When you set up IPsec on an ESXi host, you enable protection of incoming and outgoing data. ESXi supports IPsec for IPv6 traffic only, so the addresses in the objects below are IPv6 addresses. What happens precisely depends on how you set up the system's Security Associations (SAs) and Security Policies (SPs).

An SA determines how the system protects traffic. An SA is unidirectional, so protecting both directions of a conversation between two hosts takes two SAs. ESXi uses manual keying: there is no IKE negotiation, the peer must be configured with the same SPI, algorithms and keys, and those keys stay in force until you replace them, so generate them randomly and rotate them deliberately. When you create an SA, you specify the source and destination, the authentication and encryption parameters, and an identifier (the SA name, which an SP later references in its action), with the following options.

vicfg-ipsec option              esxcli network ip ipsec option
sa-src and sa-dst               --sa-source and --sa-destination
spi (security parameter index)  --sa-spi
sa-mode (tunnel or transport)   --sa-mode
ealgo and ekey                  --encryption-algorithm and --encryption-key
ialgo and ikey                  --integrity-algorithm and --integrity-key

An SP identifies and selects the traffic that must be protected. An SP consists of two logical sections: a selector, which describes the traffic, and an action, which says what to do with it.

The selector is specified by the following options.

vicfg-ipsec option              esxcli network ip ipsec option
src-addr and src-port           --sa-source and --source-port
dst-addr and dst-port           --sa-destination and --destination-port
ulproto                         --upper-layer-protocol
direction (in or out)           --flow-direction

The action is specified by the following options. With action none the selected traffic passes in the clear, with discard it is dropped, and with ipsec it is protected using the SA named by sa-name; only the ipsec action needs an SA.

vicfg-ipsec option              esxcli network ip ipsec option
sa-name                         --sa-name
sp-name                         --sp-name
action (none, discard, ipsec)   --action

Because an SP selector lets you target precisely which traffic is protected, IPsec is well suited to securing a vSphere environment. For example, you can select the traffic between the vMotion VMkernel addresses of your hosts so that all vMotion traffic is encrypted and integrity-checked while other traffic on the host is unaffected.
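The SA and SP setup described above, as an added example that is not part of the original page and is not VMware's code: a POSIX shell script that emits, for one host, the esxcli network ip ipsec commands for a manually keyed SA plus an SP in each direction between a local and a peer address, validating that each key is 0x-prefixed hex of exactly the length its algorithm needs before it emits anything. The algorithm names and key sizes in the table, the use of port 0 and protocol any as selector wildcards, and the --sp-mode option on sp add (not listed in the tables above) are assumptions to check against the esxcli help on your host; the addresses, SPI values, SA and SP names and the IPSEC_APPLY variable are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original page and not VMware's code.
# Emits the esxcli network ip ipsec commands for ONE host: a manually keyed
# SA plus an SP for each direction between a local and a peer IPv6 address.
# Assumptions (verify against the esxcli help on your host): the algorithm
# names below are the ones esxcli accepts, port 0 and protocol "any" act as
# wildcards in an SP selector, and "sp add" takes --sp-mode like "sa add"
# takes --sa-mode. Addresses, SPIs and names are constructed for the example.
set -eu

SA_MODE=transport   # host-to-host traffic: transport mode, no outer IP header

# Key size in bytes implied by each algorithm name (assumed esxcli names).
key_bytes_for() {
  case "$1" in
    3des-cbc)      echo 24 ;;
    aes128-cbc)    echo 16 ;;
    hmac-sha1-96)  echo 20 ;;
    hmac-sha2-256) echo 32 ;;
    *) echo "unsupported algorithm: $1" >&2; return 1 ;;
  esac
}

# check_key ALGO KEY: KEY must be 0x-prefixed hex of exactly the algorithm's
# size; a short, padded or non-hex key is the classic manual-keying mistake.
check_key() {
  hex=${2#0x}
  [ "$hex" != "$2" ] || { echo "$1: key must start with 0x" >&2; return 1; }
  case "$hex" in
    ""|*[!0-9a-fA-F]*) echo "$1: key is not hex" >&2; return 1 ;;
  esac
  bytes=$(key_bytes_for "$1") || return 1
  [ "${#hex}" -eq $((bytes * 2)) ] ||
    { echo "$1: need $((bytes * 2)) hex digits, got ${#hex}" >&2; return 1; }
}

# random_key BYTES: a fresh manual key from the kernel RNG, never a passphrase.
random_key() {
  printf '0x%s' "$(od -An -tx1 -N"$1" /dev/urandom | tr -d ' \n')"
}

# sa_cmd NAME SRC DST SPI EALGO EKEY IALGO IKEY: one unidirectional SA.
sa_cmd() {
  check_key "$5" "$6" && check_key "$7" "$8" || return 1
  printf 'esxcli network ip ipsec sa add --sa-source %s --sa-destination %s --sa-mode %s --sa-spi %s --encryption-algorithm %s --encryption-key %s --integrity-algorithm %s --integrity-key %s --sa-name %s\n' \
    "$2" "$3" "$SA_MODE" "$4" "$5" "$6" "$7" "$8" "$1"
}

# sp_cmd NAME SA_NAME SRC DST DIR: selector matching all traffic between the
# two addresses in direction DIR, with action "ipsec" bound to SA_NAME.
sp_cmd() {
  printf 'esxcli network ip ipsec sp add --sa-source %s --sa-destination %s --source-port 0 --destination-port 0 --upper-layer-protocol any --flow-direction %s --action ipsec --sp-mode %s --sp-name %s --sa-name %s\n' \
    "$3" "$4" "$5" "$SA_MODE" "$1" "$2"
}

# pair_cmds LOCAL PEER EALGO IALGO: four commands covering both directions.
# The keys are generated here and appear in the output; the peer host needs
# the same SPIs and keys with source/destination and in/out swapped, so move
# the output over a trusted channel and keep it out of shell history.
pair_cmds() {
  me=$1 peer=$2 ealgo=$3 ialgo=$4
  eb=$(key_bytes_for "$ealgo")
  ib=$(key_bytes_for "$ialgo")
  sa_cmd sa-out "$me" "$peer" 0x1000 "$ealgo" "$(random_key "$eb")" "$ialgo" "$(random_key "$ib")"
  sp_cmd sp-out sa-out "$me" "$peer" out
  sa_cmd sa-in "$peer" "$me" 0x1001 "$ealgo" "$(random_key "$eb")" "$ialgo" "$(random_key "$ib")"
  sp_cmd sp-in sa-in "$peer" "$me" in
}

# Print the commands for review; set IPSEC_APPLY=1 to execute them on the host.
cmds=$(pair_cmds 2001:db8:1::a 2001:db8:1::b aes128-cbc hmac-sha2-256)
if [ "${IPSEC_APPLY:-0}" = 1 ]; then printf '%s\n' "$cmds" | sh -e; else printf '%s\n' "$cmds"; fi
```

Run it once on each host with the local and peer vMotion addresses swapped and paste the peer's copy of the keys and SPIs rather than generating a second set, since a manually keyed SA only works when both ends hold identical parameters. Because the SP selector here matches everything between the two addresses, traffic to any other host is left untouched; narrow the selector with ports and a protocol if you want to protect only one service.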