NSX-T Data Center supports IPSec VPN and Layer 2 VPN (L2VPN) on the NSX Edge.
IPSec VPN secures traffic flowing between two networks connected over a public network through IPSec gateways called endpoints. NSX Edge supports only tunnel mode: the entire original IP packet is encapsulated in a new IP header and protected with Encapsulating Security Payload (ESP), so the inner addressing is not visible to the transit network. Transport mode is not available.
IPSec VPN uses the Internet Key Exchange (IKE) protocol to negotiate security parameters (peer authentication, algorithms, and keys). IKE runs over UDP port 500 by default. If a NAT device is detected on the path during the IKE exchange, the peers move IKE, and UDP-encapsulated ESP, to UDP port 4500 (NAT traversal). Firewalls between the endpoints must therefore permit UDP 500 and UDP 4500, plus ESP (IP protocol 50) where no NAT is present.
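The NAT detection that triggers the move to UDP 4500 is worth seeing concretely. The following is an added example, not NSX code: it models the IKEv2 mechanism from RFC 7296 section 2.23, in which each peer sends NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP payloads carrying SHA-1(SPIi | SPIr | IP | port) over the addresses it believes it is using, and the receiver recomputes the hash over the addresses it actually saw on the wire. The SPIs, addresses and ports below are constructed, and the helper names (`nat_detection_hash`, `peer_is_behind_nat`, `choose_ike_port`) are this example's own.

```python
"""IKEv2 NAT detection, the mechanism behind the UDP 500 -> 4500 switch.

Added example for this page, not NSX code. Models RFC 7296 section 2.23.
All SPIs, addresses and ports are constructed.
"""
import hashlib
import ipaddress
import struct

IKE_PORT = 500        # default IKE port
IKE_NATT_PORT = 4500  # IKE and UDP-encapsulated ESP after NAT is detected


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """Hash carried in a NAT_DETECTION_*_IP notify payload:
    SHA-1(SPIi | SPIr | IP address | UDP port), port in network byte order."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKE SPIs are 8 bytes each")
    addr = ipaddress.ip_address(ip).packed          # 4 bytes (IPv4) or 16 (IPv6)
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()


def peer_is_behind_nat(spi_i: bytes, spi_r: bytes, claimed_hashes: list,
                       seen_ip: str, seen_port: int) -> bool:
    """True if none of the peer's NAT_DETECTION_SOURCE_IP hashes matches the
    source address/port the packet actually arrived from. A multi-homed peer
    may send one hash per interface, hence a list."""
    observed = nat_detection_hash(spi_i, spi_r, seen_ip, seen_port)
    return observed not in claimed_hashes


def choose_ike_port(nat_detected: bool) -> int:
    """Port both sides continue IKE (and UDP-encapsulated ESP) on."""
    return IKE_NATT_PORT if nat_detected else IKE_PORT


def demo() -> dict:
    # Constructed IKE_SA_INIT request: the initiator picks its SPI, while the
    # responder's SPI is still all zeros at this point (RFC 7296 section 2.6).
    spi_i = bytes.fromhex("0102030405060708")
    spi_r = bytes(8)

    # Case A: initiator on 10.0.0.5:500 sits behind a NAT that rewrites the
    # packet to 203.0.113.7:41000 before it reaches the responding gateway.
    claimed_a = [nat_detection_hash(spi_i, spi_r, "10.0.0.5", IKE_PORT)]
    nat_a = peer_is_behind_nat(spi_i, spi_r, claimed_a, "203.0.113.7", 41000)

    # Case B: initiator on a public address, no NAT on the path.
    claimed_b = [nat_detection_hash(spi_i, spi_r, "198.51.100.9", IKE_PORT)]
    nat_b = peer_is_behind_nat(spi_i, spi_r, claimed_b, "198.51.100.9", IKE_PORT)

    return {
        "nat_case": (nat_a, choose_ike_port(nat_a)),
        "no_nat_case": (nat_b, choose_ike_port(nat_b)),
    }


if __name__ == "__main__":
    for name, (nat, port) in demo().items():
        print(f"{name}: NAT detected={nat}, continue IKE on UDP {port}")
```

Because the hash covers the SPIs as well as the address, a captured NAT_DETECTION payload cannot be replayed into a different IKE SA, and because the detection runs in both directions, either endpoint being behind a NAT is enough to move the session to 4500.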
NSX Edge supports two types of IPSec VPN: policy-based VPN and route-based VPN.
Policy-based VPN requires a policy, a set of local and remote subnet pairs (the traffic selectors), to be applied to the packets forwarded to the IPSec service; only traffic matching the policy enters the tunnel, and non-matching traffic is forwarded normally. This type of VPN is considered static: when the local network topology or configuration changes, the policy settings must also be updated, otherwise traffic for the new subnets bypasses the tunnel.
Route-based VPN tunnels traffic based on routes learned dynamically over a special interface called the virtual tunnel interface (VTI), using, for example, BGP as the routing protocol. IPSec secures all traffic forwarded through the VTI, so subnets newly advertised over the tunnel are protected without any change to the IPSec configuration.
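The practical difference between the two modes is what decides whether a given packet enters the tunnel. The following is an added example, not NSX code: it models a policy-based VPN as a static list of traffic selectors and a route-based VPN as a routing table fed by routes learned over the VTI, then walks through a remote site adding a subnet after the VPN was configured. The subnets, the interface names (`vti0`, `uplink`) and the class and method names are constructed for this illustration.

```python
"""Policy-based vs route-based IPsec as a forwarding decision.

Added example for this page, not NSX code. Subnets and interface names
are constructed.
"""
import ipaddress
from dataclasses import dataclass, field

IPNet = ipaddress.IPv4Network
IPAddr = ipaddress.IPv4Address


@dataclass
class PolicyBasedVpn:
    """Traffic selectors are configured statically. Anything they do not
    match is forwarded normally, i.e. in the clear over the uplink."""
    selectors: list = field(default_factory=list)  # [(local_net, remote_net)]

    def forward(self, src: IPAddr, dst: IPAddr) -> str:
        for local, remote in self.selectors:
            if src in local and dst in remote:
                return "ipsec"
        return "cleartext-uplink"


@dataclass
class RouteBasedVpn:
    """Whatever the routing table sends out the VTI is encrypted."""
    routes: dict = field(default_factory=dict)  # {prefix: egress interface}

    def bgp_update(self, prefix: IPNet, via: str = "vti0") -> None:
        """Prefix advertised by the remote peer over the tunnel."""
        self.routes[prefix] = via

    def forward(self, src: IPAddr, dst: IPAddr) -> str:
        candidates = [p for p in self.routes if dst in p]
        if not candidates:
            return "drop"
        best = max(candidates, key=lambda p: p.prefixlen)  # longest-prefix match
        return "ipsec" if self.routes[best] == "vti0" else "cleartext-uplink"


def demo() -> dict:
    local = IPNet("10.10.0.0/24")
    remote_day1 = IPNet("192.168.10.0/24")
    remote_new = IPNet("192.168.20.0/24")  # subnet the remote site adds later

    policy = PolicyBasedVpn([(local, remote_day1)])
    routed = RouteBasedVpn({IPNet("0.0.0.0/0"): "uplink", remote_day1: "vti0"})

    src = IPAddr("10.10.0.5")
    new_host = IPAddr("192.168.20.5")
    old_host = IPAddr("192.168.10.7")

    # The original remote subnet is protected in both modes.
    baseline = {"policy": policy.forward(src, old_host),
                "route": routed.forward(src, old_host)}

    # Before the new subnet is announced, neither mode knows about it: both
    # forward the traffic over the default path, unencrypted.
    before = {"policy": policy.forward(src, new_host),
              "route": routed.forward(src, new_host)}

    # The remote site brings up the new subnet and BGP advertises it over the VTI.
    routed.bgp_update(remote_new)

    # Route-based follows the routing update; policy-based still needs an
    # operator to add a selector, and keeps leaking the traffic in the clear.
    after = {"policy": policy.forward(src, new_host),
             "route": routed.forward(src, new_host)}

    return {"baseline": baseline, "new_subnet_before_bgp": before,
            "new_subnet_after_bgp": after}


if __name__ == "__main__":
    for stage, outcome in demo().items():
        print(stage, outcome)
```

The security-relevant point the model makes explicit is that, in both modes, traffic that does not enter the tunnel is not dropped but routed like any other traffic. A policy-based deployment therefore needs a firewall rule that blocks inter-site traffic outside the selectors, or every topology change becomes a window in which that traffic crosses the public network unencrypted.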
L2VPN connectivity extends Layer 2 networks from an on-premises data center to a cloud such as VMware Cloud on AWS (VMC). The L2VPN connection is secured with a route-based IPSec tunnel.
The extended network is a single subnet with a single broadcast domain, so you can migrate VMs between the on-premises data center and the public cloud without changing their IP addresses.
In addition to supporting data center migration, an on-premises network extended with an L2VPN is useful for disaster recovery and for dynamically engaging off-premises compute resources to meet an increase in demand, which is called cloud bursting.
Each L2VPN session uses one GRE tunnel, carried inside the route-based IPSec tunnel. Tunnel redundancy is not supported, so the session is a single point of failure for every network it extends. An L2VPN session can extend up to 4094 Layer 2 networks.