Add a security association to specify encryption parameters for associated IP traffic.

You can add a security association using the esxcli command of the vSphere CLI.

At the command prompt, enter the command esxcli network ip ipsec sa add with the following options.
Option / Description

--sa-source=<source address>
    Required. Specify the source address.

--sa-destination=<destination address>
    Required. Specify the destination address.

--sa-mode=<mode>
    Required. Specify the mode, either transport or tunnel.

--sa-spi=<security parameter index>
    Required. Specify the security parameter index. The security parameter index identifies the security association to the host. It must be a hexadecimal with a 0x prefix. Each security association you create must have a unique combination of protocol and security parameter index.

--encryption-algorithm=<encryption algorithm>
    Required. Specify the encryption algorithm using one of the following parameters.
      • 3des-cbc
      • aes128-cbc
      • null (provides no encryption)

--encryption-key=<encryption key>
    Required when you specify an encryption algorithm. Specify the encryption key. You can enter keys as ASCII text or as a hexadecimal with a 0x prefix.

--integrity-algorithm=<authentication algorithm>
    Required. Specify the authentication algorithm, either hmac-sha1 or hmac-sha2-256.

--integrity-key=<authentication key>
    Required. Specify the authentication key. You can enter keys as ASCII text or as a hexadecimal with a 0x prefix.

--sa-name=<name>
    Required. Provide a name for the security association.

New Security Association Command

The following example is split across lines with backslash continuations for readability; it can be entered as shown.

esxcli network ip ipsec sa add \
    --sa-source 3ffe:501:ffff:0::a \
    --sa-destination 3ffe:501:ffff:0001:0000:0000:0000:0001 \
    --sa-mode transport \
    --sa-spi 0x1000 \
    --encryption-algorithm 3des-cbc \
    --encryption-key 0x6970763672656164796c6f676f336465736362636f757432 \
    --integrity-algorithm hmac-sha1 \
    --integrity-key 0x6970763672656164796c6f67736861316f757432 \
    --sa-name sa1
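An added pre-flight check, not VMware's code, that validates a parameter set against the rules in the option table above (mode, 0x-prefixed SPI, key required for a non-null cipher, ASCII or 0x-hex keys) and then prints the esxcli invocation. The key lengths it enforces (24 bytes for 3des-cbc, 16 for aes128-cbc, 20 for hmac-sha1, 32 for hmac-sha2-256) are the standard IPsec sizes and are an assumption, since the page does not state them; the function names are mine.

```shell
#!/bin/sh
# Pre-flight check for the parameters of "esxcli network ip ipsec sa add".
# Key sizes are the usual IPsec ones (an assumption; the page does not state them):
# 3des-cbc 24 bytes, aes128-cbc 16 bytes, hmac-sha1 20 bytes, hmac-sha2-256 32 bytes.

# is_hex VALUE: VALUE is "0x" followed by a non-empty, even-length run of hex digits
is_hex() {
    h=${1#0x}
    [ "$h" != "$1" ] && [ -n "$h" ] || return 1
    case "$h" in *[!0-9a-fA-F]*) return 1 ;; esac
    [ $(( ${#h} % 2 )) -eq 0 ]
}

# key_bytes KEY: length in bytes of a key given as 0x-hex or as ASCII text
key_bytes() {
    if is_hex "$1"; then h=${1#0x}; echo $(( ${#h} / 2 )); else echo ${#1}; fi
}

# sa_check SRC DST MODE SPI ENC_ALG ENC_KEY INTEG_ALG INTEG_KEY NAME
# Prints the first problem found and returns 1; returns 0 when the SA is usable.
sa_check() {
    [ -n "$1" ] && [ -n "$2" ] && [ -n "$9" ] ||
        { echo "source, destination and name are required"; return 1; }
    case "$3" in transport|tunnel) ;; *) echo "bad mode: $3"; return 1 ;; esac
    # SPI must be hexadecimal with a 0x prefix (any number of digits)
    case "$4" in 0x*) ;; *) echo "SPI needs a 0x prefix: $4"; return 1 ;; esac
    case "${4#0x}" in ""|*[!0-9a-fA-F]*) echo "SPI is not hex: $4"; return 1 ;; esac
    case "$5" in 3des-cbc) n=24 ;; aes128-cbc) n=16 ;; null) n=0 ;;
        *) echo "unknown encryption algorithm: $5"; return 1 ;; esac
    if [ "$n" -gt 0 ]; then
        [ -n "$6" ] || { echo "encryption key is required for $5"; return 1; }
        [ "$(key_bytes "$6")" -eq "$n" ] || { echo "$5 needs a $n-byte key"; return 1; }
    else
        echo "warning: null encryption, traffic is authenticated but sent in clear"
    fi
    case "$7" in hmac-sha1) m=20 ;; hmac-sha2-256) m=32 ;;
        *) echo "unknown integrity algorithm: $7"; return 1 ;; esac
    [ "$(key_bytes "$8")" -eq "$m" ] || { echo "$7 needs a $m-byte key"; return 1; }
    return 0
}

# sa_command: same arguments as sa_check; prints the esxcli invocation once the check passes
sa_command() {
    sa_check "$@" >/dev/null || return 1
    k=""; [ -n "$6" ] && k=" --encryption-key=$6"
    echo "esxcli network ip ipsec sa add --sa-source=$1 --sa-destination=$2 --sa-mode=$3" \
         "--sa-spi=$4 --encryption-algorithm=$5$k --integrity-algorithm=$7 --integrity-key=$8 --sa-name=$9"
}
```

Run sa_command with the nine values from the example above to see the full command line; a key of the wrong size for the chosen algorithm or a SPI without the 0x prefix is reported before anything reaches the host.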