The on-premises end of any IPsec VPN must be configured to match the settings you specified for the SDDC end of that VPN.

Information in the following tables summarizes the available SDDC IPsec VPN settings. Some of the settings can be configured. Some are static. Use this information to verify that your on-premises VPN solution can be configured to match the one in your SDDC. Choose an on-premises VPN solution that supports all the static settings and any of the configurable settings listed in these tables.

Phase 1 Internet Key Exchange (IKE) Settings

Table 1. Configurable IKE Phase 1 Settings
Attribute Allowed Values Recommended Value
Protocol IKEv1, IKEv2, IKE FLEX IKEv2
Encryption Algorithm AES (128, 256), AES-GCM (128, 192, 256) AES GCM
Tunnel/IKE Digest Algorithm SHA-1, SHA-2 SHA-2
Diffie Hellman DH Groups 2, 5, 14-16 DH Group 14-16
Table 2. Static IKE Phase 1 Settings
Attribute Value
ISAKMP mode Main mode (Disable aggressive mode)
ISAKMP/IKE SA lifetime 28800 seconds
IPsec Mode Tunnel
IKE Authentication Pre-Shared Key

Phase 2 IKE Settings

Table 3. Configurable IKE Phase 2 Settings
Attribute Allowed Values Recommended Value
Encryption Algorithm AES-256, AES-GCM, AES AES-GCM
Perfect forward secrecy (PFS) Enabled, Disabled Enabled
Diffie Hellman DH Groups 2, 5, 14-16 DH Group 14-16
Table 4. Static IKE Phase 2 Settings
Attribute Value
Hashing Algorithm SHA-1
Tunnel Mode Encapsulating Security Payload (ESP)
SA lifetime 3600 seconds (one hour)

On-Premises IPsec VPN Configuration

Click DOWNLOAD CONFIG on the status page of any VPN to download a file that contains VPN configuration details. You can use these details to configure the on-premises end of the VPN.
Note: Do not configure the on-premises side of a VPN to have an idle timeout (for example, the NSX Session idle timeout setting). On-premises idle timeouts can cause the VPN to become periodically disconnected.