You must configure at least one external IP address on the NSX Edge to provide IPSec VPN service.

Procedure

  1. Log in to the vSphere Web Client.
  2. Click Networking & Security > NSX Edges.
  3. Double-click an NSX Edge.
  4. Click Manage > VPN > IPSec VPN.
  5. Click Add.
  6. Enter a name for the IPSec VPN site.
  7. Configure the endpoint parameters of the IPSec VPN site.
    1. Enter the local Id to identify the local NSX Edge instance. This local Id is the peer Id on the remote site.
      The local Id can be any string. Preferably, use the public IP address of the VPN or a fully qualified domain name (FQDN) for the VPN service as the local Id.
    2. Enter an IP address or an FQDN of the local endpoint.
      If you are adding an IP-to-IP tunnel using a pre-shared key, the local Id and local endpoint IP can be the same.
    3. Enter the subnets to share between the IPSec VPN sites in the CIDR format. Use a comma separator to enter multiple subnets.
    4. Enter the Peer Id to identify the peer site.
      • For peers using certificate authentication, this ID must be the distinguished name (DN) in the peer's certificate. Enter the DN of the certificate as a string of comma-separated values in the following order without spaces: C=xxx,ST=xxx,L=xxx,O=xxx,OU=xxx,CN=xxx,E=xxx.
      • For PSK peers, the peer Id can be any string. Preferably, use the public IP address of the VPN or an FQDN for the VPN service as the peer Id.
      Note: If the Edge has more than one uplink interface that can reach the remote IPSec peer, route the IPSec traffic so that it leaves through the Edge interface that is configured with the local peer IP.
    5. Enter an IP address or an FQDN of the peer endpoint. The default value is any. If you retain the default value, you must configure the Global PSK.
    6. Enter the internal IP address of the peer subnet in the CIDR format. Use a comma separator to enter multiple subnets.
  8. Configure the tunnel parameters.
    1. (Optional) Select a security compliance suite to configure the security profile of the IPSec VPN site with predefined values defined by that suite.
      The default selection is none, which means that you must manually specify the configuration values for authentication method, IKE profile, and tunnel profile. When you select a compliance suite, values that are predefined in that standard compliance suite are automatically assigned, and you cannot edit these values. For more information about compliance suites, see Supported Compliance Suites.
      Note:
      • Compliance suite is supported in NSX Data Center 6.4.5 or later.
      • If FIPS mode is enabled on the Edge, you cannot specify a compliance suite.
    2. Select one of the following Internet Key Exchange (IKE) protocols to set up a security association (SA) in the IPSec protocol suite.
      Option     Description
      IKEv1      IPSec VPN initiates and responds to the IKEv1 protocol only.
      IKEv2      IPSec VPN initiates and responds to the IKEv2 protocol only.
      IKE-Flex   If tunnel establishment fails with the IKEv2 protocol, the source site does not fall back and initiate a connection with the IKEv1 protocol. If the remote site initiates a connection with the IKEv1 protocol, the connection is accepted.
      Important: If you configure multiple sites with the same local and remote endpoints, make sure that you select the same IKE version and PSK across all these IPSec VPN sites.
    3. From the Digest Algorithm drop-down menu, select one of the following secure hashing algorithms:
      • SHA1
      • SHA_256
    4. From the Encryption Algorithm drop-down menu, select one of the following supported encryption algorithms:
      • AES (AES128-CBC)
      • AES256 (AES256-CBC)
      • Triple DES (3DES192-CBC)
      • AES-GCM (AES128-GCM)
      Note:
      • AES-GCM encryption algorithm is not FIPS-compliant.
      • Starting in NSX 6.4.5, the Triple DES cipher algorithm is deprecated in the IPSec VPN service.

      The following table explains the encryption settings that are used on the peer VPN Gateway for the encryption settings that you select on the local NSX Edge.

      Table 1. Encryption Settings
      Encryption Settings on NSX Edge   IKE Settings on Peer VPN Gateway   IPSec Settings on Peer VPN Gateway
      AES-256                           AES-256                            AES-256
      AES-128                           AES-128                            AES-128
      3DES                              3DES                               3DES
      AES-GCM, IKEv1                    AES-128                            AES-GCM
      AES-GCM, IKEv2                    AES-128 or AES-GCM                 AES-GCM
    5. In Authentication Method, select one of the following options:
      Option                 Description
      PSK (Pre Shared Key)   The secret key shared between the NSX Edge and the peer site is used for authentication. The secret key can be a string with a maximum length of 128 bytes. PSK authentication is disabled in FIPS mode.
      Certificate            The certificate defined at the global level is used for authentication.
    6. (Optional) Enter the pre-shared key of the peer IPSec VPN site.
    7. To display the key on the peer site, click the Show Pre-Shared Key icon or select the Display Shared Key check box.
    8. From the Diffie-Hellman (DH) Group drop-down menu, select one of the following cryptography schemes, which allow the peer site and the NSX Edge to establish a shared secret over an insecure communications channel.
      • DH-2
      • DH-5
      • DH-14
      • DH-15
      • DH-16
      DH-14 is the default selection for both FIPS and non-FIPS mode. DH-2 and DH-5 are not available when FIPS mode is enabled.
  9. Configure the advanced parameters.
    1. If the remote IPSec VPN site does not support PFS, disable the Perfect Forward Secrecy (PFS) option. By default, PFS is enabled.
    2. (Optional) To operate IPSec VPN in a responder-only mode, select the Responder only check box.
      In this mode, IPSec VPN never initiates a connection.
    3. (Optional) In the Extension text box, type one of the following:
      • securelocaltrafficbyip=IPAddress to redirect Edge local traffic over the IPSec VPN tunnel. IP address is the default value. For more information, see http://kb.vmware.com/kb/20080007.
      • passthroughSubnets=PeerSubnetIPAddress to support overlapping subnets.
  10. Click Add or OK, and then click Publish Changes.
    The IPSec VPN configuration is saved on the NSX Edge.
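The following Python script is an added example and is not part of the VMware documentation or of NSX itself. It takes an IPSec VPN site definition, expressed as a plain dictionary whose keys (ike, digest, encryption, dh_group, auth, psk, peer_id, peer_endpoint, fips_mode, compliance_suite) are assumed names chosen to mirror the fields of the dialog above, and checks it offline against the constraints stated in steps 7 to 9: the supported algorithm choices, the FIPS restrictions on compliance suites, AES-GCM, DH-2/DH-5 and PSK, the 3DES deprecation from 6.4.5, the 128-byte PSK limit, the Global PSK requirement when the peer endpoint stays "any", the DN format required for certificate peers, and the rule that sites sharing the same endpoints must agree on IKE version and PSK. It also returns the peer gateway settings implied by Table 1. The sample sites at the bottom are constructed values.

```python
"""Offline checks for NSX Edge IPSec VPN site parameters (added example, not NSX code)."""

# Allowed attribute types for a certificate peer Id, in the required order.
DN_ORDER = ("C", "ST", "L", "O", "OU", "CN", "E")


def valid_peer_dn(peer_id):
    """Certificate peers: comma-separated key=value pairs, no spaces, keys in DN_ORDER."""
    if not peer_id or " " in peer_id:
        return False
    keys = []
    for part in peer_id.split(","):
        if "=" not in part:
            return False
        key, value = part.split("=", 1)
        if key not in DN_ORDER or not value:
            return False
        keys.append(key)
    positions = [DN_ORDER.index(k) for k in keys]
    return positions == sorted(positions) and len(set(keys)) == len(keys)


def peer_settings(encryption, ike):
    """(IKE cipher, IPSec cipher) the peer VPN gateway must use, per Table 1.

    Table 1 only lists AES-GCM for IKEv1 and IKEv2; other IKE choices with
    AES-GCM return None rather than guessing (assumption of this example).
    """
    if encryption == "AES-GCM":
        if ike == "IKEv2":
            return ("AES-128 or AES-GCM", "AES-GCM")
        if ike == "IKEv1":
            return ("AES-128", "AES-GCM")
        return None
    name = {"AES": "AES-128", "AES256": "AES-256", "3DES": "3DES"}[encryption]
    return (name, name)


def check_site(site, nsx_version=(6, 4, 6)):
    """Return a list of findings; an empty list means the site passes the documented rules."""
    f = []
    fips = site.get("fips_mode", False)
    if site.get("compliance_suite", "none") != "none":
        if fips:
            f.append("compliance suite cannot be selected when FIPS mode is enabled")
        if nsx_version < (6, 4, 5):
            f.append("compliance suites require NSX Data Center 6.4.5 or later")
    if site.get("ike") not in ("IKEv1", "IKEv2", "IKE-Flex"):
        f.append("IKE version must be IKEv1, IKEv2 or IKE-Flex")
    if site.get("digest") not in ("SHA1", "SHA_256"):
        f.append("digest algorithm must be SHA1 or SHA_256")
    enc = site.get("encryption")
    if enc not in ("AES", "AES256", "3DES", "AES-GCM"):
        f.append("encryption must be AES, AES256, 3DES or AES-GCM")
    if enc == "AES-GCM" and fips:
        f.append("AES-GCM is not FIPS-compliant")
    if enc == "3DES" and nsx_version >= (6, 4, 5):
        f.append("Triple DES is deprecated in the IPSec VPN service from NSX 6.4.5")
    dh = site.get("dh_group")
    if dh not in (2, 5, 14, 15, 16):
        f.append("DH group must be one of 2, 5, 14, 15, 16")
    elif fips and dh in (2, 5):
        f.append("DH-2 and DH-5 are not available in FIPS mode")
    auth = site.get("auth")
    if auth == "PSK":
        if fips:
            f.append("PSK authentication is disabled in FIPS mode")
        if len(site.get("psk", "").encode("utf-8")) > 128:
            f.append("pre-shared key exceeds the 128-byte maximum")
        if site.get("peer_endpoint", "any") == "any" and not site.get("global_psk"):
            f.append("peer endpoint 'any' requires the Global PSK to be configured")
    elif auth == "Certificate":
        if not valid_peer_dn(site.get("peer_id", "")):
            f.append("certificate peer Id must be the DN as C=..,ST=..,L=..,O=..,OU=..,CN=..,E=.. without spaces")
    else:
        f.append("authentication method must be PSK or Certificate")
    return f


def check_sites(sites, **kw):
    """check_site for each site plus the cross-site rule from step 8.2's Important note."""
    findings = {s["name"]: check_site(s, **kw) for s in sites}
    groups = {}
    for s in sites:
        groups.setdefault((s.get("local_endpoint"), s.get("peer_endpoint")), []).append(s)
    for (local, peer), members in groups.items():
        if len(members) > 1 and (len({m.get("ike") for m in members}) > 1
                                 or len({m.get("psk") for m in members}) > 1):
            for m in members:
                findings[m["name"]].append(
                    f"sites with endpoints {local} -> {peer} must share the same IKE version and PSK")
    return findings


# Constructed sample sites (documentation/test addresses, made-up PSK).
SITE_OK = {"name": "site-a", "local_endpoint": "203.0.113.10", "peer_endpoint": "198.51.100.20",
           "ike": "IKEv2", "digest": "SHA_256", "encryption": "AES256", "dh_group": 14,
           "auth": "PSK", "psk": "constructed-example-psk", "fips_mode": False}
SITE_FIPS_BAD = dict(SITE_OK, name="site-b", peer_endpoint="any", ike="IKEv1",
                     digest="SHA1", encryption="AES-GCM", dh_group=2, fips_mode=True)

if __name__ == "__main__":
    for name, issues in check_sites([SITE_OK, SITE_FIPS_BAD]).items():
        print(name, issues or "ok")
```

Running the script prints "ok" for site-a and four findings for site-b (AES-GCM, DH-2, PSK in FIPS mode, and the missing Global PSK). Re-run it with nsx_version=(6, 4, 4) to see the 3DES deprecation finding disappear for pre-6.4.5 Edges.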

What to do next

Enable the IPSec VPN service.

Tip: In the vSphere Web Client, you can follow these steps on the IPSec VPN page to generate the configuration script for the Peer VPN Gateway.
  • In NSX 6.4.6 and later, select the IPSec VPN site, and then click Actions > Generate Peer Configuration.
  • In NSX 6.4.5 and earlier, select the IPSec VPN site, and then click the Generate Peer Configure icon. In the dialog box that opens, click Generate Peer Configure.

    The configuration script is generated. You can use this script as a reference to configure the IPSec VPN parameters on the peer VPN Gateway.