.GetAdminOrgByName(vcd.config.VCD.Org)
+	check.Assert(err, IsNil)
+
+	nsxtVdc, err := org.GetVDCByName(vcd.config.VCD.Nsxt.Vdc, false)
+	check.Assert(err, IsNil)
+
+	edge, err := nsxtVdc.GetNsxtEdgeGatewayByName(vcd.config.VCD.Nsxt.EdgeGateway)
+	check.Assert(err, IsNil)
+
+	// Upload Certificates to use in the test
+	aliasForPrivateKey := check.TestName() + "cert-with-private-key"
+	privateKeyPassphrase := "test"
+	certificateWithPrivateKeyConfig := &types.CertificateLibraryItem{
+		Alias:                aliasForPrivateKey,
+		Certificate:          certificate,
+		PrivateKey:           privateKey,
+		PrivateKeyPassphrase: privateKeyPassphrase,
+	}
+
+	certWithKey, err := adminOrg.AddCertificateToLibrary(certificateWithPrivateKeyConfig)
+	check.Assert(err, IsNil)
+	openApiEndpoint, err := getEndpointByVersion(&vcd.client.Client)
+	check.Assert(err, IsNil)
+	check.Assert(openApiEndpoint, NotNil)
+	PrependToCleanupListOpenApi(certWithKey.CertificateLibrary.Alias, check.TestName(),
+		openApiEndpoint+certWithKey.CertificateLibrary.Id)
+
+	// Upload CA Certificate to use in the test
+	aliasForCaCertificate := check.TestName() + "ca-certificate"
+	caCertificateConfig := &types.CertificateLibraryItem{
+		Alias:       aliasForCaCertificate,
+		Certificate: rootCaCertificate,
+	}
+
+	caCert, err := adminOrg.AddCertificateToLibrary(caCertificateConfig)
+	check.Assert(err, IsNil)
+	PrependToCleanupListOpenApi(caCert.CertificateLibrary.Alias, check.TestName(),
+		openApiEndpoint+caCert.CertificateLibrary.Id)
+
+	// Create IPSec VPN configuration with certificate authentication mode
+	ipSecDef := &types.NsxtIpSecVpnTunnel{
+		Name:               check.TestName(),
+		Description:        check.TestName() + "-description",
+		Enabled:            true,
+		AuthenticationMode: types.NsxtIpSecVpnAuthenticationModeCertificate,
+		CertificateRef: &types.OpenApiReference{
+			ID: certWithKey.CertificateLibrary.Id,
+		},
+		CaCertificateRef: &types.OpenApiReference{
+			ID: caCert.CertificateLibrary.Id,
+		},
+
+		LocalEndpoint: types.NsxtIpSecVpnTunnelLocalEndpoint{
+			LocalAddress:  edge.EdgeGateway.EdgeGatewayUplinks[0].Subnets.Values[0].PrimaryIP,
+			LocalNetworks: []string{"10.10.10.0/24"},
+		},
