NSX supports IPSec Virtual Private Network (IPSec VPN) and Layer 2 VPN (L2 VPN) on an NSX Edge node. IPSec VPN offers site-to-site connectivity between an NSX Edge node and remote sites. With L2 VPN, you can extend your data center by enabling virtual machines to keep their network connectivity across geographical boundaries while using the same IP address.

Note:

IPSec VPN and L2 VPN are not supported in the NSX limited export release.

You must have a working NSX Edge node, with at least one configured Tier-0 or Tier-1 gateway, before you can configure a VPN service. For more information, see "NSX Edge Installation" in the NSX-T Data Center Installation Guide.

Beginning with NSX 2.4, you can also configure new VPN services using the NSX Manager user interface. In earlier releases of NSX, you can only configure VPN services using REST API calls.

Important: When using NSX 2.4 or later to configure VPN services, you must use new objects, such as Tier-0 gateways, that were created using the NSX Manager UI or Policy APIs that are included with NSX 2.4 or later release. To use existing Tier-0 or Tier-1 logical routers that were configured before the NSX 2.4 release, you must continue to use API calls to configure a VPN service.

System-default configuration profiles with predefined values and settings are made available for your use during a VPN service configuration. You can also define new profiles with different settings and select them during the VPN service configuration.

The Intel QuickAssist Technology (QAT) feature on a bare metal server is supported for IPSec VPN bulk cryptography. Support for this feature began with NSX 3.0. For more information on support of the QAT feature on bare metal servers, see the NSX Installation Guide.