Route-based IPSec VPN is similar to Generic Routing Encapsulation (GRE) over IPSec, with the exception that no additional encapsulation is added to the packet before applying IPSec processing.

In this VPN tunneling approach, virtual tunnel interfaces (VTI) are created on the ESG appliance. Each VTI is associated with an IPSec tunnel. The encrypted traffic is routed from one site to another site through the VTI interfaces. IPSec processing happens only at the VTI interfaces.

VPN Tunnel Redundancy

With route-based IPSec VPN service, you can configure VPN tunnel redundancy. Tunnel redundancy provides uninterrupted data path connectivity between the two sites when the ISP link fails, or when the remote VPN Gateway fails.

Important:
  • In NSX Data Center 6.4.2 and later, IPSec VPN tunnel redundancy is supported only using BGP. OSPF dynamic routing is not supported for routing through IPSec VPN tunnels.
  • Do not use static routing for route-based IPSec VPN tunnels to achieve VPN tunnel redundancy.

The following figure shows a logical representation of IPSec VPN tunnel redundancy between two sites. In this figure, Site A and Site B represent two data centers. For this example, assume that Site A has Edge VPN Gateways that might not be managed by NSX, and Site B has an Edge Gateway virtual appliance that is managed by NSX.

Figure 1. Tunnel Redundancy in Route-Based IPSec VPN
Diagram illustrates IPsec VPN tunnel redundancy between two data center sites A and B by using BGP dynamic routing.

As shown in the figure, you can configure two independent IPSec VPN tunnels by using VTIs. Dynamic routing is configured using the BGP protocol to achieve tunnel redundancy. Both IPSec VPN tunnels remain in service as long as they are available. All the traffic destined from Site A to Site B through the ESG is routed through the VTI. The data traffic undergoes IPSec processing and goes out of its associated ESG uplink interface. All the incoming IPSec traffic received from the Site B VPN Gateway on the ESG uplink interface is forwarded to the VTI after decryption, and then usual routing takes place.

You must configure the BGP HoldDown timer and KeepAlive timer values so that loss of connectivity with the peer is detected within the required failover time.

Some key points that you must remember about route-based IPSec VPN service are as follows:
  • You can configure policy-based IPSec VPN tunnels and route-based IPSec tunnels on the same ESG appliance. However, you cannot configure a policy-based tunnel and a route-based tunnel with the same VPN peer site.
  • NSX supports a maximum of 32 VTIs on a single ESG appliance. That is, you can configure a maximum of 32 route-based VPN peer sites.
  • NSX does not support migration of existing policy-based IPSec VPN tunnels to route-based tunnels or conversely.
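The following Python script is an added planning check, not part of the NSX documentation or the NSX product. It encodes the constraints stated above (at most 32 VTIs per ESG, no policy-based and route-based tunnel to the same peer, BGP rather than OSPF or static routing for tunnel redundancy, and BGP timers that detect peer loss within the required failover time) and applies them to a constructed plan. The peer addresses, VTI names, timer values and the `EsgVpnPlan` / `VpnSite` model are assumptions made for the example; the relation hold > keepalive and the minimum non-zero hold time of 3 seconds come from the BGP specification (RFC 4271), and hold = 3 x keepalive is the common convention, not an NSX requirement.

```python
"""Constructed planning check for a route-based IPSec VPN design on one
ESG appliance. Assumed data model; not the NSX API."""
from dataclasses import dataclass
from typing import List, Optional

MAX_VTI_PER_ESG = 32  # limit stated in the NSX documentation
MIN_BGP_HOLD_SECONDS = 3  # RFC 4271: a non-zero hold time is at least 3 s


@dataclass(frozen=True)
class VpnSite:
    peer_ip: str
    mode: str                       # "route" or "policy"
    vti_name: Optional[str] = None  # required for route-based sites


@dataclass(frozen=True)
class BgpTimers:
    keepalive: int
    hold: int


@dataclass
class EsgVpnPlan:
    sites: List[VpnSite]
    redundancy: bool
    routing_protocol: str                    # "bgp", "ospf" or "static"
    bgp_timers: Optional[BgpTimers] = None
    required_failover_seconds: Optional[int] = None


def check_bgp_timers(timers: BgpTimers, required_failover: Optional[int]) -> List[str]:
    """Timer sanity plus the page's requirement that peer loss is detected
    within the failover time (the hold timer bounds the detection delay)."""
    problems = []
    if timers.hold <= timers.keepalive:
        problems.append("BGP hold timer must be greater than the keepalive timer")
    if timers.hold < MIN_BGP_HOLD_SECONDS:
        problems.append(f"BGP hold timer must be at least {MIN_BGP_HOLD_SECONDS} s")
    if required_failover is not None and timers.hold > required_failover:
        problems.append(f"BGP hold timer {timers.hold} s exceeds the required failover time {required_failover} s")
    return problems


def suggest_bgp_timers(required_failover: int) -> BgpTimers:
    """Largest hold timer (hold = 3 x keepalive convention) that still
    detects peer loss within the required failover time."""
    if required_failover < MIN_BGP_HOLD_SECONDS:
        raise ValueError("failover time shorter than the minimum BGP hold time")
    hold = (required_failover // 3) * 3
    return BgpTimers(keepalive=hold // 3, hold=hold)


def validate_plan(plan: EsgVpnPlan) -> List[str]:
    """Return a list of violations of the documented constraints (empty = OK)."""
    problems = []
    route_sites = [s for s in plan.sites if s.mode == "route"]
    if len(route_sites) > MAX_VTI_PER_ESG:
        problems.append(f"{len(route_sites)} route-based sites exceed {MAX_VTI_PER_ESG} VTIs per ESG")
    vtis = [s.vti_name for s in route_sites]
    if None in vtis:
        problems.append("every route-based site needs its own VTI")
    if len(set(vtis)) != len(vtis):
        problems.append("VTI names must be unique on the ESG")
    # A peer may have a policy-based tunnel or a route-based tunnel, never both.
    modes_by_peer = {}
    for s in plan.sites:
        modes_by_peer.setdefault(s.peer_ip, set()).add(s.mode)
    for peer, modes in modes_by_peer.items():
        if modes == {"route", "policy"}:
            problems.append(f"peer {peer} has both a policy-based and a route-based tunnel")
    if plan.redundancy:
        if plan.routing_protocol != "bgp":
            problems.append(f"tunnel redundancy requires BGP, not {plan.routing_protocol}")
        if len(route_sites) < 2:
            problems.append("tunnel redundancy needs at least two route-based tunnels")
        if plan.routing_protocol == "bgp":
            if plan.bgp_timers is None:
                problems.append("BGP timers must be configured for failover detection")
            else:
                problems.extend(check_bgp_timers(plan.bgp_timers, plan.required_failover_seconds))
    return problems


# Constructed sample plans (addresses from the RFC 5737 documentation range).
GOOD_PLAN = EsgVpnPlan(
    sites=[VpnSite("203.0.113.10", "route", "vti-1"), VpnSite("203.0.113.20", "route", "vti-2")],
    redundancy=True, routing_protocol="bgp",
    bgp_timers=BgpTimers(keepalive=10, hold=30), required_failover_seconds=30)

BAD_PLAN = EsgVpnPlan(
    sites=[VpnSite("203.0.113.10", "route", "vti-1"), VpnSite("203.0.113.10", "policy")],
    redundancy=True, routing_protocol="ospf")

if __name__ == "__main__":
    print("good plan:", validate_plan(GOOD_PLAN) or "OK")
    print("bad plan:", validate_plan(BAD_PLAN))
    print("timers for 10 s failover:", suggest_bgp_timers(10))
```

Run the script directly to see the good plan pass, the bad plan fail on the shared peer, the OSPF choice and the single tunnel, and a timer suggestion for a 10-second failover target.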

For information about configuring a route-based IPSec VPN site, see Configure Route-Based IPSec VPN Site.

For a detailed example of configuring a route-based IPSec VPN tunnel between a local NSX Edge and a remote Cisco CSR 1000V VPN Gateway, see Using a Cisco CSR 1000V Appliance.