This page shows you how to configure an IPsec VPN between two NSX Edge Gateways.


On your Edge Gateway, go to the Manage tab, then the VPN tab, and open the IPsec VPN section.

If IPsec VPN Service Status is disabled, click Enable to enable it. (You need at least one peer to be able to publish.)

You can also enable logging and configure the log level (by default, the value is INFO).

Click Publish Changes to apply what you have just done.


Now you need to configure the IPsec VPN on each site to have a working VPN. (Here each site is an NSX Edge Gateway.)

Create a VPN configuration on an NSX Edge Gateway

Click on the "Add" icon.

Enter the Name of your IPsec VPN peer.

Enter a Local Id. It will be the Peer Id on the remote site. In this example, we chose the public IP of the NSX Edge Gateway.

Enter the same value as Local Id for Local Endpoint.

Enter the local subnets you want to share with the remote site. (CIDR format)

Enter the Peer Id. (Remember, it's the Local Id of the remote site.)

Enter the same value as Peer Id for Peer Endpoint.

Enter the local subnets of the remote site. (CIDR format)

Select your required encryption algorithm.

Select an authentication method.

You can use Certificate authentication if you enabled it in Global configuration and if you added a certificate on the NSX Edge Gateway.

Type the Pre-Shared Key. (It must be the same on the local and peer sites.)

Select a Diffie-Hellman Group.

Click OK and click Publish Changes to put your parameters into production.

Configure the remote site as follows, using your own requirements and following the instructions above:

Click OK and click Publish Changes to put your parameters into production.
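The two peer definitions have to mirror each other, so it helps to check them side by side before publishing. The following added example (not part of the original page and not NSX code) does that in Python; the dictionary keys, addresses, algorithm names and key are constructed sample values, and it assumes the encryption algorithm and Diffie-Hellman group must be identical on both sites, as IKE negotiation requires.

```python
import hmac
from ipaddress import ip_network

# Constructed sample values (documentation address ranges), not taken from the page.
SITE_A = {
    "local_id": "198.51.100.10", "local_endpoint": "198.51.100.10",
    "local_subnets": ["10.1.0.0/24"],
    "peer_id": "203.0.113.20", "peer_endpoint": "203.0.113.20",
    "peer_subnets": ["10.2.0.0/24"],
    "encryption": "AES256", "dh_group": "DH14", "psk": "constructed-example-psk",
}
SITE_B = {
    "local_id": "203.0.113.20", "local_endpoint": "203.0.113.20",
    "local_subnets": ["10.2.0.0/24"],
    "peer_id": "198.51.100.10", "peer_endpoint": "198.51.100.10",
    "peer_subnets": ["10.1.0.0/24"],
    "encryption": "AES256", "dh_group": "DH14", "psk": "constructed-example-psk",
}

def _nets(cidrs):
    # strict=True rejects entries with host bits set, e.g. 10.1.0.5/24
    return {ip_network(c, strict=True) for c in cidrs}

def _one_way(x, y, nx, ny):
    """Check that x's local values equal y's peer values."""
    out = []
    for mine, theirs in (("local_id", "peer_id"), ("local_endpoint", "peer_endpoint")):
        if x[mine] != y[theirs]:
            out.append(f"{nx}.{mine} does not match {ny}.{theirs}")
    if _nets(x["local_subnets"]) != _nets(y["peer_subnets"]):
        out.append(f"{nx}.local_subnets does not match {ny}.peer_subnets")
    return out

def check_mirror(a, b):
    """Return a list of mismatches between two site definitions (empty = consistent)."""
    problems = _one_way(a, b, "A", "B") + _one_way(b, a, "B", "A")
    for key in ("encryption", "dh_group"):
        if a[key] != b[key]:
            problems.append(f"{key} differs")
    # Compare the key without ever writing it to the report.
    if not hmac.compare_digest(a["psk"].encode(), b["psk"].encode()):
        problems.append("psk differs")
    if any(l.overlaps(r) for l in _nets(a["local_subnets"]) for r in _nets(a["peer_subnets"])):
        problems.append("local and peer subnets overlap")
    return problems

if __name__ == "__main__":
    print(check_mirror(SITE_A, SITE_B) or "site definitions are consistent")
```
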

Your configuration is done.

You can display your tunnel state by clicking on Show IPsec Statistics.

In this screenshot, you can see our tunnel status as UP and running.

During the NSX Edge Gateway deployment, if you enabled the auto rule generation, your firewall rules are automatically configured.

If not, you need to configure the firewall to allow the IPsec VPN.

This screenshot shows you the auto-generated rule on the peer site.