Create a security policy to define which traffic the authentication and encryption parameters of a security association apply to, and in which direction. You add a security policy with the ESXCLI vSphere CLI command esxcli network ip ipsec sp add.

Prerequisites

Before creating a security policy, add a security association with the appropriate authentication and encryption parameters as described in Add an IPsec Security Association.

Procedure

At the command prompt, enter the command esxcli network ip ipsec sp add with the following options. Options marked Required must always be given; the others are optional.
Option                              Description
--sp-source=<address/prefix>        Required. Source IP address and prefix length.
--sp-destination=<address/prefix>   Required. Destination IP address and prefix length.
--source-port=<port>                Required. Source port, an integer from 0 to 65535.
--destination-port=<port>           Required. Destination port, an integer from 0 to 65535.
--upper-layer-protocol=<protocol>   Upper-layer protocol to match, one of:
                                      • tcp
                                      • udp
                                      • icmp6
                                      • any
--flow-direction=<direction>        Direction of the traffic the policy applies to, either in or out.
--action=<action>                   Action to take on traffic that matches the policy, one of:
                                      • none: take no action.
                                      • discard: drop the traffic; do not allow it in or out.
                                      • ipsec: apply the authentication and encryption parameters of the named security association, so that data is accepted only if it comes from a trusted source.
--sp-mode=<mode>                    Mode, either tunnel or transport.
--sa-name=<name>                    Required. Name of the security association the policy uses.
--sp-name=<name>                    Required. Name for the new security policy.

New Security Policy Command

The following example is broken across lines with backslash continuations for readability; it can be pasted as shown.

esxcli network ip ipsec sp add \
  --sp-source=2001:db8:1::/64 \
  --sp-destination=2002:db8:1::/64 \
  --source-port=23 \
  --destination-port=25 \
  --upper-layer-protocol=tcp \
  --flow-direction=out \
  --action=ipsec \
  --sp-mode=transport \
  --sa-name=sa1 \
  --sp-name=sp1
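The procedure above is a single esxcli invocation; the following shell script is an added example (not part of the vSphere documentation and not VMware's own tooling) that wraps it in a function which validates every value against the option table before calling esxcli, and then adds the mirrored inbound policy. IPsec security policies and security associations are unidirectional, so the policy for the return traffic uses swapped addresses and ports and normally references a second security association created for that direction. The names sp1, sa1-out, sa1-in, the 2001:db8 prefixes and the DRY_RUN variable are assumptions for illustration; set DRY_RUN=echo to print the commands instead of running them on a host.

```shell
#!/bin/sh
# Added example: validated wrapper around "esxcli network ip ipsec sp add".
# DRY_RUN is an assumed variable: empty runs esxcli, "echo" prints the command.
DRY_RUN="${DRY_RUN:-}"

# valid_port PORT -> success if PORT is an integer in 0..65535 (table: Required ports)
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 0 ] && [ "$1" -le 65535 ]
}

# one_of VALUE ALLOWED... -> success if VALUE is one of the ALLOWED words
one_of() {
    v="$1"; shift
    for a in "$@"; do
        [ "$v" = "$a" ] && return 0
    done
    return 1
}

# sp_add NAME SA SRC/PLEN DST/PLEN SPORT DPORT PROTO DIR ACTION MODE
# Checks each argument against the accepted values, then runs
# esxcli network ip ipsec sp add with the corresponding options.
sp_add() {
    name="$1" sa="$2" src="$3" dst="$4" sport="$5" dport="$6"
    proto="$7" dir="$8" action="$9" mode="${10}"
    valid_port "$sport" || { echo "invalid --source-port: $sport" >&2; return 1; }
    valid_port "$dport" || { echo "invalid --destination-port: $dport" >&2; return 1; }
    one_of "$proto" tcp udp icmp6 any || { echo "invalid --upper-layer-protocol: $proto" >&2; return 1; }
    one_of "$dir" in out || { echo "invalid --flow-direction: $dir" >&2; return 1; }
    one_of "$action" none discard ipsec || { echo "invalid --action: $action" >&2; return 1; }
    one_of "$mode" tunnel transport || { echo "invalid --sp-mode: $mode" >&2; return 1; }
    $DRY_RUN esxcli network ip ipsec sp add \
        --sp-source="$src" --sp-destination="$dst" \
        --source-port="$sport" --destination-port="$dport" \
        --upper-layer-protocol="$proto" --flow-direction="$dir" \
        --action="$action" --sp-mode="$mode" \
        --sa-name="$sa" --sp-name="$name"
}

# sp_add_pair BASENAME SA_OUT SA_IN LOCAL/PLEN REMOTE/PLEN LPORT RPORT PROTO MODE
# Policies are unidirectional: add the outbound policy for local->remote and the
# inbound policy for remote->local with addresses and ports swapped. Each direction
# references its own security association (SA_OUT / SA_IN), since SAs are
# unidirectional as well. Both policies use --action=ipsec.
sp_add_pair() {
    base="$1" sa_out="$2" sa_in="$3" lhost="$4" rhost="$5"
    lport="$6" rport="$7" proto="$8" mode="$9"
    sp_add "${base}-out" "$sa_out" "$lhost" "$rhost" "$lport" "$rport" "$proto" out ipsec "$mode" &&
    sp_add "${base}-in"  "$sa_in"  "$rhost" "$lhost" "$rport" "$lport" "$proto" in  ipsec "$mode"
}

# sp_verify -> list the configured policies so the new entries can be checked
sp_verify() {
    $DRY_RUN esxcli network ip ipsec sp list
}

# Usage (sample values; run with DRY_RUN=echo to preview):
#   sp_add_pair sp1 sa1-out sa1-in 2001:db8:1::/64 2001:db8:2::/64 23 25 tcp transport && sp_verify
```

After adding the pair, esxcli network ip ipsec sp list should show both sp1-out and sp1-in; a policy whose --action is ipsec but whose security association does not exist is the usual reason the add fails, which is why the prerequisite section asks for the association first.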