You can specify an SA and request that the VMkernel use that SA.

The following options for SA setup are supported.

vicfg-ipsec Option

esxcli Option


sa-src <source_IP>

sa-source <source_IP>

Source IP for the SA.

sa-dst <destination_IP>

sa-destination <destination_IP>

Destination IP for the SA.



Security Parameter Index (SPI) for the SA. Must be a hexadecimal number with a 0x prefix.

When IPsec is in use, ESXi uses the ESP protocol (RFC 43030), which includes authentication and encryption information and the SPI. The SPI identifies the SA to use at the receiving host. Each SA you create must have a unique combination of source, destination, protocol, and SPI.

sa-mode [tunnel | transport]

sa-mode [tunnel | transport]

Either tunnel or transport.

In tunnel mode, the original packet is encapsulated in another IPv6 packet, where source and destination addresses are the SA endpoint addresses.

ealgo [null | 3des-cbc | aes128-cbc]

encryption-algorithm [null | 3des-cbc | aes128-cbc]

Encryption algorithm to be used. Choose 3des-cbc or aes128-cbc, or null for no encryption.

ekey <key>

encryption-key <key>

Encryption key to be used by the encryption algorithm. A series of hexadecimal digits with a 0x prefix or an ASCII string.

ialgo [hmac-sha1 | hmac-sha2-256 ]

integrity-algorithm [hmac-sha1 | hmac-sha2-256 ]

Authentication algorithm to be used. Choose hmac-sha1 or hmac-sha2-256.



Authentication key to be used. A series of hexadecimal digits or an ASCII string.

You can perform these main tasks with SAs.

Create an SA. You specify the source, the destination, and the authentication mode. You also specify the authentication algorithm and authentication key to use. You must specify an encryption algorithm and key, but you can specify null if you want no encryption. Authentication is required and cannot be null. The following example includes extra line breaks for readability. The last option, sa_2 in the example, is the name of the SA.

esxcli network ip ipsec sa add
            --sa-source 2001:DB8:1::121
            --sa-destination 2001:DB8:1::122
            --sa-mode transport
            --sa-spi 0x1000
            --encryption-algorithm 3des-cbc
            --encryption-key 0x6970763672656164796c6f676f336465736362636f757432
            --integrity-algorithm hmac-sha1
            --integrity-key 0x6970763672656164796c6f67736861316f757432
            --sa-name sa_2

List an SA by using esxcli network ip ipsec sa list. This command returns SAs currently available for use by an SP. The list includes SAs you created.

Remove a single SA by using esxcli network ip ipsec sa remove. If the SA is in use when you run this command, the command cannot perform the removal.

Remove all SAs by using esxcli network ip ipsec sa remove --removeall. This option removes all SAs even when they are in use.


Running esxcli network ip ipsec sa remove --removeall removes all SAs on your system and might leave your system in an inconsistent state.