NSX supports a site-to-site IPSec VPN service between a Tier-0 or Tier-1 gateway and remote sites. You can create a policy-based or a route-based IPSec VPN service. You must create the IPSec VPN service first before you can configure either a policy-based or a route-based IPSec VPN session.

Note: IPSec VPN is not supported in the NSX limited export release.

IPSec VPN is not supported when the local endpoint IP address goes through NAT in the same logical router that the IPSec VPN session is configured.



  1. With admin privileges, log in to NSX Manager.
  2. Navigate to Networking > VPN > VPN Services.
  3. Select Add Service > IPSec.
  4. Enter a name for the IPSec service.
    This name is required.
  5. From the Tier-0/Tier-1 Gateway drop-down menu, select the Tier-0 or Tier-1 gateway to associate with this IPSec VPN service.
  6. Enable or disable Admin Status.
    By default, the value is set to Enabled, which means the IPSec VPN service is enabled on the Tier-0 or Tier-1 gateway after the new IPSec VPN service is configured.
  7. Set the value for IKE Log Level.
    The default is set to the Info level.
  8. Enter a value for Tags if you want to include this service in a tag group.
  9. To enable or disable the stateful synchronization of VPN sessions, toggle Session sync.
    By default, the value is set to Enabled.
  10. Click Global Bypass Rules if you want to allow data packets to be exchanged between the specified local and remote IP addresses without any IPSec protection. In the Local Networks and Remote Networks text boxes, enter the list of local and remote subnets between which the bypass rules are applied.
    If you enable these rules, data packets are exchanged between the specified local and remote IP sites even if their IP addresses are specified in the IPSec session rules. The default is to use the IPSec protection when data is exchanged between local and remote sites. These rules apply for all IPSec VPN sessions created within this IPSec VPN service.
  11. Click Save.
    After the new IPSec VPN service is created successfully, you are asked whether you want to continue with the rest of the IPSec VPN configuration. If you click Yes, you are taken back to the Add IPSec VPN Service panel. The Sessions link is now enabled and you can click it to add an IPSec VPN session.


After one or more IPSec VPN sessions are added, the number of sessions for each VPN service will appear in the VPN Services tab. You can reconfigure or add sessions by clicking the number in the Sessions column. You do not need to edit the service. If the number is zero, it is not clickable and you must edit the service to add sessions.

What to do next

Use information in Adding IPSec VPN Sessions to guide you in adding an IPSec VPN session. You also provide information for the profiles and local endpoint that are required to finish the IPSec VPN configuration.