Create a security policy to select which traffic is handled with the authentication and encryption parameters set in a security association. You can add a security policy using the ESXCLI vSphere CLI command.

Prerequisites

Before creating a security policy, add a security association with the appropriate authentication and encryption parameters as described in Add an IPsec Security Association.

Procedure

At the command prompt, enter the command esxcli network ip ipsec sp add with the following options. Options marked Required must be present.

--sp-source= source address
    Required. Specify the source IP address and prefix length.

--sp-destination= destination address
    Required. Specify the destination IP address and prefix length.

--source-port= port
    Required. Specify the source port. The source port must be a number between 0 and 65535.

--destination-port= port
    Required. Specify the destination port. The destination port must be a number between 0 and 65535.

--upper-layer-protocol= protocol
    Specify the upper layer protocol using one of the following parameters.

  • tcp

  • udp

  • icmp6

  • any

--flow-direction= direction
    Specify the direction of the traffic that the policy applies to, either in (inbound) or out (outbound). A policy matches one direction only.

--action= action
    Specify the action to take when traffic matching the policy is encountered, using one of the following parameters.

  • none: Take no action. Matching traffic bypasses IPsec.

  • discard: Drop matching traffic. Do not allow data in or out.

  • ipsec: Protect matching traffic with the authentication and encryption parameters of the security association named by --sa-name, and use them to verify that the data comes from a trusted source.

--sp-mode= mode
    Specify the mode, either tunnel or transport.

--sa-name= security association name
    Required. Provide the name of the security association for the security policy to use.

--sp-name= name
    Required. Provide a name for the security policy.

New Security Policy Command

The following example is broken across lines with backslash continuations for readability. It can also be entered on a single line.

esxcli network ip ipsec sp add \
--sp-source=2001:db8:1::/64 \
--sp-destination=2002:db8:1::/64 \
--source-port=23 \
--destination-port=25 \
--upper-layer-protocol=tcp \
--flow-direction=out \
--action=ipsec \
--sp-mode=transport \
--sa-name=sa1 \
--sp-name=sp1
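The command is easy to get wrong by hand (a missing prefix length, a port outside 0 to 65535, a misspelled protocol), and esxcli reports such mistakes only after the policy has been attempted on the host. The following POSIX shell wrapper, added here as an example and not part of VMware's documentation or tooling, checks every value against the ranges listed above and then builds the argument vector for esxcli network ip ipsec sp add. The function names, the DRY_RUN variable and the rule that all ten values must be supplied are this example's own conventions; the option names and accepted values are the ones from the table. With DRY_RUN unset or set to 1 it only prints the assembled command, so it can be run without an ESXi host; set DRY_RUN=0 on the host to execute it.

```shell
#!/bin/sh
# Added example (not VMware's code): validate the arguments of
# `esxcli network ip ipsec sp add` before building and running it.
# DRY_RUN=1 (the default) prints the assembled command instead of
# executing it, so this runs on any POSIX shell with no ESXi host.

# port_ok OPTION VALUE -> 0 if VALUE is an integer in 0..65535
port_ok() {
    case "$2" in
        ''|*[!0-9]*) echo "$1: '$2' is not an integer" >&2; return 1 ;;
    esac
    [ "$2" -le 65535 ] || { echo "$1: $2 is above 65535" >&2; return 1; }
}

# one_of OPTION VALUE CHOICE... -> 0 if VALUE is exactly one of CHOICE...
one_of() {
    opt=$1 val=$2
    shift 2
    for c in "$@"; do
        [ "$val" = "$c" ] && return 0
    done
    echo "$opt: '$val' must be one of: $*" >&2
    return 1
}

# prefix_ok OPTION VALUE -> 0 if VALUE carries a /prefix-length
prefix_ok() {
    case "$2" in
        */[0-9]*) return 0 ;;
    esac
    echo "$1: '$2' needs an address and prefix length, e.g. 2001:db8:1::/64" >&2
    return 1
}

# ipsec_sp_add SP_NAME SA_NAME SRC DST SPORT DPORT PROTO DIR ACTION MODE
# Validates every value against what the command accepts, then either
# prints the command (DRY_RUN=1) or executes it (DRY_RUN=0 on an ESXi host).
ipsec_sp_add() {
    [ $# -eq 10 ] || {
        echo "usage: ipsec_sp_add SP_NAME SA_NAME SRC DST SPORT DPORT PROTO DIR ACTION MODE" >&2
        return 1
    }
    sp_name=$1 sa_name=$2 src=$3 dst=$4 sport=$5 dport=$6
    proto=$7 dir=$8 action=$9 mode=${10}

    prefix_ok --sp-source "$src"                              || return 1
    prefix_ok --sp-destination "$dst"                         || return 1
    port_ok --source-port "$sport"                            || return 1
    port_ok --destination-port "$dport"                       || return 1
    one_of --upper-layer-protocol "$proto" tcp udp icmp6 any  || return 1
    one_of --flow-direction "$dir" in out                     || return 1
    one_of --action "$action" none discard ipsec              || return 1
    one_of --sp-mode "$mode" tunnel transport                 || return 1
    # The command requires --sa-name and --sp-name for every action,
    # and an --action=ipsec policy is meaningless without an SA to apply.
    [ -n "$sa_name" ] || { echo "--sa-name must not be empty" >&2; return 1; }
    [ -n "$sp_name" ] || { echo "--sp-name must not be empty" >&2; return 1; }

    # Build the argument vector directly (no eval), so a value containing
    # shell metacharacters cannot change which command runs.
    set -- esxcli network ip ipsec sp add \
        "--sp-source=$src" "--sp-destination=$dst" \
        "--source-port=$sport" "--destination-port=$dport" \
        "--upper-layer-protocol=$proto" "--flow-direction=$dir" \
        "--action=$action" "--sp-mode=$mode" \
        "--sa-name=$sa_name" "--sp-name=$sp_name"
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# The policy from the page's example: outbound TCP 23 -> 25, transport
# mode, protected by the security association sa1 created beforehand.
ipsec_sp_add sp1 sa1 2001:db8:1::/64 2002:db8:1::/64 23 25 tcp out ipsec transport
```

Two things to keep in mind when running it for real. The security association named by --sa-name must already exist on the host, as the Prerequisites state, or the policy has nothing to apply. And because a policy matches a single flow direction, the example above protects only outbound traffic; if the reply traffic on the same flow must be protected as well, add a second policy with --flow-direction=in (and a security association suited to that direction). After adding a policy on the host, confirm it with esxcli network ip ipsec sp list.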