Configuration of the gateway device in your on-premises data center might need to be performed by a member of your networking team. Consult the documentation for your gateway or firewall device to learn how to configure it to match the VPN settings you've configured.


Configuring an on-premises VPN requires the following:
  • An on-premises router or firewall capable of terminating an IPsec VPN, such as Cisco ISR, Cisco ASA, CheckPoint Firewall, Juniper SRX, NSX Edge, or any other device capable of IPsec tunneling.

    The SDDC end of an IPsec VPN supports only time-based rekeying. Your on-premises device must disable lifebytes rekeying.

    Do not configure the on-premises side of the VPN to have an idle timeout (for example, the NSX Session idle timeout setting). On-premises idle timeouts can cause the VPN to become periodically disconnected.

  • If your on-premises gateway is behind another firewall, you must configure that firewall to forward IPsec VPN protocol traffic:
    • Open UDP port 500 to allow Internet Security Association and Key Management Protocol (ISAKMP) traffic to be forwarded through the firewall.
    • Set IP protocol ID 50 to allow IPsec Encapsulating Security Payload (ESP) traffic to be forwarded through the firewall.
    • Set IP protocol ID 51 to allow Authentication Header (AH) traffic to be forwarded through the firewall.


  1. Navigate to the Network tab of your SDDC.
  2. Under Management Gateway, click IPsec VPNs and open the VPN that you created in the SDDC.
  3. Download the SDDC management VPN configuration details.
    Under Remote VPN Config File, click Download to download a configuration file listing the configuration parameters for the SDDC side of the management VPN.
  4. Configure the on-premises management VPN.
    Use the information in the file you downloaded in Step 3. See VPN Configuration File for an example of the information that this file contains.

Example: VPN Configuration File

# Configuration for IPsec VPN connection
# Peer NSX Edge and IPSec Site configuration details.
# IPsec site Id         : ipsecsite-17
# IPsec site name       : VPN1
# IPsec site description: 
# IPsec site enabled    : true
# IPsec site vpn type   : Policy based VPN
# NSX Edge Id           : edge-1
# Feature version       : 45
# Time stamp            : 040618_182347GMT

# Internet Key Exchange Configuration
# Phase 1
# Configure the IKE SA as outlined below
IKE version                  : ikev1
Connection initiation mode   : initiator
Authentication method        : psk
Pre shared key               : 123456
Authentication algorithm     : sha1
Encryption algorithm         : aes256
SA life time                 : 28800 seconds
Phase 1 negotiation mode     : main
DH group                     : DH14

# IPsec_configuration
# Phase 2
# Configure the IPsec SA as outlined below
Protocol                        : ESP
Authentication algorithm        : sha1
Sa life time                    : 3600 seconds
Encryption algorithm            : aes256
Encapsulation mode              : Tunnel mode
Enable perfect forward secrecy  : true
Perfect forward secrecy DH group: DH14

# Peer configuration
Peer address    : # Peer gateway public IP.
Peer id         :
Peer subnets    : [ ]

# IPsec Dead Peer Detection (DPD) settings
DPD enabled     : true
DPD interval    : 30 seconds
DPD timeout     : 150 seconds

# Local configuration
Local address   : # Local gateway public IP.
Local id        :
Local subnets   : [ ]
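
The file repeats keys such as "Authentication algorithm" and "SA life time" in both phases, so a script that reads it has to scope each value by its section comment. The following added example (not VMware code; the function names and the MIN_PSK_LEN threshold are assumptions) parses the file, returns the time-based lifetimes to mirror on the on-premises device, and lists peer or local fields left empty along with a pre-shared key that is too short:

```python
import re

# Constructed sample: an abbreviated copy of the example file on this page.
SAMPLE = """\
# Phase 1
Pre shared key               : 123456
Authentication algorithm     : sha1
SA life time                 : 28800 seconds
# Phase 2
Authentication algorithm        : sha1
Sa life time                    : 3600 seconds
# Peer configuration
Peer address    : # Peer gateway public IP.
Peer subnets    : [ ]
"""

# Comment lines that open a section; keys such as "Authentication algorithm"
# repeat across sections, so values must be scoped by section.
SECTIONS = {"# Phase 1": "phase1", "# Phase 2": "phase2",
            "# Peer configuration": "peer", "# Local configuration": "local",
            "# IPsec Dead Peer Detection (DPD) settings": "dpd"}
MIN_PSK_LEN = 20  # assumed local policy threshold, not a value from the page

def parse_vpn_config(text):
    """Return {section: {lowercased key: value}} for the downloaded file."""
    cfg, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if line in SECTIONS:
            section = SECTIONS[line]
        elif section and line and not line.startswith("#") and ":" in line:
            key, _, value = line.partition(":")
            # A trailing "# ..." is the file's placeholder hint, not a value.
            cfg.setdefault(section, {})[key.strip().lower()] = value.split("#")[0].strip()
    return cfg

def lifetime_seconds(cfg, phase):
    """Time-based rekey interval for 'phase1' or 'phase2', in seconds."""
    match = re.match(r"(\d+)\s+seconds", cfg[phase].get("sa life time", ""))
    return int(match.group(1)) if match else None

def review(cfg):
    """List settings to fix before copying values to the on-premises device."""
    findings = [f"{sec}: {key} is not filled in"
                for sec in ("peer", "local")
                for key, value in cfg.get(sec, {}).items()
                if value.replace(" ", "") in ("", "[]")]
    if len(cfg.get("phase1", {}).get("pre shared key", "")) < MIN_PSK_LEN:
        findings.append("phase1: pre shared key is shorter than policy minimum")
    return findings
```

Run against the full example file, review() reports the empty peer and local address, id, and subnet fields and the six-character sample key.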

What to do next

Configure firewall rules to manage traffic between the on-premises and SDDC ends of the management VPN. By default, your new management gateway firewall rules deny all traffic through the firewall. See Add or Modify Management Gateway Firewall Rules in the VMware Cloud on AWS Networking and Security guide.