PCF IPsec Add-On v1.6

Securing Data in Transit with the PCF IPsec Add-On

Page last updated:

This guide describes the Pivotal Cloud Foundry (PCF) IPsec add-on. The topics included in this guide include installation and configuration, troubleshooting, and credential rotation. Your organization may require IPsec if you transmit sensitive data.


The IPsec add-on for PCF provides security to the network layer of the OSI model with a strongSwan implementation of IPsec. The IPsec add-on provides a strongSwan job to each BOSH-deployed virtual machine (VM).

IPsec encrypts IP data flow between hosts, between security gateways, and between security gateways and hosts. The PCF IPsec add-on secures network traffic within a Cloud Foundry deployment and provides internal system protection if a malicious actor breaches your firewall.

PCF IPsec Implementation Details

The PCF IPsec add-on implements the following cryptographic suite:

Key Agreement (Diffie-Hellman) IKEv2 Main Mode
Bulk Encryption AES128GCM16
Hashing SHA2 256
Integrity/Authentication Tag 128 bit GHASH ICV
Digital Signing RSA 3072/4096
Peer Authentication Method Public/Private Key

Refer to the following topics for more information about the IPsec add-on:

Create a pull request or raise an issue on the source for this page in GitHub