Using IPsec with ESXi

When you set up IPsec on an ESXi host, you enable protection of incoming or outgoing data. What happens precisely depends on how you set up the system's Security Associations (SAs) and Security Policies (SPs).
- An SA determines how the system protects traffic. When you create an SA, you specify the source and destination, authentication, and encryption parameters, and an identifier for the SA with the following options.

  | vicfg-ipsec | esxcli network ip ipsec |
  |---|---|
  | sa-src and sa-dst | --sa-source and --sa-destination |
  | spi (security parameter index) | --sa-spi |
  | sa-mode (tunnel or transport) | --sa-mode |
  | ealgo and ekey | --encryption-algorithm and --encryption-key |
  | ialgo and ikey | --integrity-algorithm and --integrity-key |

- An SP identifies and selects traffic that must be protected. An SP consists of two logical sections, a selector and an action. The selector is specified by the following options.

  | vicfg-ipsec | esxcli network ip ipsec |
  |---|---|
  | src-addr and src-port | --sa-source and --source-port |
  | dst-addr and dst-port | --destination-port |
  | ulproto | --upper-layer-protocol |
  | direction (in or out) | --flow-direction |

  The action is specified by the following options.

  | vicfg-ipsec | esxcli network ip ipsec |
  |---|---|
  | sa-name | --sa-name |
  | sp-name | --sp-name |
  | action (none, discard, ipsec) | --action |
Because IPsec allows you to target precisely which traffic should be encrypted, it is well suited for securing your vSphere environment. For example, you can set up the environment so all vMotion traffic is encrypted.
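The vMotion case described above, carried through with the esxcli options from the tables, as an added example that is not part of the VMware documentation. It assembles the `sa add` and `sp add` commands for one SA per direction and one SP per direction between two vMotion vmkernel addresses, validates the parameters first, and prints the commands for review unless `APPLY=1` is set on the host. Everything below is assumed or constructed: the addresses, SPI values and keys are sample values (the keys are placeholders, not keys to reuse); the algorithm names `aes128-cbc` and `hmac-sha1` and the `--source-address` / `--destination-address` selector options are assumed from the esxcli syntax and are not listed on this page; and the IPv6 check reflects the assumption that the ESXi IPsec implementation protects IPv6 traffic only, which you should confirm for your release.

```shell
#!/bin/sh
# Added example (not VMware's code): build and optionally apply the esxcli
# commands that place all traffic between two ESXi vMotion vmkernel addresses
# under IPsec. Dry run by default; APPLY=1 executes on the ESXi host.

# Constructed sample values. The keys are illustration-only placeholders:
# generate real ones with a CSPRNG on the host (e.g. openssl rand -hex 16).
LOCAL_VMOTION="fd00:10:1::11"   # this host's vMotion address (IPv6 assumed)
PEER_VMOTION="fd00:10:1::12"    # the peer host's vMotion address
SPI_OUT="0x1001"                # SPI for traffic from this host to the peer
SPI_IN="0x1002"                 # SPI for traffic from the peer to this host
EKEY_OUT="0x000102030405060708090a0b0c0d0e0f"          # 16 bytes: aes128-cbc
IKEY_OUT="0x000102030405060708090a0b0c0d0e0f10111213"  # 20 bytes: hmac-sha1
EKEY_IN="0x0f0e0d0c0b0a09080706050403020100"           # distinct key per SA
IKEY_IN="0x131211100f0e0d0c0b0a09080706050403020100"

# Print the length in bytes of a 0x-prefixed hex key; fail if it is not hex.
hex_key_bytes() {
    hex=${1#0x}
    case "$hex" in
        ''|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ $(( ${#hex} % 2 )) -eq 0 ] || return 1
    echo $(( ${#hex} / 2 ))
}

# Assumed limitation: ESXi IPsec covers IPv6 only, so reject IPv4 literals.
is_ipv6() {
    case "$1" in
        *:*) return 0 ;;
        *)   return 1 ;;
    esac
}

# SA command: endpoints, SPI, mode, and the cipher/MAC parameters.
sa_add_cmd() {
    # $1 sa-name  $2 src  $3 dst  $4 spi  $5 ekey  $6 ikey
    printf 'esxcli network ip ipsec sa add --sa-name %s --sa-source %s --sa-destination %s --sa-spi %s --sa-mode transport --encryption-algorithm aes128-cbc --encryption-key %s --integrity-algorithm hmac-sha1 --integrity-key %s\n' \
        "$1" "$2" "$3" "$4" "$5" "$6"
}

# SP command: the selector (addresses, protocol, direction) and the action.
sp_add_cmd() {
    # $1 sp-name  $2 sa-name  $3 src  $4 dst  $5 direction (in|out)
    printf 'esxcli network ip ipsec sp add --sp-name %s --sa-name %s --source-address %s --destination-address %s --upper-layer-protocol any --flow-direction %s --action ipsec\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# Sanity-check the parameters before anything is applied; 0 when sane.
validate_params() {
    is_ipv6 "$LOCAL_VMOTION" && is_ipv6 "$PEER_VMOTION" || return 1
    for k in "$EKEY_OUT" "$EKEY_IN"; do
        [ "$(hex_key_bytes "$k")" = 16 ] || return 1   # aes128-cbc key size
    done
    for k in "$IKEY_OUT" "$IKEY_IN"; do
        [ "$(hex_key_bytes "$k")" = 20 ] || return 1   # hmac-sha1 key size
    done
    [ "$SPI_OUT" != "$SPI_IN" ] || return 1            # one SPI per direction
}

# Emit the commands in order (SAs first, then the SPs that reference them,
# then the list commands used to verify); with APPLY=1 execute them instead.
apply_vmotion_ipsec() {
    validate_params || { echo "parameter validation failed" >&2; return 1; }
    for cmd in \
        "$(sa_add_cmd vmotion-out "$LOCAL_VMOTION" "$PEER_VMOTION" "$SPI_OUT" "$EKEY_OUT" "$IKEY_OUT")" \
        "$(sa_add_cmd vmotion-in "$PEER_VMOTION" "$LOCAL_VMOTION" "$SPI_IN" "$EKEY_IN" "$IKEY_IN")" \
        "$(sp_add_cmd vmotion-out-sp vmotion-out "$LOCAL_VMOTION" "$PEER_VMOTION" out)" \
        "$(sp_add_cmd vmotion-in-sp vmotion-in "$PEER_VMOTION" "$LOCAL_VMOTION" in)" \
        "esxcli network ip ipsec sa list" \
        "esxcli network ip ipsec sp list"
    do
        if [ "${APPLY:-0}" = 1 ]; then eval "$cmd"; else echo "$cmd"; fi
    done
}

apply_vmotion_ipsec
```

The peer host needs the mirror image of this configuration (its own addresses swapped, the same SPI and key for each direction), or traffic selected by the SPs is dropped rather than delivered in the clear. Keeping the SPs keyed on the vmkernel addresses with `--upper-layer-protocol any` is what makes "all vMotion traffic" hold: every flow between those two addresses, in both directions, is covered.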