When you use certificate-based authentication for an IPSec VPN session, you must configure the certificate details for the IPSec session in the associated local endpoint.


Wildcard certificates are not supported for IPSec VPN.

Refer to the following workflow for details on how to configure the certificate details for a IPSec VPN session.

Configure Certificate-Based Authentication for an IPSec VPN Session

  1. Create and enable an IPSec VPN service using an existing Tier-0 or Tier-1 gateway. See Add an IPSec VPN Service.
  2. If you do not have the necessary server certificates or CA certificates in NSX Manager, import the certificates. See Import a Self-signed or CA-signed Certificate and Import a CA Certificate.
  3. Use Add Local Endpoints to create a VPN server hosted on the logical router and select the certificates for it.

    The local ID is derived from the certificate associated with the local endpoint and depends on the X509v3 extensions present in the certificate. The local ID can be either the X509v3 extension Subject Alternative Name (SAN) or Distinguished Name (DN). The Local ID is not required and the ID specified there is ignored. However, for the remote VPN gateway, you need to configure the local ID as remote ID in the peer VPN gateway.

    • If X509v3 Subject Alternative Name is found in the certificate, then one of the SAN strings is taken as the local ID value.
      If the certificate has multiple SAN fields, then following order is used to select the local ID.
      Order SAN Field
      1 IP Address
      2 DNS
      3 Email Address

      For example, if the configured site certificate has the following SAN fields,

      X509v3 Subject Alternative Name:
      DNS:Site123.vmware.com, email:user1@company.com, IP Address:

      then the IP address is used as the local ID. If the IP address is not available, then the DNS string is used. And if the IP address and the DNS are not available, then the email address is used.

    • If X509v3 Subject Alternative Name is not present in the certificate, then the Distinguished Name (DN) is used as the local ID value.

      For example, if the certificate does not have any SAN fields, and its DN string is

      C=US, ST=California, O=MyCompany, OU=MyOrg, CN=Site123

      then the DN string automatically becomes the local ID. The local ID is the peer ID on the remote site.

    Note: If the certificate details are not properly configured, it might cause the VPN session to go down with the Down alarm of Authentication failed.
  4. Configure either a policy-based or route-based IPSec VPN session. See Add a Policy-Based IPSec Session or Add a Route-Based IPSec Session.

    Make sure to configure the following settings.

    1. From the Authentication Mode drop-down menu, select Certificate.
    2. In the Remote ID textbox, enter a value to identify the peer site.

      The remote ID must be a distinguished name (DN), IP address, DNS, or an email address used in the peer site's certificate.


      If the peer site's certificate contains an email address in the DN string, for example,

      C=US, ST=California, O=MyCompany, OU=MyOrg, CN=Site123/emailAddress=user1@mycompany.com

      then enter the Remote ID value using the following format as an example.

      C=US, ST=California, O=MyCompany, OU=MyOrg, CN=Site123, MAILTO=user1@mycompany.com