Using IPsec with

When you set up IPsec on a host, you enable protection of incoming or outgoing data. What happens precisely depends on how you set up the system's Security Associations (SAs) and Security Policies (SPs).
  • An SA determines how the system protects traffic. When you create an SA, you specify the source and destination, authentication, and encryption parameters, and an identifier for the SA with the following options.

    vicfg-ipsec                       esxcli network ip ipsec
    sa-src and sa-dst                 --sa-source and --sa-destination
    spi (security parameter index)    --sa-spi
    sa-mode (tunnel or transport)     --sa-mode
    ealgo and ekey                    --encryption-algorithm and --encryption-key
    ialgo and ikey                    --integrity-algorithm and --integrity-key
  • An SP identifies and selects traffic that must be protected. An SP consists of two logical sections, a selector and an action.

    The selector is specified by the following options.

    vicfg-ipsec                       esxcli network ip ipsec
    src-addr and src-port             --sa-source and --source-port
    dst-addr and dst-port             --destination-port
    ulproto                           --upper-layer-protocol
    direction (in or out)             --flow-direction

    The action is specified by the following options.

    vicfg-ipsec                       esxcli network ip ipsec
    sa-name                           --sa-name
    sp-name                           --sp-name
    action (none, discard, ipsec)     --action
Because IPsec allows you to target precisely which traffic should be encrypted, it is well suited for securing your vSphere environment. For example, you can set up the environment so all vMotion traffic is encrypted.
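As an added example (not code from the vSphere documentation), the following POSIX shell script builds the esxcli commands for the vMotion case just described: one SA per direction and one SP per direction on the local host, with the option checks a practitioner would want before pasting keys into a command line. It assumes the subcommands sa add and sp add, the selector options --source-address and --destination-address, port 0 and protocol any as "match all", and the algorithm names aes128-cbc and hmac-sha2-256; addresses and keys are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the vSphere documentation: build the esxcli commands that
# protect all traffic between two dedicated vMotion addresses with IPsec. Each
# direction gets its own SA (own SPI and keys) and an SP binding the selector to
# it. ESXi IPsec is IPv6-only, so endpoints are checked for that. The commands are
# printed, not executed; review them, then run them on the ESXi host.
ESXCLI="${ESXCLI:-esxcli}"

is_ipv6()    { case "$1" in *:*) ;; *) return 1 ;; esac; }
is_hex_key() { printf '%s' "$1" | grep -Eq '^0x([0-9a-fA-F]{2})+$'; }   # whole bytes only

# sa_cmd NAME SRC DST SPI EALGO EKEY IALGO IKEY  ->  one 'sa add' command line
sa_cmd() {
  is_ipv6 "$2" && is_ipv6 "$3" || { echo "sa_cmd: endpoints must be IPv6" >&2; return 1; }
  is_hex_key "$6" && is_hex_key "$8" || { echo "sa_cmd: keys must be 0x-prefixed hex" >&2; return 1; }
  printf '%s network ip ipsec sa add --sa-name %s --sa-source %s --sa-destination %s' "$ESXCLI" "$1" "$2" "$3"
  printf ' --sa-spi %s --sa-mode transport --encryption-algorithm %s --encryption-key %s' "$4" "$5" "$6"
  printf ' --integrity-algorithm %s --integrity-key %s\n' "$7" "$8"
}

# sp_cmd NAME SA_NAME SRC DST DIRECTION  ->  one 'sp add' command line
# Assumed: --source-address/--destination-address are the selector address options,
# and port 0 with protocol 'any' matches everything between SRC and DST.
sp_cmd() {
  case "$5" in in|out) ;; *) echo "sp_cmd: direction must be in or out" >&2; return 1 ;; esac
  printf '%s network ip ipsec sp add --sp-name %s --sa-name %s' "$ESXCLI" "$1" "$2"
  printf ' --source-address %s --source-port 0 --destination-address %s --destination-port 0' "$3" "$4"
  printf ' --upper-layer-protocol any --flow-direction %s --action ipsec\n' "$5"
}

# vmotion_ipsec LOCAL REMOTE  ->  the four commands for the LOCAL host. The remote
# host needs the same two SAs (same SPIs and keys) and the mirrored SPs.
vmotion_ipsec() {
  # Constructed placeholder keys (16-byte AES-128, 32-byte HMAC-SHA-256); on a real
  # host generate each with a CSPRNG and never reuse a key across directions.
  ek_out=0x000102030405060708090a0b0c0d0e0f
  ik_out=0x000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
  ek_in=0x0f0e0d0c0b0a09080706050403020100
  ik_in=0x1f1e1d1c1b1a191817161514131211100f0e0d0c0b0a09080706050403020100
  sa_cmd sa_out "$1" "$2" 0x1001 aes128-cbc "$ek_out" hmac-sha2-256 "$ik_out" &&
  sa_cmd sa_in  "$2" "$1" 0x1002 aes128-cbc "$ek_in"  hmac-sha2-256 "$ik_in"  &&
  sp_cmd sp_out sa_out "$1" "$2" out &&
  sp_cmd sp_in  sa_in  "$2" "$1" in
}

vmotion_ipsec 2001:db8:1::a 2001:db8:1::b
```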