VMC: Route Based IPSEC VPN

For those of you who don’t know yet, NSX-T backed VMware Cloud on AWS is now available for general consumption. The switch introduces a few enhancements that are worth mentioning, namely DFW, security groups, route-based IPsec VPN with redundancy, Direct Connect private VIF for all traffic, connectivity from the overlay to the management infrastructure, vCenter management appliance access from the connected VPC, DNS zones, port mirroring and IPFIX.

In this blog post, we are going to go through the configuration of a route-based IPsec VPN. With a route-based VPN we can run BGP over IPsec so that networks are automatically advertised and learned between the VMware Cloud on AWS SDDC and on-prem. This simplifies operations and also prevents manual configuration errors every time a network change needs to be made. In addition, route-based IPsec VPN provides redundancy: multiple VPNs can be set up to on-prem and BGP can be leveraged to configure active/passive paths.


Log in to the VMC Console at https://vmc.vmware.com.

Select Networking & Security > VPN > Route Based.

Click Add VPN.

Enter a route-based VPN name.

Select the local IP address of the IPsec VPN from the drop-down menu.

Enter the remote public IP address of your on-premises gateway.

(Optional) Enter the remote private IP address if the on-premises gateway is configured behind NAT.

Click Set BGP Neighbor > Add Neighbor.

Enter the BGP neighbor parameters.

IP Address: Enter the remote IP address.
BGP Neighbor AS: Enter the AS attribute for BGP to use.
BGP Secret: Set a secret password for BGP neighbor authentication.
Local AS: Accept the default setting. The same local AS is used for all the VPN connections. Any changes affect all the VPN connections.

Click Apply.

Local and remote networks are discovered using BGP advertisements.

Enter the VTI subnet CIDR block.

Configure the advanced VPN parameters.

Choose a /30 network from the subnet. The second and third IP addresses in this range are configured as the remote and local VTIs (VPN tunnel interfaces). For example, in the VTI CIDR block (address range, the local (SDDC) interface is and the remote (on-prem) interface

Click Save, wait for a minute or so, and your VPN should be up!
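As an added worked example (not code from the original post or from VMware), the following Python derives the VTI addresses for a tunnel from its /30 block the way the steps above describe: the second address in the /30 is the remote (on-prem) VTI and the third is the local (SDDC) VTI. It also carves several /30 blocks out of a larger subnet, one per tunnel, which is what you need when you set up more than one VPN for redundancy. The 169.254.x.x values are constructed sample input, not addresses from the post.

```python
import ipaddress
import itertools


def vti_addresses(cidr):
    """Return (local_sddc_ip, remote_onprem_ip) for a /30 VTI block.

    Per the post: of the two usable addresses in the /30, the lower one
    (second address of the range) is the remote on-prem VTI and the higher
    one (third address) is the local SDDC VTI.
    """
    # strict=False lets a host-style input like 169.254.31.1/30 be
    # normalised to its network address instead of raising.
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4 or net.prefixlen != 30:
        raise ValueError(f"VTI block must be an IPv4 /30, got {cidr}")
    hosts = list(net.hosts())  # exactly two addresses for a /30
    remote_onprem, local_sddc = hosts[0], hosts[1]
    return str(local_sddc), str(remote_onprem)


def carve_vti_blocks(subnet, count):
    """Carve `count` consecutive /30 blocks out of `subnet`, one per tunnel."""
    net = ipaddress.ip_network(subnet, strict=True)
    if net.version != 4 or net.prefixlen > 30:
        raise ValueError(f"subnet {subnet} cannot be split into /30 blocks")
    blocks = list(itertools.islice(net.subnets(new_prefix=30), count))
    if len(blocks) < count:
        raise ValueError(f"{subnet} holds only {len(blocks)} /30 blocks, need {count}")
    return [str(b) for b in blocks]


def tunnel_plan(subnet, count):
    """Build the per-tunnel VTI plan you would type into the VMC console."""
    plan = []
    for block in carve_vti_blocks(subnet, count):
        local_sddc, remote_onprem = vti_addresses(block)
        plan.append({
            "vti_cidr": block,
            "local_sddc_vti": local_sddc,
            "remote_onprem_vti": remote_onprem,
        })
    return plan


if __name__ == "__main__":
    # Constructed sample: a /28 of link-local space, two redundant tunnels.
    for entry in tunnel_plan("169.254.32.0/28", 2):
        print(entry)
```

Run it and you get one row per tunnel: the VTI CIDR to enter in the console, the SDDC-side address and the on-prem address your gateway should use for its tunnel interface. Anything that is not an IPv4 /30 is rejected rather than silently producing wrong interface addresses.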

I hope this post was helpful and thank you for reading.
