Create a security policy to determine when to use the authentication and encryption parameters set in a security association. You can add a security policy using the ESXCLI command.

Prerequisites

Before creating a security policy, add a security association with the appropriate authentication and encryption parameters as described in Add an IPsec Security Association.

Procedure

  • At the command prompt, enter the command esxcli network ip ipsec sp add with one or more of the following options.
    Option and description:
    --sp-source=source address
        Required. Specify the source IP address and prefix length.
    --sp-destination=destination address
        Required. Specify the destination address and prefix length.
    --source-port=port
        Required. Specify the source port. The source port must be a number between 0 and 65535.
    --destination-port=port
        Required. Specify the destination port. The destination port must be a number between 0 and 65535.
    --upper-layer-protocol=protocol
        Specify the upper-layer protocol using one of the following parameters.
        • tcp
        • udp
        • icmp6
        • any
    --flow-direction=direction
        Specify the direction in which you want to monitor traffic, using either in or out.
    --action=action
        Specify the action to take when traffic with the specified parameters is encountered, using one of the following parameters.
        • none: Take no action.
        • discard: Do not allow data in or out.
        • ipsec: Use the authentication and encryption information supplied in the security association to determine whether the data comes from a trusted source.
    --sp-mode=mode
        Specify the mode, either tunnel or transport.
    --sa-name=security association name
        Required. Provide the name of the security association for the security policy to use.
    --sp-name=name
        Required. Provide a name for the security policy.

Example: New Security Policy Command

The following example includes extra line breaks for readability.

esxcli network ip ipsec sp add
--sp-source=2001:db8:1::/64
--sp-destination=2002:db8:1::/64
--source-port=23
--destination-port=25
--upper-layer-protocol=tcp
--flow-direction=out
--action=ipsec
--sp-mode=transport
--sa-name=sa1
--sp-name=sp1
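Because a mistyped port, direction or action is only rejected once the command reaches the host, it helps to validate a policy against the option table above before running it. The following POSIX sh script is an added example, not part of the VMware documentation or of ESXCLI itself: it checks each argument against the documented constraints and prints the resulting esxcli command instead of executing it, so it can be reviewed first (the addresses and the names sa1 and sp1 are constructed samples taken from the example above).

```shell
#!/bin/sh
# Added example (not from the VMware docs): validate IPsec security-policy
# parameters against the documented option constraints and emit the
# esxcli command line without running it. Paste the output on the ESXi host.

# in_set VALUE ALLOWED... -> 0 if VALUE is one of the ALLOWED words
in_set() {
  v=$1; shift
  for a in "$@"; do [ "$v" = "$a" ] && return 0; done
  return 1
}

# valid_port N -> 0 if N is an integer in 0..65535 (documented port range)
valid_port() {
  case $1 in ''|*[!0-9]*) return 1;; esac
  [ "$1" -le 65535 ]
}

# build_sp_cmd SRC DST SPORT DPORT PROTO DIR ACTION MODE SA-NAME SP-NAME
# Prints the esxcli command on success; reports the first violated
# constraint on stderr and returns 1 otherwise.
build_sp_cmd() {
  src=$1 dst=$2 sport=$3 dport=$4 proto=$5 dir=$6 action=$7 mode=$8 sa=$9
  shift 9; sp=$1
  # Source and destination must carry a prefix length (address/len).
  case $src in */*) ;; *) echo "sp-source needs a prefix length" >&2; return 1;; esac
  case $dst in */*) ;; *) echo "sp-destination needs a prefix length" >&2; return 1;; esac
  valid_port "$sport" || { echo "bad source port: $sport" >&2; return 1; }
  valid_port "$dport" || { echo "bad destination port: $dport" >&2; return 1; }
  in_set "$proto" tcp udp icmp6 any || { echo "bad upper-layer protocol: $proto" >&2; return 1; }
  in_set "$dir" in out || { echo "bad flow direction: $dir" >&2; return 1; }
  in_set "$action" none discard ipsec || { echo "bad action: $action" >&2; return 1; }
  in_set "$mode" tunnel transport || { echo "bad sp-mode: $mode" >&2; return 1; }
  [ -n "$sa" ] && [ -n "$sp" ] || { echo "sa-name and sp-name are required" >&2; return 1; }
  printf 'esxcli network ip ipsec sp add --sp-source=%s --sp-destination=%s --source-port=%s --destination-port=%s --upper-layer-protocol=%s --flow-direction=%s --action=%s --sp-mode=%s --sa-name=%s --sp-name=%s\n' \
    "$src" "$dst" "$sport" "$dport" "$proto" "$dir" "$action" "$mode" "$sa" "$sp"
}

# Constructed sample: the same policy as the documentation example above.
build_sp_cmd 2001:db8:1::/64 2002:db8:1::/64 23 25 tcp out ipsec transport sa1 sp1
```

A rejected argument (for example a destination port of 70000) produces no command at all, so nothing half-formed reaches the host.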