The on-premises end of any IPsec VPN must be configured to match the settings you specified for the SDDC end of that VPN.

Information in the following tables summarizes the available SDDC IPsec VPN settings. Some of the settings can be configured. Some are static. Use this information to verify that your on-premises VPN solution can be configured to match the one in your SDDC. Choose an on-premises VPN solution that supports all the static settings and any of the configurable settings listed in these tables.

Understanding how Diffie-Hellman Groups Affect IPsec VPN Performance and Security

IPsec VPN configuration requires you to choose a Diffie-Hellman (DH) group, which is used in both phases of the IKE negotiation to derive shared keys between the endpoints over an untrusted path. DH Groups 19-21 represent a significant increase in security over groups 14-16 and consume fewer resources during encryption. The NIST Guide to IPsec VPNs (PDF) provides considerably more detail on these and other IPsec VPN configuration choices.
Note: DH Groups 2 and 5 are not NIST-approved and should be used only when required for compatibility with an older on-premises device.

As a best practice, configurable settings should be the same for both phases.

Phase 1 (IKE Profile) IPsec VPN Settings

Table 1. Configurable Settings

Attribute                    Allowed Values                              Recommended Value
Protocol                     IKEv1, IKEv2, IKE FLEX                      IKEv2
Encryption Algorithm         AES (128, 256), AES-GCM (128, 192, 256)     AES-GCM
Tunnel/IKE Digest Algorithm  SHA1, SHA2 (256, 384, 512)
Diffie-Hellman               DH Groups 2, 5, 14-16, 19-21                DH Groups 19-21 or 14-16

Encryption with higher bit depths is harder to crack but creates more load on your endpoint device.

If you specify a GCM-based cipher for IKE Encryption, set IKE Digest Algorithm to None; the digest function is integral to the GCM cipher. You must use IKEv2 if you use a GCM-based cipher.

Table 2. Static Settings

Attribute                 Value
ISAKMP mode               Main mode
ISAKMP/IKE SA lifetime    86400 seconds (24 hours)
IPsec Mode                Tunnel
IKE Authentication        Pre-Shared Key

Phase 2 (IPsec Profile) IPsec VPN Settings

Configurable settings are the same for Phase 1 and Phase 2.

Table 3. Configurable Settings

Attribute                    Allowed Values                              Recommended Value
Protocol                     IKEv1, IKEv2, IKE FLEX                      IKEv2
Encryption Algorithm         AES (128, 256), AES-GCM (128, 192, 256)     AES-GCM
Tunnel/IKE Digest Algorithm  SHA1, SHA2 (256, 384, 512)
Diffie-Hellman               DH Groups 2, 5, 14-16, 19-21                DH Groups 19-21 or 14-16

Encryption with higher bit depths is harder to crack but creates more load on your endpoint device.

If you specify a GCM-based cipher for IKE Encryption, set IKE Digest Algorithm to None; the digest function is integral to the GCM cipher. You must use IKEv2 if you use a GCM-based cipher.

Table 4. Static Settings

Attribute      Value
Tunnel Mode    Encapsulating Security Payload (ESP)
SA lifetime    3600 seconds (one hour)

On-Premises IPsec VPN Configuration

Click DOWNLOAD CONFIG on the status page of any VPN to download a file that contains VPN configuration details. You can use these details to configure the on-premises end of the VPN.
Note: Do not configure the on-premises side of a VPN to have an idle timeout (for example, the NSX Session idle timeout setting). On-premises idle timeouts can cause the VPN to become periodically disconnected.
The VMware Tech Zone IPSec VPN Configuration Reference provides detailed endpoint configuration advice, and sample configuration files for several popular endpoint devices are available on VMware {code}.
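The following script is an added example, not VMware's code or the downloaded configuration file: it checks a candidate on-premises proposal against the configurable and static settings in Tables 1 through 4 and the notes above (GCM requires IKEv2 and a digest of None, DH groups 2 and 5 are legacy-only, no on-premises idle timeout). The field names and the two sample proposals are assumptions constructed for the example.

```python
# Added example (not VMware's code): checks a candidate on-premises proposal
# against the SDDC settings in Tables 1-4. Field names are assumptions.
CONFIGURABLE = {
    "protocol": {"IKEv1", "IKEv2", "IKE FLEX"},
    "encryption": {"AES-128", "AES-256", "AES-GCM-128", "AES-GCM-192", "AES-GCM-256"},
    "digest": {"None", "SHA1", "SHA2-256", "SHA2-384", "SHA2-512"},  # None only with GCM
    "dh_group": {2, 5, 14, 15, 16, 19, 20, 21},
}
STATIC = {  # values the SDDC side cannot change; on-premises must match them exactly
    1: {"isakmp_mode": "main", "sa_lifetime": 86400, "ipsec_mode": "tunnel", "authentication": "psk"},
    2: {"tunnel_mode": "esp", "sa_lifetime": 3600},
}
NOT_NIST_APPROVED_DH = {2, 5}

def check_proposal(phase, proposal):
    """Return (severity, message) findings; an empty list means the proposal matches the SDDC."""
    findings = []
    for key, allowed in CONFIGURABLE.items():
        if proposal.get(key) not in allowed:
            findings.append(("error", f"{key}={proposal.get(key)!r} is not an allowed SDDC value"))
    for key, expected in STATIC[phase].items():
        if proposal.get(key) != expected:
            findings.append(("error", f"{key} must be {expected!r} (static on the SDDC side)"))
    if "GCM" in str(proposal.get("encryption", "")):
        # GCM carries its own integrity check, so no separate digest; SDDC supports GCM only over IKEv2
        if proposal.get("digest") != "None":
            findings.append(("error", "GCM cipher selected: set the digest algorithm to None"))
        if proposal.get("protocol") != "IKEv2":
            findings.append(("error", "GCM cipher selected: IKEv2 is required"))
    if proposal.get("dh_group") in NOT_NIST_APPROVED_DH:
        findings.append(("warning", f"DH group {proposal['dh_group']} is not NIST-approved; legacy use only"))
    if proposal.get("idle_timeout"):  # any non-zero on-premises idle timeout risks periodic disconnects
        findings.append(("warning", "on-premises idle timeout set; this can disconnect the VPN periodically"))
    return findings

def phases_consistent(phase1, phase2):
    """Best practice from the page: configurable settings should match across both phases."""
    return all(phase1.get(k) == phase2.get(k) for k in CONFIGURABLE)

# Constructed sample proposals: a legacy device profile and the recommended one.
LEGACY_PHASE1 = {"protocol": "IKEv1", "encryption": "AES-GCM-256", "digest": "SHA1", "dh_group": 5,
                 "isakmp_mode": "main", "sa_lifetime": 28800, "ipsec_mode": "tunnel",
                 "authentication": "psk", "idle_timeout": 300}
RECOMMENDED_PHASE1 = {"protocol": "IKEv2", "encryption": "AES-GCM-256", "digest": "None", "dh_group": 20,
                      "isakmp_mode": "main", "sa_lifetime": 86400, "ipsec_mode": "tunnel",
                      "authentication": "psk"}
RECOMMENDED_PHASE2 = {"protocol": "IKEv2", "encryption": "AES-GCM-256", "digest": "None", "dh_group": 20,
                      "tunnel_mode": "esp", "sa_lifetime": 3600}
```

Running check_proposal(1, LEGACY_PHASE1) reports the mismatched SA lifetime, the digest and IKE version conflicts with GCM, and the two warnings, while both recommended proposals return no findings.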