+		RemoteEndpoint: types.NsxtIpSecVpnTunnelRemoteEndpoint{
+			RemoteId:       "custom-remote-id",
+			RemoteAddress:  "192.168.140.1",
+			RemoteNetworks: []string{"20.20.20.0/24"},
+		},
+		SecurityType: "DEFAULT",
+		Logging:      true,
+	}
+
+	runIpSecVpnTests(check, edge, ipSecDef)
+
+	// cleanup uploaded certificates
+	err = certWithKey.Delete()
+	check.Assert(err, IsNil)
+	err = caCert.Delete()
+	check.Assert(err, IsNil)
+}

govcd/test-resources/cert.pem

@@ -1,33 +1,27 @@
 -----BEGIN CERTIFICATE-----
-MIIFxzCCA6+gAwIBAgIUVbryzlRw0ahAY7e9sCTJQN5Q5VowDQYJKoZIhvcNAQEL
-BQAwcjELMAkGA1UEBhMCVVMxDzANBgNVBAgMBk9yZWdvbjERMA8GA1UEBwwIUG9y
-dGxhbmQxFTATBgNVBAoMDENvbXBhbnkgTmFtZTEMMAoGA1UECwwDT3JnMRowGAYD
-VQQDDBFvdGhlci5leGFtcGxlLmNvbTAgFw0yMTEwMTIxMTExMjdaGA80NzU5MDkw
-ODExMTEyN1owcjELMAkGA1UEBhMCVVMxDzANBgNVBAgMBk9yZWdvbjERMA8GA1UE
-BwwIUG9ydGxhbmQxFTATBgNVBAoMDENvbXBhbnkgTmFtZTEMMAoGA1UECwwDT3Jn
-MRowGAYDVQQDDBFvdGhlci5leGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQAD
-ggIPADCCAgoCggIBAPFoIdcexAQJ86OgmU7pS8Wli887AEBUfjIm57vLa7aESwr1
-iI9nABH1Nfgxewj3wp/NtGBpv1TpmlK2L76Wu5veVQ+HnhVZvm+Ya0mIRtbwUyyQ
-WN+ECaJ+E6IGFJqGJjrb5ERu6UOK1CzD5gpaKzHfA0oLWyUzmS6js3Cv8Ln4WiYH
-qK7V1ktFU7pABZk3n58oBYZ+KPzThzuUJqrv0PnYpl/Q5WvpWlEpt1P/IsRLKOop
-q1nMWBB3QKhGAMdaxZELUbw19+9+cEiQZUruOVYBnzKZQMItmIkr+aWRk/XmHn92
-4f13RtPLM4uSWGmr2uG5IBwquxfeJsxSPn9nocs8uTJ9JRodTpyLGbqFdw4Vw10h
-X6LRMvyEuuNvUpKMTF8lGL3v+hIXfx222aB7pH+hnRYHKNb+m0j+J2MQ9O/MNrHz
-LRt/90t8YqHmJBOK9iDGKTjgmuZlshyfgvy89nzlvbKc90df3VI6To/TIKt5tBdC
-jXLxQ+TL6DGL25uPpa7ZHyuKAywHhKBZV6R4jY4wuRuH38LX0fkMdOToYwKZA38M
-5QzTCs9SXtoark3DtKwqaMHWdJk9BviatVaNmLLLerkYDMY/rjR3pGcaa8wCCPNY
-HbzNbC6rD8eyaCluUFVoXLQyJcacA7wzhSR/jeC9G70onPlx0SWl+zzwM5udAgMB
-AAGjUzBRMB0GA1UdDgQWBBRw8FkiYFaoUxPOLBkt43TQ1nK36DAfBgNVHSMEGDAW
-gBRw8FkiYFaoUxPOLBkt43TQ1nK36DAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3
-DQEBCwUAA4ICAQDSAqiJKyO2WXgsL0sl6iryjEijQ/S+dnrk0ICkCiy3bZYb1b3x
-hHtBYN3aV93GTUCX+qypT8KXJzFSuZKKq5Hh00Hk6YhjO0hzUYvsbkfqluuj4ds7
-W1y+s7lUt9AM6XEfs84D1HZz/ez3vRYZ6pvS0hbO2JhEFq/4gPc0GR75K3elBiwd
-WYKr3Aup9A8gBED0xzSnp5fb4si873DaN68xw5e/KPvYvZFTIZxc4XWwkP4alMcw
-aIlajFR+szGJo4NibfiwBWRtq1yvi9wg/roRiI24kAqEh08pTxiFyq7209DjbW6a
-iWH/qtbzmiBxcdqshFPBjry9oxkujWnjfZ7diwMvjUz5OnOVYJHRL5LFd5bwGbpq
