Yes, you can certainly use IPsec or L2 VPN based on the requirement. Since the ask is for IPsec, we should understand that if the use case falls under a route-based IPsec tunnel, BGP is the only protocol supported (no static routes either). If you have a mix of policy-based/route-based tunnels, the points below should be noted.
- You can configure policy-based IPsec VPN tunnels and route-based IPsec tunnels on the same ESG appliance. However, you cannot configure a policy-based tunnel and a route-based tunnel with the same VPN peer site.
- NSX Data Center supports a maximum of 32 VTIs on a single ESG appliance. That is, you can configure a maximum of 32 route-based VPN peer sites.
- NSX Data Center does not support migration of existing policy-based IPsec VPN tunnels to route-based tunnels, or conversely.
Also have a look at the MTU requirements; not in every case do we need a 1600 MTU.
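To put numbers on the MTU remark above, here is an added worked example (not code from the original thread or from VMware): it computes the transport MTU VXLAN needs for a given VM MTU, and then the WAN MTU needed when that VXLAN packet is additionally carried inside an ESP tunnel built by a perimeter firewall. Header sizes are the standard values from RFC 7348 (VXLAN), RFC 4303 (ESP), RFC 3602 (AES-CBC) and RFC 4106 (AES-GCM). Assumptions: IPv4 underlay, ESP in tunnel mode, and whether the firewall uses NAT-T (UDP 4500) is a parameter, not something the thread states.

```python
"""Added example: MTU budget for VXLAN (VTEP-to-VTEP) traffic crossing an
IPsec ESP tunnel. Not from the original thread; see lead-in for assumptions."""

# VXLAN encapsulation per RFC 7348: the inner Ethernet frame (inner IP packet
# plus 14-byte Ethernet header) is wrapped in outer IP + UDP (8) + VXLAN (8).
INNER_ETH = 14
UDP_HDR = 8
VXLAN_HDR = 8

# ESP per RFC 4303: header = SPI (4) + sequence number (4); trailer fixed part =
# pad length (1) + next header (1); then the ICV.
ESP_HDR = 8
ESP_TRAILER_FIXED = 2

# (iv_len, pad_alignment, icv_len) per transform. AES-CBC pads to the 16-byte
# block (RFC 3602); AES-GCM only needs 4-byte alignment (RFC 4106, RFC 4303).
ESP_SUITES = {
    "aes-cbc-hmac-sha1-96": (16, 16, 12),
    "aes-cbc-hmac-sha256-128": (16, 16, 16),
    "aes-gcm-128": (8, 4, 16),
}


def vxlan_ip_mtu(vm_mtu, ipv6_underlay=False):
    """IP MTU the VTEP transport network must support to carry a VM packet of
    vm_mtu bytes without fragmentation. For a 1500-byte VM MTU over IPv4 this
    is 1550, which is why 1600 is the usual (rounded-up) recommendation."""
    outer_ip = 40 if ipv6_underlay else 20
    return vm_mtu + INNER_ETH + outer_ip + UDP_HDR + VXLAN_HDR


def esp_tunnel_packet_size(inner_ip_len, suite, nat_t=False, ipv6_outer=False):
    """On-the-wire IP packet size after wrapping an inner IP packet of
    inner_ip_len bytes in ESP tunnel mode with the given transform."""
    iv_len, align, icv_len = ESP_SUITES[suite]
    # Padding makes (payload + pad + 2-byte trailer) a multiple of the alignment.
    pad = (-(inner_ip_len + ESP_TRAILER_FIXED)) % align
    outer_ip = 40 if ipv6_outer else 20
    nat_t_udp = UDP_HDR if nat_t else 0  # UDP 4500 encapsulation, RFC 3948
    return (outer_ip + nat_t_udp + ESP_HDR + iv_len
            + inner_ip_len + pad + ESP_TRAILER_FIXED + icv_len)


def required_wan_mtu(vm_mtu, suite, nat_t=False):
    """WAN/perimeter MTU needed so a full-size VM packet survives VXLAN plus
    ESP encapsulation with no fragmentation anywhere on the path."""
    return esp_tunnel_packet_size(vxlan_ip_mtu(vm_mtu), suite, nat_t)


def max_vm_mtu_for_wan(wan_mtu, suite, nat_t=False):
    """Largest VM MTU that fits a fixed WAN MTU. Searches downward because ESP
    block padding makes the overhead non-constant (it is not simply wan - 108)."""
    vm_mtu = wan_mtu
    while vm_mtu > 0 and required_wan_mtu(vm_mtu, suite, nat_t) > wan_mtu:
        vm_mtu -= 1
    return vm_mtu


if __name__ == "__main__":
    print("VXLAN transport MTU for 1500-byte VMs:", vxlan_ip_mtu(1500))
    for suite in ESP_SUITES:
        print(f"{suite:26s} WAN MTU needed: {required_wan_mtu(1500, suite)} "
              f"(NAT-T: {required_wan_mtu(1500, suite, nat_t=True)})")
    print("Max VM MTU over a 1500-byte WAN, AES-CBC/SHA1:",
          max_vm_mtu_for_wan(1500, "aes-cbc-hmac-sha1-96"))
```

The practical reading: a 1550-byte transport MTU is enough for plain VXLAN with 1500-byte VMs, but once the perimeter firewall wraps that packet in ESP the WAN side needs roughly 1600 to 1620 bytes, or the VM MTU has to drop to about 1388 on a 1500-byte WAN. Either the firewall fragments (and the far side reassembles) every full-size VXLAN packet, or path MTU discovery has to work end to end, and neither makes VTEP-to-VTEP troubleshooting easier.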
Thanks for your response. I'm not sure, however, that your response addressed the question.
The IPsec VPN tunnel in place is not set up by the NSX edges. It is configured on the perimeter firewalls (e.g. Cisco/Palo) that the VTEP VXLAN traffic will traverse.
In effect, for the VTEP at site A to communicate with the VTEP at site B, their traffic will traverse an IPsec tunnel established by the perimeter firewalls.
As I type this, I don't see why this wouldn't be supported, but would like to know if it is.
Appreciate your clarifying that. I don't find anything wrong with encrypting (IPsec) VTEP-VTEP traffic between the sites. The actual throughput of the tunnel will certainly be a factor for BUM traffic, considering the NSX design and workload placement. Other than that I'm unsure if there are any potential issues, but it might not be the best candidate when the situation demands that you troubleshoot VTEP-VTEP connectivity.