VMware vSphere SDKs and Tools 6.7

8.0 7.0 6.7 6.5

Managing Security Policies

After you have created one or more SAs, you can add security policies (SPs) to your
hosts. While the SA specifies the authentication and encryption parameters to use, the SP identifies and selects traffic.
The following options for SP management are supported.
vicfg-ipsec Option
esxcli Option
Description
sp-src <ip>/<p_len>
sp-source <ip>/<p_len>
Source IP address and prefix length.
sp-dst <ip>/<p_len>
sp-destination <ip>/<p_len>
Destination IP address and prefix length.
src-port <port>
source-port <port>
Source port (0-65535). Specify
any
 for any ports.
dst-port <port>
destination-port <port>
Destination port (0-65535). Specify
any
 for any ports. If
ulproto
 is
icmp6
, this number refers to the icmp6 type. Otherwise, this number refers to the port.
ulproto [any | tcp | udp | icmp6]
upper-layer-protocol [any | tcp | udp | icmp6]
Upper layer protocol. Use this option to restrict the SP to only certain protocols, or use any to apply the SP to all protocols.
dir [in | out]
flow-direction [in | out]
Direction in which you want to monitor the traffic. To monitor traffic in both directions, create two policies.
action [none | discard | ipsec]
action [none | discard | ipsec]
Action to take when traffic with the specified parameters is encountered.
  • none
     - Take no action, that is, allow traffic unmodified.
  • discard
     - Do not allow data in or out.
  • ipsec
     - Use the authentication and encryption information specified in the SA to determine whether the data come from a trusted source.
sp-mode [tunnel | transport]
sp-mode [tunnel | transport]
Mode, either
tunnel
 or
transport
.
sa-name
sa-name
Name of the SA to use by this SP.
You can perform the following main tasks with SPs.
  • Create an SP by using
    esxcli network ip ipsec add
    . You identify the data to monitor by specifying the selector’s source and destination IP address and prefix, source port and destination port, upper layer protocol, direction of traffic, action to take, and SP mode. The last two option are the name of the SA to use and the name of the SP that is being created. The following example includes extra line breaks for readability. 
    esxcli network ip ipsec add
   --sp-source=2001:0DB8:0001:/48
   --sp-destination=2001:0DB8:0002:/48
   --source-port=23
   --destination-port=25
   --upper-layer-protocol=tcp
   --flow-direction=out
   --action=ipsec
   --sp-mode=transport
   --sp-name sp_2
  • List an SP by using
    esxcli network ip ipsec list
    . This command returns SPs currently available. All SPs are created by the administrator.
  • Remove an SP by using
    esxcli network ip ipsec remove
    . If the SP is in use when you run this command, the command cannot perform the removal. You can run
    esxcli network ip ipsec remove --removeall
     instead to remove the SP even when it is in use.
    Running
    esxcli network ip ipsec remove --removeall
     removes all SPs on your system and might leave your system in an inconsistent state.

Content feedback and comments