Create a security policy to determine when to use the authentication and encryption parameters set in a security association.

About this task

You can add a security policy using the esxcli vSphere CLI command.


Before creating a security policy, add a security association with the appropriate authentication and encryption parameters as described in Add a Security Association.


At the command prompt, enter the command esxcli network ip ipsec sp add with one or more of the following options.



--sp-source= source address

Required. Specify the source IP address and prefix length.

--sp-destination= destination address

Required. Specify the destination address and prefix length.

--source-port= port

Required. Specify the source port. The source port must be a number between 0 and 65535.

--destination-port= port

Required. Specify the destination port. The destination port must be a number between 0 and 65535.

--upper-layer-protocol= protocol

Specify the upper layer protocol using one of the following parameters.

  • tcp

  • udp

  • icmp6

  • any

--flow-direction= direction

Specify the direction in which you want to monitor traffic using either in or out.

--action= action

Specify the action to take when traffic with the specified parameters is encountered using one of the following parameters.

  • none: Take no action

  • discard: Do not allow data in or out.

  • ipsec: Use the authentication and encryption information supplied in the security association to determine whether the data comes from a trusted source.

--sp-mode= mode

Specify the mode, either tunnel or transport.

--sa-name= security association name

Required. Provide the name of the security association for the security policy to use.

--sp-name= name

Required. Provide a name for the security policy.

New Security Policy Command

The following example includes extra line breaks for readability.

esxcli network ip ipsec sp add