NSX Networking – IPSec VPN


The NSX Advanced Edge supports site-to-site IPSec VPN between an NSX Edge instance and remote sites. Behind each remote VPN router, you can configure multiple subnets to connect to the internal network behind an NSX Edge through IPSec tunnels. These subnets and the internal network behind a NSX Edge must have address ranges that do not overlap. The number of tunnels needed is defined by the number of local subnets multiplied by the number of peer subnets. For example, if there are 10 local subnets and 10 peer subnets you need 100 tunnels. The maximum number of tunnels supported is determined by the ESG size, as shown below.

Number of IPSec Tunnels per NSX Edge
NSX Edge Number of IPSec Tunnels
Compact 512
Large 1600
X-Large 6000

IPSec VPN Configuration

To enable a IPSec VPN for your VMware VDC:

  1. Click on the “IPSec VPN” tab of your vDC
  2. Click “Add a VPN”, enter you VPN details, click “Save”
  3. Click “Save Config” to commit your new VPN configuration into NSX


ipsec_howto_5   ipsec_howto_4

VPN Settings

Field Description Required Options/Example
Enable VPN Ensure that this is Enabled. Yes  On / Off
Perfect Forward Security Ensure that this is enabled. PFS will ensure the same key will not be generated again, so forcing a new diffie-hellman key exchange Yes  On / Off
Encryption Algorithm The Encryption Protocol reflects what is configured on the remote site VPN device  Yes  AES-256, AES, 3DES
DH Group The cryptography scheme that will allow the peer site and the NSX Edge to establish a shared secret over an insecure communications channel. Yes  DH2, DH5
Name  Enter the name of the VPN tunnel Yes  e.g. VPN1
Local ID  This is used to describe the Local Endpoint. Generally the Local Public IP is used. Yes e.g.
Local IP  Select the Uplink Interface IP of the Edge Gateway. (Available on the “Overview” tab of the VDC) Yes e.g.
Local Subnets Enter the network(s) you want to designate as the internal network for the VPN. Subnets should be entered in CIDR format with comma as a separator. Yes e.g.,
Peer ID  This is used to describe the Remote Endpoint. Generally the Remote Public IP is used. Yes e.g.
Peer IP  Enter the Public IP address (outside) of the remote device with which you are establishing the VPN. Yes e.g.
Peer Subnets Enter the network(s) you want to designate as the remote network for the VPN. Subnets should be entered in CIDR format with comma as a separator. Yes  e.g.
Pre-Shared Key  Indicates that the secret key shared between NSX Edge and the peer site is to be used for authentication. The secret key can be a string with a maximum length of 128 bytes. Yes  MySecretKey1234
Extension securelocaltrafficbyip=IPAddress to re-direct Edge’s local traffic over the IPSec VPN tunnel. This is the default value
passthroughSubnets=PeerSubnetIPAddress to support overlapping subnets
No securelocaltrafficbyip=<IPAddress>


VPN Status

In this release of the NSX Advanced Networking there is no status indicator in the MyAccount UI that tells you if an IPSec Tunnel is up or down. This will need to be confirmed at the peer end or by attempting to ping the remote network from a machine at the local end.

More Information

For information about other features of NSX Advanced Networking click here.