Internet Protocol Security (IPSec) VPN secures traffic flowing between two networks that are connected over a public network through IPSec gateways called endpoints. NSX Edge supports only tunnel mode, which uses IP tunneling with Encapsulating Security Payload (ESP). ESP operates directly on top of IP, using IP protocol number 50.

IPSec VPN uses the IKE protocol to negotiate security parameters. The default IKE port is UDP 500. If NAT is detected between the gateways, the port changes to UDP 4500 (NAT traversal).
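The protocol and port facts above (ESP as IP protocol 50, IKE on UDP 500, UDP 4500 when NAT is detected) are what a firewall administrator or analyst needs in order to permit or recognise the tunnel traffic. The following added example, which is not part of the NSX documentation and is not NSX code, classifies raw IPv4 packets into those categories. It assumes the RFC 3948 NAT-traversal framing, in which IKE messages carried on UDP 4500 are prefixed with a four-byte zero "non-ESP marker" while UDP-encapsulated ESP starts with its non-zero SPI; the sample packets are constructed inline with RFC 5737 test addresses and zeroed checksums.

```python
import struct
from collections import Counter

IP_PROTO_UDP = 17
IP_PROTO_ESP = 50          # ESP runs directly on top of IP (protocol number 50)
IKE_PORT = 500             # default IKE port
NAT_T_PORT = 4500          # IKE and ESP-in-UDP once NAT is detected


def classify_ipsec_packet(pkt: bytes) -> str:
    """Return ESP, IKE, IKE-NAT-T, ESP-NAT-T or OTHER for a raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "OTHER"
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return "OTHER"
    proto = pkt[9]
    if proto == IP_PROTO_ESP:
        return "ESP"
    if proto != IP_PROTO_UDP or len(pkt) < ihl + 8:
        return "OTHER"
    sport, dport, _ulen, _csum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    payload = pkt[ihl + 8:]
    if IKE_PORT in (sport, dport):
        return "IKE"
    if NAT_T_PORT in (sport, dport):
        # Assumption (RFC 3948): IKE on UDP 4500 carries a 4-byte zero
        # non-ESP marker; an ESP packet begins with its SPI, which is never 0.
        if len(payload) >= 4 and payload[:4] == b"\x00\x00\x00\x00":
            return "IKE-NAT-T"
        return "ESP-NAT-T"
    return "OTHER"


def summarize(packets) -> dict:
    """Count how many packets fall into each IPSec-related category."""
    return dict(Counter(classify_ipsec_packet(p) for p in packets))


# --- constructed sample packets (not real captures) -----------------------

def build_ipv4(proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header: IHL=5, no options, checksum left at zero."""
    header = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
        bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    return header + payload


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    """UDP header with the checksum left at zero (valid for IPv4)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


ESP_BODY = b"\x00\x00\x12\x34" + b"\x00\x00\x00\x01" + b"\x00" * 16  # SPI, seq, placeholder ciphertext
IKE_BODY = b"\x11" * 28                                              # placeholder IKE header

ESP_PKT = build_ipv4(IP_PROTO_ESP, ESP_BODY)
IKE_PKT = build_ipv4(IP_PROTO_UDP, build_udp(IKE_PORT, IKE_PORT, IKE_BODY))
IKE_NATT_PKT = build_ipv4(IP_PROTO_UDP, build_udp(NAT_T_PORT, NAT_T_PORT, b"\x00" * 4 + IKE_BODY))
ESP_NATT_PKT = build_ipv4(IP_PROTO_UDP, build_udp(NAT_T_PORT, NAT_T_PORT, ESP_BODY))
TCP_PKT = build_ipv4(6, b"\x00" * 20)

if __name__ == "__main__":
    for name, p in [("esp", ESP_PKT), ("ike", IKE_PKT), ("ike-natt", IKE_NATT_PKT),
                    ("esp-natt", ESP_NATT_PKT), ("tcp", TCP_PKT)]:
        print(f"{name:10s} -> {classify_ipsec_packet(p)}")
```

A firewall between the endpoints therefore has to pass three things for the tunnel to come up: IP protocol 50, UDP 500, and UDP 4500 whenever a NAT device sits in the path; a capture in which only IKE is seen but no ESP or ESP-NAT-T packets is the usual sign that protocol 50 (or UDP 4500) is being filtered.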

NSX Edge supports a policy-based or a route-based IPSec VPN.

IPSec VPN services are supported on Tier-0 gateways that must be in Active-Standby high-availability mode. See Add a Tier-0 Gateway for information. Beginning with NSX-T Data Center 2.5, IPSec VPN is also supported on Tier-1 gateways. You can use segments that are connected to either Tier-0 or Tier-1 gateways when configuring an IPSec VPN service.

IPSec VPN service in NSX-T Data Center uses the gateway-level failover functionality to provide a high-availability service. Tunnels are re-established on failover and the VPN configuration data is synchronized. The IPSec VPN runtime state is not synchronized, because the tunnels are re-established rather than resumed.

Pre-shared key mode authentication and IP unicast traffic are supported between the NSX Edge node and remote VPN sites. In addition, certificate authentication is supported beginning with NSX-T Data Center 2.4. Only certificates signed with one of the following signature hash algorithms are supported.
  • SHA256withRSA
  • SHA384withRSA
  • SHA512withRSA
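Before loading a peer or local certificate for certificate-based IKE authentication, it is worth checking that its signature algorithm is on the supported list above, since a certificate signed with an unsupported algorithm (SHA-1 with RSA, or an ECDSA signature) will not be accepted. The following added example is not part of the NSX documentation; it reads the `signatureAlgorithm` OID straight out of a DER-encoded X.509 certificate with a minimal DER walker (no third-party library) and compares it with the three supported OIDs. The OID-to-name mapping is the standard PKCS#1 assignment; the sample certificates are constructed stubs that keep only the outer structure the check needs, not real certificates.

```python
# Supported signature algorithms per the list above, keyed by their PKCS#1 OIDs.
ALLOWED_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.11": "SHA256withRSA",
    "1.2.840.113549.1.1.12": "SHA384withRSA",
    "1.2.840.113549.1.1.13": "SHA512withRSA",
}

TAG_SEQUENCE = 0x30
TAG_OID = 0x06


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw: bytes) -> str:
    """Decode DER OID contents (first byte packs two arcs, rest base-128)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(der_cert: bytes) -> str:
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, body, _ = _read_tlv(der_cert, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not a DER certificate")
    _, _tbs, pos = _read_tlv(body, 0)            # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(body, pos)        # AlgorithmIdentifier
    if tag != TAG_SEQUENCE:
        raise ValueError("malformed signatureAlgorithm")
    tag, oid_raw, _ = _read_tlv(alg_id, 0)
    if tag != TAG_OID:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid_raw)


def check_cert_signature_algorithm(der_cert: bytes):
    """Return (supported?, algorithm name or raw OID) for a DER certificate."""
    oid = signature_algorithm_oid(der_cert)
    name = ALLOWED_SIGNATURE_OIDS.get(oid)
    return (name is not None, name if name else oid)


# --- constructed stub certificates (structure only, not real X.509) ---------

def _tlv(tag: int, value: bytes) -> bytes:
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    length = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + value


def _stub_cert(oid_contents: bytes) -> bytes:
    alg_id = _tlv(TAG_SEQUENCE, _tlv(TAG_OID, oid_contents) + b"\x05\x00")  # OID + NULL params
    return _tlv(TAG_SEQUENCE, _tlv(TAG_SEQUENCE, b"") + alg_id + _tlv(0x03, b"\x00"))


CERT_SHA256_RSA = _stub_cert(b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")  # 1.2.840.113549.1.1.11
CERT_SHA512_RSA = _stub_cert(b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0d")  # 1.2.840.113549.1.1.13
CERT_SHA1_RSA = _stub_cert(b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05")    # 1.2.840.113549.1.1.5
CERT_ECDSA_SHA256 = _stub_cert(b"\x2a\x86\x48\xce\x3d\x04\x03\x02")    # 1.2.840.10045.4.3.2

if __name__ == "__main__":
    import sys
    # Usage: python check_cert.py peer.der  (or run without arguments for the stubs)
    certs = [open(sys.argv[1], "rb").read()] if len(sys.argv) > 1 else \
        [CERT_SHA256_RSA, CERT_SHA512_RSA, CERT_SHA1_RSA, CERT_ECDSA_SHA256]
    for c in certs:
        print(check_cert_signature_algorithm(c))
```

Running the same check on the whole chain (issuer certificates included) is the safer habit, since a leaf signed with SHA256withRSA can still hang off an intermediate that was signed with an algorithm outside this list.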