-oZZ9mv2z1srveRN7Nne8NKM94aZnPj/xBYbIvJencF5Yxh3rM6Y/nDP+5mtf/+Ks
-qToqFc3nvIiq7AQicR7kdjPAHjoyCMKBSYO+oNKjhtj5+QHXwToumcriESJAEFg9
-JmftGH5Defg90di/AUmJD60nQ1rgclt1huxpZRurSeawtemEvEorB22bPpvzEgX7
-xb7OSp96aoww4GQ4H7Va3uaxiNnuRPdYIis3Alf7bPw0t1A9I1XKR6cA2vSttmum
-1LxNJS0LKnEhMm3fy8g+TiubQYSOyT6qkUiu+J+rSwrDo1QzmvouQD+Jgg==
+MIIEgzCCAusCCQDsvB5Pim4CNzANBgkqhkiG9w0BAQsFADBPMR4wHAYDVQQKExVt
+a2NlcnQgZGV2ZWxvcG1lbnQgQ0ExEjAQBgNVBAsTCVRlcnJhZm9ybTEZMBcGA1UE
+AxMQbWtjZXJ0IFRlcnJhZm9ybTAgFw0yMzAzMDIwNjM0MjZaGA8yMTIzMDIwNjA2
+MzQyNlowNjELMAkGA1UEBhMCVVMxDTALBgNVBAMMBGNlcnQxGDAWBgkqhkiG9w0B
+CQEWCWNlcnRAdGVzdDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKS2
+q+REopxvA3HY1zHRcNO9AcBZ3pGkVR2bSJ+awL9xZk7yjMrhqZ29XtScvs4ZUguS
+3i6hrsY2hUqFWgbucJSObvUc6OBYoelUmNGtzhdwcsppFdZiJSTp2h6+/cZkX+fm
+3xJcrTfzZVeBSniGGuzJHoJNXOaps9ilrOibm7/OZNF13NAe/VIjKPlQA1V3gdGd
+6MAZ0p1IUF3flA9s29bCdsDcdbD6yjIfWfvztWIEx1PbARu9pd6tmg8jc3fvkqru
+d/nfNb3y3rHnSITXxJg3zO8OERXHmw/lGPiJahmzXjTvsk2Qwfb8TKnwtuh7eCEo
+VM54hyY4kxlWKQlpPRv1D+dLzp1BlzJjJxcg+U+86OlwNIaA9+bv9Kzfsw111IOG
+L4CWgxV4F7iYt2CAHdygEqkLImmPpjSXGZN96Rnf3vkSlNMIHatQDIYRZHKP8bq5
+Ww0zIC+pflTA8s1+KfN5qccgiqAwRXv1AKqA9YYx35chljp2qdNbyBQcsnNPiyA5
+XDSgNGsjinKiKWy/VLv947nvgRrPv+iJTuzNyIhmdZr1dDJDPhtjWa7nMgv668e+
+NuAQOitQcFDN9NxjZ6CCJmw33hz0bjXESKsCvUlvfNra/DpESZ8MRKB8CoTgx0ey
+r72C1u/6o+qXZS3mzWdNmyzqR7mUeiRozmxqmiczAgMBAAEwDQYJKoZIhvcNAQEL
+BQADggGBAEf+CntVZefcgpzRNdxgpnEFh4SRiJyjUK7n2mVzd+kzk9K+E9lvJ1Ho
+PPIOdFRvj9rY3k+Q7G4eZL+2tNlN1KSfeRus5awp8tmFDd75kRGSkdCFWjebaq2k
+xvMkxp0E7v/zAN+OghF3ek7JLGQC4e4gCiyYDdB/Rvq3zEex471riqQu8vbs0CCV
+rz8d0NBSWc2XRKFRhLjODhDTLkLnJjIKW7863iFxXxYGHw4ngIXuctXN+QzRuX2r
+OioQSkmmtcmDwugDCX8YcHxZQgqz5+FthO76MugBTcgyBJK4UrJlyW56RZ6orLf3
+527ZRRzWNd2xXMkcXQaneVvqhWydXfk2+vShN+iaU4GMZANP+d+imZuNyHHJKZcP
+CjQJbSQfO3cupfddXUuhEYoCE9WA8GNOWKWBbdyG1gQDyrINCU7XpH0sNH9Sbukz
+iobq+k9KqwClkUOpVr6OIFjmh0s1hdIY3qVa8OVp5Y687FcIGzE/euDqsoFMvkEL
+BIQP07pT0Q==
 -----END CERTIFICATE-----

govcd/test-resources/key.pem

@@ -1,54 +1,52 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIJnDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIyZJXaPnPUVgCAggA
-MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECMwPqNNhiaSbBIIJSHGxsPf33TZn
