Configure VPN on an Edge Gateway

Last update: May 30 2026

The VPN server function is built into Edge Gateways. The following VPN types are available:

• IPSec (Site-to-site VPN) — used to create a secure tunnel between sites. For example, between a head office network and a network at a remote site or in the cloud;
• SSL VPN (Remote Access VPN) — used to connect individual users to private corporate networks using a VPN client;
• L2 VPN — allows you to combine networks located at different sites (in different Cloud Director infrastructures) into a single broadcast domain, for example, during virtual machine migration.

Connect IPsec

1. From the control panel, open the Cloud Director panel: in the top menu, click Products → VMware-based cloud → the **Cloud Director **. section.
2. Open the virtual data center page.
3. Go to Networking → Edges.
4. Open the page of the required Edge.
5. Click Services.
6. Open the VPN → IPsec VPN → IPsec VPN Sites.
7. Click +.
8. Optional: to activate the remote site, enable the Enabled toggle switch.
9. Optional: to ensure each new cryptographic key is not linked to any previous key, enable the PFS toggle switch.
10. In the Local Endpoint field, enter the external address of the NSX Edge.
11. In the Local Subnets field, enter the local networks in CIDR format that will use IPsec VPN.
12. In the Peer ID field, enter the address of the remote site.
13. In the Peer Endpoint field, enter the address of the remote site.
14. In the Peer Subnets field, enter the networks that will use IPsec VPN on the remote side.
15. In the Encryption Algorithm field, select the tunnel encryption algorithm.
16. In the Authentication field, select how the peer will be authenticated — using a Pre-Shared Key or a certificate.
17. In the Pre-Shared Key field, enter the key that will be used for authentication. The key must match on both sides.
18. In the Diffie-Hellman Group field, select the key group number in the key exchange algorithm.
19. In the Digest algorithm field, select the packet integrity hashing algorithm.
20. In the IKE option field, select the IKE (Internet Key Exchange) protocol version.
21. To ensure the Edge does not initiate a connection upon startup but waits for a connection from the remote side, enable the IKE responder only toggle switch.
22. In the Session type field, select the tunnel type. For more information about tunnels, see the Policy-Based IPSec VPN or Route-Based IPSec VPN instructions in the VMware documentation.
23. Click Keep.
24. Open the VPN → IPsec VPN → Activation Status.
25. Enable the IPsec VPN Service Status toggle switch.
26. Open the Statistics → IPsec VPN.
27. Check that the VPN status is active in the Channel Status column.

View tunnel status

The number of IPsec tunnels depends on the size of the deployed Edge gateway. By default, 512 IPsec tunnels are available.

1. From the control panel, open the Cloud Director panel: in the top menu, click Products → VMware-based cloud → the **Cloud Director **. section.

2. Open the virtual data center page.

3. Go to Networking → Edges.

4. Open the page of the required Edge.

5. Click Services.

6. Open the Edge settings tab.

7. In the SSH Status block, enable the Enabled toggle switch.

8. Enter the login and password for SSH access and allow it in the Firewall settings. We do not recommend leaving SSH enabled.

9. In the Edge console, check the service status:

   show service ipsec

10. Check the site status and negotiated parameters:

    show service ipsec site

11. Check the Security Association (SA) status:

    show service ipsec sa

Connect SSL VPN

SSL VPN-Plus is a Remote Access VPN option. It allows individual remote users to securely connect to private networks located behind an NSX Edge gateway. In the case of SSL VPN-Plus, an encrypted tunnel is established between the client (Windows, Linux, Mac) and the VMware NSX® Edge™.

1. From the control panel, open the Cloud Director panel: in the top menu, click Products → VMware-based cloud → the **Cloud Director **. section.

2. Open the virtual data center page.

3. Go to Networking → Edges.

4. Open the page of the required Edge.

5. Click Services.

6. Open the SSL VPN-Plus → Authentication.

7. Click +Local.

8. Configure and enable the authentication server. During configuration, you can select policies for generating new passwords and set up options for locking user accounts (for example, the number of failed password attempts); see the Configure an Authentication Service for SSL VPN-Plus on an NSX Data Center for vSphere Edge Gateway instructions in the VMware documentation.

9. Click Keep.

10. Open the SSL VPN-Plus → Server Settings.

11. In the IP Address and Port fields, specify the address and port on which the server will listen for incoming connections.

12. Enable the Enable Logging toggle switch.

13. In the Cipher List block, select the required encryption algorithms.

14. Optional: to change the certificate the server will use, click CHANGE SERVER CERTIFICATE.

15. Enable the Enable toggle switch.

16. Click Save changes.

17. Open the SSL VPN-Plus → Users.

18. Click +.

19. In the User ID field, enter the user identifier.

20. In the Password field, enter the user password.

21. To enable the user, turn on the Enabled toggle switch.

22. Click Keep.

23. Open the SSL VPN-Plus → Installation Packages.

24. To create an installer that a remote employee can download for installation, click +.

25. In the Profile Name field, enter a name for the installation package profile.

26. In the Gateway field, enter the server address; you can view it on the SSL VPN-Plus → Server Settings → IP Address.

27. In the Port field, enter the server port; you can view it on the SSL VPN-Plus → Server Settings → Port.

28. Select installation packages for different operating systems. The Windows package is created by default and is always available.

