When you add a route-based IPSec VPN, tunneling is provided on traffic that is based on routes that were learned dynamically over a virtual tunnel interface (VTI) using a preferred protocol, such as BGP. IPSec secures all the traffic flowing through the VTI.

The steps described in this topic use the IPSec Sessions tab to create a route-based IPSec session. You also add information for the tunnel, IKE, and DPD profiles, and select an existing local endpoint to use with the route-based IPSec VPN.


You can also add the IPSec VPN sessions immediately after the IPSec VPN service is successfully configured. Click Yes when prompted to continue with the IPSec VPN service configuration and select Sessions > Add Sessions on the Add IPSec Service panel. The first few steps in the following procedure assume you selected No to the prompt to continue with the IPSec VPN service configuration. If you selected Yes, proceed to step 3 to guide you with the rest of the route-based IPSec VPN session configuration.


  • You must have configured an IPSec VPN service before proceeding. See Add an IPSec VPN Service.
  • Obtain the information for the local endpoint, IP address for the peer site, and tunnel service IP subnet address to use with the route-based IPSec session you are adding. To create a local endpoint, see Add Local Endpoints.
  • If you are using a Pre-Shared Key (PSK) for authentication, obtain the PSK value.
  • If you are using a certificate for authentication, ensure that the necessary server certificates and corresponding CA-signed certificates are already imported. See Certificates.
  • If you do not want to use the default values for the IPSec tunnel, IKE, or dead peer detection (DPD) profiles provided by NSX, configure the profiles you want to use instead. See Adding Profiles for information.


  1. With admin privileges, log in to NSX Manager.
  2. Navigate to Networking > VPN > IPSec Sessions.
  3. Select Add IPSec Session > Route Based.
  4. Enter a name for the route-based IPSec session.
  5. From the VPN Service drop-down menu, select the IPSec VPN service to which you want to add this new IPSec session.
    Note: If you are adding this IPSec session from the Add IPSec Sessions dialog box, the VPN Service name is already indicated above the Add IPSec Session button.
  6. Select an existing local endpoint from the drop-down menu.
    The local endpoint value is required and identifies the local NSX Edge node. If you want to create a different local endpoint, click the three-dot menu ( Three black dots aligned vertically. Clicking this icon displays a menu of sub-commands. ) and select Add Local Endpoint.
  7. In the Remote IP text box, enter the IP address of the remote site.
    This is a required value.
  8. Enter an optional description for this route-based IPSec VPN session.
    The maximum length is 1024 characters.
  9. To enable or disable the IPSec session, click Admin Status.
    By default, the value is set to Enabled, which means the IPSec session is to be configured down to the NSX Edge node.
  10. (Optional) From the Compliance suite drop-down menu, select a security compliance suite.
    Note: Compliance suite support is provided beginning with NSX 2.5. See About Supported Compliance Suites for more information.
    The default value is set to None. If you select a compliance suite, the Authentication Mode is set to Certificate and in the Advanced Properties section, the values for IKE profile and IPSec profile are set to the system-defined profiles for the selected compliance suite. You cannot edit these system-defined profiles.
  11. Enter an IP subnet address in Tunnel Interface in the CIDR notation.
    This address is required.
  12. If the Compliance Suite is set to None, select a mode from the Authentication Mode drop-down menu.
    The default authentication mode used is PSK, which means a secret key shared between NSX Edge and the remote site is used for the IPSec VPN session. If you select Certificate, the site certificate that was used to configure the local endpoint is used for authentication.

    For more information about certificate-based authentication, see Using Certificate-Based Authentication for IPSec VPN Sessions.

  13. If you selected PSK for the authentication mode, enter the key value in the Pre-shared Key text box.
    This secret key can be a string with a maximum length of 128 characters.
    Caution: Be careful when sharing and storing a PSK value because it contains some sensitive information.
  14. Enter a value in Remote ID.
    For peer sites using PSK authentication, this ID value must be the public IP address or the FQDN of the peer site. For peer sites using certificate authentication, this ID value must be the common name (CN) or distinguished name (DN) used in the peer site's certificate.
    Note: If the peer site's certificate contains an email address in the DN string, for example,
    C=US, ST=California, O=MyCompany, OU=MyOrg, CN=Site123/emailAddress=user1@mycompany.com
    then enter the Remote ID value using the following format as an example.
    C=US, ST=California, O=MyCompany, OU=MyOrg, CN=Site123, MAILTO=user1@mycompany.com"
    If the local site's certificate contains an email address in the DN string and the peer site uses the strongSwan IPsec implementation, enter the local site's ID value in that peer site. The following is an example.
    C=US, ST=California, O=MyCompany, OU=MyOrg, CN=Site123, E=user1@mycompany.com"
  15. If you want to include this IPSec session as part of a specific group tag, enter the tag name in Tags.
  16. To change the profiles, initiation mode, TCP MSS clamping mode, and tags used by the route-based IPSec VPN session, click Advanced Properties.
    By default, the system-generated profiles are used. Select another available profile if you do not want to use the default. If you want to use a profile that is not configured yet, click the three-dot menu ( Three black dots aligned vertically. Clicking this icon displays a menu of sub-commands. ) to create another profile. See Adding Profiles.
    1. If the IKE Profiles drop-down menu is enabled, select the IKE profile.
    2. Select the IPsec tunnel profile, if the IPSec Profiles drop-down menu is not disabled.
    3. Select the preferred DPD profile if the DPD Profiles drop-down menu is enabled.
    4. Select the preferred mode from the Connection Initiation Mode drop-down menu.
      Connection initiation mode defines the policy used by the local endpoint in the process of tunnel creation. The default value is Initiator. The following table describes the different available connection initiation modes.
      Table 1. Connection Initiation Modes
      Connection Initiation Mode Description
      Initiator The default value. In this mode, the local endpoint initiates the IPSec VPN tunnel creation and responds to incoming tunnel setup requests from the peer gateway.
      On Demand Do not use with the route-based VPN. This mode applies to policy-based VPN only.
      Respond Only The IPSec VPN never initiates a connection. The peer site always initiates the connection request and the local endpoint responds to that connection request.
  17. If you want to reduce the maximum segment size (MSS) payload of the TCP session during the IPSec connection, enable TCP MSS Clamping, select the TCP MSS direction value, and optionally set the TCP MSS Value.
    See Understanding TCP MSS Clamping for more information.
  18. If you want to include this IPSec session as part of a specific group tag, enter the tag name in Tags.
  19. Click Save.


When the new route-based IPSec VPN session is configured successfully, it is added to the list of available IPsec VPN sessions. It is in read-only mode.

What to do next

  • Verify that the IPSec VPN tunnel status is Up. See Monitor and Troubleshoot VPN Sessions for information.
  • Configure routing using either a static route or BGP. See Configure a Static Route or Configure BGP.
  • If necessary, manage the IPSec VPN session information by clicking the three-dot menu ( Three black dots aligned vertically. Clicking this icon displays a menu of sub-commands. ) on the left-side of the session's row. Select one of the actions you can perform.