-xUbOZJcoRk7DNxnUMwNgbUnK+WL213AU0IAaJ5qMsNO8dwk8oOSkNs2K66h9ZGUI
-8GXP/76ndkZEbNy6Xk2Uu7PI+mGSItAQBLdG8izPgYALlEVscqRbDb4NP2v9H7Eu
-oJFvLuxL2xxjC8QL1R/MKqo4ZllKoCxzwdE949UPViPbpm49wMgUOEeS8Kwv0N/1
-HI8o7+KI5enPaIYUjQF6HdkZtcJ/zcMbNzdMNfPfQljBHl1KmGQfVV92Vaoa+E9a
-bj4vf1PUd2Y4QCLhT8yxEYHSm4x7szky3ecsA2lLZPluuEKQOmDdcC596wCQ4Mmv
-/p32xpzuT4eoDBeDHPCM2AdJl/lXFEgdvZQrNUsYGHHhf79aEsZbbREHVxMkcSPz
-3K0IoWAPf3c3zTtG9MJEHLZavwBuGOu5xHIXnL6VIOWHvok/lhNPGbE6azXVTXjD
-9tXV/478GDa5XnGxOzBrsIIWGqf0OMbySG2YIIr7g7BhsQpVVOgCQE3UsVMtWrud
-UUXC68kdreT37V1zDkqpHyUHydvx1eSDAdJHmhnEYW+Dolk80IhfZcYUKEDQEO0z
-nIdfcNjYgKljyvqHRADoK+eNV6p75KMDY5f/E4bGxpirrrijj6duFm+dtDTWNtIm
-RgOj/eLrshbgxRr0GBZSupu0tN86+/TuL/OK9L3yWbJJ1vv+vwGisKysiy2m0D7q
-KnTDK9hpSFOJg2MY7DWgaKl/qAXHgjG3YPfP0T69FYX/mf1tfjwwd3f4GfBdUPus
-7RQJ6nZlk23ajrbvQBYF9KRCelQhVd81h3puSWc2Ip9IVvxb8eZ9s0gGpCBTGj9o
-SFHPStYA8U0h5JEJOkHniy3apytjVmYa+CWBglLF6R+EEDSwZKDsZhWBozxPpUuC
-9p7Lyqj3syJUdfnoCj8jcqWq3dIbWrjsWaKQLVJJW2uNrdNQS7hJpgSaug3qBkFG
-I4hdK+gszYH9qTRrfAXcgqo4wGEELc0eCXhrHETrD98GGT7UpYzONxQ1wYOJ5u+f
-OpTpb2pap08KihLBq4cdwi+S+6alWjEqDPxaZ/4cS2FZCPX/JcghOydEWeH8IarO
-V/iT7wXF4b5yw/SfLq0bsHS8hiGuq9HE3QQrj+1b1Q0I2pxec3Kjvrqd3GUJjk5p
-+MysONs2LGQu8+j8EHodQZjfSpjNmGhqXA7ligmNvfHayT4925xrZZfajUsl8dOO
-a6yNQ6uXUd65JpQz8JOSPqgfhH7IPTSyRgQA9zltkt69w79E370n1cCz15/ujsm6
-JRJsD1519NZhXDOanx5BBQdlMqp+1CsAZNbKMKv4H9hwVJnN+sudOPIXB7cGeeVs
-+xOZsLlw9MgJNOvjbVsFdhduQINcWiKtLkOWST0cZD5uFtvRPpZGvYCQvkbIN8BT
-Qs7J21MFtpmodMLK1AIu3jQJrUScpVGgvsleP/esmibnhi5wO571DT1fDqLXm4aV
-DodEAejG6UgMF2oxK3x5wuVxI6NZYZYjS+PB7HhaFKnRBf5IuFmk+MYJWab9Md+r
-C99Ra/l8SeGmrSw5q1wsUUw6rFOi4hn2jm7u8/oqc2h1z1chmAOQyqaM3Fp0PZRp
-ZO6rMRjSWDRBNrpZU1dEAFxbQ8vsWtkvX07Ov3vSpXUHKg229BFAKAsOnUAhu8MI
-8dT+k5AlTjmRq5NoeLhqkcN+SWYaIe6A46pCY8sDJPs1XUR/dbQVZLcaQCSkcVZQ
-VhAy3t1f2GY8vfCZrW6z4C5v0Zj/Vt/JtkClr8EEkGKuwuPHgca1a7wXXmVA/P4G
-meigHEE6WHIkbjZu6uq2pn4KxhZLhUWg3EXewOQWxNpWzPac8lE5W2/w/tsAb6+o
-xtixRCjAOxin8hJP72aL/kmbBKfrH/8Wkh7uusWSLvJ+iSYOBYRUZ7TKW7nuasXx
-hk3aw7SCEHBkjSU+hmUjaren08R6Cja2usgmIXZPwnO1gTsn8f39CnIlJQ6XbxN+
-IuzHWnY45ihadez6JHfxTbT09hlaO04ojlBLhEyNHJF0r2+LGOcJqGz6SZEHoc4n
-21EGZ4uN6wVZep8Y+telu3h5rBEKc+gV4S8qOCHPkdb9aavCrD+OowVQh4QIHGEr
-m17oGAyBg184DLQvDc4680wGR2R9av3aDs7CK396pVmBx/OBwTODCejJ3t7NT3DS
