The L2 VPN server is the destination NSX edge to which the L2 VPN client is going to connect.

About this task

As described in the NSX Administration Guide, you can connect multiple peer sites to this L2 VPN server.


Changing site configuration settings causes the edge gateway to disconnect and reconnect all existing connections.

You must have the server's listener IP, listener port, encryption algorithm, and at least one peer site configured before you can enable the L2 VPN service.


Verify the edge gateway has a routed organization virtual datacenter network that is configured as a subinterface on the edge gateway. See the vCloud Director Administrator's Guide for the steps on creating an external routed organization virtual datacenter network.

Verify you have completed the steps described in Navigate to the L2 VPN Screen in the Tenant Portal.

If you want to bind a service certificate to the L2 VPN connection, verify that the server certificate has already been uploaded to the edge gateway. See Add a Service Certificate to the Edge Gateway.


  1. On the tenant portal's L2 VPN tab, select Server for the L2 VPN mode.
  2. Click the Server Global tab if it is not already selected.
  3. Configure the L2 VPN server's global configuration details.



    Listener IP

    Type the primary or secondary IP address of an external interface of the edge gateway.

    Listener Port

    The default port for the L2 VPN service is 443. Edit the displayed value as appropriate for your organization's needs.

    Encryption Algorithm

    Select the encryption algorithm for the communication between the server and the client.

    Service Certificate Details

    Click CHANGE SERVER CERTIFICATE to select the certificate to be bound to the L2 VPN server.

    In the window that opens, turn on the Validate Server Certificate toggle, select a server certificate from the list, and click OK.

  4. Configure the peer sites by clicking the Server Sites tab.
  5. Click the + icon.
  6. In the window that opens, configure the following options for an L2 VPN peer site.




    Toggle on to enable this peer site.


    Type a unique name for this peer site.


    (Optional) Type a description.

    User Id


    Confirm Password

    Type the user name and password with which the peer site is to be authenticated. User credentials on the peer site should be the same as those on the client side.

    Stretched Interfaces

    Select the subinterfaces to be stretched with the client.

    The subinterfaces available to select are those organization virtual datacenter networks configured as subinterfaces on the edge gateway.

    Egress Optimization Gateway Address

    (Optional) If the default gateway for virtual machines is the same across the two sites, type the gateway IP addresses of the subinterfaces for which you want the traffic locally routed or blocked over the L2 VPN tunnel.

  7. ClickKeep to add the entry to the on-screen table.
  8. Click Save changes.

    The save operation can take a minute to complete.

What to do next

Enable the L2 VPN service on this edge gateway. See Enable the L2 VPN Service on an Edge Gateway.