Create a security policy to determine when to use the authentication and encryption parameters set in a security association.

You can add a security policy using the vSphere CLI. For information on using the vSphere CLI, see the vSphere Command-Line Interface Installation and Scripting Guide and the vSphere Command-Line Interface Reference.

Before creating a security policy, add a security association (esxcfg-ipsec --add-sa) with the appropriate authentication and encryption parameters; the policy refers to that association by name.

1. Use the command esxcfg-ipsec --add-sp.

2. Specify the source IP address and prefix length using --sp-src source address.

3. Specify the destination IP address and prefix length using --sp-dst destination address.

4. Specify the source port using --src-port port.

The source port must be a number between 0 and 65535.

5. Specify the destination port using --dst-port port.

The destination port must be a number between 0 and 65535.

6. Choose the upper layer protocol using --ulproto protocol. The value must be one of the following:

tcp

udp

icmp6

any

7. Choose the direction of the traffic to which the policy applies, in or out, using --dir direction.

A security policy covers one direction only. To protect both halves of a connection, add a second policy with the source and destination addresses and ports swapped and the opposite direction, bound to the security association for that direction.

8. Specify the action to take when traffic matching the selector is encountered using --action action.

Option    Description
none      Take no action; matching traffic passes without IPsec processing.
discard   Drop matching traffic; do not allow the data in or out.
ipsec     Apply IPsec to matching traffic, using the authentication and encryption parameters of the security association named with --sa-name to determine whether the data comes from a trusted source.

9. Choose the mode, either tunnel or transport, using --sp-mode mode.

10. Specify the security association for this security policy to use with --sa-name security association name. The security association must already exist.

11. End the command with the name of the new security policy. The name is a positional argument with no option flag (sp1 in the example below).
The following example includes extra line breaks for readability.

esxcfg-ipsec --add-sp
--sp-src 2001:db8:1::/64
--sp-dst 2002:db8:1::/64
--src-port 23
--dst-port 25
--ulproto tcp
--dir out
--action ipsec
--sp-mode transport
--sa-name sa1
sp1
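The following script is added here as an example; it is not part of VMware's documentation or of the esxcfg-ipsec tool. It wraps the procedure above: it checks each parameter against the rules in steps 2 to 11 before the command is run, and it installs the mirror-image policy for the opposite direction as well, because a security policy covers one direction only. Everything it assumes is its own: an ESXCFG_IPSEC variable naming the command to run (set it to echo to preview the command lines on a machine without esxcfg-ipsec), security associations that were created beforehand with esxcfg-ipsec --add-sa, policy names with the script's -out and -in suffixes, and a source port of 0 in the usage line (the page only states the 0 to 65535 range; whether 0 acts as a wildcard is not stated there).

```shell
#!/bin/sh
# Added example, not code from VMware or from esxcfg-ipsec itself. It checks
# the --add-sp parameters against the rules in the procedure above before the
# command runs, then installs the policy for each direction of a connection.
#
# Assumptions (not from the original page):
#   ESXCFG_IPSEC  command to run; defaults to esxcfg-ipsec, set it to "echo"
#                 to preview the command lines on a host without the tool.
#   The security associations passed in already exist (esxcfg-ipsec --add-sa).
#   Policy names get the script's own -out and -in suffixes.
ESXCFG_IPSEC="${ESXCFG_IPSEC:-esxcfg-ipsec}"

# in_set VALUE ALLOWED... : succeed if VALUE is one of ALLOWED
in_set() {
    needle=$1; shift
    for candidate in "$@"; do
        [ "$candidate" = "$needle" ] && return 0
    done
    return 1
}

# is_port VALUE : succeed if VALUE is an integer in 0..65535
is_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -le 65535 ]
}

# is_selector VALUE : require the address/prefix-length form; the address
# syntax itself is left for esxcfg-ipsec to check.
is_selector() {
    case $1 in
        ?*/*) return 0 ;;
        *)    return 1 ;;
    esac
}

# build_add_sp SRC DST SPORT DPORT ULPROTO DIR ACTION MODE SA NAME
# Prints the argument list for one esxcfg-ipsec --add-sp call, or reports the
# first violated rule on stderr and returns 1.
build_add_sp() {
    src=$1 dst=$2 sport=$3 dport=$4 ulproto=$5 dir=$6 action=$7 mode=$8 sa=$9 name=${10}
    is_selector "$src" || { echo "--sp-src '$src' must be address/prefix" >&2; return 1; }
    is_selector "$dst" || { echo "--sp-dst '$dst' must be address/prefix" >&2; return 1; }
    is_port "$sport"   || { echo "--src-port '$sport' must be 0-65535" >&2; return 1; }
    is_port "$dport"   || { echo "--dst-port '$dport' must be 0-65535" >&2; return 1; }
    in_set "$ulproto" tcp udp icmp6 any || { echo "--ulproto '$ulproto' not allowed" >&2; return 1; }
    in_set "$dir" in out                || { echo "--dir '$dir' must be in or out" >&2; return 1; }
    in_set "$action" none discard ipsec || { echo "--action '$action' not allowed" >&2; return 1; }
    in_set "$mode" tunnel transport     || { echo "--sp-mode '$mode' must be tunnel or transport" >&2; return 1; }
    [ -n "$sa" ] && [ -n "$name" ]      || { echo "--sa-name and the policy name are required" >&2; return 1; }
    printf '%s --sp-src %s --sp-dst %s --src-port %s --dst-port %s --ulproto %s --dir %s --action %s --sp-mode %s --sa-name %s %s\n' \
        --add-sp "$src" "$dst" "$sport" "$dport" "$ulproto" "$dir" "$action" "$mode" "$sa" "$name"
}

# add_sp_pair SRC DST SPORT DPORT ULPROTO ACTION MODE OUT_SA IN_SA NAME
# Installs NAME-out for traffic from SRC to DST and the mirror-image NAME-in
# (addresses and ports swapped) for the replies, each bound to its own SA.
add_sp_pair() {
    p_src=$1 p_dst=$2 p_sport=$3 p_dport=$4 p_proto=$5 p_action=$6 p_mode=$7
    out_sa=$8 in_sa=$9 p_name=${10}
    out_args=$(build_add_sp "$p_src" "$p_dst" "$p_sport" "$p_dport" "$p_proto" out "$p_action" "$p_mode" "$out_sa" "$p_name-out") || return 1
    in_args=$(build_add_sp "$p_dst" "$p_src" "$p_dport" "$p_sport" "$p_proto" in "$p_action" "$p_mode" "$in_sa" "$p_name-in") || return 1
    # The argument strings contain no whitespace, so the unquoted expansion
    # is the intended word splitting into separate arguments.
    $ESXCFG_IPSEC $out_args && $ESXCFG_IPSEC $in_args
}
```

A typical call is add_sp_pair 2001:db8:1::/64 2001:db8:2::/64 0 25 tcp ipsec transport sa-out sa-in smtp, which installs smtp-out (host to mail server, --dir out) and smtp-in (replies, --dir in). Run it first with ESXCFG_IPSEC=echo to see the two command lines, then on the host; afterwards list the installed policies with esxcfg-ipsec (the vSphere Command-Line Interface Reference cited above documents the listing option for your release) and confirm that both appear with the expected selectors.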