You can configure site-to-site connectivity between an NSX-T Data Center edge gateway and remote sites. The remote sites must use NSX-T Data Center, have third-party hardware routers, or VPN gateways that support IPSec.

VMware Cloud Director supports automatic route redistribution when you configure IPSec VPN on an NSX-T Data Center edge gateway.


  1. From the top navigation bar, select Resources and click Cloud Resources.
  2. In the left panel, click Edge Gateways, and click the name of the target edge gateway.
  3. Under Services, click IPSec VPN.
  4. To configure an IPSec VPN tunnel, click New.
  5. Enter a name and, optionally, a description for the IPSec VPN tunnel.
  6. To enable the tunnel upon creation, toggle on the Enabled option.
  7. Choose a pre-shared key to enter.
    Note: The pre-shared key must be the same on the other end of the IPSec VPN tunnel.
  8. Enter one of the IP addresses that are available to the edge gateway for the local endpoint.
    Note: The IP address must be either the primary IP of the edge gateway, or an IP address that is separately allocated to the edge gateway from the external network .
  9. Enter at least one local IP subnet address in CIDR notation to use for the IPSec VPN tunnel.
  10. Еnter the IP address for the remote site.
  11. Enter at least one remote IP subnet address in CIDR notation to use for the IPSec VPN tunnel.
  12. (Optional) To enable logging, toggle on the Logging option.
  13. Click Save.
  14. To verify that the tunnel is functioning, select it and click View Statisticts.
    If the tunnel is functioning, Tunnel Status and IKE Service Status both display Up.


The newly created IPSec VPN tunnel is listed in the IPSec VPN view. The IPSec VPN tunnel is created with a default security profile.

What to do next

You can edit the IPSec VPN tunnel settings and customize its security profile as needed.