You want to configure a route-based IPSec tunnel between an NSX Edge on the local site and a remote VPN Gateway on the peer site.

Unlike a policy-based IPSec tunnel, where you configure the local and remote subnets that are allowed to communicate, a route-based IPSec tunnel does not define local and peer subnets at all. Instead, you define a virtual tunnel interface (VTI) with a private IP address on both the local and peer sites, and traffic from the local subnets is routed through the VTI to the peer subnets. A dynamic routing protocol such as BGP, running across the VTIs, decides which local subnets are reached through the IPSec tunnel and which peer subnets are advertised back.

The following steps explain the procedure to configure a route-based IPSec tunnel between the two sites:
  1. Configure the IPSec VPN parameters on the local NSX Edge. In NSX Data Center 6.4.2 and later, you can configure route-based IPSec VPN parameters only by using REST APIs. For more information, see the NSX API Guide.
    • Local endpoint IP address and local ID to identify the local NSX Edge Gateway.
    • Peer endpoint IP address and peer ID to identify the peer VPN Gateway.
    • IKE version used to set up the security association between the two sites.
    • Digest algorithm.
    • Encryption algorithm.
    • Authentication mechanism (pre-shared key or certificate).
    • Diffie-Hellman (DH) group used for the key exchange.
    • Enable or disable perfect forward secrecy (PFS).
    • Enable or disable the Responder-only mode.
    • Virtual tunnel interface (VTI) on the NSX Edge. Provide a static private IP address for the VTI.
    Note: The VTI that you configure is a static VTI. Therefore, it cannot have more than one IP address. The best practice is to ensure that the VTI IP addresses on the local and peer sites are on the same subnet.
  2. Use the IPSec Config Download API to fetch the peer configuration for reference purposes and configure the peer VPN Gateway.
  3. Configure BGP peering between the VTIs at both the sites. Peering ensures that BGP at the local site advertises the local subnets to the peer VPN gateway, and similarly BGP at the peer site advertises the remote subnets to the local VPN gateway. For more details about configuring BGP, see the Routing section in the NSX Administration Guide.
    Important: In NSX 6.4.2 and later, static routing and OSPF dynamic routing through an IPSec tunnel are not supported.
  4. If you want to configure tunnel redundancy through more than one tunnel, configure the BGP hold-down timer and keepalive timer values. BGP declares the neighbor down when the hold-down timer expires, so these values determine how quickly loss of connectivity with the remote VPN gateway is detected and whether failover happens within the required time.
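The following Python script is an added example, not VMware's code or text from the NSX API Guide, that assembles one route-based IPSec site entry for the steps above and applies the checks a practitioner would want before sending it: both VTI addresses distinct and in one subnet (the Note under step 1), no weak IKE or DH choices, PFS enabled, and BGP timers that meet a failover target (step 4). The XML element names (`ipsecSessionType`, `tunnelInterface`, `ikeOption`, and so on) and the enumeration spellings (`ikev2`, `dh14`, `routebasedsession`) are written from memory of the NSX 6.4 API and must be verified against the NSX API Guide for your release; the IP addresses, IDs and pre-shared key are constructed sample values.

```python
"""Assemble and sanity-check one route-based IPSec site for an NSX Edge.

Added example, not VMware code. Element names and enumeration values are
assumptions recalled from the NSX 6.4 API guide; verify before use.
"""
import ipaddress
from xml.etree import ElementTree as ET

# Step 1 parameters with the values a practitioner would choose today.
# The spellings are assumptions about the NSX API enumerations.
DEFAULT_CRYPTO = {
    "ikeOption": "ikev2",             # IKE version
    "digestAlgorithm": "sha256",      # digest algorithm
    "encryptionAlgorithm": "aes256",  # encryption algorithm
    "authenticationMode": "psk",      # pre-shared key or certificate
    "dhGroup": "dh14",                # 2048-bit MODP group
    "enablePfs": "true",              # fresh DH exchange per IPSec SA
    "responderOnly": "false",         # this side may initiate
}

WEAK_DH = {"dh2", "dh5"}  # 1024- and 1536-bit MODP (assumed NSX spellings)


def vti_pair_ok(local_vti, peer_vti):
    """A static VTI carries exactly one address; both ends should share a
    subnet and must not collide (the Note under step 1)."""
    local = ipaddress.ip_interface(local_vti)
    peer = ipaddress.ip_interface(peer_vti)
    return local.network == peer.network and local.ip != peer.ip


def crypto_problems(params):
    """Return a list of complaints about the IKE/IPSec choices; empty is good."""
    problems = []
    if params.get("ikeOption") == "ikev1":
        problems.append("IKEv1 selected; prefer IKEv2 unless the peer cannot")
    if params.get("dhGroup") in WEAK_DH:
        problems.append("DH group %s is below 2048 bits" % params["dhGroup"])
    if params.get("enablePfs") != "true":
        problems.append("perfect forward secrecy disabled")
    if params.get("authenticationMode") == "psk" and len(params.get("psk", "")) < 16:
        problems.append("pre-shared key missing or shorter than 16 characters")
    return problems


def build_site_xml(name, local_ip, local_id, peer_ip, peer_id,
                   local_vti, peer_vti, crypto=DEFAULT_CRYPTO, psk=None):
    """Return the <site> element for the Edge IPSec config (assumed endpoint:
    PUT /api/4.0/edges/{edgeId}/ipsec/config). Raises ValueError on bad input."""
    if not vti_pair_ok(local_vti, peer_vti):
        raise ValueError("local and peer VTI must be distinct addresses in one subnet")
    params = dict(crypto)
    if psk is not None:
        params["psk"] = psk
    problems = crypto_problems(params)
    if problems:
        raise ValueError("; ".join(problems))

    site = ET.Element("site")
    ET.SubElement(site, "enabled").text = "true"
    ET.SubElement(site, "name").text = name
    ET.SubElement(site, "localId").text = local_id    # identifies local Edge
    ET.SubElement(site, "localIp").text = local_ip
    ET.SubElement(site, "peerId").text = peer_id      # identifies peer gateway
    ET.SubElement(site, "peerIp").text = peer_ip
    for tag, value in params.items():
        ET.SubElement(site, tag).text = value
    ET.SubElement(site, "ipsecSessionType").text = "routebasedsession"
    vti = ET.SubElement(site, "tunnelInterface")      # the static VTI
    ET.SubElement(vti, "label").text = "vti-1"
    ET.SubElement(ET.SubElement(vti, "ipAddresses"), "ipAddress").text = local_vti
    return ET.tostring(site, encoding="unicode")


def bgp_timers_ok(keepalive_s, hold_s, required_failover_s):
    """Step 4: BGP declares the peer dead when the hold timer expires, so the
    hold timer bounds detection time. Keep hold >= 3 * keepalive so a single
    lost keepalive does not flap the session, and hold >= 3 s as RFC 4271
    requires for non-zero hold times."""
    return 3 <= hold_s <= required_failover_s and hold_s >= 3 * keepalive_s


if __name__ == "__main__":
    # Constructed sample values for a local Edge and a remote gateway.
    print(build_site_xml("site-to-peer", "198.51.100.10", "198.51.100.10",
                         "203.0.113.20", "203.0.113.20",
                         "169.254.10.1/24", "169.254.10.2/24",
                         psk="constructed-example-psk-0123"))
    print("BGP 1s/3s meets 5s failover:", bgp_timers_ok(1, 3, 5))
```

The script produces one `<site>` element; wrap it in the Edge's full `<ipsec>` document before sending it, and configure the peer side from the output of the IPSec Config Download API rather than by hand so the identities, algorithms and VTI addressing stay consistent on both ends.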

For a detailed example of configuring a route-based IPSec tunnel between a local NSX Edge and a remote Cisco CSR 1000V VPN Gateway, see Using a Cisco CSR 1000V Appliance.