NSX Edge supports site-to-site IPSec VPN between an NSX Edge instance and remote sites. Between the NSX Edge instance and remote VPN routers, certificate authentication, preshared key mode, and IP unicast traffic are supported; no dynamic routing protocol is supported across the tunnel.
Behind each remote VPN router, you can configure multiple subnets to connect to the internal network behind an NSX Edge through IPSec tunnels.
If the local and remote peers across an IPSec VPN have overlapping IP addresses, traffic forwarding across the tunnel might not be consistent, depending on whether locally connected routes and auto-plumbed routes exist.
You can deploy an NSX Edge agent behind a NAT device. In this deployment, the NAT device translates the VPN address of an NSX Edge instance to a publicly accessible address facing the Internet. Remote VPN routers use this public address to access the NSX Edge instance.
You can place remote VPN routers behind a NAT device as well. You must provide the VPN native address and the VPN Gateway ID to set up the tunnel. On both ends, static one-to-one NAT is required for the VPN address.
| ESG | Number of IPSec Tunnels |
| --- | --- |
Supported encryption algorithms:

- AES (AES128-CBC)
- AES256 (AES256-CBC)
- Triple DES (3DES192-CBC)
- AES-GCM (AES128-GCM)

Supported Diffie-Hellman groups:

- DH-2 (Diffie-Hellman group 2)
- DH-5 (Diffie-Hellman group 5)
- DH-14 (Diffie-Hellman group 14)
- DH-15 (Diffie-Hellman group 15)
- DH-16 (Diffie-Hellman group 16)
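As an added example (not part of VMware's documentation and not the NSX API), the following Python lint pass reviews a site definition against the points above before it is committed: local and peer subnets that overlap, an endpoint behind NAT that lacks an explicit gateway ID, and an encryption algorithm or DH group that is outside the supported list or among its weaker entries. The dictionary keys, the sample sites, and the 20-character pre-shared key threshold are assumptions made for the example.

```python
"""Lint an IPsec VPN site definition for an NSX Edge (constructed example).

The dict layout below is an approximation for illustration, not the NSX
configuration schema. Findings are returned as plain strings.
"""
import ipaddress

# Encryption algorithms and DH groups as listed for NSX Edge IPsec VPN.
SUPPORTED_ENCRYPTION = {"aes", "aes256", "3des", "aes-gcm"}
SUPPORTED_DH_GROUPS = {2, 5, 14, 15, 16}

# Supported but weak choices: 3DES has a 64-bit block, and MODP groups 2
# and 5 (1024/1536-bit) are too small by current guidance.
WEAK_ENCRYPTION = {"3des"}
WEAK_DH_GROUPS = {2, 5}


def overlapping_pairs(local_subnets, peer_subnets):
    """Return (local, peer) CIDR pairs that share at least one address."""
    pairs = []
    for local in local_subnets:
        lnet = ipaddress.ip_network(local, strict=False)
        for peer in peer_subnets:
            pnet = ipaddress.ip_network(peer, strict=False)
            if lnet.version == pnet.version and lnet.overlaps(pnet):
                pairs.append((str(lnet), str(pnet)))
    return pairs


def lint_ipsec_site(site):
    """Return a list of findings for one site definition (empty means clean)."""
    findings = []

    enc = site.get("encryption", "").lower()
    if enc not in SUPPORTED_ENCRYPTION:
        findings.append(f"unsupported encryption algorithm: {enc!r}")
    elif enc in WEAK_ENCRYPTION:
        findings.append(f"weak encryption algorithm {enc}; prefer aes-gcm or aes256")

    dh = site.get("dh_group")
    if dh not in SUPPORTED_DH_GROUPS:
        findings.append(f"unsupported DH group: {dh!r}")
    elif dh in WEAK_DH_GROUPS:
        findings.append(f"weak DH group {dh}; prefer group 14 or higher")

    # Overlapping address space on the two sides makes tunnel forwarding
    # depend on which connected and auto-plumbed routes exist.
    for local, peer in overlapping_pairs(site.get("local_subnets", []),
                                         site.get("peer_subnets", [])):
        findings.append(f"local subnet {local} overlaps peer subnet {peer}; "
                        "tunnel forwarding may be inconsistent")

    # An endpoint behind static 1:1 NAT is reached through a translated
    # address, so its native VPN address and a gateway ID are both needed.
    local_nat = site.get("local_nat_public_ip")
    if local_nat:
        if not site.get("local_id"):
            findings.append("Edge is behind NAT but no local gateway ID is set")
        if local_nat == site.get("local_ip"):
            findings.append("local_nat_public_ip equals local_ip; "
                            "local_ip should be the native (pre-NAT) address")
    if site.get("peer_nat_public_ip") and not site.get("peer_id"):
        findings.append("peer is behind NAT but no peer gateway ID is set")

    auth = site.get("authentication", "psk")
    if auth == "psk":
        if len(site.get("psk", "")) < 20:  # assumed minimum for this lint
            findings.append("pre-shared key shorter than 20 characters")
    elif auth != "certificate":
        findings.append(f"unknown authentication mode {auth!r}")

    return findings


# Constructed sample sites (addresses from documentation ranges).
BAD_SITE = {
    "name": "branch-a", "local_ip": "10.0.0.1", "peer_ip": "203.0.113.7",
    "local_nat_public_ip": "198.51.100.9",
    "local_subnets": ["192.168.10.0/24"], "peer_subnets": ["192.168.0.0/16"],
    "encryption": "3des", "dh_group": 2,
    "authentication": "psk", "psk": "short",
}
GOOD_SITE = {
    "name": "branch-b", "local_ip": "10.0.0.1", "local_id": "edge-1",
    "peer_ip": "203.0.113.8", "peer_id": "branch-b-gw",
    "local_subnets": ["192.168.10.0/24"], "peer_subnets": ["172.16.20.0/24"],
    "encryption": "aes-gcm", "dh_group": 14, "authentication": "certificate",
}

if __name__ == "__main__":
    for site in (BAD_SITE, GOOD_SITE):
        print(site["name"], lint_ipsec_site(site) or "clean")
```

Running the module prints five findings for `branch-a` and `clean` for `branch-b`; in practice the same function would be run over every site definition exported from the Edge before a change window.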
For IPSec VPN configuration examples, see IPSec VPN Configuration Examples.
For IPSec VPN troubleshooting, see https://kb.vmware.com/kb/2123580.