You can set up an NSX Edge tunnel between a local subnet and a peer subnet.


If you connect to a remote site via IPSec VPN, the IP address of that site cannot be learnt by Dynamic Routing on the Edge uplink.


You must enable the IPSec VPN service for traffic to flow from the local subnet to the peer subnet.


To enable certificate authentication for IPSec, server certificates and corresponding CA-signed certificates must be imported. Optionally, you can use an open-source command-line tool such as OpenSSL to generate CA-signed certificates.


This enables IPSec VPN on the NSX Edge instance.


You can enable logging of all IPSec VPN traffic.


You must configure at least one external IP address on the NSX Edge to provide IPSec VPN service.