29. Optional: to have the VPN client added to startup on the remote machine, check the start client on logon checkbox (Windows only).

30. Optional: to create a VPN client icon on the desktop, check the create desktop icon checkbox (Windows only).

31. Optional: to validate the server certificate during connection, check the server security certificate validation checkbox (Windows only).

32. Open the SSL VPN-Plus → IP Pools.

33. Click +.

34. In the IP Range field, specify the range of addresses to be assigned to users when they connect.

35. In the Netmask field, specify the network mask.

36. In the Gateway field, specify the network gateway.

37. Optional: configure DNS and WINS servers.

38. Open the Private Networks tab.

39. Click +.

40. In the Network field, add the local network that remote users will be able to access.

41. In the Send traffic field, select the traffic forwarding method:

    • over tunnel — through the tunnel;
    • bypass tunnel — directly, bypassing the tunnel.

42. If you selected over tunnel as the traffic forwarding method, check the Enable TCP Optimization checkbox.

Connect to the created installation package

1. Open a web browser using the external address and port you defined in the Firewall settings.
2. Enter your user credentials. After successful authorization, a list of created installation packages available for download will open.
3. Download the created installation package.
4. Unpack the downloaded archive.
5. Install the client.
6. Run the client.
7. In the authorization window, click Login.
8. In the certificate verification window, click Yes.
9. Enter your user credentials.

Connect NSX L2 VPN

When moving to a different geographical site, the virtual machine will retain its IP addressing settings and will not lose connectivity with other virtual machines in the same L2 domain. You can use this feature if you have two virtual machines located in different virtual data centers or regions.

The first VM has the address 10.10.10.2/24, and the second VM has 10.10.10.200/24.

Sites combined into a single broadcast domain must be built on the NSX platform. Using a standalone NSX Edge is possible; see the VMware Customer Connect documentation (registration on the site is required to view).

1. From the control panel, open the Cloud Director panel: in the top menu, click Products → VMware-based cloud → the **Cloud Director **. section.

2. Open the virtual data center page.

3. Go to Networking → Networks.

4. Click New.

5. Create a network with the following parameters:

   • Scope — select Current Organization Virtual Data Center;
   • Network Type — select Routed;
   • Interface Type — select subinterface;
   • Gateway CIDR — specify 10.10.10.1/24.

6. Open the Data Centers → Virtual Data Center.

7. Open the page of the second virtual data center.

8. Add a network with the same parameters.

Configure the NSX L2 VPN server

1. From the control panel, open the Cloud Director panel: in the top menu, click Products → VMware-based cloud → the **Cloud Director **. section.
2. Open the virtual data center page.
3. Go to Networking → Edges.
4. Open the page of the required Edge.
5. Click Services.
6. Open the VPN → L2VPN.
7. Enable the L2VPN toggle switch.
8. In the L2VPN mode field, select Server.
9. On the Server Global tab, enter the external IP address of the Edge gateway on which the tunnel port will be listened to. By default, the socket will open on port 443, but you can change it.
10. Specify the encryption settings for the tunnel.
11. Open the Server Sites tab.
12. Click +.
13. Enable the Enabled toggle switch.
14. Enter the peer name.
15. Enter the user name and password.
16. In the Egress Optimization Gateway Address field, enter the gateway address to avoid IP address conflicts, as the created networks use the same gateway address.
17. Click Select sub-interfaces.
18. Select the required subinterface.
19. Save the settings. The created client site will appear in the settings.

Configure the NSX L2 VPN client

1. From the control panel, open the Cloud Director panel: in the top menu, click Products → VMware-based cloud → the **Cloud Director **. section.
2. Open the virtual data center page.
3. Go to Networking → Edges.
4. Open the page of the required Edge.
5. Click Services.
6. Open the VPN → L2VPN.
7. Enable the L2VPN toggle switch.
8. In the L2VPN mode field, select Client.
9. On the Client Global tab, specify the address and port of the NSX Edge of the first virtual data center, which was specified in the Listening IP and Port fields on the server side.
10. Configure encryption the same way as on the server so that settings match when the tunnel is established.
11. Click SELECT SUB-INTERFACES.
12. Select the subinterface through which the tunnel for L2VPN will be established.
13. In the Egress Optimization Gateway Address field, enter the gateway address.
14. In the User Id field, enter the user name.
15. In the Password field, enter the password.
16. In the Confirm Password field, confirm the password.
17. Save the settings.
18. On any Edge gateway, on the Statistics → L2VPN tab, check the tunnel.