Add a security association to specify encryption parameters for associated IP traffic.

You can add a security association using the vSphere CLI. For information on using the vSphere CLI, see the vSphere Command-Line Interface Installation and Scripting Guide and the vSphere Command-Line Interface Reference.

1. Use the command esxcfg-ipsec --add-sa.

2. Specify the source address using --sa-src source address.

3. Specify the destination address using --sa-dst destination address.

4. Choose the mode, either transport or tunnel, using --sa-mode mode.

5. Provide the security parameter index using --spi security parameter index.

   The security parameter index identifies the security association to the host. It must be a hexadecimal value with a 0x prefix. Each security association you create must have a unique combination of protocol and security parameter index.

6. Choose the encryption algorithm using --ealgo encryption algorithm.

   - 3des-cbc
   - aes128-cbc
   - null (provides no encryption)

7. Provide the encryption key using --ekey encryption key.

   You can enter keys as ASCII text or as a hexadecimal value with a 0x prefix.

8. Choose the authentication algorithm, hmac-sha1 or hmac-sha2-256, using --ialgo authentication algorithm.

9. Provide the authentication key using --ikey authentication key.

   You can enter keys as ASCII text or as a hexadecimal value with a 0x prefix.

10. Provide a name for the security association using name.

The following example contains extra line breaks for readability.

esxcfg-ipsec --add-sa 
--sa-src 3ffe:501:ffff:0::a 
--sa-dst 3ffe:501:ffff:0001:0000:0000:0000:0001
--sa-mode transport
--spi 0x1000
--ealgo 3des-cbc
--ekey 0x6970763672656164796c6f676f336465736362636f757432
--ialgo hmac-sha1
--ikey 0x6970763672656164796c6f67736861316f757432
sa1
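
The constraints in the steps above (mode of transport or tunnel, a 0x-prefixed hexadecimal SPI, the listed algorithms) can be checked before the command is run, and keys can be generated randomly instead of typed as ASCII text. The script below is an added example, not part of the original VMware documentation. Its function names are hypothetical, the key sizes are the algorithms' standard lengths rather than values stated on this page, and accepting only hexadecimal keys and refusing null are choices of this example.

```shell
#!/bin/sh
# Added example (not VMware code): validate SA parameters before building
# the esxcfg-ipsec command line. Key sizes are the algorithms' standard
# lengths, an assumption the page's 24- and 20-byte sample keys agree with.

key_bytes() {  # required key length in bytes for an algorithm from the page
  case "$1" in
    3des-cbc) echo 24 ;; aes128-cbc) echo 16 ;;
    hmac-sha1) echo 20 ;; hmac-sha2-256) echo 32 ;;
    *) return 1 ;;     # includes "null", which provides no encryption
  esac
}

gen_key() {  # random 0x-prefixed hex key of the right size for algorithm $1
  n=$(key_bytes "$1") || return 1
  printf '0x%s\n' "$(od -An -tx1 -N "$n" /dev/urandom | tr -d ' \n')"
}

is_hex() {  # succeed if $1 is 0x followed by one or more hex digits
  hex=${1#0x}
  [ "$hex" != "$1" ] && [ -n "$hex" ] || return 1
  case "$hex" in *[!0-9a-fA-F]*) return 1 ;; esac
}

valid_key() {  # succeed if $2 is a hex key of exactly the size $1 needs
  n=$(key_bytes "$1") && is_hex "$2" && [ "${#hex}" -eq $((n * 2)) ]
}

build_add_sa() {  # args: src dst mode spi ealgo ekey ialgo ikey name
  [ $# -eq 9 ] || { echo "expected 9 arguments" >&2; return 2; }
  case "$3" in transport|tunnel) ;; *) echo "bad mode: $3" >&2; return 1 ;; esac
  is_hex "$4" || { echo "SPI must be hex with 0x prefix" >&2; return 1; }
  case "$5" in 3des-cbc|aes128-cbc) ;; *) echo "bad ealgo: $5" >&2; return 1 ;; esac
  case "$7" in hmac-sha1|hmac-sha2-256) ;; *) echo "bad ialgo: $7" >&2; return 1 ;; esac
  valid_key "$5" "$6" || { echo "ekey: wrong format or size for $5" >&2; return 1; }
  valid_key "$7" "$8" || { echo "ikey: wrong format or size for $7" >&2; return 1; }
  printf 'esxcfg-ipsec --add-sa --sa-src %s --sa-dst %s --sa-mode %s --spi %s' "$1" "$2" "$3" "$4"
  printf ' --ealgo %s --ekey %s --ialgo %s --ikey %s %s\n' "$5" "$6" "$7" "$8" "$9"
}

# Demo with the page's addresses and SPI, but freshly generated keys.
build_add_sa 3ffe:501:ffff:0::a 3ffe:501:ffff:0001:0000:0000:0000:0001 \
  transport 0x1000 aes128-cbc "$(gen_key aes128-cbc)" \
  hmac-sha2-256 "$(gen_key hmac-sha2-256)" sa1
```

The printed line contains both keys, and command-line arguments can end up in shell history and process listings, so handle it as secret material.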