Using vicfg-ipsec for Secure Networking
You can use vicfg-ipsec to set up Internet Protocol Security (IPsec), which secures IP communications coming from and arriving at ESXi hosts. Administrators who perform IPsec setup must have a solid understanding of both IPv6 and IPsec.
ESXi hosts support IPsec only for IPv6 traffic, not for IPv4 traffic. Any traffic you want protected, including the vMotion example below, must therefore already run over IPv6.
You cannot run vicfg-ipsec with a vCenter Server system as the target (using the --vihost option).
The VMware implementation of IPsec adheres to the following IPv6 RFCs:
Using IPsec with ESXi
When you set up IPsec on an ESXi host, you enable protection of incoming or outgoing data. What happens precisely depends on how you set up the system’s Security Associations (SAs) and Security Policies (SPs). An SA defines how traffic is protected (endpoints, SPI, mode, and the encryption and authentication algorithms and keys); an SP selects which traffic an SA applies to, and in which direction.
The SA is specified by the following options to vicfg-ipsec.
sa-src and sa-dst
spi (security parameter index)
sa-mode (tunnel or transport)
ealgo and ekey
ialgo and ikey
The selector is specified by the following options to vicfg-ipsec.
src-addr and src-port
dst-addr and dst-port
direction (in or out)
The action is specified by the following options to vicfg-ipsec.
action (none, discard, ipsec)
Because IPsec allows you to target precisely which traffic should be encrypted, it is well suited for securing your vSphere environment. For example, you can set up the environment so all vMotion traffic is encrypted.
Managing Security Associations with vicfg-ipsec
You can specify an SA and request that the VMkernel use that SA. The following options for SA setup are supported.
ealgo -- Encryption algorithm to be used. Choose 3des-cbc or aes128-cbc, or null for no encryption. Prefer aes128-cbc for new configurations: 3DES is a 64-bit block cipher and is deprecated for new deployments. null gives integrity protection only (the authentication algorithm still applies), so the traffic is visible on the wire.
You can perform these main tasks with SAs:
Create an SA with vicfg-ipsec --add-sa. You specify the source and destination addresses, the SA mode (tunnel or transport), and the SPI. You also specify the authentication algorithm and authentication key. You must specify an encryption algorithm and key, but you can specify null if you want no encryption. Authentication is required and cannot be null. Keys are raw key material in hexadecimal with a 0x prefix, of the length the algorithm requires (in the example, 24 bytes for 3des-cbc and 20 bytes for hmac-sha1), not passphrases. The following example includes extra line breaks for readability. The last option (sa_2 in the example) is the name of the SA.
vicfg-ipsec --add-sa
            --sa-src 2001:DB8:1::121
            --sa-dst 2001:DB8:1::122
            --sa-mode transport
            --spi 0x1000
            --ealgo 3des-cbc
            --ekey 0x6970763672656164796c6f676f336465736362636f757432
            --ialgo hmac-sha1
            --ikey 0x6970763672656164796c6f67736861316f757432
            sa_2
List an SA with vicfg-ipsec --list-sa. This command returns SAs currently available for use by an SP. The list includes SAs you created using vicfg-ipsec.
Remove a single SA with vicfg-ipsec --remove-sa. If the SA is in use when you run this command, the command cannot perform the removal.
Remove all SAs with vicfg-ipsec --flush-sa. This option removes all SAs even when they are in use.
Caution Running vicfg-ipsec --flush-sa removes all SAs on your system and might leave your system in an inconsistent state.
Managing Security Policies with vicfg-ipsec
After you have created one or more SAs, you can add security policies (SPs) to your ESXi hosts. While the SA specifies the authentication and encryption parameters to use, the SP identifies and selects traffic.
The following options for SP management are supported.
dst-port -- Destination port (0-65535). Specify any for any port. If ulproto is icmp6, this number refers to the icmp6 type. Otherwise, this number refers to the port.
action -- What to do with traffic that matches the selector:
none -- Take no action, that is, allow traffic unmodified.
discard -- Do not allow data in or out.
ipsec -- Protect the traffic with the SA named in the policy: apply its authentication and encryption to matching outbound data, and accept matching inbound data only if it arrived protected under that SA.
sp-mode -- Mode, either tunnel or transport.
You can perform these main tasks with SPs:
Create an SP with vicfg-ipsec --add-sp. You identify the data to monitor by specifying the selector’s source and destination IPv6 prefix, source port and destination port, upper layer protocol, direction of traffic, action to take, and SP mode. The last two options are the name of the SA to use (--sa-name) and the name of the SP that is being created (--sp-name). The SA must already exist; here it is the sa_2 created above. The following example includes extra line breaks for readability.
vicfg-ipsec --add-sp
--sp-src=2001:0DB8:0001::/48
--sp-dst=2001:0DB8:0002::/48
--src-port=23
--dst-port=25
--ulproto=tcp
--dir=out
--action=ipsec
--sp-mode=transport
--sa-name sa_2
--sp-name sp_2
List an SP with vicfg-ipsec --list-sp. This command returns SPs currently available. All SPs are created by the administrator.
Remove an SP with vicfg-ipsec --remove-sp. If the SP is in use when you run this command, the command cannot perform the removal. To remove an SP that is in use you must run vicfg-ipsec --flush-sp, which removes all SPs on the host, not only that one.
Caution Running vicfg-ipsec --flush-sp removes all SPs on your system and might leave your system in an inconsistent state.
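The SA and SP procedures above, as one added shell example that is not VMware's code or documentation: a wrapper that checks the SA parameters (IPv6 endpoints, 0x-prefixed hex keys of the standard size for the named algorithm, non-null authentication) before building vicfg-ipsec --add-sa, then builds the matching vicfg-ipsec --add-sp. The key sizes (24 bytes for 3des-cbc, 16 for aes128-cbc, 20 for hmac-sha1) are the algorithms' standard sizes; that the host requires exactly these, that --ekey is simply omitted for --ealgo null, and that only an ipsec action carries --sa-name are assumptions. vCLI connection options (--server and credentials) are left out. With DRY_RUN=1, the default here, the finished command lines are printed instead of executed, so the script runs without an ESXi host.

```shell
#!/bin/sh
# Added example, not from the vSphere documentation: validate SA/SP parameters,
# then build the vicfg-ipsec command lines. Connection options are omitted.
# DRY_RUN=1 (default) prints the commands instead of running them.
DRY_RUN=${DRY_RUN:-1}

# Standard key sizes in bytes for the algorithms the page names.
# Assumption: the host requires exactly these lengths.
key_bytes_for() {
  case "$1" in
    3des-cbc)   echo 24 ;;
    aes128-cbc) echo 16 ;;
    hmac-sha1)  echo 20 ;;
    null)       echo 0 ;;
    *)          return 1 ;;
  esac
}

# hex_key_ok ALGO KEY: KEY must be 0x-prefixed hex of ALGO's key size
# (raw key bytes, not a passphrase); for null the key must be empty.
hex_key_ok() {
  want=$(key_bytes_for "$1") || return 1
  if [ "$want" -eq 0 ]; then [ -z "$2" ]; return; fi
  case "$2" in 0x*) ;; *) return 1 ;; esac
  hex=${2#0x}
  case "$hex" in ''|*[!0-9a-fA-F]*) return 1 ;; esac
  [ "${#hex}" -eq $((want * 2)) ]
}

# ESXi applies IPsec to IPv6 only: accept only IPv6 literals or prefixes.
is_ipv6() { case "$1" in *:*:*) return 0 ;; *) return 1 ;; esac; }

# run CMD ARGS...: print under DRY_RUN, otherwise execute.
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# add_sa NAME SRC DST MODE SPI EALGO EKEY IALGO IKEY
add_sa() {
  name=$1 ealgo=$6 ekey=$7 ialgo=$8 ikey=$9
  is_ipv6 "$2" && is_ipv6 "$3" || { echo "add_sa: SA endpoints must be IPv6" >&2; return 1; }
  case "$4" in tunnel|transport) ;; *) echo "add_sa: --sa-mode must be tunnel or transport" >&2; return 1 ;; esac
  [ "$ialgo" != null ] || { echo "add_sa: authentication cannot be null" >&2; return 1; }
  hex_key_ok "$ealgo" "$ekey" || { echo "add_sa: bad --ekey for $ealgo" >&2; return 1; }
  hex_key_ok "$ialgo" "$ikey" || { echo "add_sa: bad --ikey for $ialgo" >&2; return 1; }
  set -- --sa-src "$2" --sa-dst "$3" --sa-mode "$4" --spi "$5" --ealgo "$ealgo"
  # Assumption: with --ealgo null no --ekey is passed at all.
  [ "$ealgo" = null ] || set -- "$@" --ekey "$ekey"
  run vicfg-ipsec --add-sa "$@" --ialgo "$ialgo" --ikey "$ikey" "$name"
}

# add_sp NAME SA_NAME SRC_PREFIX DST_PREFIX SRC_PORT DST_PORT ULPROTO DIR ACTION MODE
add_sp() {
  name=$1 sa=$2 action=$9 mode=${10}
  is_ipv6 "$3" && is_ipv6 "$4" || { echo "add_sp: selector addresses must be IPv6" >&2; return 1; }
  case "$8" in in|out) ;; *) echo "add_sp: --dir must be in or out" >&2; return 1 ;; esac
  case "$action" in none|discard|ipsec) ;; *) echo "add_sp: --action must be none, discard or ipsec" >&2; return 1 ;; esac
  case "$mode" in tunnel|transport) ;; *) echo "add_sp: --sp-mode must be tunnel or transport" >&2; return 1 ;; esac
  if [ "$action" = ipsec ] && [ -z "$sa" ]; then
    echo "add_sp: --action ipsec needs the name of an existing SA" >&2; return 1
  fi
  set -- --sp-src="$3" --sp-dst="$4" --src-port="$5" --dst-port="$6" \
         --ulproto="$7" --dir="$8" --action="$action" --sp-mode="$mode"
  # Assumption: only an ipsec policy references an SA; none/discard carry no --sa-name.
  [ "$action" != ipsec ] || set -- "$@" --sa-name "$sa"
  run vicfg-ipsec --add-sp "$@" --sp-name "$name"
}

# Constructed demo using the page's SA. In transport mode the SA endpoints are
# the hosts themselves, so the selector covers exactly those two addresses;
# port any with --ulproto tcp protects all TCP this host sends to the peer.
add_sa sa_2 2001:DB8:1::121 2001:DB8:1::122 transport 0x1000 \
  3des-cbc  0x6970763672656164796c6f676f336465736362636f757432 \
  hmac-sha1 0x6970763672656164796c6f67736861316f757432
add_sp sp_2 sa_2 2001:DB8:1::121/128 2001:DB8:1::122/128 any any tcp out ipsec transport
```

An SA is unidirectional and a policy with --dir out only covers what this host sends: the peer needs the mirror-image SA (same SPI, algorithms and keys, addresses reversed) with an inbound policy, and protecting the return traffic needs a second SA and an inbound policy on this host. The wrapper rejects the mistakes that otherwise surface only as a failed command on the host (IPv4 addresses, keys of the wrong length or without the 0x prefix, a null authentication algorithm, or an ipsec policy with no SA).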