Create a security policy to determine when to use the authentication and encryption parameters set in a security association. You can add a security policy using the ESXCLI command.
Prerequisites
Before creating a security policy, add a security association with the appropriate authentication and encryption parameters as described in Add an IPsec Security Association.
Procedure
- ♦ At the command prompt, enter the command esxcli network ip ipsec sp add with one or more of the following options.
Option Description --sp-source= source address Required. Specify the source IP address and prefix length. --sp-destination= destination address Required. Specify the destination address and prefix length. --source-port= port Required. Specify the source port. The source port must be a number between 0 and 65535. --destination-port= port Required. Specify the destination port. The source port must be a number between 0 and 65535. --upper-layer-protocol= protocol Specify the upper layer protocol using one of the following parameters. - tcp
- udp
- icmp6
- any
--flow-direction= direction Specify the direction in which you want to monitor traffic using either in or out. --action= action Specify the action to take when traffic with the specified parameters is encountered using one of the following parameters. - none: Take no action.
- discard: Do not allow data in or out.
- ipsec: Use the authentication and encryption information supplied in the security association to determine whether the data comes from a trusted source.
--sp-mode= mode Specify the mode, either tunnel or transport. --sa-name=security association name Required. Provide the name of the security association for the security policy to use. --sp-name=name Required. Provide a name for the security policy.
Example: New Security Policy Command
The following example includes extra line breaks for readability.
esxcli network ip ipsec add --sp-source=2001:db8:1::/64 --sp-destination=2002:db8:1::/64 --source-port=23 --destination-port=25 --upper-layer-protocol=tcp --flow-direction=out --action=ipsec --sp-mode=transport --sa-name=sa1 --sp-name=sp1