-+X5P35zNNM6WMZknWRJk9i3kT4NL7kBx0j30o7J4pKnhtW2VLDekaDPp25eqkRLw
-c3re0lcpJF88OqUrH46o7t6XiuXWkFmoJYKqUEqemWiXX94NHpnzROpIk03Td9Mj
-9dQI+KdqjWSazhYQSulbOAU9k4N5IiZgB4tsPY2vZs9iowIrw/BIZrmChx3d63Od
-8uAHN3hldPN2Myqe0p7DA7V0p9Nr4qqM0JbeG7EEDf4XjgeytLYWRm5TJmNBiqA1
-40IWIqHcjQpqf6eD0RzxO0mcy4ZoeIU7dXMzdNsqg66yxRGynHmkKinrwoqsADV9
-gEWVdPqsSgNLycpcuGcOsdH1lTMDovrHvLzOnk8nT/F1LgH2czzRxHcrx2/2Zm60
-nkZ/sU5FKVAE7imuUbYyKRm6tXxLx7a/NNtac51GgcNXC808ycO2KdNJpqsgO6Ub
-1apZe3+WxyiWSRMaQ+Dw7GlR4ZXgdtQTAniDe8I3Be8ZI1uHQtth+IN9mA9CLIb6
-9qQy3eOo5Ip4RIVTdOX3rVGOzOPD57T2K4Cg2XDgWC8g2o+X6Sgv0orwwoqR1QWa
-HN6VOc82KonKAdo1ctnrxWq7JodhQOqZvFRBxvRV9Rdww/GKKE8q0PHYBGNfGAXY
-MC9vflAFIRTaiNTGkmpUwWg0iTaXGu2dVCO/4yTUBVcfubzPacXFocxU0zcEk/ll
-M2yoil/kfRu8JZav9/RZpxLZMz5c32We3xePnDUcSpFYhFdF8MILLc8YaRZ6xRRT
-hwQb1w9x0YvrtUqEE1k8UmSKP0P+H4LfunGp6uTU2zOTHulHQe2VCaARuRO6K3HG
-lDT9qQZ7HVxF+4vuLPMv5pFwjVoxi4LK9NBL0bJ1VoaSQ/uqOjYxdv00bo1gb9I4
-fdRskEjVssBI4Aie5ml/CShML1Unys6hLtvmsY+5pFcXRhgoPRPJDVghkqqe7rJh
-X/zTeUPmGZPiLyL4CMCPoQ==
------END ENCRYPTED PRIVATE KEY-----
+-----BEGIN PRIVATE KEY-----
+MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQCktqvkRKKcbwNx
+2Ncx0XDTvQHAWd6RpFUdm0ifmsC/cWZO8ozK4amdvV7UnL7OGVILkt4uoa7GNoVK
+hVoG7nCUjm71HOjgWKHpVJjRrc4XcHLKaRXWYiUk6doevv3GZF/n5t8SXK0382VX
+gUp4hhrsyR6CTVzmqbPYpazom5u/zmTRddzQHv1SIyj5UANVd4HRnejAGdKdSFBd
+35QPbNvWwnbA3HWw+soyH1n787ViBMdT2wEbvaXerZoPI3N375Kq7nf53zW98t6x
+50iE18SYN8zvDhEVx5sP5Rj4iWoZs14077JNkMH2/Eyp8Lboe3ghKFTOeIcmOJMZ
+VikJaT0b9Q/nS86dQZcyYycXIPlPvOjpcDSGgPfm7/Ss37MNddSDhi+AloMVeBe4
+mLdggB3coBKpCyJpj6Y0lxmTfekZ3975EpTTCB2rUAyGEWRyj/G6uVsNMyAvqX5U
+wPLNfinzeanHIIqgMEV79QCqgPWGMd+XIZY6dqnTW8gUHLJzT4sgOVw0oDRrI4py
+oilsv1S7/eO574Eaz7/oiU7szciIZnWa9XQyQz4bY1mu5zIL+uvHvjbgEDorUHBQ
+zfTcY2eggiZsN94c9G41xEirAr1Jb3za2vw6REmfDESgfAqE4MdHsq+9gtbv+qPq
+l2Ut5s1nTZss6ke5lHokaM5saponMwIDAQABAoICAELFRmMvq5esrQHOvFWWqJ09
+BmO6Sq5Rpqts0oDY1AAHcUjZrFdmKUMnjDS2IeccfpTwgZ73rgjt+xSdgERFDmA6
+aSJ2CLVBWMlkoNqHEX+Q9we0l8SjXplbLy+9jtSIxhQVFCK2bQW8Zj2VzOGUw39v
+fC2oPNvIuX4+kxxsUDPt8BK1K8E2fsx4Mlj2pZNU8cxOrhaJoUZfFS0owDWMlIW3
+qTo/ZHpNAABXkzu+rK3CcCc/JXDgbUgaqdQvM9TPym3+Y6ZoZLnOpZYKwuwPJ8Pp
+Aut5kVV56BMGdRvzYI5wluTwsiAdaXO9DTrquMr/mlAesFpOo8LLtl3T/qiw/7MZ
+4AV8E4uYSxkLL7fAfec9CbOoO3sup1imM8JTMxx0gRuJBn6wi82NtDhd2q2qfFbO
