Configure an IPSec VPN

The NSX Advanced Edge supports site-to-site IPSec VPN between an NSX Edge instance and remote sites. Behind each remote VPN router, you can configure multiple subnets to connect to the internal network behind an NSX Edge through IPSec tunnels. These subnets and the internal network behind an NSX Edge must have address ranges that do not overlap. The number of tunnels needed is the number of local subnets multiplied by the number of peer subnets. For example, if there are 10 local subnets and 10 peer subnets, you need 100 tunnels. The maximum number of tunnels supported is determined by the ESG size, as shown below.

Number of IPSec Tunnels per NSX Edge

| NSX Edge | Number of IPSec Tunnels |
|----------|-------------------------|
| Compact  | 512                     |
| Large    | 1600                    |
| X-Large  | 6000                    |
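A quick way to size a configuration before committing it, as an added example that is not part of this page or of NSX itself: it parses the Local Subnets and Peer Subnets fields exactly as they are entered (comma-separated CIDRs), computes the tunnel count from the rule above, checks it against the ESG limits in the table, and flags any local/peer pairs whose address ranges overlap. The edge-size names and limits are taken from the table; the field contents in the usage call are constructed sample values.

```python
import ipaddress

# Tunnel capacity per ESG size, as given in the table above.
TUNNEL_LIMITS = {"Compact": 512, "Large": 1600, "X-Large": 6000}


def parse_subnets(field):
    """Parse a Local/Peer Subnets field: CIDR networks separated by commas.

    strict=True rejects entries such as 192.168.1.5/24 whose host bits are
    set, which is the kind of typo that silently breaks a tunnel definition.
    """
    return [ipaddress.ip_network(s.strip(), strict=True)
            for s in field.split(",") if s.strip()]


def overlapping_pairs(local, peer):
    """Return every (local, peer) pair whose address ranges overlap.

    The page requires non-overlapping ranges; an overlap either needs a
    redesign or the passthroughSubnets= extension described later.
    """
    return [(l, p) for l in local for p in peer if l.overlaps(p)]


def plan_tunnels(local_field, peer_field, edge_size):
    """Compute required tunnels and check them against the ESG limit."""
    local = parse_subnets(local_field)
    peer = parse_subnets(peer_field)
    tunnels = len(local) * len(peer)          # local count x peer count
    limit = TUNNEL_LIMITS[edge_size]
    return {
        "tunnels": tunnels,
        "limit": limit,
        "fits": tunnels <= limit,
        "overlaps": overlapping_pairs(local, peer),
    }


if __name__ == "__main__":
    # Constructed sample input matching the examples in the settings table.
    result = plan_tunnels("192.168.1.0/24, 192.168.2.0/24",
                          "10.0.1.0/24", "Compact")
    print(result)
```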


IPSec VPN Configuration

To enable an IPSec VPN for your VMware VDC:

  1. Click on the "IPSec VPN" tab of your vDC
  2. Click "Add a VPN", enter your VPN details, and click "Save"
  3. Click "Save Config" to commit your new VPN configuration into NSX

VPN Settings

| Field | Description | Required | Options/Example |
|-------|-------------|----------|-----------------|
| Enable VPN | Ensure that this is Enabled. | Yes | On / Off |
| Perfect Forward Security | Ensure that this is enabled. PFS ensures the same key is not generated again by forcing a new Diffie-Hellman key exchange for each new key. | Yes | On / Off |
| Encryption Algorithm | Must match the encryption algorithm configured on the remote-site VPN device. | Yes | AES-256, AES, 3DES |
| DH Group | The cryptographic scheme that allows the peer site and the NSX Edge to establish a shared secret over an insecure communications channel. | Yes | DH2, DH5 |
| Name | Enter the name of the VPN tunnel. | Yes | e.g. VPN1 |
| Local ID | Identifies the local endpoint. Generally the local public IP is used. | Yes | e.g. 119.252.17.1 |
| Local IP | Select the uplink interface IP of the Edge Gateway (available on the "Overview" tab of the VDC). | Yes | e.g. 119.252.17.1 |
| Local Subnets | Enter the network(s) you want to designate as the internal network for the VPN. Enter subnets in CIDR format, separated by commas. | Yes | e.g. 192.168.1.0/24, 192.168.2.0/24 |
| Peer ID | Identifies the remote endpoint. Generally the remote public IP is used. | Yes | e.g. 1.1.1.1 |
| Peer IP | Enter the public (outside) IP address of the remote device with which you are establishing the VPN. | Yes | e.g. 1.1.1.1 |
| Peer Subnets | Enter the network(s) you want to designate as the remote network for the VPN. Enter subnets in CIDR format, separated by commas. | Yes | e.g. 10.0.1.0/24 |
| Pre-Shared Key | The secret key shared between the NSX Edge and the peer site, used for authentication. The secret key can be a string with a maximum length of 128 bytes. | Yes | MySecretKey1234 |
| Extension | securelocaltrafficbyip=IPAddress redirects the Edge's local traffic over the IPSec VPN tunnel; this is the default value. passthroughSubnets=PeerSubnetIPAddress supports overlapping subnets. | No | securelocaltrafficbyip=, passthroughSubnets= |


VPN Status

In this release of NSX Advanced Networking there is no status indicator in the MyAccount UI that tells you whether an IPSec tunnel is up or down. Confirm the tunnel state at the peer end, or by pinging the remote network from a machine at the local end.