Create a security policy to determine when to use the authentication and encryption parameters set in a security association.

You can add a security policy using the vicfg-ipsec vSphere CLI command.

In the procedure, --server=server_name specifies the target server. The specified target server prompts you for a user name and password. Other connection options, such as a configuration file or session file, are supported. For a list of connection options, see Getting Started with vSphere Command-Line Interfaces.

Before creating a security policy, add a security association with the appropriate authentication and encryption parameters as described in Add a Security Association.

Install vCLI or deploy the vSphere Management Assistant (vMA) virtual machine. See Getting Started with vSphere Command-Line Interfaces. For troubleshooting, run esxcli commands in the ESXi Shell.

At the command prompt, enter the command vicfg-ipsec --server=server_name --add-sp with one or more of the following options.

Option and description:

--sp-src source address
    Specify the source IP address and prefix length.

--sp-dst destination address
    Specify the destination IP address and prefix length.

--src-port port
    Specify the source port. The source port must be a number between 0 and 65535.

--dst-port port
    Specify the destination port. The destination port must be a number between 0 and 65535.

--ulproto protocol
    Specify the upper layer protocol using one of the following parameters: tcp, udp, icmp6, or any.

--dir direction
    Specify the direction in which you want to monitor traffic using either in or out.

--action action
    Specify the action to take when traffic with the specified parameters is encountered, using one of the following parameters.
    none: Take no action.
    discard: Do not allow data in or out.
    ipsec: Use the authentication and encryption information supplied in the security association to determine whether the data comes from a trusted source.

--sp-mode mode
    Specify the mode, either tunnel or transport.

--sa-name security association name
    Provide the name of the security association for the security policy to use.

name
    Provide a name for the security policy.

The following example includes extra line breaks for readability.

vicfg-ipsec --server=server_name --add-sp
--sp-src 2001:db8:1::/64
--sp-dst 2002:db8:1::/64
--src-port 23
--dst-port 25
--ulproto tcp
--dir out
--action ipsec
--sp-mode transport
--sa-name sa1
sp1
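The following shell script is an added example and is not VMware's code or part of the vicfg-ipsec tool. It checks each option value against the constraints listed above (port range, the allowed ulproto, dir, action and mode values, and that an ipsec action names a security association) before assembling the --add-sp command line, so a mistyped value is caught before anything is sent to the host. It assumes vicfg-ipsec is on the PATH of a vCLI or vMA shell and that the referenced security association (sa1) already exists; the server name esx01.example.com is a placeholder.

```shell
#!/bin/sh
# Added example (not VMware's code): validate security-policy option values and
# build a vicfg-ipsec --add-sp command line. The command is printed, not run,
# so it can be reviewed first. Assumes vicfg-ipsec is on PATH and the SA exists.

# is_port NUM: succeed if NUM is an integer in the range 0..65535
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty, negative, or non-numeric
    esac
    [ "$1" -ge 0 ] && [ "$1" -le 65535 ]
}

# in_set VALUE ALLOWED...: succeed if VALUE is one of the ALLOWED words
in_set() {
    v="$1"; shift
    for a in "$@"; do
        [ "$v" = "$a" ] && return 0
    done
    return 1
}

# build_sp_cmd SERVER SRC DST SRC_PORT DST_PORT ULPROTO DIR ACTION MODE SA_NAME SP_NAME
# Prints the vicfg-ipsec command on stdout. On an invalid value it prints the
# reason on stderr and returns 1 without printing a command.
build_sp_cmd() {
    server="$1" src="$2" dst="$3" sport="$4" dport="$5" ulproto="$6"
    dir="$7" action="$8" mode="$9"
    shift 9
    sa="$1" name="$2"

    is_port "$sport" || { echo "source port must be 0-65535: $sport" >&2; return 1; }
    is_port "$dport" || { echo "destination port must be 0-65535: $dport" >&2; return 1; }
    in_set "$ulproto" tcp udp icmp6 any || { echo "bad --ulproto: $ulproto" >&2; return 1; }
    in_set "$dir" in out || { echo "bad --dir: $dir" >&2; return 1; }
    in_set "$action" none discard ipsec || { echo "bad --action: $action" >&2; return 1; }
    in_set "$mode" tunnel transport || { echo "bad --sp-mode: $mode" >&2; return 1; }
    # An ipsec action is only meaningful when it references a security association.
    if [ "$action" = ipsec ] && [ -z "$sa" ]; then
        echo "--action ipsec requires --sa-name" >&2; return 1
    fi
    [ -n "$name" ] || { echo "a security policy name is required" >&2; return 1; }

    printf 'vicfg-ipsec --server=%s --add-sp --sp-src %s --sp-dst %s --src-port %s --dst-port %s --ulproto %s --dir %s --action %s --sp-mode %s --sa-name %s %s\n' \
        "$server" "$src" "$dst" "$sport" "$dport" "$ulproto" "$dir" "$action" "$mode" "$sa" "$name"
}

# Demonstration with the values from the example above (server name is a placeholder).
build_sp_cmd esx01.example.com 2001:db8:1::/64 2002:db8:1::/64 23 25 tcp out ipsec transport sa1 sp1
```

To apply the policy after reviewing the printed line, pipe the script's output to sh on the vCLI host; the validation functions can be reused for --add-sa options that share the same port and address constraints.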