Route-based VPN uses the routed tunnel interface as the endpoint of the SDDC network to allow access to multiple subnets within the network.

When traffic is passing through the tunnel interface, according to the IPsec settings the traffic is encrypted and decrypted.


  1. Log in to the VMC Console at
  2. Select Networking & Security > VPN > Route Based.
  3. Click Add VPN.
  4. Enter a route-based VPN name.
  5. Select the local IP address of the IPsec VPN from the drop-down menu.
  6. Enter the remote public IP address of your on-premises gateway.
  7. (Optional) Enter the remote private IP address if the on-premises gateway is configured behind NAT.
  8. Click Set BGP Neighbor > Add Neighbor.

    The BGP session uses the local tunnel interface.

  9. Enter the BGP neighbor parameters.



    IP Address

    Enter the remote IP address.

    BGP Neighbor As

    Enter the AS attribute for BGP to use.

    BGP Secret

    Set a secret password for BGP neighbor authentication.

    Local AS

    Accept the default setting.

    The same local AS is used for all the VPN connections. Any changes affect all the VPN connections.

  10. Click Apply.

    Local and remote networks are discovered using BGP advertisements.

  11. Enter the VTI subnet CIDR block.

    Choose a network of size of /30 from the subnet. The second and third IP addresses in this range are configured as the remote and local VTI (VPN Tunnel interfaces). For example, in the VTI CIDR block (address range, the local (SDDC) interface is and the remote (on-prem) interface


    The following subnets are reserved for internal use, so the VTI CIDR block you choose must not overlap either of them.



  12. Configure the advanced VPN parameters.



    Tunnel Encryption

    Accept the AES-256 default cipher setting for securing tunnel traffic.

    Tunnel Digest Algorithm

    Accept the SHA-2 default hashing algorithm setting.

    Perfect Forward Secrecy

    Accept the Enabled default setting.

    Preshared Key

    Enter the preshared key string.

    The maximum key length is 128 characters. This key must be identical for both ends of the VPN tunnel.

    IKE Encryption

    Accept the AES-256 default cipher setting for encryption.

    IKE Digest Algorithm

    Accept the SHA-2 default hashing algorithm setting.

    IKE Type

    Accept the IKE V2 default protocol for the routed VPN connection.

    Diffie Hellman

    Select a Diffie Hellman group that your on-premises VPN gateway can also support.


    This value must be identical for both ends of the VPN tunnel. Higher group numbers offer better protection. The best practice is to select group 14 or higher.

  13. Click Save.


Depending on your SDDC environment, the VPN creation process might take a few minutes. When the route-based VPN becomes available, the status changes to Up, and you can take additional actions:

  • Click DOWNLOAD CONFIG to download a file that contains VPN configuration details. You can use these details to configure the on-premises end of this VPN.

  • Click VIEW STATISTICS to view packet traffic statistics for this VPN.

  • Click VIEW ROUTES to open a display of routes advertised and learned by this VPN.

  • Click DOWNLOAD ROUTES to download a list of Advertised Routes or Learned Routes in CSV format.

What to do next

Create or update compute gateway firewall rules as needed. To allow traffic through the route-based VPN, specify VPN Tunnel Interface in the Applied to field. The All Uplinks option does not include the routed VPN tunnel.