vicfg-ipsec - configure IPsec properties
vicfg-ipsec [<conn_options>] [--action [none|discard|ipsec] | --add-sa <sa> | --add-sp <sp> | --dir [in | out] | --dst-port <port> | --flush-sa | --flush-sp | --ealgo [null | 3des-cbc | aes128-cbc] | --ekey <e_key> | --help | --ialgo [hmac-sha1 | hmac-sha2-256] | --ikey <i_key> | --list-sa <sa> | --list-sp <sp> | --remove-sa <sa> | --remove-sp <sp> | --sa-dst <destination> | --sa-src <IP> | --sa-name <name> | --sp-dst <destination> | --spi <spi> | --sp-src <source> | --spmode <mode> | --src-port <port> | --ulproto [any | tcp | udp | icmp6]]
vicfg-ipsec allows you to configure IPsec on your ESX/ESXi host. The command supports IPv6 but not IPv4 configuration.
<conn_options>
Specifies the target server and authentication information if required. Run vicfg-ipsec --help for a list of all connection options.
--action [none|discard|ipsec]
Action to take. Specify none to allow all traffic, discard to discard all traffic, or ipsec to use IPsec with the specified authentication and encryption settings.
--add-sa <sa>
Adds a security association. Use this option together with --sa-src, --sa-dst, --sa-mode, and other parameters to create a security association. The last parameter is always the name of the association.
--add-sp <sp>
Adds a security policy. Use this option together with --sp-src, --sp-dst, --src-port, --dst-port, and other parameters to create a security policy. You must associate this policy with a named security association. The last argument is always the name of the security policy.
--dir [in | out]
Direction, in or out.
--dst-port <port>
Destination port (0-65535).
--ealgo [null | 3des-cbc | aes128-cbc]
Encryption algorithm.
--ekey <e_key>
Encryption key; a series of hexadecimal digits preceded with 0x (zero ex).
--ialgo [hmac-sha1 | hmac-sha2-256]
Authentication algorithm.
--ikey <i_key>
Authentication key; a series of hexadecimal digits preceded with 0x (zero ex).
--flush-sa
Clears all entries in the Security Associations (SA) database. WARNING: This option clears all entries even if SAs are in use.
--flush-sp
Clears all entries in the Security Policy (SP) database. WARNING: This option clears all entries even if SPs are in use.
--help
Prints a help message for each command-specific and each connection option. Calling the script with no arguments or with --help has the same effect.
--list-sa <sa>
Displays security associations.
--list-sp <sp>
Displays security policies.
--remove-sa <sa>
Removes a specified security association.
--remove-sp <sp>
Removes a specified security policy.
--sa-dst <destination>
Destination IP of the security association.
--sa-src <IP>
Source IP of the security association.
--sa-name <name>
Security association name. Specify auto to let the VMkernel choose an SA. If no suitable SA exists, the VMkernel requests one using IKE.
--sp-dst <destination>
Destination IP address and prefix length.
--spi <spi>
Security parameters index. This index identifies security parameters in combination with the IP address. The index must be a hexadecimal number with a 0x prefix.
--sp-src <source>
Source IP address and prefix length.
--spmode <mode>
Mode, either tunnel or transport.
--src-port <port>
Source port (0-65535).
--ulproto [any | tcp | udp | icmp6]
Upper layer protocol.
The following examples assume you are specifying connection options, either explicitly or, for example, by specifying the server, user name, and password. Run vicfg-ipsec --help for a list of common options including connection options.
Display all current IPsec properties:
vicfg-ipsec <conn_options> -l | --list-sa
vicfg-ipsec <conn_options> -L | --list-sp
Create a security association:
vicfg-ipsec <conn_options> --add-sa --sa-src 3ffe:501:ffff:0::a --sa-dst 3ffe:501:ffff:0001:0000:0000:0000:0001 --sa-mode transport --spi 0x1000 --ealgo 3des-cbc --ekey 0x6970763672656164796c6f676f336465736362636f757432 --ialgo hmac-sha1 --ikey 0x6970763672656164796c6f67736861316f757432 sa1
Configure a security policy:
vicfg-ipsec <conn_options> --add-sp --sp-src=2001:db8:1::/64 --sp-dst=2002:db8:1::/64 --src-port=23 --dst-port=25 --ulproto=tcp --dir=out --action=ipsec --sp-mode=transport --sa-name sa1 sp1
Remove a security policy:
vicfg-ipsec <conn_options> --remove-sp sp1
Remove a security association:
vicfg-ipsec <conn_options> --remove-sa sa1
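As an added shell helper, not part of the vicfg-ipsec reference or of VMware's tooling, the following checks the --ekey, --ikey and --spi values from the security-association example above before the --add-sa argument list is built: each key must be 0x-prefixed hex whose byte count matches its algorithm. The key sizes used (24 bytes for 3des-cbc, 16 for aes128-cbc, 20 for hmac-sha1, 32 for hmac-sha2-256) are the standard IPsec sizes for these algorithms and are assumed to be what the host accepts; the sample key and address values are copied from the example above.

```shell
#!/bin/sh
# Added example, not part of the vicfg-ipsec reference: validate --ekey, --ikey
# and --spi before they reach vicfg-ipsec. Key sizes are the standard IPsec
# sizes for the listed algorithms (assumed to be what the host accepts).

# Print how many key bytes a 0x-prefixed hex string encodes; fail if malformed.
hexkey_bytes() {
    hex=${1#0x}
    if [ "$hex" = "$1" ] || [ -z "$hex" ]; then
        echo "key must be 0x followed by hex digits" >&2; return 1
    fi
    case $hex in *[!0-9a-fA-F]*) echo "non-hex digit in key" >&2; return 1 ;; esac
    [ $(( ${#hex} % 2 )) -eq 0 ] || { echo "odd number of hex digits" >&2; return 1; }
    echo $(( ${#hex} / 2 ))
}

# Key size in bytes expected for each --ealgo / --ialgo value.
algo_key_bytes() {
    case $1 in
        null) echo 0 ;;            # no encryption, so no key
        3des-cbc) echo 24 ;;
        aes128-cbc) echo 16 ;;
        hmac-sha1) echo 20 ;;
        hmac-sha2-256) echo 32 ;;
        *) echo "unknown algorithm: $1" >&2; return 1 ;;
    esac
}

# Succeed only if the key fits the algorithm: check_key <algo> <0xkey>
check_key() {
    want=$(algo_key_bytes "$1") || return 1
    if [ "$want" -eq 0 ]; then
        [ -z "$2" ] && return 0
        echo "$1 takes no key" >&2; return 1
    fi
    have=$(hexkey_bytes "$2") || return 1
    [ "$have" -eq "$want" ] && return 0
    echo "$1 needs $want key bytes, got $have" >&2; return 1
}

# Print the --add-sa argument list (transport mode, as in the reference example)
# only when every value checks out. Usage:
# build_add_sa <src> <dst> <spi> <ealgo> <ekey> <ialgo> <ikey> <name>
build_add_sa() {
    check_key "$4" "$5" || return 1
    check_key "$6" "$7" || return 1
    case $3 in 0x*) ;; *) echo "--spi needs a 0x prefix" >&2; return 1 ;; esac
    printf '%s\n' "--add-sa --sa-src $1 --sa-dst $2 --sa-mode transport --spi $3 --ealgo $4 --ekey $5 --ialgo $6 --ikey $7 $8"
}
```

The output is meant to be spliced into the real invocation, for example vicfg-ipsec <conn_options> $(build_add_sa ...), so a key of the wrong length is rejected locally rather than handed to the host.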