VMware vSphere SDKs and Tools 7.0

8.0 7.0 6.7 6.5

Managing Security Associations

You can specify an SA and request that the VMkernel use that SA.
The following options for SA setup are supported.
esxcli Option
Description
sa-source <source_IP>
Source IP for the SA.
sa-destination <destination_IP>
Destination IP for the SA.
sa-spi
Security Parameter Index (SPI) for the SA. Must be a hexadecimal number with a 0x prefix.
When IPsec is in use,
ESXi
 uses the ESP protocol (RFC 43030), which includes authentication and encryption information and the SPI. The SPI identifies the SA to use at the receiving host. Each SA you create must have a unique combination of source, destination, protocol, and SPI.
sa-mode [tunnel | transport]
Either tunnel or transport.
In tunnel mode, the original packet is encapsulated in another IPv6 packet, where source and destination addresses are the SA endpoint addresses.
encryption-algorithm [null | 3des-cbc | aes128-cbc]
Encryption algorithm to be used. Choose
3des-cbc
 or
aes128-cbc
, or
null
 for no encryption.
encryption-key <key>
Encryption key to be used by the encryption algorithm. A series of hexadecimal digits with a 0x prefix or an ASCII string.
integrity-algorithm [hmac-sha1 | hmac-sha2-256 ]
Authentication algorithm to be used. Choose
hmac-sha1
 or
hmac-sha2-256
.
integrity-key
Authentication key to be used. A series of hexadecimal digits or an ASCII string.
You can perform these main tasks with SAs.
  • Create an SA. You specify the source, the destination, and the authentication mode. You also specify the authentication algorithm and authentication key to use. You must specify an encryption algorithm and key, but you can specify
    null
     if you want no encryption. Authentication is required and cannot be
    null
    . The following example includes extra line breaks for readability. The last option,
    sa_2
     in the example, is the name of the SA. 
    esxcli network ip ipsec sa add
            --sa-source 2001:DB8:1::121
            --sa-destination 2001:DB8:1::122
            --sa-mode transport
            --sa-spi 0x1000
            --encryption-algorithm 3des-cbc
            --encryption-key 0x6970763672656164796c6f676f336465736362636f757432
            --integrity-algorithm hmac-sha1
            --integrity-key 0x6970763672656164796c6f67736861316f757432
            --sa-name sa_2
  • List an SA by using
    esxcli network ip ipsec sa list
    . This command returns SAs currently available for use by an SP. The list includes SAs you created.
  • Remove a single SA by using
    esxcli network ip ipsec sa remove
    . If the SA is in use when you run this command, the command cannot perform the removal.
  • Remove all SAs by using
    esxcli network ip ipsec sa remove --removeall
    . This option removes all SAs even when they are in use.
    Running
    esxcli network ip ipsec sa remove --removeall
     removes all SAs on your system and might leave your system in an inconsistent state.

Content feedback and comments