Internet Protocol Security (IPSec) VPN secures traffic flowing between two networks connected over a public network through IPSec gateways called endpoints. NSX Edge only supports a tunnel mode that uses IP tunneling with Encapsulating Security Payload (ESP). ESP operates directly on top of IP, using IP protocol number 50.

IPSec VPN uses the IKE protocol to negotiate security parameters. The default UDP port is set to 500. If NAT is detected in the gateway, the port is set to UDP 4500.

NSX Edge supports a policy-based or a route-based IPSec VPN.

Beginning with NSX 2.5, IPSec VPN services are supported on both Tier-0 and Tier-1 gateways. See Add a Tier-0 Gateway or Add a Tier-1 Gateway for more information. The Tier-0 or Tier-1 gateway must be in Active-Standby high-availability mode when used for an IPSec VPN service. You can use segments that are connected to either Tier-0 or Tier-1 gateways when configuring an IPSec VPN service.

An IPsec VPN service in NSX uses the gateway-level failover functionality to support a high-availability service at the VPN service level. Tunnels are re-established on failover and VPN configuration data is synchronized. Before NSX 3.0 release, the IPSec VPN state is not synchronized as tunnels are being re-established. Beginning with NSX 3.0 release, the IPSec VPN state is synchronized to the standby NSX Edge node when the current active NSX Edge node fails and the original standby NSX Edge node becomes the new active NSX Edge node without renegotiating the tunnels. This feature is supported for both policy-based and route-based IPSec VPN services.

Pre-shared key mode authentication and IP unicast traffic are supported between the NSX Edge node and remote VPN sites. In addition, certificate authentication is supported beginning with NSX 2.4. Only certificate types signed by one of the following signature hash algorithms are supported.
  • SHA256withRSA
  • SHA384withRSA
  • SHA512withRSA