Using IPsec with ESXi
When you set up IPsec on an ESXi host, you enable protection of incoming or outgoing data. Exactly which traffic is protected, and how, depends on how you configure the system's Security Associations (SAs) and Security Policies (SPs).
- An SA determines how the system protects traffic. When you create an SA, you specify the source and destination, the authentication and encryption parameters, and an identifier for the SA, using the following options.

  esxcli network ip ipsec
    --sa-source and --sa-destination
    --sa-spi
    --sa-mode
    --encryption-algorithm and --encryption-key
    --integrity-algorithm and --integrity-key

- An SP identifies and selects the traffic that must be protected. An SP consists of two logical sections, a selector and an action.

  The selector is specified by the following options.

  esxcli network ip ipsec
    --sa-source
    --source-port and --destination-port
    --upper-layer-protocol
    --flow-direction

  The action is specified by the following options.

  esxcli network ip ipsec
    --sa-name
    --sp-name
    --action
Because IPsec allows you to target precisely which traffic should be encrypted, it is well suited for securing your vSphere environment. For example, you can set up the environment so all vMotion traffic is encrypted.
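The following POSIX shell script is an added example, not VMware's code or part of the ESXi documentation. It builds the two esxcli command lines described above (one SA, one SP that references it) and sanity-checks the inputs before anything is applied to a host: the hex keys must match the key size of the chosen algorithm, the SA mode and the SP direction and action must be one of the accepted keywords. Assumptions in this script: the esxcli subcommands are `sa add` and `sp add`; the algorithm names and key sizes in `key_bytes_for` are the ones the script accepts; keys are given as 0x-prefixed hex; the SP selector uses `--sa-source`/`--sa-destination` for addresses; the action keywords are `ipsec`, `none` and `discard`. The script only prints the commands, so it can be reviewed offline and run on the host afterwards.

```shell
#!/bin/sh
# Added example (not VMware's code): validate IPsec SA/SP parameters and
# emit the esxcli lines for review before running them on an ESXi host.

# Key size in bytes expected for each algorithm (assumed table).
key_bytes_for() {
    case "$1" in
        3des-cbc)          echo 24 ;;
        aes128-cbc)        echo 16 ;;
        hmac-sha1-96)      echo 20 ;;
        hmac-sha2-256-128) echo 32 ;;
        *)                 echo -1 ;;
    esac
}

# hex_key_bytes 0xABCD -> number of bytes the 0x-prefixed hex key encodes,
# or -1 if the value is not well-formed hex with an even digit count.
hex_key_bytes() {
    case "$1" in
        0x*) hex=${1#0x} ;;
        *)   echo -1; return ;;
    esac
    case "$hex" in
        ""|*[!0-9A-Fa-f]*) echo -1; return ;;
    esac
    len=${#hex}
    if [ $((len % 2)) -ne 0 ]; then echo -1; return; fi
    echo $((len / 2))
}

# check_key ALGORITHM KEY -> exit 0 when the key length matches the algorithm.
check_key() {
    want=$(key_bytes_for "$1")
    got=$(hex_key_bytes "$2")
    [ "$want" -ge 0 ] && [ "$got" -ge 0 ] && [ "$want" -eq "$got" ]
}

# sa_add_cmd NAME SRC DST SPI MODE ENC_ALG ENC_KEY INT_ALG INT_KEY
# Prints the "sa add" line; fails (non-zero) if a parameter is rejected.
sa_add_cmd() {
    case "$5" in transport|tunnel) ;; *) echo "bad --sa-mode: $5" >&2; return 1 ;; esac
    check_key "$6" "$7" || { echo "encryption key does not fit $6" >&2; return 1; }
    check_key "$8" "$9" || { echo "integrity key does not fit $8" >&2; return 1; }
    printf 'esxcli network ip ipsec sa add --sa-name %s --sa-source %s --sa-destination %s --sa-spi %s --sa-mode %s --encryption-algorithm %s --encryption-key %s --integrity-algorithm %s --integrity-key %s\n' \
        "$1" "$2" "$3" "$4" "$5" "$6" "$7" "$8" "$9"
}

# sp_add_cmd SP_NAME SA_NAME SRC DST SPORT DPORT PROTO DIRECTION ACTION
# Prints the "sp add" line (selector + action) that binds the SP to the SA.
sp_add_cmd() {
    case "$7" in tcp|udp|icmp|icmp6|any) ;; *) echo "bad --upper-layer-protocol: $7" >&2; return 1 ;; esac
    case "$8" in in|out) ;; *) echo "bad --flow-direction: $8" >&2; return 1 ;; esac
    case "$9" in ipsec|none|discard) ;; *) echo "bad --action: $9" >&2; return 1 ;; esac
    printf 'esxcli network ip ipsec sp add --sp-name %s --sa-name %s --sa-source %s --sa-destination %s --source-port %s --destination-port %s --upper-layer-protocol %s --flow-direction %s --action %s\n' \
        "$1" "$2" "$3" "$4" "$5" "$6" "$7" "$8" "$9"
}

# Constructed sample values (documentation addresses, placeholder keys):
# one SA between two hosts, and an SP that protects outbound TCP to port 8000.
SAMPLE_ENC_KEY=0x00112233445566778899aabbccddeeff
SAMPLE_INT_KEY=0x000102030405060708090a0b0c0d0e0f10111213

sample_commands() {
    sa_add_cmd sa1 2001:db8::a 2001:db8::b 0x1000 transport \
        aes128-cbc "$SAMPLE_ENC_KEY" hmac-sha1-96 "$SAMPLE_INT_KEY" || return 1
    sp_add_cmd sp1 sa1 2001:db8::a 2001:db8::b any 8000 tcp out ipsec
}
```

Running `sample_commands` prints the two esxcli lines in the order they must be applied (the SA first, because the SP's `--sa-name` refers to it). A wrong-length key or an unknown keyword stops the script before any command is printed, which is the point of checking here rather than on the host.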