Internet Protocol Security (IPsec) secures IP communications coming from and arriving at a host. ESXi hosts support IPsec using IPv6.

When you set up IPsec on an ESXi host, you enable authentication and encryption of incoming and outgoing packets. When and how IP traffic is encrypted depends on how you set up the system's security associations and security policies.

A security association determines how the system encrypts traffic. When you create a security association, you specify the source and destination, encryption parameters, and a name for the security association.

A security policy determines when the system should encrypt traffic. The security policy includes source and destination information, the protocol and direction of traffic to be encrypted, the mode (transport or tunnel) and the security association to use.

List Available Security Associations on ESXi Hosts

ESXi can provide a list of all security associations available for use by security policies. The list includes both user created security associations and any security associations the VMkernel installed using Internet Key Exchange.

You can get a list of available security associations using the esxcli command.

Procedure

  • At the command prompt, enter the command esxcli network ip ipsec sa list.

Results

ESXi displays a list of all available security associations.

Add an IPsec Security Association to an ESXi Host

Add a security association to specify encryption parameters for associated IP traffic.

You can add a security association using the esxcli command.

Procedure

  • At the command prompt, enter the command esxcli network ip ipsec sa add with one or more of the following options.
    Option Description
    --sa-source= source address Required. Specify the source address.
    --sa-destination= destination address Required. Specify the destination address.
    --sa-mode= mode Required. Specify the mode, either transport or tunnel.
    --sa-spi= security parameter index Required. Specify the security parameter index. The security parameter index identifies the security association to the host. It must be a hexadecimal with a 0x prefix. Each security association you create must have a unique combination of protocol and security parameter index.
    --encryption-algorithm= encryption algorithm Required. Specify the encryption algorithm using one of the following parameters.
    • 3des-cbc
    • aes128-cbc
    • null ( provides no encryption)
    --encryption-key= encryption key Required when you specify an encryption algorithm. Specify the encryption key. You can enter keys as ASCII text or as a hexadecimal with a 0x prefix.
    --integrity-algorithm= authentication algorithm Required. Specify the authentication algorithm, either hmac-sha1 or hmac-sha2-256.
    --integrity-key= authentication key Required. Specify the authentication key. You can enter keys as ASCII text or as a hexadecimal with a 0x prefix.
    --sa-name=name Required. Provide a name for the security association.

Example: New Security Association Command

The following example contains extra line breaks for readability. 

esxcli network ip ipsec sa add 
--sa-source 3ffe:501:ffff:0::a 
--sa-destination 3ffe:501:ffff:0001:0000:0000:0000:0001
--sa-mode transport
--sa-spi 0x1000
--encryption-algorithm 3des-cbc
--encryption-key 0x6970763672656164796c6f676f336465736362636f757432
--integrity-algorithm hmac-sha1
--integrity-key 0x6970763672656164796c6f67736861316f757432
--sa-name sa1

Remove an IPsec Security Association from an ESXi Host

You can remove a security association using the ESXCLI command.

Prerequisites

Verify that the security association you want to use is not currently in use. If you try to remove a security association that is in use, the removal operation fails.

Procedure

  • At the command prompt, enter the command esxcli network ip ipsec sa remove --sa-name security_association_name.

List Available IPsec Security Policies on an ESXi Host

You can list available security policies using the ESXCLI command.

Procedure

  • At the command prompt, enter the command esxcli network ip ipsec sp list.

Results

The host displays a list of all available security policies.

Create an IPSec Security Policy on an ESXi Host

Create a security policy to determine when to use the authentication and encryption parameters set in a security association. You can add a security policy using the ESXCLI command.

Prerequisites

Before creating a security policy, add a security association with the appropriate authentication and encryption parameters as described in Add an IPsec Security Association to an ESXi Host.

Procedure

  • At the command prompt, enter the command esxcli network ip ipsec sp add with one or more of the following options.
    Option Description
    --sp-source= source address Required. Specify the source IP address and prefix length.
    --sp-destination= destination address Required. Specify the destination address and prefix length.
    --source-port= port Required. Specify the source port. The source port must be a number between 0 and 65535.
    --destination-port= port Required. Specify the destination port. The source port must be a number between 0 and 65535.
    --upper-layer-protocol= protocol Specify the upper layer protocol using one of the following parameters.
    • tcp
    • udp
    • icmp6
    • any
    --flow-direction= direction Specify the direction in which you want to monitor traffic using either in or out.
    --action= action Specify the action to take when traffic with the specified parameters is encountered using one of the following parameters.
    • none: Take no action.
    • discard: Do not allow data in or out.
    • ipsec: Use the authentication and encryption information supplied in the security association to determine whether the data comes from a trusted source.
    --sp-mode= mode Specify the mode, either tunnel or transport.
    --sa-name=security association name Required. Provide the name of the security association for the security policy to use.
    --sp-name=name Required. Provide a name for the security policy.

Example: New Security Policy Command

The following example includes extra line breaks for readability. 

esxcli network ip ipsec add
--sp-source=2001:db8:1::/64
--sp-destination=2002:db8:1::/64
--source-port=23
--destination-port=25
--upper-layer-protocol=tcp
--flow-direction=out
--action=ipsec
--sp-mode=transport
--sa-name=sa1
--sp-name=sp1

Remove an IPsec Security Policy from an ESXi Host

You can remove a security policy from the ESXi host using the ESXCLI command.

Prerequisites

Verify that the security policy you want to use is not currently in use. If you try to remove a security policy that is in use, the removal operation fails.

Procedure

  • At the command prompt, enter the command esxcli network ip ipsec sp remove --sa-name security policy name.
    To remove all security policies, enter the command esxcli network ip ipsec sp remove --remove-all.