NSX edge supports site to site IPSec VPN to remote sites. You can configure multiple internal networks to connect to through the VPN tunnel. Subnets and internal networks behind the NSX edge must not have overlapping addresses. The size of the edge device determines the number of tunnels that are supported. The number of tunnels needed can be found out by using a simple equation of : “local subnets x peer subnets = number of tunnels needed”. Below is a chart taken from the NSX Administrator’s Guide outlining the number of IPSec tunnels that a edge device can handle depending on the size and also the supported algorithms.

To configure the IPSec VPN, first navigate to Networking & Security > NSX Edges > Double click your NSX edge > Manage > VPN > IPSec VPN. Click Change beside Global configuration status.

*Note* Mine already says Configured because I entered the PSK ahead of time

Enter in the Pre-Shared Key. Optionally, you can select a certificate to be used for VPN authentication. Click OK.

Click the green + to add a new IPSec VPN. Enter in the VPN information. Click OK.

Click Start on the IPSec VPN Service. And Publish your changes. Next, move on to the remote site and repeat the process.

Enter in the VPN info for the remote site. Click OK.

Start the IPSec VPN service. Enter in the PSK and select the proper certificate under the Global configuration status. Publish your changes.

Now if you click Show IPSec Statistics, you will see that the VPN tunnel is up.

To test connectivity, I went to the console of one of my VMs that is at SiteA and did a ping and trace route to the VM at SiteB.

*Note* Since I don’t have a true SiteA and SiteB, I mimicked this by having two ESGs connected to a DLR and letting the DLR simulate being a internet router.