The Internet Protocol Security (IPSec) profiles provide information about the algorithms that are used to authenticate, encrypt, and establish a shared secret between network sites when you establish an IPSec tunnel.
| Name of Default IPSec Profile | Description |
|---|---|
Instead of the default IPSec profile, you can also select one of the compliance suites supported starting with NSX-T Data Center 2.5. See About Supported Compliance Suites for more information.
If you decide not to use the default IPSec profiles or compliance suites provided, you can configure your own using the following steps.
- With admin privileges, log in to NSX Manager.
- Navigate to the tab.
- Select the IPSec Profiles profile type, and click Add IPSec Profile.
- Enter a name for the IPSec profile.
- From the drop-down menus, select the encryption, digest, and Diffie-Hellman algorithms. You can select multiple algorithms to apply.
Deselect the ones you do not want used.
Table 2. Algorithms Used

| Type of Algorithm | Valid Values | Description |
|---|---|---|
| Encryption | AES GCM 128 (default), AES 128, AES 256, AES GCM 192, AES GCM 256, No Encryption Auth AES GMAC 128, No Encryption Auth AES GMAC 192, No Encryption Auth AES GMAC 256, No Encryption | The encryption algorithm used during the Internet Protocol Security (IPSec) negotiation. |
| Digest | SHA2 256, SHA2 384, SHA2 512 | The secure hashing algorithm used during the IPSec negotiation. |
| Diffie-Hellman Group | Group 14 (default), Group 2, Group 5, Group 15, Group 16, Group 19, Group 20, Group 21 | The cryptography schemes that the peer site and NSX Edge use to establish a shared secret over an insecure communications channel. |
- Deselect PFS Group if you do not want Perfect Forward Secrecy (PFS) on your VPN service.
It is selected by default.
- In the SA Lifetime text box, modify the default number of seconds before the IPSec tunnel must be re-established.
By default, an SA lifetime of 24 hours (86400 seconds) is used.
- Select the value for DF Bit to use with the IPSec tunnel.
The value determines how to handle the "Don't Fragment" (DF) bit included in the data packet received. The acceptable values are described in the following table.
Table 3. DF Bit Values

| DF Bit Value | Description |
|---|---|
| COPY | The default value. When this value is selected, NSX-T Data Center copies the value of the DF bit from the received packet into the packet that is forwarded. This means that if the received data packet has the DF bit set, the packet also has the DF bit set after encryption. |
| CLEAR | When this value is selected, NSX-T Data Center ignores the value of the DF bit in the received data packet, and the DF bit is always 0 in the encrypted packet. |
- Provide a description and add a tag, if necessary.
- Click Save.
A new row is added to the table of available IPSec profiles. To edit or delete a profile that was not created by the system, click the three-dot menu and select from the list of actions available.
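The procedure above lets you pick any combination of the values in Tables 2 and 3, including ones that weaken the tunnel (the "No Encryption" and GMAC options, the small MODP Diffie-Hellman groups, PFS turned off, or an unusually long SA lifetime). The following added example, which is not VMware's code and does not use any NSX-T API, shows a small Python lint that checks a custom profile selection against the option set on this page before you click Save. The `IPSecProfile` dataclass and its field names are constructed for this example to mirror the UI fields; the MODP and ECP key sizes per group are the standard values for those IKE groups.

```python
"""Added example (not VMware's code): lint a custom NSX-T IPSec profile
selection against the options documented in Tables 2 and 3 above.

The IPSecProfile layout is constructed for this example to mirror the UI
fields (encryption, digest, Diffie-Hellman group, PFS, SA lifetime, DF bit);
it is not an NSX-T API schema."""
from dataclasses import dataclass
from typing import List, Set, Tuple

# Valid values as listed in Table 2 / Table 3.
ENCRYPTION = {
    "AES GCM 128", "AES 128", "AES 256", "AES GCM 192", "AES GCM 256",
    "No Encryption Auth AES GMAC 128", "No Encryption Auth AES GMAC 192",
    "No Encryption Auth AES GMAC 256", "No Encryption",
}
DIGEST = {"SHA2 256", "SHA2 384", "SHA2 512"}
# Group -> (family, key size in bits): standard sizes for these IKE groups.
DH_GROUPS = {
    "Group 2": ("MODP", 1024), "Group 5": ("MODP", 1536),
    "Group 14": ("MODP", 2048), "Group 15": ("MODP", 3072),
    "Group 16": ("MODP", 4096), "Group 19": ("ECP", 256),
    "Group 20": ("ECP", 384), "Group 21": ("ECP", 521),
}
DF_BIT = {"COPY", "CLEAR"}
DEFAULT_SA_LIFETIME = 86400  # 24 hours, the default stated on the page


@dataclass
class IPSecProfile:
    name: str
    encryption: Set[str]
    digest: Set[str]
    dh_groups: Set[str]
    pfs: bool = True
    sa_lifetime: int = DEFAULT_SA_LIFETIME
    df_bit: str = "COPY"


def lint_profile(p: IPSecProfile) -> List[Tuple[str, str]]:
    """Return (severity, message) findings; an empty list means nothing to flag."""
    findings: List[Tuple[str, str]] = []
    # Values the UI drop-downs do not offer at all.
    for bad in sorted(p.encryption - ENCRYPTION):
        findings.append(("error", f"unknown encryption algorithm {bad!r}"))
    for bad in sorted(p.digest - DIGEST):
        findings.append(("error", f"unknown digest algorithm {bad!r}"))
    for bad in sorted(p.dh_groups - set(DH_GROUPS)):
        findings.append(("error", f"unknown Diffie-Hellman group {bad!r}"))
    if p.df_bit not in DF_BIT:
        findings.append(("error", f"unknown DF bit value {p.df_bit!r}"))
    for label, chosen in (("encryption", p.encryption), ("digest", p.digest),
                          ("Diffie-Hellman group", p.dh_groups)):
        if not chosen:
            findings.append(("error", f"no {label} selected; at least one is required"))
    # Confidentiality: the GMAC and No Encryption options authenticate but do not encrypt.
    for alg in sorted(p.encryption & ENCRYPTION):
        if alg.startswith("No Encryption"):
            findings.append(("high", f"{alg!r} provides integrity only; "
                                     "payloads cross the tunnel in clear text"))
    # Diffie-Hellman strength: MODP groups below the 2048-bit Group 14 default.
    for group in sorted(p.dh_groups & set(DH_GROUPS)):
        family, bits = DH_GROUPS[group]
        if family == "MODP" and bits < 2048:
            findings.append(("medium", f"{group} is {bits}-bit MODP, "
                                       "weaker than the Group 14 default"))
    # Without PFS, child SA keys derive from the IKE SA key alone.
    if not p.pfs:
        findings.append(("medium", "PFS disabled: compromise of the IKE SA key "
                                   "exposes every tunnel key derived from it"))
    if p.sa_lifetime <= 0:
        findings.append(("error", "SA lifetime must be a positive number of seconds"))
    elif p.sa_lifetime > DEFAULT_SA_LIFETIME:
        findings.append(("low", f"SA lifetime {p.sa_lifetime}s exceeds the "
                                f"{DEFAULT_SA_LIFETIME}s default; keys stay in use longer"))
    return findings


# Constructed sample profiles: one weak selection and one hardened one.
WEAK = IPSecProfile("branch-legacy", {"AES 128", "No Encryption Auth AES GMAC 128"},
                    {"SHA2 256"}, {"Group 2", "Group 14"}, pfs=False, sa_lifetime=172800)
HARDENED = IPSecProfile("branch-hardened", {"AES GCM 256"}, {"SHA2 384"}, {"Group 20"})

if __name__ == "__main__":
    for profile in (WEAK, HARDENED):
        print(profile.name)
        for severity, message in lint_profile(profile) or [("ok", "no findings")]:
            print(f"  [{severity}] {message}")
```

Run the file directly to see the two constructed profiles scored; the hardened profile (AES GCM 256, SHA2 384, Group 20, PFS on, default lifetime, DF bit COPY) produces no findings. The severities are only a suggested ordering for review; the point is that every choice offered by the UI is accepted by NSX-T, so the check has to happen before the profile is saved and attached to a VPN service.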