Internet Protocol Security (IPsec) is a protocol suite for securing the IP packets of a communication session. vCloud Air supports using IPsec to create a secure VPN connection between your vCloud Air service and a remote site, such as your on-premises data center.

The edge gateway supports site-to-site IPsec VPN between an edge gateway instance and remote sites. Additionally, the edge gateway supports certificate authentication, preshared key mode, and IP unicast traffic between itself and remote VPN routers.

Using an IPsec tunnel, you can configure multiple subnets to connect to the internal network behind an edge gateway. These subnets and the internal network behind an edge gateway must have address ranges that do not overlap.

You can deploy an edge gateway agent behind a NAT device. In this deployment, the NAT device translates the VPN address of an edge gateway instance to a publicly accessible address facing the Internet. Remote VPN routers use this public address to access the edge gateway instance. You can place remote VPN routers behind a NAT device as well. You must provide the VPN native address and the VPN Gateway ID to set up the tunnel. On both ends, static one-to-one NAT is required for the VPN address.

You can have a maximum of 64 tunnels across a maximum of 10 sites.


When you configure an IPsec VPN tunnel between a vCloud Air edge gateway and a physical gateway VPN at a remote site, you cannot configure dynamic routing using BGP for that connection.

The following IPsec VPN algorithms are supported:








For IPsec VPN configuration examples, see NSX Edge VPN Configuration Examples in the NSX Administration Guide.

See also About Setting up an IPsec VPN Connection in the vCloud Air Networking Guide.