After creating an L2 VPN Server service, you must add an L2 VPN session and attach it to an existing segment.

The following steps use the L2 VPN Sessions tab on the NSX Manager UI to create an L2 VPN Server session. You also select an existing local endpoint and segment to attach to the L2 VPN Server session.

Note: You can also add an L2 VPN Server session immediately after you have successfully configured the L2 VPN Server service. You click Yes when prompted to continue with the L2 VPN Server configuration and select Sessions > Add Sessions on the Add L2 VPN Server panel. The first few steps in the following procedure assume you selected No to the prompt to continue with the L2 VPN Server configuration. If you selected Yes, proceed to step 3 in the following steps to guide you with the rest of the L2 VPN Server session configuration.


  • You must have configured an L2 VPN Server service before proceeding. See Add an L2 VPN Server Service.
  • Obtain the information for the local endpoint and remote IP to use with the L2 VPN Server session you are adding. To create a local endpoint, see Add Local Endpoints.
  • Obtain the values for the pre-shared key (PSK) and the tunnel interface subnet to use with the L2 VPN Server session.
  • Obtain the name of the existing segment you want to attach to the L2 VPN Server session you are creating. See Add a Segment for information.


  1. From your browser, log in with admin privileges to an NSX Manager at https://<nsx-manager-ip-address>.
  2. Navigate to the Networking > VPN > L2 VPN Sessions tab.
  3. Select Add L2 VPN Session > L2 VPN Server.
  4. Enter a name for the L2 VPN Server session.
  5. From the VPN Service drop-down menu, select the IPsec service on the same Tier-0 gateway for which the L2 VPN session is being created.
    Note: If you are adding this L2 VPN Server session from the Set L2VPN Server Sessions dialog box, the L2 VPN Server service is already indicated above the Add L2 Session button.
  6. Select an existing local endpoint from the drop-down menu.
    If you want to create a different local endpoint, click the three-dot menu ( Three black dots aligned vertically. Clicking this icon displays a menu of sub-commands. ) and select Add Local Endpoint.
  7. Enter the IP address of the remote site under Remote IP.
  8. To enable or disable the L2 VPN Server session, click Admin Status.
    By default, the value is set to Enabled, which means the L2 VPN Server session is to be configured down to the NSX Edge node.
  9. Enter the secret key value in Pre-shared Key.
    Caution: Be careful when sharing and storing a PSK value because it is considered sensitive information.
  10. Enter an IP subnet address in the Tunnel Interface using the CIDR notation.
    For example, This subnet address is required.
  11. Enter a value in Remote ID.
    For peer sites using certificate authentication, this ID must be the common name in the peer site's certificate. For PSK peers, this ID can be any string. Preferably, use the public IP address of the VPN or an FQDN for the VPN services as the Remote ID.
  12. If you want to include this session as part of a specific group, enter the tag name in Tags.
  13. Click Advanced Properties. if you want to reduce the maximum segment size (MSS) payload of the TCP session during the L2 VPN connection.
    By default, TCP MSS Clamping is enabled and the TCP MSS Direction is set to Both. See Understanding TCP MSS Clamping for more information.
    1. Enable or disable TCP MSS Clamping.
    2. Set the TCP MSS Value, if necessary. If the field is left blank, the value is automatically assigned.
  14. Click Save and click Yes when prompted if you want to continue with the VPN service configuration.
    You are returned to the Add L2VPN Sessions panel and the Segments link is now enabled.
  15. Attach an existing segment to the L2 VPN Server session.
    1. Click Segments > Set Segments.
    2. In the Set Segments dialog box, click Set Segment to attach an existing segment to the L2 VPN Server session.
    3. From the Segment drop-down menu, select the VNI-based or VLAN-based segment that you want to attach to the session.
    4. Enter a unique value in the VPN Tunnel ID that is used to identify the segment that you selected.
    5. In the Local Egress Gateway IP text box, enter the IP address of the local gateway that your workload VMs on the segment use as their default gateway. The same IP address can be configured in the remote site on the extended segment.
    6. Click Save and then Close.
    In the Set L2VPN Sessions pane or dialog box, the system has incremented the Segments count for the L2 VPN Server session.
  16. To finish the L2 VPN Server session configuration, click Close Editing.


In the VPN Services tab, the system incremented the Sessions count for the L2 VPN Server service that you configured.

If you have attached one or more segments to the session, you see the number of segments for each session in the L2 VPN Sessions tab. You can reconfigure or add segments by clicking the number in the Segments column. You do not need to edit the session. If the number is zero, it is not clickable and you must edit the session to add segments.

What to do next

To complete the L2 VPN service configuration, you must also create an L2 VPN service in Client mode and an L2 VPN client session. See Add an L2 VPN Client Service and Add an L2 VPN Client Session.