An IPsec VPN connection includes multiple components, some of which are interdependent. For example, a VPN connection configuration requires a valid IKE group configuration, a valid ESP group configuration, and a valid tunnel configuration. In addition, the interface specified in the connection must be enabled for IPsec VPN. When you commit a VPN configuration, the vRouter performs a full verification on the configuration. If any required component is missing or incorrectly specified, the commit will fail.

For an IPsec VPN site-to-site connection configuration to successfully commit, all the following must be correctly configured:

• The interface and IP address must already be configured.
• The interface must be enabled for IPsec VPN.
• The peer must be configured.
• The IKE group specified in the peer configuration must be defined.
• The tunnel must be configured.
• The ESP group specified in the tunnel must be defined.
• The local IP address specified for the peer must be configured on the VPN-enabled interface.
• The peer-address type, local-address type, tunnel local prefix network type, and tunnel remote prefix network type, must all match. They must all be IPv4 or all be IPv6.

In addition, note that modifying global parameters (such as auto-update or nat-traversal) requires an IPsec restart, and therefore restarts all tunnels.

Adding, modifying, or deleting a tunnel restarts only the modified tunnel. Modifying an existing IKE group or ESP group restarts any tunnel using the group. Changing authentication information (pre-shared key or RSA signature) does not result in a tunnel restart.