NSX Edge supports site-to-site IPSec VPN between an NSX Edge instance and remote sites. Certificate authentication, preshared key mode, and IP unicast traffic are supported between the NSX Edge instance and remote VPN sites.
Starting with NSX Data Center 6.4.2, you can configure both policy-based IPSec VPN service and route-based IPSec VPN service. However, you can configure, manage, and edit route-based IPSec VPN parameters only by using REST APIs. You cannot configure or edit route-based IPSec VPN parameters in the vSphere Web Client. For more information about using APIs to configure route-based IPSec VPN, see the NSX API Guide.
In NSX 6.4.1 and earlier, you can configure only policy-based IPSec VPN service.