Add a security association to specify encryption parameters for associated IP traffic.

About this task

You can add a security association using the esxcli vSphere CLI command.


At the command prompt, enter the command esxcli network ip ipsec sa add with one or more of the following options.



--sa-source= source address

Required. Specify the source address.

--sa-destination= destination address

Required. Specify the destination address.

--sa-mode= mode

Required. Specify the mode, either transport or tunnel.

--sa-spi= security parameter index

Required. Specify the security parameter index. The security parameter index identifies the security association to the host. It must be a hexadecimal value with a 0x prefix. Each security association you create must have a unique combination of protocol and security parameter index.

--encryption-algorithm= encryption algorithm

Required. Specify the encryption algorithm using one of the following parameters.

  • 3des-cbc

  • aes128-cbc

  • null (provides no encryption)

--encryption-key= encryption key

Required when you specify an encryption algorithm. Specify the encryption key. You can enter keys as ASCII text or as a hexadecimal value with a 0x prefix.

--integrity-algorithm= authentication algorithm

Required. Specify the authentication algorithm, either hmac-sha1 or hmac-sha2-256.

--integrity-key= authentication key

Required. Specify the authentication key. You can enter keys as ASCII text or as a hexadecimal value with a 0x prefix.


--sa-name= name

Required. Provide a name for the security association.

New Security Association Command

The following example contains extra line breaks for readability.

esxcli network ip ipsec sa add 
--sa-source 3ffe:501:ffff:0::a 
--sa-destination 3ffe:501:ffff:0001:0000:0000:0000:0001
--sa-mode transport
--sa-spi 0x1000
--encryption-algorithm 3des-cbc
--encryption-key 0x6970763672656164796c6f676f336465736362636f757432
--integrity-algorithm hmac-sha1
--integrity-key 0x6970763672656164796c6f67736861316f757432
--sa-name sa1
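
As an added example (not VMware's code), the following shell functions check the parameter rules listed above and generate random keys in place of the readable-text keys used in the sample command. The per-algorithm key lengths, the refusal of null, and the function names are assumptions of this example, not statements from the page.

```shell
#!/bin/sh
# Added example, not VMware code. Key sizes are the standard ones for each
# algorithm (assumption: the page does not state them).
key_bytes() {                      # required key length in bytes
  case "$1" in
    3des-cbc)      echo 24 ;;
    aes128-cbc)    echo 16 ;;
    hmac-sha1)     echo 20 ;;
    hmac-sha2-256) echo 32 ;;
    *)             return 1 ;;
  esac
}

is_hex() {                         # true for 0x followed by hex digits only
  case "$1" in
    0x?*) case "${1#0x}" in *[!0-9a-fA-F]*) return 1 ;; esac ;;
    *)    return 1 ;;
  esac
}

check_key() {                      # $1 = 0x-prefixed key, $2 = algorithm
  n=$(key_bytes "$2") || return 1
  is_hex "$1" || return 1
  k=${1#0x}
  [ "${#k}" -eq $((n * 2)) ]
}

gen_key() {                        # random 0x-prefixed key sized for $1
  n=$(key_bytes "$1") || return 1
  printf '0x%s\n' "$(head -c "$n" /dev/urandom | od -An -v -tx1 | tr -d ' \n')"
}

# build_sa_cmd SRC DST MODE SPI ENC_ALG INT_ALG NAME
build_sa_cmd() {
  case "$3" in transport|tunnel) ;; *) echo "bad mode: $3" >&2; return 1 ;; esac
  is_hex "$4" || { echo "SPI needs 0x-prefixed hex: $4" >&2; return 1; }
  # "null" is refused here as a policy choice: it provides no encryption.
  case "$5" in 3des-cbc|aes128-cbc) ;; *) echo "bad encryption algorithm: $5" >&2; return 1 ;; esac
  case "$6" in hmac-sha1|hmac-sha2-256) ;; *) echo "bad integrity algorithm: $6" >&2; return 1 ;; esac
  ek=$(gen_key "$5") && ik=$(gen_key "$6") || return 1
  check_key "$ek" "$5" && check_key "$ik" "$6" || return 1
  printf 'esxcli network ip ipsec sa add --sa-source %s --sa-destination %s --sa-mode %s --sa-spi %s --encryption-algorithm %s --encryption-key %s --integrity-algorithm %s --integrity-key %s --sa-name %s\n' \
    "$1" "$2" "$3" "$4" "$5" "$ek" "$6" "$ik" "$7"
}

# Addresses, SPI and name are the ones from the page's sample command.
build_sa_cmd 3ffe:501:ffff:0::a 3ffe:501:ffff:0001:0000:0000:0000:0001 \
  transport 0x1000 aes128-cbc hmac-sha2-256 sa1
```

The printed command contains both keys in clear text, so the output needs the same handling as the keys themselves.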