+hgZIP5GwIUGDMwZMz1CniGKiUGKz/YkKo7qXF4MewQadBGmfUDuRoCQ/j9QcdvAF
+cJ+OsvrC7T3XLiD/GegJuw/cBX281bCoLYItA7F9+CA4RuLpIxphUH4ITqhbtvtJ
+XCECXYcYQN0LOPhw9BbtsVV/pYoQ2CWNmFRWZADw03rpSWVChMbnDUfI6QAbMx8g
+pyVNll75Eb6+FHDOVaMIfIL6yDlMKrGSVjsvgWKN5pL+zqb4kLTUGiQZXyLrgDUJ
+TJ1K8qYPxJx2r+Jga34xAoIBAQDZZzyLgvHR1J842LAR5EpgR9AyEQMbx4zhfP0p
+r3GoxVYKxfiA0bpD02dc+D18Q2I9RtCnfTkKsk5IZXxRN7MzfyPqh34ztazUPszg
+/9O/RLFHWSPUPq4C/HmrA+dPiZ9V0s5eL/CIsvqSczcRkEkwj4TEY/ERTI4hbunJ
+mOSase4Cmx1T1wvtx1USiuBYErCf8laxM0R95aiKX+YNwM8nzWmy2UD2+JOvMsMn
+MZFlj8QiE87C9Fbpq90ePwYoKz7azOw3ATRzgi5/ScYzSDlTlsEMasvy4D8+l+XL
+bY50nquZ9YdER+t2/bj1BzoVR9Kf5eiecW/mZREW35EtgxAbAoIBAQDB9L1n0UHF
+A0l+xKp9Xp+YsO761G+mV67eD9f2BZ3ATi/rMJDzENub2zAOTYD+V3HZiGoQWl3S
+Nv+nyIOZwdD9LASnv5QE4fngO3wqd0YOJIUamVNl+XGFZpPUiGdtWzRxidDwqOWx
+uoapVFE5nigqehQ+BUKKps7Ihq61cj4Q3czjJrNzHuMTKRSXgSvlI703MUfQhAkL
+u05N8um1ORv8sinyVj2VIxjGwqO5Nv8IN3ecSceipcMFC/tKy10Q82oWX4Xf0IVC
+DzEosWR1+RUZaFFCZBozlB9C10bgjnM+owlMQSqaGpnkwuDcOCg7cwRCOziQVJZD
+VnQe3lIE06bJAoIBAQCZ4YzlYwYvc8RPxHC7+U7731jqV0hP/WsmoAXB38EfqK5C
+aeZ/p/Oj1psvHzbGIhwDK4C9TNF3VMY8UDkyc66QIMoXU1hs2Yc/pEP4bpw+oiyp
+R9sofEVHL9YeymCL1+nEIbaYzG4BFE5wIsUz1WE40h0ztVoI2Jsx5wPsAiCtrou9
+pHWZxnlXEOSSf2JUdMY4MJxUSOmOA2TMrRx1V6hJkAfk5Aorxb8jH1crAtbbgGtf
+g42ySKjMNS4KHqoI/LM8xBfexyeNKvQmfN2hptmM5QQ3+c/qVffuIi4xU5alzTnB
+fB0Go7FzRBwKs9bVAUWAkIeavshp19fEzPJBuKdJAoIBAG5Tp/XJC29kykao2g4M
+aB4z7wyREJ1/XQIF4yOX2D8OeqV+78TDvxft220XWxvSY/mIZkS9EodEL7KiFXG9
+1QJeKpu9Fxab8EZDsAJ77EaZMXmK4+yqso9eZRLNMH/9FFzNNyPd/yJU5sqlIrry
+owhefus0lMBH2HIqYnDl9jYj5KsFVahTVnmMsaDooi5qYPRnPOF4aajZt9YRKi2i
+ua/JLKEju039M9fD2du+U925p3koYr27Kq7RPPUzrtG4lIz7cyx38YU9HQp3tZyB
+viXAuBBa3qieRhYAXNnZTebAWMaefvw/y3BcBgpei0wdxbti8m7vHrZZFB6G+gKy
+3jkCggEBAJZzYmGvjlDumPElX3hzzAjPMhz3CmoyGC6aJN05ezK/z3iOG9CGJLcG
+vyU3yD/iEy2TbQtPjrVz+HMBF0Zs7FAK9XKNj20TCu0tOKIUa7KWTaKJjbn7qg0q
+k3v09Pj/ZevPrdNL4DKGLCbgsTJLGZK+HSE3jJ/SPSNHuoOaRetpsJtMcjJgDmqr
+URs3t0xNZt6zRR9/1SrAmVCBrJpMuiPQNgJJppx+jw6d8FUTHqp4iyfX190UeJV8
+X/g4SS47VcjjJBJMKyMmZl+D8p32wuc4YE99/ycZdLpUxVhla5Q1alKIj5bUc0o+
+8YHtmZ19oGLMOCHqJ8T4bvoSYGTi+8c=
+-----END PRIVATE KEY-----

govcd/test-resources/rootCA.pem

@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEbzCCAtegAwIBAgIQYl7uyKCXFwpi+qNH8QN6pTANBgkqhkiG9w0BAQsFADBP
