NSX Edge supports site-to-site IPSec VPN between an NSX Edge instance and remote sites. Certificate authentication, preshared-key mode, and IP unicast traffic are supported between the NSX Edge instance and remote VPN routers; dynamic routing protocols are not supported across the tunnel.

Behind each remote VPN router, you can configure multiple subnets to connect to the internal network behind an NSX Edge through IPSec tunnels.

Note:

Subnets and the internal network behind a NSX Edge must have address ranges that do not overlap.

If the local and remote peers across an IPsec VPN have overlapping IP address ranges, traffic forwarding across the tunnel might not be consistent, depending on whether locally connected routes and auto-plumbed routes exist.

You can deploy an NSX Edge agent behind a NAT device. In this deployment, the NAT device translates the VPN address of an NSX Edge instance to a publicly accessible address facing the Internet. Remote VPN routers use this public address to access the NSX Edge instance.

You can place remote VPN routers behind a NAT device as well. You must provide the VPN native address and the VPN Gateway ID to set up the tunnel. On both ends, static one-to-one NAT is required for the VPN address.

The number of tunnels needed is defined by the number of local subnets multiplied by the number of peer subnets. For example, if there are 10 local subnets and 10 peer subnets you need 100 tunnels. The maximum number of tunnels supported is determined by the ESG size, as shown below.

Table 1. Number of IPSec Tunnels per ESG

  ESG          Number of IPSec Tunnels
  Compact      512
  Large        1600
  Quad-Large   4096
  X-Large      6000
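The two planning rules above (local and peer subnets must not overlap, and the tunnel count is local subnets multiplied by peer subnets, bounded by the ESG size in Table 1) can be checked before a tunnel is configured. The following is an added example written for this page, not VMware code; the subnet values and the check_plan helper are assumptions.

```python
"""Pre-flight check for an NSX Edge site-to-site IPsec VPN plan.

Added example, not VMware code. It applies two rules from the text:
local and peer subnets must not overlap, and the number of tunnels
equals local subnets x peer subnets, bounded by the ESG size table.
"""
from ipaddress import ip_network

# Tunnel limits per ESG size, taken from Table 1 on this page.
ESG_TUNNEL_LIMITS = {"compact": 512, "large": 1600,
                     "quad-large": 4096, "x-large": 6000}


def overlapping_pairs(local_subnets, peer_subnets):
    """Return (local, peer) pairs whose address ranges overlap."""
    local = [ip_network(s, strict=False) for s in local_subnets]
    peer = [ip_network(s, strict=False) for s in peer_subnets]
    return [(str(l), str(p)) for l in local for p in peer if l.overlaps(p)]


def required_tunnels(local_subnets, peer_subnets):
    """Tunnels needed: one per (local subnet, peer subnet) pair."""
    return len(local_subnets) * len(peer_subnets)


def check_plan(esg_size, local_subnets, peer_subnets):
    """Return (ok, findings) for a proposed tunnel plan (hypothetical helper)."""
    findings = []
    for l, p in overlapping_pairs(local_subnets, peer_subnets):
        findings.append(f"overlap: local {l} and peer {p}")
    needed = required_tunnels(local_subnets, peer_subnets)
    limit = ESG_TUNNEL_LIMITS[esg_size.lower()]
    if needed > limit:
        findings.append(f"{needed} tunnels exceed {esg_size} limit of {limit}")
    return (not findings, findings)


if __name__ == "__main__":
    # Constructed sample input, not taken from the page.
    local = ["10.10.0.0/24", "10.10.1.0/24"]
    peer = ["192.168.5.0/24", "10.10.1.128/25"]  # second peer overlaps a local subnet
    ok, notes = check_plan("compact", local, peer)
    print(ok, notes)
```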

The following IPSec VPN algorithms are supported:

  • AES (AES128-CBC)

  • AES256 (AES256-CBC)

  • Triple DES (3DES192-CBC)

  • AES-GCM (AES128-GCM)

  • DH-2 (Diffie–Hellman group 2)

  • DH-5 (Diffie–Hellman group 5)

  • DH-14 (Diffie–Hellman group 14)

  • DH-15 (Diffie–Hellman group 15)

  • DH-16 (Diffie–Hellman group 16)

For IPSec VPN configuration examples, see IPSec VPN Configuration Examples.

For IPSec VPN troubleshooting, see https://kb.vmware.com/kb/2123580.