Policy-based IPSec VPN requires a VPN policy to be applied to packets to determine which traffic is to be protected by IPSec before being passed through the VPN tunnel.

This type of VPN is considered static because whenever the local network topology or configuration changes, the VPN policy settings must also be updated to accommodate the change.

When using a policy-based IPSec VPN with NSX-T Data Center, you use IPSec tunnels to connect one or more local subnets behind the NSX Edge node with the peer subnets on the remote VPN site.

You can deploy an NSX Edge node behind a NAT device. In this deployment, the NAT device translates the VPN address of an NSX Edge node to a publicly accessible address facing the Internet. Remote VPN sites use this public address to access the NSX Edge node.

You can place remote VPN sites behind a NAT device as well. You must provide the remote VPN site's public IP address and its ID (either FQDN or IP address) to set up the IPSec tunnel. On both ends, static one-to-one NAT is required for the VPN address.
Note: DNAT is not supported on a tier-1 gateway where policy-based IPSec VPN is configured.
The size of the NSX Edge node determines the maximum number of supported tunnels, as shown in the following table.
Table 1. Number of IPSec Tunnels Supported

| Edge Node Size | # of IPSec Tunnels Per VPN Session (Policy-Based) | # of Sessions Per VPN Service | # of IPSec Tunnels Per VPN Service (16 tunnels per session) |
|---|---|---|---|
| Small | N/A (POC/Lab Only) | N/A (POC/Lab Only) | N/A (POC/Lab Only) |
| Medium | 128 | 128 | 2048 |
| Large | 128 (soft limit) | 256 | 4096 |
| Bare Metal | 128 (soft limit) | 512 | 6000 |

Restriction: Because of the inherent architecture of policy-based IPSec VPN, you cannot set up VPN tunnel redundancy with it.

For information about configuring a policy-based IPSec VPN, see Add an IPSec VPN Service.