Managing Security Associations

You can specify a security association (SA) and request that the VMkernel use that SA. The following options for SA setup are supported.
| vicfg-ipsec Option | esxcli Option | Description |
|---|---|---|
| `sa-src <source_IP>` | `sa-source <source_IP>` | Source IP for the SA. |
| `sa-dst <destination_IP>` | `sa-destination <destination_IP>` | Destination IP for the SA. |
| `spi` | `sa-spi` | Security Parameter Index (SPI) for the SA. Must be a hexadecimal number with a 0x prefix. When IPsec is in use, ESXi uses the ESP protocol (RFC 4303), which carries the authentication and encryption information and the SPI. The SPI identifies the SA to use at the receiving host. Each SA you create must have a unique combination of source, destination, protocol, and SPI. |
| `sa-mode [tunnel \| transport]` | `sa-mode [tunnel \| transport]` | Either tunnel or transport. In tunnel mode, the original packet is encapsulated in another IPv6 packet whose source and destination addresses are the SA endpoint addresses. |
| `ealgo [null \| 3des-cbc \| aes128-cbc]` | `encryption-algorithm [null \| 3des-cbc \| aes128-cbc]` | Encryption algorithm to be used. Choose `3des-cbc` or `aes128-cbc`, or `null` for no encryption. `3des-cbc` is a legacy cipher; prefer `aes128-cbc` for new SAs. |
| `ekey <key>` | `encryption-key <key>` | Encryption key to be used by the encryption algorithm. A series of hexadecimal digits with a 0x prefix or an ASCII string. |
| `ialgo [hmac-sha1 \| hmac-sha2-256]` | `integrity-algorithm [hmac-sha1 \| hmac-sha2-256]` | Authentication algorithm to be used. Choose `hmac-sha1` or `hmac-sha2-256`; prefer `hmac-sha2-256` for new SAs. |
| `ikey <key>` | `integrity-key <key>` | Authentication key to be used. A series of hexadecimal digits or an ASCII string. |
You can perform these main tasks with SAs.

- Create an SA. You specify the source, the destination, and the mode (tunnel or transport). You also specify the authentication algorithm and authentication key to use. You must specify an encryption algorithm and key, but you can specify `null` if you want no encryption. Authentication is required and cannot be `null`. The following example includes extra line breaks for readability. The last option, `sa_2` in the example, is the name of the SA.

  ```
  esxcli network ip ipsec sa add --sa-source 2001:DB8:1::121 \
      --sa-destination 2001:DB8:1::122 --sa-mode transport --sa-spi 0x1000 \
      --encryption-algorithm 3des-cbc \
      --encryption-key 0x6970763672656164796c6f676f336465736362636f757432 \
      --integrity-algorithm hmac-sha1 \
      --integrity-key 0x6970763672656164796c6f67736861316f757432 \
      --sa-name sa_2
  ```

  The keys in this example are published documentation values. Generate your own random keys of the length the chosen algorithm requires and never reuse these.
- List SAs by using `esxcli network ip ipsec sa list`. This command returns the SAs currently available for use by a security policy (SP). The list includes SAs you created.
- Remove a single SA by using `esxcli network ip ipsec sa remove`. If the SA is in use when you run this command, the command cannot perform the removal.
- Remove all SAs by using `esxcli network ip ipsec sa remove --removeall`. This option removes all SAs even when they are in use. Running `esxcli network ip ipsec sa remove --removeall` removes all SAs on your system and might leave your system in an inconsistent state.
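The checks the table implies (0x-prefixed SPI, non-null integrity, a key that matches its algorithm, a unique source/destination/SPI tuple) are easy to get wrong by hand. The following POSIX sh wrapper is an added example, not part of the vSphere documentation or of ESXi's tooling: it validates an SA specification and prints the `esxcli network ip ipsec sa add` command line instead of running it, so the command can be reviewed before it touches the host. The expected key sizes (24 bytes for `3des-cbc`, 16 for `aes128-cbc`, 20 for `hmac-sha1`, 32 for `hmac-sha2-256`) are the standard sizes for those algorithms and are an assumption here; the page does not state what ESXi enforces. `EXISTING_SAS` is a constructed sample, not real `sa list` output.

```shell
#!/bin/sh
# Added example: validate SA parameters before handing them to esxcli.
# Not part of the vSphere documentation or ESXi. Expected key sizes are
# the standard ones (assumption): 3des-cbc 24 bytes, aes128-cbc 16,
# hmac-sha1 20, hmac-sha2-256 32.

# is_hex STR -> 0 if STR is a hexadecimal number with a 0x prefix.
is_hex() {
    case "$1" in 0x*) ;; *) return 1 ;; esac
    case "${1#0x}" in ''|*[!0-9a-fA-F]*) return 1 ;; esac
    return 0
}

# hexlen STR -> prints the byte length of a 0x-prefixed hex key;
# fails on non-hex input or an odd number of digits.
hexlen() {
    is_hex "$1" || return 1
    d=${1#0x}
    [ $(( ${#d} % 2 )) -eq 0 ] || return 1
    echo $(( ${#d} / 2 ))
}

# key_bytes ALGO -> expected key length in bytes (assumed standard sizes;
# null needs no key). Only the algorithms the page lists are accepted.
key_bytes() {
    case "$1" in
        null)          echo 0 ;;
        3des-cbc)      echo 24 ;;
        aes128-cbc)    echo 16 ;;
        hmac-sha1)     echo 20 ;;
        hmac-sha2-256) echo 32 ;;
        *)             return 1 ;;
    esac
}

# check_key ALGO KEY -> 0 if KEY fits ALGO. Hex keys are length-checked;
# ASCII keys are allowed by the page and are passed through unchecked.
check_key() {
    want=$(key_bytes "$1") || { echo "unknown algorithm: $1" >&2; return 1; }
    if [ "$1" = null ]; then return 0; fi
    case "$2" in
        0x*)
            got=$(hexlen "$2") || { echo "malformed hex key for $1" >&2; return 1; }
            [ "$got" -eq "$want" ] || { echo "$1 needs a $want-byte key, got $got bytes" >&2; return 1; }
            ;;
    esac
    return 0
}

# Constructed sample of SAs already on the host, one "source destination spi"
# per line (not real 'esxcli network ip ipsec sa list' output).
EXISTING_SAS='2001:DB8:1::121 2001:DB8:1::122 0x1000
2001:DB8:1::121 2001:DB8:1::123 0x1001'

# sa_conflicts SRC DST SPI -> 0 if that source/destination/SPI tuple is
# already taken. The protocol is always ESP here, so it is not part of the key.
sa_conflicts() {
    printf '%s\n' "$EXISTING_SAS" | grep -qxF "$1 $2 $3"
}

# sa_add_cmd NAME SRC DST MODE SPI EALGO EKEY IALGO IKEY
# Prints the 'esxcli network ip ipsec sa add' command line after checking:
# mode is tunnel or transport, SPI is 0x-prefixed hex, the integrity
# algorithm is not null, and each hex key has the length its algorithm needs.
sa_add_cmd() {
    name=$1 src=$2 dst=$3 mode=$4 spi=$5 ealgo=$6 ekey=$7 ialgo=$8 ikey=$9
    case "$mode" in
        tunnel|transport) ;;
        *) echo "sa-mode must be tunnel or transport: $mode" >&2; return 1 ;;
    esac
    is_hex "$spi" || { echo "sa-spi must be a 0x-prefixed hex number: $spi" >&2; return 1; }
    [ "$ialgo" != null ] || { echo "integrity-algorithm cannot be null" >&2; return 1; }
    check_key "$ealgo" "$ekey" || return 1
    check_key "$ialgo" "$ikey" || return 1
    printf 'esxcli network ip ipsec sa add --sa-source %s --sa-destination %s --sa-mode %s --sa-spi %s --encryption-algorithm %s --encryption-key %s --integrity-algorithm %s --integrity-key %s --sa-name %s\n' \
        "$src" "$dst" "$mode" "$spi" "$ealgo" "$ekey" "$ialgo" "$ikey" "$name"
}
```

Source the file and call `sa_add_cmd sa_2 2001:DB8:1::121 2001:DB8:1::122 transport 0x1000 3des-cbc 0x... hmac-sha1 0x...` to reproduce the page's example command; call `sa_conflicts` with the same source, destination and SPI first to catch a tuple that already exists. Passing the 24-byte 3DES key with `aes128-cbc`, or `null` as the integrity algorithm, is refused before anything reaches esxcli.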