Add a security association to specify encryption parameters for associated IP traffic.

You can add a security association using the esxcli command.


  • At the command prompt, enter the command esxcli network ip ipsec sa add with one or more of the following options.

    Option
        Description
    --sa-source=source address
        Required. Specify the source address.
    --sa-destination=destination address
        Required. Specify the destination address.
    --sa-mode=mode
        Required. Specify the mode, either transport or tunnel.
    --sa-spi=security parameter index
        Required. Specify the security parameter index. The security parameter index identifies the security association to the host. It must be a hexadecimal value with a 0x prefix. Each security association you create must have a unique combination of protocol and security parameter index.
    --encryption-algorithm=encryption algorithm
        Required. Specify the encryption algorithm using one of the following parameters.
        • 3des-cbc
        • aes128-cbc
        • null (provides no encryption)
    --encryption-key=encryption key
        Required when you specify an encryption algorithm. Specify the encryption key. You can enter keys as ASCII text or as a hexadecimal value with a 0x prefix.
    --integrity-algorithm=authentication algorithm
        Required. Specify the authentication algorithm, either hmac-sha1 or hmac-sha2-256.
    --integrity-key=authentication key
        Required. Specify the authentication key. You can enter keys as ASCII text or as a hexadecimal value with a 0x prefix.
    --sa-name=name
        Required. Provide a name for the security association.

Example: New Security Association Command

The following example contains extra line breaks for readability.

esxcli network ip ipsec sa add 
--sa-source 3ffe:501:ffff:0::a 
--sa-destination 3ffe:501:ffff:0001:0000:0000:0000:0001
--sa-mode transport
--sa-spi 0x1000
--encryption-algorithm 3des-cbc
--encryption-key 0x6970763672656164796c6f676f336465736362636f757432
--integrity-algorithm hmac-sha1
--integrity-key 0x6970763672656164796c6f67736861316f757432
--sa-name sa1
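
The keys in the example above are ASCII strings written in hexadecimal. The following shell script is an added example, not part of the original documentation: it prints the same command with random keys read from /dev/urandom and checks the SPI, mode and algorithm names first. The function names are hypothetical, and the key sizes are the standard ones for each algorithm, assumed to be what the host expects.

```shell
#!/bin/sh
# Added example (not VMware code): print an `esxcli network ip ipsec sa add`
# command with freshly generated random hex keys. Nothing is run on a host.
# Key sizes in bytes. Assumption: the standard size for each algorithm.
enc_key_bytes() {
  case "$1" in
    3des-cbc)   echo 24 ;;
    aes128-cbc) echo 16 ;;
    *)          return 1 ;;   # "null" is deliberately not offered by this helper
  esac
}
int_key_bytes() {
  case "$1" in
    hmac-sha1)     echo 20 ;;
    hmac-sha2-256) echo 32 ;;
    *)             return 1 ;;
  esac
}

# N bytes from the kernel CSPRNG, as hexadecimal with the 0x prefix.
rand_hex_key() {
  printf '0x%s' "$(od -An -v -tx1 -N "$1" /dev/urandom | tr -d ' \n')"
}

# The SPI must be hexadecimal with a 0x prefix.
valid_spi() {
  case "$1" in
    0x | 0x*[!0-9a-fA-F]*) return 1 ;;
    0x*) return 0 ;;
    *)   return 1 ;;
  esac
}

# Usage: build_sa_cmd SRC DST MODE SPI ENC_ALG INT_ALG NAME
build_sa_cmd() {
  valid_spi "$4" || { echo "SPI must be hex with 0x prefix: $4" >&2; return 1; }
  case "$3" in transport | tunnel) ;; *) echo "bad mode: $3" >&2; return 1 ;; esac
  enc_len=$(enc_key_bytes "$5") || { echo "bad encryption algorithm: $5" >&2; return 1; }
  int_len=$(int_key_bytes "$6") || { echo "bad integrity algorithm: $6" >&2; return 1; }
  printf 'esxcli network ip ipsec sa add --sa-source %s --sa-destination %s' "$1" "$2"
  printf ' --sa-mode %s --sa-spi %s' "$3" "$4"
  printf ' --encryption-algorithm %s --encryption-key %s' "$5" "$(rand_hex_key "$enc_len")"
  printf ' --integrity-algorithm %s --integrity-key %s' "$6" "$(rand_hex_key "$int_len")"
  printf ' --sa-name %s\n' "$7"
}

# Addresses, SPI and name are taken from the page's example; keys are random per run.
build_sa_cmd 3ffe:501:ffff:0::a 3ffe:501:ffff:0001:0000:0000:0000:0001 \
  transport 0x1000 aes128-cbc hmac-sha2-256 sa1
```

The printed command contains the keys, so handle the output as secret material.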