+MR4wHAYDVQQKExVta2NlcnQgZGV2ZWxvcG1lbnQgQ0ExEjAQBgNVBAsTCVRlcnJh
+Zm9ybTEZMBcGA1UEAxMQbWtjZXJ0IFRlcnJhZm9ybTAgFw0yMzAzMDIwNjE4MDNa
+GA8zMTIzMDMwMjA2MTgwM1owTzEeMBwGA1UEChMVbWtjZXJ0IGRldmVsb3BtZW50
+IENBMRIwEAYDVQQLEwlUZXJyYWZvcm0xGTAXBgNVBAMTEG1rY2VydCBUZXJyYWZv
+cm0wggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQCwlYSqjG7xrleLkO2D
+aOB3Z2cZQH1XCLFD//o8ctIDY1mmvlthlZ47H8FOpbI9/O+40oon27XmBxPCuYyy
++/ZbmdBf4QB3BBcGGxhR8gInuCT65rraoAeLSRqNOwYcPduRBvrdNeCj2vyK98kR
+4U8M+K64nx0hQlusu6Cyd5KiOyKg6CuoXnBKWZ1W2s8En23SIaxg+rydPM/jtjmW
+G6ArF2TtzuBPZ/z0rqroHw2Kwtna5r6mTaW9u4EKIaPyWn1Ay7iFABIs6DS/BEiS
+xnZHeXTqRD32HnMKXawrG0Fm++MX1c+qA2/k5JM2CF2BtoPbnekK7gWj38JHSrNg
+YLafYkMA5d/eTR8EnrGLGvHUTRQwK8CpG1bHRJSdbDwhvgQxgjLpcbeZzv+g42v8
+vXaXImDZEhiLeMIDM4XphyfH3l2W0WztqBM1GlM3Ycf9LvISqTH5z9QRM3JX0mRS
+xYFfCb8XC7vWaWkWoIHJ5RYQ6tHZ8wTtrvO34qtEAVSIte0CAwEAAaNFMEMwDgYD
+VR0PAQH/BAQDAgIEMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFNA4nzDg
+xEjwbJXhr47p/mub8cKEMA0GCSqGSIb3DQEBCwUAA4IBgQAyg+3HGr4dUnEJXpk3
+FocS0Bup2ds+wREejACEIgP1PzbcdJpHG4Qswt/6FvIRAzH84nGucZVeWdRI7jOk
+qT5I8nOQ/UTlZkEnt5QBIQX/ghg77mQrRY6neeI99NRm/28k9SERrpfpJStLeDwH
+jNnAGkfSxZP1QZACebrTPFAY8vGGGIDZ1ZeUwxJgfbrD9dF5cTJYftSwOndQVeKS
+SeRBsgwe7NLCmLzQOlmlo83KoGoGd6n9P7vTtB8Uj8WPv7O12+XTNjv8CuWR1Zhq
+LERLEBwtHd6POAjSvi1/58UKRJIPqa04dCSCGRrF5eeJVAzP3IiFWZz0aGZNj/gW
+Ynp8DVyF5ur5fGrA9Ao5r12avoYMnqzbgRPTY/u55Ab1SowU4xLbSzTGmD/Msg3s
+A2+dDBPQn3+6z88TZSVFKy/t83qXM156YMpgk2f37yIxHcPp+MJNNxKp1GzkrCXJ
+uo41rJCOGpVx/gWXsG+DKr0ZITWf5/oQF6AsWWxIIfaUEjU=
+-----END CERTIFICATE-----

types/v56/constants.go

@@ -584,3 +584,9 @@ var NsxvProtocolCodes = map[string]int{
 	DFWProtocolUdp:  17,
 	DFWProtocolIcmp: 1,
 }
+
+// NSX-T IPSec VPN authentication modes
+const (
+	NsxtIpSecVpnAuthenticationModePSK         = "PSK"
+	NsxtIpSecVpnAuthenticationModeCertificate = "CERTIFICATE"
+)

types/v56/nsxt_types.go

@@ -585,6 +585,15 @@ type NsxtIpSecVpnTunnel struct {
 	// Note. Up to version 10.3 VCD only supports INITIATOR
 	ConnectorInitiationMode string `json:"connectorInitiationMode,omitempty"`
 
+	// CertificateRef points server certificate which will be used to secure the tunnel's local
