You can set up Internet Protocol Security (IPsec), which secures IP communications coming from and arriving at ESXi hosts, with esxcli network ip ipsec commands or with the vicfg-ipsec command. Administrators who perform IPsec setup must have a solid understanding of both IPv6 and IPsec.

ESXi hosts support IPsec only for IPv6 traffic, not for IPv4 traffic.

Important

In ESXi 4.1, ESXi 5.0, and ESXi 5.1, IPv6 is disabled by default. You can turn on IPv6 by running one of the following vCLI commands.

esxcli <conn_options> network ip interface ipv6 set --enable-dhcpv6
esxcli <conn_options> network ip interface ipv6 address add
 
vicfg-vmknic <conn_options> --enable-ipv6

You cannot run vicfg-ipsec with a vCenter Server system as the target by using the --vihost option.

You can run esxcli network ip ipsec commands with a vCenter Server system as the target by using the --vihost option.

The VMware implementation of IPsec adheres to the following IPv6 RFCs.

4301 Security Architecture for the Internet Protocol

4303 IP Encapsulating Security Payload (ESP)

4835 Cryptographic Algorithm Implementation Requirements for ESP

2410 The NULL Encryption Algorithm and Its Use With IPsec

2451 The ESP CBC-Mode Cipher Algorithms

3602 The AES-CBC Cipher Algorithm and Its Use with IPsec

2404 The Use of HMAC-SHA-1-96 within ESP and AH

4868 Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512