IPsec Add-on for PCF

Page last updated:

This guide describes the IPsec Add-on for PCF, which secures data transmissions inside Pivotal Cloud Foundry (PCF). Topics covered in this guide include IPsec Add-on for PCF installation and configuration, troubleshooting, and certificate rotation.

Your org might require IPsec if you transmit sensitive data.


The IPsec Add-on for PCF provides security to the network layer of the OSI model with a strongSwan implementation of IPsec. The IPsec Add-on provides a strongSwan job in FIPS mode to each BOSH-deployed VM.

IPsec encrypts IP data flow between hosts, between security gateways, between service tiles, and between security gateways and hosts. The IPsec Add-on for PCF secures network traffic within a Cloud Foundry deployment and provides internal system protection if a malicious actor breaches your firewall.

Product Snapshot

The following table provides version and version-support information about the IPsec Add-on for PCF.

Element Details
Version v1.9.21
Release date October 17, 2019
Compatible Ops Manager versions 2.4, 2.5, 2.6, and 2.7
Compatible Pivotal Application Service (PAS) versions 2.4, 2.5, 2.6, and 2.7
Compatible BOSH stemcells Ubuntu Xenial and Trusty
IaaS support vSphere, GCP, AWS, Azure, and Openstack

IPsec Implementation Details

The IPsec Add-on for PCF implements the following cryptographic suite:

Key Agreement (Diffie-Hellman) IKEv2 Main Mode
Bulk Encryption AES128GCM16
Hashing SHA2 256
Integrity/Authentication Tag 128 bit GHASH ICV
Digital Signing RSA 3072/4096
Peer Authentication Method Public/Private Key


IPsec Add-on for PCF has the following limitations:

  • Due to an issue in Windows Server OS, apps hosted on PAS for Windows cannot route traffic when deployed with the IPsec Add-on for PCF. For more information about the issue, see hcsshim in GitHub.

  • IPsec is not supported on VMware NSX-T.

  • Pivotal recommends configuring IPsec to use a self-signed certificate to sign instance certificates. Pivotal discourages using a certificate signed by a public or third-party CA.