Add an IPSec VPN Service

NSX-T Data Center supports a site-to-site IPSec VPN service between a Tier-0 or Tier-1 gateway and remote sites. You can create a policy-based or a route-based IPSec VPN service. You must create the IPSec VPN service first before you can configure either a policy-based or a route-based IPSec VPN session.

Note: IPSec VPN is not supported in the NSX-T Data Center limited export release.

IPSec VPN is not supported when the local endpoint IP address goes through NAT in the same logical router that the IPSec VPN session is configured.

Prerequisites

Familiarize yourself with the IPSec VPN. See Understanding IPSec VPN.
You must have at least one Tier-0 or Tier-1 gateway configured and available for use. See Add a Tier-0 Gateway or Add a Tier-1 Gateway for more information.

Procedure

From your browser, log in with admin privileges to an NSX Manager at https://<nsx-manager-ip-address>.
Navigate to Networking > VPN > VPN Services.
Select Add Service > IPSec.
Enter a name for the IPSec service.
This name is required.
From the Tier-0/Tier-1 Gateway drop-down menu, select the Tier-0 or Tier-1 gateway to associate with this IPSec VPN service.
Enable or disable Admin Status.
By default, the value is set to Enabled, which means the IPSec VPN service is enabled on the Tier-0 or Tier-1 gateway after the new IPSec VPN service is configured.
Set the value for IKE Log Level.
The default is set to the Info level.
Enter a value for Tags if you want to include this service in a tag group.
To enable or disable the stateful synchronization of VPN sessions, toggle Session sync.
By default, the value is set to Enabled.
Click Global Bypass Rules if you want to allow data packets to be exchanged between the specified local and remote IP addresses without any IPSec protection. In the Local Networks and Remote Networks text boxes, enter the list of local and remote subnets between which the bypass rules are applied.
If you enable these rules, data packets are exchanged between the specified local and remote IP sites even if their IP addresses are specified in the IPSec session rules. The default is to use the IPSec protection when data is exchanged between local and remote sites. These rules apply for all IPSec VPN sessions created within this IPSec VPN service.
Click Save.
After the new IPSec VPN service is created successfully, you are asked whether you want to continue with the rest of the IPSec VPN configuration. If you click Yes, you are taken back to the Add IPSec VPN Service panel. The Sessions link is now enabled and you can click it to add an IPSec VPN session.

What to do next

Use information in Adding IPSec VPN Sessions to guide you in adding an IPSec VPN session. You also provide information for the profiles and local endpoint that are required to finish the IPSec VPN configuration.