NSX Edge supports site-to-site IPSec VPN between an NSX Edge instance and remote sites. The IPSec VPN tunnel is made up of two ends. The tunnel must be consistent on both sides, including IP subnets and encryption standard.

The following ports must be open on all the components of the IPSec VPN tunnel:
  • Port 500. This port is used when there is no NAT device between the endpoints.
  • Port 4500. This port is used where there is a NAT device between the endpoints.

Make sure that firewall rules permit Encapsulating Security Payload (ESP) packets.

Some common misconfiguration issues that can cause an IPSec tunnel to fail are as follows:
  • MTU configuration on the vSphere Distributed Switch is set too low. Low MTU configuration causes packet fragmentation and results in a tunnel creation failure.
  • Some third-party VPN solutions offer an aggressive negotiation mode. NSX Data Center for vSphere supports only the standard negotiation mode (main mode).
  • Virtual machines are configured for IPv6 communication through the IPSec VPN tunnel. Currently, NSX Data Center for vSphere does not support IPv6.