+	// endpoint. The certificate must be the end-entity certificate (leaf) for the local endpoint.
+	CertificateRef *OpenApiReference `json:"certificateRef,omitempty"`
+
+	// CaCertificateRef points to certificate authority used to verify the remote endpoint's
+	// certificate. The selected CA must be a root or intermediate CA. The selected CA should be
+	// able to directly verify the remote endpoint's certificate.
+	CaCertificateRef *OpenApiReference `json:"caCertificateRef,omitempty"`
+
 	// Version of IPsec VPN Tunnel configuration. Must not be set when creating, but required for updates
 	Version *struct {
 		// Version is incremented after each update
@@ -607,10 +616,16 @@ type NsxtIpSecVpnTunnelLocalEndpoint struct {
 
 // NsxtIpSecVpnTunnelRemoteEndpoint corresponds to the device on the remote site terminating the VPN tunnel
 type NsxtIpSecVpnTunnelRemoteEndpoint struct {
-	// RemoteId is needed to uniquely identify the peer site. If this tunnel is using PSK authentication,
-	// the Remote ID is the public IP Address of the remote device terminating the VPN Tunnel. When NAT is configured on
-	// the Remote ID, enter the private IP Address of the Remote Site. If the remote ID is not set, VCD will set the
-	// remote ID to the remote address.
+	// This Remote ID is needed to uniquely identify the peer site. If the remote ID is not set, it
+	// will default to the remote IP address. The requirement for remote id depends on the
+	// authentication mode for the tunnel:
+	// * PSK - The Remote ID is the public IP Address of the remote device terminating the VPN
+	// Tunnel. When NAT is configured on the Remote ID, enter the private IP Address of the Remote
+	// Site.
+	// * CERTIFICATE - The remote ID needs to match the certificate SAN (Subject Alternative Name)
+	// if available. If the remote certificate does not contain a SAN, the remote ID must match the
+	// the distinguished name of the certificate used to secure the remote endpoint (for example,
+	// C=US,ST=Massachusetts,O=VMware,OU=VCD,CN=Edge1).
 	RemoteId string `json:"remoteId,omitempty"`
 	// RemoteAddress is IPv4 Address of the remote endpoint on the remote site. This is the Public IPv4 Address of the
 	// remote device terminating the IPsec VPN Tunnel connection. This is required