IPsec for VMware Tanzu

Note: Pivotal Platform is now part of VMware Tanzu. In v1.9 and later, Pivotal IPsec is named IPsec for VMware Tanzu.

This guide describes IPsec for VMware Tanzu, which secures data transmissions inside VMware Tanzu Application Service for VMs (TAS for VMs). Topics covered in this guide include IPsec for VMware Tanzu installation and configuration, troubleshooting, and certificate rotation.

Your organization might require IPsec if you transmit sensitive data.

IPsec for VMware Tanzu secures traffic at the network layer (OSI Layer 3) using a strongSwan implementation of IPsec. It adds a strongSwan job, running in FIPS mode, to each BOSH-deployed VM.

IPsec for VMware Tanzu encrypts IP data flow between hosts, between security gateways, between service tiles, and between security gateways and hosts. It secures network traffic within a Cloud Foundry deployment and provides internal system protection if a malicious actor breaches your firewall.

Product Snapshot

The following table provides version and version-support information about IPsec for VMware Tanzu.

Element                                                        Details
Version                                                        v1.9.37
Release date                                                   November 1, 2021
Compatible versions                                            2.10, 2.9, and 2.8
Compatible VMware Tanzu Application Service for VMs versions   2.12, 2.11, 2.10, 2.9, and 2.8
Compatible BOSH stemcells                                      Ubuntu Xenial and Trusty
IaaS support                                                   vSphere, GCP, AWS, Azure, and OpenStack

IPsec Implementation Details

IPsec for VMware Tanzu implements the following cryptographic suite:

Key Agreement (Diffie-Hellman)     IKEv2 Main Mode
Bulk Encryption                    AES128GCM16
Hashing                            SHA2 256
Integrity/Authentication Tag       128-bit GHASH ICV
Digital Signing                    RSA 3072/4096
Peer Authentication Method         Public/Private Key

IPsec for VMware Tanzu has the following limitations:

  • IPsec for VMware Tanzu is not compatible with VMware NSX-T Container Plug-in for VMware Tanzu Application Service for VMs.

  • VMware recommends configuring IPsec for VMware Tanzu to use a self-signed certificate to sign instance certificates. VMware does not recommend using a certificate signed by a public or third-party CA.

  • IPsec for VMware Tanzu is not supported on Windows.

  • Container-to-container traffic is not encrypted unless the underlying network is also encrypted. Both the overlay network for container-to-container networking and the underlying, physical network for Diego Cell to Diego Cell networking must be included in the ipsec_subnets section of the IPsec manifest.
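The last limitation is easy to get wrong: an ipsec_subnets list that covers only the Diego Cell underlay leaves container-to-container traffic on the overlay in the clear. The following check, added here as an illustration and not code from the product, reads the ipsec_subnets list out of a manifest and reports which required networks it fails to cover. The manifest layout around ipsec_subnets, the helper names and all CIDR values are constructed assumptions.

```python
"""Check that a manifest's ipsec_subnets cover both the container overlay
network and the Diego Cell underlay network.

Illustration only: the manifest layout (properties.ipsec.ipsec_subnets),
the helper names and every CIDR below are constructed assumptions; only the
ipsec_subnets key name comes from the product documentation."""
import ipaddress

# Constructed sample manifest fragment that lists only the cell underlay,
# the misconfiguration the limitation above warns about.
SAMPLE_MANIFEST = {
    "properties": {
        "ipsec": {
            "ipsec_subnets": ["10.0.16.0/20"],
        }
    }
}

# Networks that must both be covered for container-to-container traffic to
# be encrypted end to end (constructed example values).
CELL_UNDERLAY = "10.0.16.0/20"       # physical network between Diego Cells
CONTAINER_OVERLAY = "10.255.0.0/16"  # container-to-container overlay network


def covered(cidr, ipsec_subnets):
    """True if cidr lies entirely inside one of the configured ipsec subnets."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(
        net.version == cfg.version and net.subnet_of(cfg)
        for cfg in (ipaddress.ip_network(s, strict=False) for s in ipsec_subnets)
    )


def missing_subnets(manifest, required=(CELL_UNDERLAY, CONTAINER_OVERLAY)):
    """Return the required networks that the manifest's ipsec_subnets omit."""
    subnets = manifest["properties"]["ipsec"]["ipsec_subnets"]
    return [c for c in required if not covered(c, subnets)]


if __name__ == "__main__":
    gaps = missing_subnets(SAMPLE_MANIFEST)
    if gaps:
        print("not covered by ipsec_subnets:", ", ".join(gaps))
    else:
        print("overlay and underlay are both covered")
```

Adding the overlay CIDR to ipsec_subnets makes missing_subnets return an empty list.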