IPSEC VPN

The NSX Edge service gateway supports site-to-site IPSEC VPN that allows you to connect an NSX Edge services gateway-backed network to another device at the remote site. NSX Edge can establish secure tunnels with remote sites to allow secure traffic flow between sites. The number of tunnels an Edge gateway can establish depends on the size of the Edge gateway deployed.

A compact Edge gateway can create a maximum of 512 tunnels. A large Edge gateway can create a maximum of 1600 tunnels, while a quad-large can handle a maximum of 4096 tunnels. An X-Large Edge gateway can handle up to 6000 tunnels.

NSX supports AES (AES128-CBC), AES256 (AES256-CBC), Triple DES (3DES192-CBC), DH-2 (Diffie-Hellman group 2), DH-5 (Diffie-Hellman group 5), and AES-GCM (AES128-GCM) IPSEC VPN algorithms.

Before we begin configuring our IPSEC VPN, ensure dynamic routing is disabled on the Edge uplink so that specific static routes can be defined for VPN traffic.

Having dynamic routing enabled causes routes to be updated as the router learns of new routes, which can cause traffic disruption in an IPSEC VPN setup.

Let's begin by generating a certificate to enable certificate authentication. You can import a CA-signed certificate or use OpenSSL to generate one. Self-signed certificates cannot be used with an IPSEC VPN; they can only be used with load balancers and SSL VPNs. Perform the following set of steps to generate a certificate to enable certificate authentication:

  1. Go to Home | Networking & Security | NSX Edges, double-click on an Edge appliance, and navigate to the Manage tab | Settings | Certificates.
  2. Click Actions and click Generate CSR. This generates your CSR.
  3. Fill out the appropriate details and click OK.
  4. We will now set the Global configuration status. Click on the VPN tab and click on IPsec VPN.
  5. Click on Change beside the Global configuration status.
  6. Enter the global Pre-Shared Key that is shared by all the sites whose peer endpoints are set to any.
  7. Enable Certificate Authentication and select the appropriate certificate. Click OK when done.
  8. Next, we enable logging for our IPsec VPN. Expand the logging policy and check Enable logging. Set the appropriate logging level. Increasing the logging level increases the amount of data stored on the Edge appliance and can negatively impact performance. A best practice is to configure a syslog server so that all logs are exported to it rather than stored locally on the Edge services gateway appliance.
  9. Next, we configure the IPsec VPN parameters. Click the + icon.
  10. Type the Name of the tunnel and enter the Edge gateway IP address in the Local Id field. This will be the Peer ID on the remote site.
  11. Type the IP address of the Local Endpoint, which is the IP address of your Edge gateway.
  12. Type the Local Subnets that are shared between the two sites.
  13. Enter the Peer ID to uniquely identify the peer site. For peers using certificate authentication, this ID must be the common name in the peer's certificate. As a best practice, use the peer's IP address as the Peer ID.
  14. In the Peer Endpoint field, type the IP address of the peer site. Then type the internal IP address range of the Peer Subnets.
  15. Select the appropriate Encryption Algorithm. If you require anonymous sites to connect to your VPN, enter the Pre-Shared Key to allow this. Clicking Display shared key displays the key to be used on the peer site.
  16. Select the cryptography scheme (the Diffie-Hellman group) that allows the NSX Edge and the peer site to establish a shared secret over an insecure channel.
  17. In the Extension field, type one of the following:
  • securelocaltrafficbyip=IPAddress: This redirects the Edge's local traffic through the IPSEC tunnel. This is the default value.
  • passthroughSubnets=PeerSubnetIPAddress: This allows for overlapping subnets on both sides.
  18. Click OK when done. NSX Edge now creates a tunnel between the local subnet and the peer subnet.
  19. Click Enable and Publish Changes when done.
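The tunnel parameters above (Local Id, Local Endpoint, Local Subnets, Peer ID, Peer Endpoint, Peer Subnets, Encryption Algorithm, Diffie-Hellman group, Extension) are easy to get subtly wrong in the UI, and the Edge size limits and the overlapping-subnet rule are easy to forget. The following is an added example, not VMware's code or API: an offline pre-flight check that takes a planned tunnel list and flags mismatched IDs, overlapping subnets without the passthroughSubnets extension, legacy cipher or DH choices, PSK use with an anonymous peer, and tunnel counts beyond the limit for the chosen Edge size. The `Tunnel` field names and the sample addresses are assumptions modelled on the UI fields described in this section.

```python
"""Pre-flight sanity check for NSX Edge IPsec VPN tunnel parameters.

Added example; not VMware's code or API. Field names mirror the UI fields
described above and are assumptions. Sample values are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

# Maximum tunnels per Edge size, as stated for the appliance sizes above.
MAX_TUNNELS = {"compact": 512, "large": 1600, "quad-large": 4096, "x-large": 6000}

# Algorithms and DH groups listed as supported. 3DES and DH group 2 are
# supported but legacy choices, so they are flagged for review.
SUPPORTED_ENCRYPTION = {"AES128-CBC", "AES256-CBC", "3DES192-CBC", "AES128-GCM"}
SUPPORTED_DH_GROUPS = {2, 5}
LEGACY_ENCRYPTION = {"3DES192-CBC"}
LEGACY_DH_GROUPS = {2}
EXTENSION_KEYS = ("securelocaltrafficbyip", "passthroughSubnets")


@dataclass
class Tunnel:
    name: str
    local_id: str
    local_endpoint: str
    local_subnets: List[str]
    peer_id: str
    peer_endpoint: str      # IP address, or "any" for anonymous peers
    peer_subnets: List[str]
    encryption: str
    dh_group: int
    auth: str               # "psk" or "certificate"
    extension: str = ""     # "securelocaltrafficbyip=<ip>" or "passthroughSubnets=<cidr>"


def _networks(cidrs: List[str]):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def check_tunnel(t: Tunnel) -> List[str]:
    """Return human-readable findings for one tunnel; an empty list means clean."""
    findings = []
    if t.encryption not in SUPPORTED_ENCRYPTION:
        findings.append(f"{t.name}: encryption {t.encryption} is not in the supported list")
    elif t.encryption in LEGACY_ENCRYPTION:
        findings.append(f"{t.name}: {t.encryption} is a legacy cipher; prefer an AES option")
    if t.dh_group not in SUPPORTED_DH_GROUPS:
        findings.append(f"{t.name}: DH group {t.dh_group} is not supported")
    elif t.dh_group in LEGACY_DH_GROUPS:
        findings.append(f"{t.name}: DH group {t.dh_group} is weak; prefer group 5")

    # Peer identity: the text recommends the peer IP as the Peer ID, and for
    # certificate authentication the ID must equal the certificate CN.
    if t.peer_endpoint == "any":
        if t.auth == "psk":
            findings.append(f"{t.name}: peer endpoint 'any' with PSK relies on the global "
                            "pre-shared key shared by every anonymous site")
    else:
        ipaddress.ip_address(t.peer_endpoint)  # raises ValueError if malformed
        if t.peer_id != t.peer_endpoint:
            note = "; it must match the CN of the peer certificate" if t.auth == "certificate" else ""
            findings.append(f"{t.name}: peer ID {t.peer_id!r} differs from the peer endpoint "
                            f"{t.peer_endpoint}{note}")
    ipaddress.ip_address(t.local_endpoint)
    if t.local_id != t.local_endpoint:
        findings.append(f"{t.name}: local ID {t.local_id!r} differs from the local endpoint {t.local_endpoint}")

    # Extension field: only the two documented keys are meaningful, and
    # overlapping local/peer subnets require passthroughSubnets.
    if t.extension and t.extension.split("=", 1)[0] not in EXTENSION_KEYS:
        findings.append(f"{t.name}: unknown extension {t.extension!r}")
    overlaps = [(a, b) for a in _networks(t.local_subnets)
                for b in _networks(t.peer_subnets) if a.overlaps(b)]
    if overlaps and not t.extension.startswith("passthroughSubnets="):
        a, b = overlaps[0]
        findings.append(f"{t.name}: local {a} overlaps peer {b} but passthroughSubnets is not set")
    return findings


def check_edge(edge_size: str, tunnels: List[Tunnel]) -> List[str]:
    """Capacity check for the Edge size plus per-tunnel findings."""
    findings = []
    limit = MAX_TUNNELS[edge_size]
    if len(tunnels) > limit:
        findings.append(f"{len(tunnels)} tunnels exceed the {edge_size} Edge limit of {limit}")
    for t in tunnels:
        findings.extend(check_tunnel(t))
    return findings


# Constructed sample tunnels; documentation-range addresses, not a real deployment.
GOOD = Tunnel("site-b", "192.0.2.1", "192.0.2.1", ["10.10.0.0/24"],
              "198.51.100.1", "198.51.100.1", ["10.20.0.0/24"],
              "AES256-CBC", 5, "certificate")
WEAK = Tunnel("legacy-site", "192.0.2.1", "192.0.2.1", ["10.10.0.0/24"],
              "legacy", "198.51.100.2", ["10.10.0.0/16"],
              "3DES192-CBC", 2, "psk")

if __name__ == "__main__":
    for line in check_edge("compact", [GOOD, WEAK]):
        print(line)
```

Run it against the planned tunnel list before clicking Publish Changes; the `legacy-site` sample produces four findings (legacy cipher, weak DH group, Peer ID not equal to the peer IP, and an overlapping subnet without passthroughSubnets), while `site-b` is clean.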