IPsec Add-On for PCF v1.7

Note: IPsec Add-on for PCF v1.7 is no longer supported. The support period for v1.7 has expired. To stay up-to-date with the latest software and security updates, upgrade to a supported version.

This guide describes the IPsec Add-on for PCF, which secures data transmissions inside Pivotal Cloud Foundry (PCF). Topics covered in this guide include IPsec Add-on for PCF installation and configuration, troubleshooting, and certificate rotation.

Your organization may require IPsec if you transmit sensitive data.


The IPsec Add-on for PCF provides security to the network layer of the OSI model with a strongSwan implementation of IPsec. The IPsec Add-on provides a strongSwan job to each BOSH-deployed virtual machine (VM).

IPsec encrypts IP data flow between hosts, between security gateways, and between security gateways and hosts. The IPsec Add-on for PCF secures network traffic within a Cloud Foundry deployment and provides internal system protection if a malicious actor breaches your firewall.

Product Snapshot

The following table provides version and version-support information about the IPsec Add-on for PCF.

| Element | Details |
|---|---|
| Version | v1.7.1 |
| Release date | August 24, 2017 |
| Compatible Ops Manager version(s) | v1.10.x, v1.11.x, v1.12.x, v2.0.x, and v2.1.x |
| Compatible Elastic Runtime version(s) | v1.10.x, v1.11.x, and v1.12.x |
| Compatible Pivotal Application Service (PAS)* version(s) | v2.0.x and 2.1.x |
| IaaS support | vSphere, GCP, AWS, Azure, and OpenStack |

IPsec Implementation Details


IPsec Add-on for PCF has the following limitations:

  • Due to a known issue in Windows Server OS, apps hosted on PAS for Windows cannot route traffic when deployed with the IPsec Add-on for PCF.

  • Pivotal recommends configuring IPsec to use a self-signed certificate to sign instance certs. Using a certificate signed by a public or third-party CA is not recommended.
