You can set Internet Protocol Security with esxcli network ip ipsec commands or with the vicfg-ipsec command, which secures IP communications coming from and arriving at ESXi hosts. Administrators who perform IPsec setup must have a solid understanding of both IPv6 and IPsec.
ESXi hosts support IPsec only for IPv6 traffic, but not for IPv4 traffic.
Important: In
ESXi 4.1,
ESXi 5.0, and
ESXi 5.1, IPv6 is by default disabled. You can turn on IPv6 by running one of the following vCLI commands.
esxcli <conn_options> network ip interface ipv6 set --enable-dhcpv6 esxcli <conn_options> network ip interface ipv6 address add vicfg-vmknic <conn_options> --enable-ipv6
You cannot run vicfg-ipsec with a vCenter Server system as the target, by using the --vihost option.
You can run esxcli network ip ipsec commands with a vCenter Server system as a target, by using the --vihost option.
The VMware implementation of IPsec adheres to the following IPv6 RFCs.
- 4301 Security Architecture for the Internet Protocol
- 4303 IP Encapsulating Security Payload (ESP)
- 4835 Cryptographic Algorithm Implementation Requirements for ESP
- 2410 The NULL Encryption Algorithm and Its Use With IPsec
- 2451 The ESP CBC-Mode Cipher Algorithms
- 3602 The AES-CBC Cipher Algorithm and Its Use with IPsec
- 2404 The Use of HMAC-SHA-1-96 within ESP and AH
- 4868 Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512