Add a security association (SA) to specify the encryption and integrity parameters that ESXi applies to the IPsec-protected IP traffic you later select with a security policy.

About this task

You add a security association with the esxcli command, either in the ESXi Shell or remotely through the vSphere CLI. Keep three points in mind before you start:

  • An SA by itself protects nothing. ESXi applies it only to the traffic that a security policy (esxcli network ip ipsec sp add) selects and binds to the SA by name.

  • This is manual keying: the remote host must be configured with an SA that has the same addresses, SPI, algorithms, and keys, and nothing rotates the keys for you. Plan a key-rotation procedure and treat the command line as key material; commands typed in the ESXi Shell are recorded in shell.log.

  • An SA is one-directional (source to destination). Protecting both directions of a conversation takes a second SA with the addresses swapped, a different SPI, and its own keys.

Procedure

At the command prompt, enter the command esxcli network ip ipsec sa add with the following options.

Options (all are required unless noted)

--sa-source=<source address>
    The address of the host that sends the traffic this SA protects. ESXi supports IPsec for IPv6 traffic, which is why the addresses in the example below are IPv6.

--sa-destination=<destination address>
    The address of the host that receives the traffic. Because an SA covers one direction only, replies need a second SA with the addresses swapped, a different SPI, and independent keys.

--sa-mode=<mode>
    Either transport (only the IP payload is protected; the usual choice between two hosts) or tunnel (the whole original IP packet is encapsulated). Both ends must use the same mode.

--sa-spi=<security parameter index>
    A 32-bit value written as hexadecimal with a 0x prefix, for example 0x1000. The SPI travels in every protected packet and is how the receiving host looks up the SA, so the peer must configure the same SPI. Each SA you create on a host must have a unique combination of protocol and SPI. Do not use 0x0 through 0xff; RFC 4303 reserves those values.

--encryption-algorithm=<encryption algorithm>
    One of the following:

      • 3des-cbc (three-key 3DES; deprecated by NIST and slow, so use it only for a peer that supports nothing better)

      • aes128-cbc (recommended)

      • null (no encryption; the integrity algorithm still authenticates the traffic, but the payload travels in the clear)

--encryption-key=<encryption key>
    Required unless the encryption algorithm is null. Enter the key as ASCII text or as hexadecimal with a 0x prefix. The length is fixed by the algorithm: 24 bytes (48 hex digits) for 3des-cbc, 16 bytes (32 hex digits) for aes128-cbc. Generate the key from a random source and enter it as hex; a typed ASCII passphrase has far less entropy than its length suggests. The peer must hold the same key.

--integrity-algorithm=<authentication algorithm>
    Either hmac-sha1 or hmac-sha2-256. Prefer hmac-sha2-256 unless the peer does not support it.

--integrity-key=<authentication key>
    Enter the key as ASCII text or as hexadecimal with a 0x prefix. Use 20 bytes (40 hex digits) for hmac-sha1 and 32 bytes (64 hex digits) for hmac-sha2-256, as RFC 2404 and RFC 4868 require, and never reuse the encryption key here.

--sa-name=<name>
    A name for the SA, unique on the host. The security policy that applies the SA to traffic refers to it by this name.

New Security Association Command

The following example contains extra line breaks for readability; in the ESXi Shell, enter the command on one line. The keys shown are the hex encoding of the ASCII strings ipv6readylogo3descbcout2 (24 bytes, as 3des-cbc requires) and ipv6readylogsha1out2 (20 bytes, as hmac-sha1 requires). They are published test values; never reuse them for a real SA.

esxcli network ip ipsec sa add 
--sa-source 3ffe:501:ffff:0::a 
--sa-destination 3ffe:501:ffff:0001:0000:0000:0000:0001
--sa-mode transport
--sa-spi 0x1000
--encryption-algorithm 3des-cbc
--encryption-key 0x6970763672656164796c6f676f336465736362636f757432
--integrity-algorithm hmac-sha1
--integrity-key 0x6970763672656164796c6f67736861316f757432
--sa-name sa1
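The following POSIX shell script is an added example and not part of the VMware documentation or of esxcli. It checks the arguments described above before they reach a host (0x-prefixed SPI outside the reserved range, key lengths that match the chosen algorithms, a valid mode), generates fresh random keys, and prints the finished esxcli command for each direction of a host pair. It deliberately does not run esxcli, so it can be used on any workstation; the function names, the sa_ab/sa_ba naming, and the use of od on /dev/urandom are choices made for this example.

```sh
#!/bin/sh
# Added example, not from the VMware page: validate the arguments of
# "esxcli network ip ipsec sa add" and print the finished command(s)
# without running esxcli. Review the output, then paste it into the ESXi Shell.

# Key sizes in bytes, taken from the cipher and MAC definitions (3DES 24,
# AES-128 16; RFC 2404 fixes HMAC-SHA1 at 20, RFC 4868 HMAC-SHA-256 at 32).
enc_key_bytes() {
  case "$1" in
    3des-cbc)   echo 24 ;;
    aes128-cbc) echo 16 ;;
    null)       echo 0 ;;
    *)          return 1 ;;
  esac
}

int_key_bytes() {
  case "$1" in
    hmac-sha1)     echo 20 ;;
    hmac-sha2-256) echo 32 ;;
    *)             return 1 ;;
  esac
}

# Fresh random key of $1 bytes as 0x-prefixed hex (GNU/BusyBox od assumed).
gen_key() {
  printf '0x%s' "$(od -An -tx1 -N "$1" /dev/urandom | tr -d ' \n')"
}

# True if $1 is 0x-prefixed hex encoding exactly $2 bytes.
check_key_len() {
  hex=${1#0x}
  [ "$hex" != "$1" ] || return 1
  case "$hex" in *[!0-9a-fA-F]*|'') return 1 ;; esac
  [ $(( ${#hex} % 2 )) -eq 0 ] && [ $(( ${#hex} / 2 )) -eq "$2" ]
}

# SPI: 0x-prefixed hex, at most 32 bits, above the 0-255 range RFC 4303 reserves.
check_spi() {
  hex=${1#0x}
  [ "$hex" != "$1" ] || return 1
  case "$hex" in *[!0-9a-fA-F]*|'') return 1 ;; esac
  [ ${#hex} -le 8 ] && [ $(( 0x$hex )) -gt 255 ]
}

# Build one "sa add" command, refusing arguments the host would reject or that
# would yield a mis-keyed SA.
# Usage: build_sa_add NAME SRC DST MODE SPI ENC-ALG ENC-KEY INT-ALG INT-KEY
build_sa_add() {
  name=$1 src=$2 dst=$3 mode=$4 spi=$5 enc=$6 ekey=$7 integ=$8 ikey=$9
  case "$mode" in transport|tunnel) ;; *) echo "bad mode: $mode" >&2; return 1 ;; esac
  check_spi "$spi" || { echo "bad SPI: $spi" >&2; return 1; }
  ebytes=$(enc_key_bytes "$enc") || { echo "unknown encryption algorithm: $enc" >&2; return 1; }
  ibytes=$(int_key_bytes "$integ") || { echo "unknown integrity algorithm: $integ" >&2; return 1; }
  if [ "$enc" != null ]; then
    check_key_len "$ekey" "$ebytes" || { echo "$enc needs a $ebytes-byte hex key" >&2; return 1; }
  fi
  check_key_len "$ikey" "$ibytes" || { echo "$integ needs a $ibytes-byte hex key" >&2; return 1; }
  printf 'esxcli network ip ipsec sa add --sa-name %s --sa-source %s --sa-destination %s' "$name" "$src" "$dst"
  printf ' --sa-mode %s --sa-spi %s --encryption-algorithm %s' "$mode" "$spi" "$enc"
  [ "$enc" = null ] || printf ' --encryption-key %s' "$ekey"
  printf ' --integrity-algorithm %s --integrity-key %s\n' "$integ" "$ikey"
}

# An SA is one-directional (RFC 4301), so a host pair A<->B needs two SAs with
# distinct SPIs and independent keys. Prints both commands; run the same two on
# both hosts, then add each host's security policies separately.
# Usage: build_sa_pair ADDR-A ADDR-B MODE SPI-AB SPI-BA ENC-ALG INT-ALG
build_sa_pair() {
  a=$1 b=$2 mode=$3 spi_ab=$4 spi_ba=$5 enc=$6 integ=$7
  eb=$(enc_key_bytes "$enc") || { echo "unknown encryption algorithm: $enc" >&2; return 1; }
  ib=$(int_key_bytes "$integ") || { echo "unknown integrity algorithm: $integ" >&2; return 1; }
  [ "$spi_ab" != "$spi_ba" ] || { echo "the two SPIs must differ" >&2; return 1; }
  build_sa_add sa_ab "$a" "$b" "$mode" "$spi_ab" "$enc" "$(gen_key "$eb")" "$integ" "$(gen_key "$ib")" || return 1
  build_sa_add sa_ba "$b" "$a" "$mode" "$spi_ba" "$enc" "$(gen_key "$eb")" "$integ" "$(gen_key "$ib")"
}

# Run with the seven build_sa_pair arguments to print a fresh command pair, e.g.
#   sh sa-pair.sh 3ffe:501:ffff:0::a 3ffe:501:ffff:0001:0000:0000:0000:0001 \
#      transport 0x1000 0x1001 aes128-cbc hmac-sha2-256
if [ "$#" -eq 7 ]; then
  build_sa_pair "$@"
fi
```

The printed commands are meant to be reviewed and then entered on each host; afterwards, esxcli network ip ipsec sa list shows the SAs the host accepted, which is the place to confirm that both directions exist with the SPIs you intended.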