Setting Up IPsec

You can set up Internet Protocol Security (IPsec) with esxcli network ip ipsec commands or with the vicfg-ipsec command. IPsec secures IP communications coming from and arriving at ESXi hosts. Administrators who perform IPsec setup must have a solid understanding of both IPv6 and IPsec.
ESXi hosts support IPsec only for IPv6 traffic, not for IPv4 traffic.
In ESXi 4.1, 5.0, and 5.1, IPv6 is disabled by default. You can turn on IPv6 by running one of the following vCLI commands.
  esxcli <conn_options> network ip interface ipv6 set --enable-dhcpv6
  esxcli <conn_options> network ip interface ipv6 address add
  vicfg-vmknic <conn_options> --enable-ipv6
You cannot run vicfg-ipsec with a vCenter Server system as the target by using the --vihost option.
You can run esxcli network ip ipsec commands with a vCenter Server system as the target by using the --vihost option.
The VMware implementation of IPsec adheres to the following RFCs.
  • 4301 Security Architecture for the Internet Protocol
  • 4303 IP Encapsulating Security Payload (ESP)
  • 4835 Cryptographic Algorithm Implementation Requirements for ESP
  • 2410 The NULL Encryption Algorithm and Its Use With IPsec
  • 2451 The ESP CBC-Mode Cipher Algorithms
  • 3602 The AES-CBC Cipher Algorithm and Its Use with IPsec
  • 2404 The Use of HMAC-SHA-1-96 within ESP and AH
  • 4868 Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512
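The RFCs above fix the key sizes for each algorithm, and ESXi rejects an SA whose keys do not match them. The following Python script is an added example, not VMware code or text from this page: it validates the parameters of an esxcli network ip ipsec sa add call (IPv6-only addresses, SPI range per RFC 4303, key lengths per RFC 2404, 2451, 3602 and 4868, and a 3DES key that would collapse to single DES) and renders the command line. The algorithm strings and option names follow the vSphere esxcli reference rather than this page, so treat them as an assumption and confirm them with esxcli network ip ipsec sa add --help on the target build; the addresses and keys are constructed sample values.

```python
"""Pre-flight validation of an ESXi IPsec security association.

Added example, not VMware's code. Option names and algorithm strings follow
the vSphere esxcli reference and are assumptions; verify them on your host.
"""
import ipaddress
import shlex

# Key sizes fixed by the RFCs the page lists, in bytes.
ENCRYPTION_KEY_BYTES = {
    "null": 0,         # RFC 2410: NULL encryption takes no key
    "3des-cbc": 24,    # RFC 2451: three independent 64-bit DES keys
    "aes128-cbc": 16,  # RFC 3602: AES-CBC with a 128-bit key
}
INTEGRITY_KEY_BYTES = {
    "hmac-sha1": 20,      # RFC 2404: HMAC-SHA-1-96 takes a 160-bit key
    "hmac-sha2-256": 32,  # RFC 4868: HMAC-SHA-256-128 takes a 256-bit key
}
SA_MODES = ("transport", "tunnel")


def parse_hex_key(text):
    """Decode a 0x-prefixed hex key, the form VMware's own examples use."""
    if not text.startswith("0x") or len(text) % 2:
        raise ValueError(f"key must be 0x-prefixed hex of whole bytes: {text!r}")
    try:
        return bytes.fromhex(text[2:])
    except ValueError:
        raise ValueError(f"key is not valid hex: {text!r}") from None


def sa_problems(sa):
    """Return the reasons the SA would be rejected or is unsafe (empty if OK)."""
    problems = []
    for field in ("sa_source", "sa_destination"):
        if ipaddress.ip_address(sa[field]).version != 6:
            problems.append(f"{field} must be an IPv6 address; ESXi IPsec is IPv6-only")
    spi = int(sa["sa_spi"], 0)
    if not 0x100 <= spi <= 0xFFFFFFFF:
        # RFC 4303: SPI 0 is reserved for local use, 1-255 are reserved by IANA
        problems.append(f"SPI {spi:#x} is outside the assignable range 0x100-0xffffffff")
    if sa["sa_mode"] not in SA_MODES:
        problems.append(f"sa_mode must be one of {SA_MODES}")
    enc, integ = sa["encryption_algorithm"], sa["integrity_algorithm"]
    if enc not in ENCRYPTION_KEY_BYTES:
        problems.append(f"unsupported encryption algorithm {enc!r}")
    elif enc == "null":
        if sa.get("encryption_key"):
            problems.append("null encryption takes no key")
    else:
        try:
            key = parse_hex_key(sa["encryption_key"])
            if len(key) != ENCRYPTION_KEY_BYTES[enc]:
                problems.append(f"{enc} needs a {ENCRYPTION_KEY_BYTES[enc]}-byte key, got {len(key)}")
            # RFC 2451 section 2.3: equal subkeys collapse 3DES to single DES
            elif enc == "3des-cbc" and (key[:8] == key[8:16] or key[8:16] == key[16:]):
                problems.append("3des-cbc key has repeated subkeys and degrades to single DES")
        except ValueError as exc:
            problems.append(str(exc))
    if integ not in INTEGRITY_KEY_BYTES:
        problems.append(f"unsupported integrity algorithm {integ!r}")
    else:
        try:
            ikey = parse_hex_key(sa["integrity_key"])
            if len(ikey) != INTEGRITY_KEY_BYTES[integ]:
                problems.append(f"{integ} needs a {INTEGRITY_KEY_BYTES[integ]}-byte key, got {len(ikey)}")
        except ValueError as exc:
            problems.append(str(exc))
    return problems


def build_sa_add_command(sa, conn_options=""):
    """Render the esxcli command line, refusing if validation fails."""
    problems = sa_problems(sa)
    if problems:
        raise ValueError("; ".join(problems))
    args = ["esxcli", *shlex.split(conn_options), "network", "ip", "ipsec", "sa", "add",
            "--sa-source", sa["sa_source"], "--sa-destination", sa["sa_destination"],
            "--sa-spi", sa["sa_spi"], "--sa-mode", sa["sa_mode"],
            "--encryption-algorithm", sa["encryption_algorithm"]]
    if sa["encryption_algorithm"] != "null":
        args += ["--encryption-key", sa["encryption_key"]]
    args += ["--integrity-algorithm", sa["integrity_algorithm"],
             "--integrity-key", sa["integrity_key"], "--sa-name", sa["sa_name"]]
    return " ".join(shlex.quote(a) for a in args)


# Constructed sample SA with throwaway keys; never reuse these on a real host.
EXAMPLE_SA = {
    "sa_source": "fd00:1::a",
    "sa_destination": "fd00:1::b",
    "sa_spi": "0x1000",
    "sa_mode": "transport",
    "encryption_algorithm": "aes128-cbc",
    "encryption_key": "0x" + "0123456789abcdef" * 2,
    "integrity_algorithm": "hmac-sha2-256",
    "integrity_key": "0x" + "00112233445566778899aabbccddeeff" * 2,
    "sa_name": "sa-mgmt",
}

if __name__ == "__main__":
    print(build_sa_add_command(EXAMPLE_SA, "--server esxi01.example.com --username root"))
```

Run the script on a workstation that has vCLI installed, then paste or pipe the rendered command; keys are passed on the command line here exactly as in VMware's documented usage, so run it from a shell whose history is disabled or clear the history afterwards.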