You can set up Internet Protocol Security (IPsec) with esxcli network ip ipsec commands or with the vicfg-ipsec command. IPsec secures IP communications coming from and arriving at ESXi hosts. Administrators who perform IPsec setup must have a solid understanding of both IPv6 and IPsec.

ESXi hosts support IPsec only for IPv6 traffic; IPv4 traffic is not protected.

Important: In ESXi 4.1, ESXi 5.0, and ESXi 5.1, IPv6 is disabled by default. You can turn on IPv6 by running one of the following vCLI commands. The esxcli commands also take the VMkernel interface to configure (-i|--interface-name), and on these releases the change takes effect only after the host reboots.
esxcli <conn_options> network ip interface ipv6 set --enable-dhcpv6
esxcli <conn_options> network ip interface ipv6 address add

vicfg-vmknic <conn_options> --enable-ipv6

You cannot run vicfg-ipsec with a vCenter Server system as the target (that is, by using the --vihost option).

You can run esxcli network ip ipsec commands with a vCenter Server system as the target, by using the --vihost option.

The VMware implementation of IPsec adheres to the following IPsec RFCs.

  • 4301 Security Architecture for the Internet Protocol
  • 4303 IP Encapsulating Security Payload (ESP)
  • 4835 Cryptographic Algorithm Implementation Requirements for ESP
  • 2410 The NULL Encryption Algorithm and Its Use With IPsec
  • 2451 The ESP CBC-Mode Cipher Algorithms
  • 3602 The AES-CBC Cipher Algorithm and Its Use with IPsec
  • 2404 The Use of HMAC-SHA-1-96 within ESP and AH
  • 4868 Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512

Note that the NULL encryption algorithm (RFC 2410) provides no confidentiality: an ESP SA that uses it protects only integrity and origin authentication through the HMAC, so use it only where you deliberately want authenticated but unencrypted traffic.
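The following shell script is an added example, not code from the vSphere documentation or from VMware. It shows how a practitioner would prepare manually keyed ESP security associations for these commands: generate keys of the size the listed RFCs require, refuse wrong-length or non-hex keys before anything is sent to the host, and assemble the esxcli network ip ipsec sa add command. The option names (--sa-source, --sa-destination, --sa-mode, --sa-spi, --encryption-algorithm, --encryption-key, --integrity-algorithm, --integrity-key, --sa-name) and the 0x-prefixed hex key format are assumptions from the ESXi 5.x documentation and should be checked against esxcli network ip ipsec sa add --help on your host; the addresses, SPI and SA name are constructed for the example.

```shell
#!/bin/sh
# Added example; not code from the vSphere documentation or from VMware.
# Assumed (verify with "esxcli network ip ipsec sa add --help"): the ESXi 5.x
# option names --sa-source, --sa-destination, --sa-mode, --sa-spi,
# --encryption-algorithm, --encryption-key, --integrity-algorithm,
# --integrity-key, --sa-name, and keys given as 0x-prefixed hex strings.

# Key sizes in bytes fixed by the RFCs the page lists:
# RFC 2451 3DES-CBC 24, RFC 3602 AES-128-CBC 16, RFC 2410 NULL 0,
# RFC 2404 HMAC-SHA-1-96 20, RFC 4868 HMAC-SHA-256 32.
expected_key_bytes() {
    case "$1" in
        3des-cbc)      echo 24 ;;
        aes128-cbc)    echo 16 ;;
        null)          echo 0 ;;
        hmac-sha1)     echo 20 ;;
        hmac-sha2-256) echo 32 ;;
        *)             return 1 ;;
    esac
}

# hex_key_ok ALGO KEY: succeed only if KEY is 0x-prefixed hex of exactly the
# length ALGO needs (and empty for null, which takes no key).
hex_key_ok() {
    want=$(expected_key_bytes "$1") || return 1
    if [ "$want" -eq 0 ]; then
        [ -z "$2" ]; return
    fi
    case "$2" in
        0x*) hex=${2#0x} ;;
        *)   return 1 ;;          # missing 0x prefix
    esac
    case "$hex" in
        '' | *[!0-9a-fA-F]*) return 1 ;;   # not hex
    esac
    [ "${#hex}" -eq $((want * 2)) ]
}

# gen_key ALGO: random key of the right size from /dev/urandom, as 0x-hex.
# Never derive IPsec keys from passwords or type them in by hand.
gen_key() {
    n=$(expected_key_bytes "$1") || return 1
    if [ "$n" -eq 0 ]; then echo ""; return 0; fi
    printf '0x%s\n' "$(head -c "$n" /dev/urandom | od -An -tx1 | tr -d ' \n')"
}

# ipsec_sa_cmd SRC DST SPI ENC ENCKEY INTEG INTEGKEY NAME: print the esxcli
# command for a transport-mode SA, or fail before anything reaches the host.
ipsec_sa_cmd() {
    hex_key_ok "$4" "$5" || { echo "bad key for $4" >&2; return 1; }
    hex_key_ok "$6" "$7" || { echo "bad key for $6" >&2; return 1; }
    cmd="esxcli network ip ipsec sa add --sa-source $1 --sa-destination $2"
    cmd="$cmd --sa-mode transport --sa-spi $3 --encryption-algorithm $4"
    [ "$4" = null ] || cmd="$cmd --encryption-key $5"   # null: integrity only
    cmd="$cmd --integrity-algorithm $6 --integrity-key $7 --sa-name $8"
    printf '%s\n' "$cmd"
}

# Usage with constructed addresses from the RFC 3849 documentation prefix.
# Run the printed command through "esxcli <conn_options> ..." on both peers
# with the same SPI and keys; the peer's SA must mirror it.
ek=$(gen_key aes128-cbc); ik=$(gen_key hmac-sha2-256)
ipsec_sa_cmd 2001:db8:1::a 2001:db8:1::b 0x1000 aes128-cbc "$ek" hmac-sha2-256 "$ik" sa1
```

Prefer aes128-cbc with hmac-sha2-256 over 3des-cbc and hmac-sha1 where both peers support them; the script accepts the older algorithms only because the page lists their RFCs. Manually keyed SAs never rekey, so treat the generated keys as long-lived secrets and rotate them on a schedule.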