Add a security association to specify encryption parameters for associated IP traffic.
You can add a security association using the esxcli command.
Procedure
- ♦ At the command prompt, enter the command esxcli network ip ipsec sa add with one or more of the following options.
Option Description --sa-source= source address Required. Specify the source address. --sa-destination= destination address Required. Specify the destination address. --sa-mode= mode Required. Specify the mode, either transport or tunnel. --sa-spi= security parameter index Required. Specify the security parameter index. The security parameter index identifies the security association to the host. It must be a hexadecimal with a 0x prefix. Each security association you create must have a unique combination of protocol and security parameter index. --encryption-algorithm= encryption algorithm Required. Specify the encryption algorithm using one of the following parameters. - 3des-cbc
- aes128-cbc
- null ( provides no encryption)
--encryption-key= encryption key Required when you specify an encryption algorithm. Specify the encryption key. You can enter keys as ASCII text or as a hexadecimal with a 0x prefix. --integrity-algorithm= authentication algorithm Required. Specify the authentication algorithm, either hmac-sha1 or hmac-sha2-256. --integrity-key= authentication key Required. Specify the authentication key. You can enter keys as ASCII text or as a hexadecimal with a 0x prefix. --sa-name=name Required. Provide a name for the security association.
Example: New Security Association Command
The following example contains extra line breaks for readability.
esxcli network ip ipsec sa add --sa-source 3ffe:501:ffff:0::a --sa-destination 3ffe:501:ffff:0001:0000:0000:0000:0001 --sa-mode transport --sa-spi 0x1000 --encryption-algorithm 3des-cbc --encryption-key 0x6970763672656164796c6f676f336465736362636f757432 --integrity-algorithm hmac-sha1 --integrity-key 0x6970763672656164796c6f67736861316f757432 --sa-name sa1
