Add a security association to specify encryption parameters for associated IP traffic.

You can add a security association using the vicfg-ipsec vSphere CLI command.

In the procedure, --server=server_name specifies the target server. The specified target server prompts you for a user name and password. Other connection options, such as a configuration file or session file, are supported. For a list of connection options, see Getting Started with vSphere Command-Line Interfaces.

Install vCLI or deploy the vSphere Management Assistant (vMA) virtual machine. See Getting Started with vSphere Command-Line Interfaces. For troubleshooting, run esxcli commands in the ESXi Shell.

At the command prompt, enter the command vicfg-ipsec --server=server_name --add-sa with one or more of the following options.



--sa-src source address

Specify the source address.

--sa-dst destination address

Specify the destination address.

--sa-mode mode

Specify the mode, either transport or tunnel.

--spi security parameter index

Specify the security parameter index. The security parameter index identifies the security association to the host. It must be a hexadecimal with a 0x prefix. Each security association you create must have a unique combination of protocol and security parameter index.

--ealgo encryption algorithm

Specify the encryption algorithm using one of the following parameters.




null provides no encryption.

--ekey encryption key

Specify the encryption key. You can enter keys as ASCII text or as a hexadecimal with a 0x prefix.

--ialgo authentication algorithm

Specify the authentication algorithm, either hmac-sha1 or hmac-sha2-256.

--ikey authentication key

Specify the authentication key. You can enter keys as ASCII text or as a hexadecimal with a 0x prefix.


Provide a name for the security association.

The following example contains extra line breaks for readability.

vicfg-ipsec --server=server_name --add-sa 
--sa-src 3ffe:501:ffff:0::a 
--sa-dst 3ffe:501:ffff:0001:0000:0000:0000:0001
--sa-mode transport
--spi 0x1000
--ealgo 3des-cbc
--ekey 0x6970763672656164796c6f676f336465736362636f757432
--ialgo hmac-sha1
--ikey 0x6970763672656164796c6f67736861316f757432