Setting Up IPsec

You can set Internet Protocol Security with esxcli network ip ipsec commands or with the vicfg-ipsec command. which secures IP communications coming from and arriving at ESXi hosts. Administrators who perform IPsec setup must have a solid understanding of both IPv6 and IPsec.

ESXi hosts support IPsec only for IPv6 traffic, but not for IPv4 traffic.

Important In ESX/ESXi 4.1, ESXi 5.0, and ESXi 5.1, IPv6 is by default disabled. You can turn on IPv6 by running one of the following vCLI commands: esxcli <conn_options> network ip interface ipv6 set --enable-dhcpv6 esxcli <conn_options> network ip interface ipv6 address add   vicfg-vmknic <conn_options> --enable-ipv6

You cannot run vicfg-ipsec with a vCenter Server system as the target (using the --vihost option).

You can run esxcli network ip ipsec commands with a vCenter Server system as a target (using the --vihost option).

The VMware implementation of IPsec adheres to the following IPv6 RFCs:

■	4301 Security Architecture for the Internet Protocol

■	4303 IP Encapsulating Security Payload (ESP)

■	4835 Cryptographic Algorithm Implementation Requirements for ESP

■	2410 The NULL Encryption Algorithm and Its Use With IPsec

■	2451 The ESP CBC-Mode Cipher Algorithms

■	3602 The AES-CBC Cipher Algorithm and Its Use with IPsec

■	2404 The Use of HMAC-SHA-1-96 within ESP and AH

■	4868 Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512

Using IPsec with ESXi

When you set up IPsec on an ESXi host, you enable protection of incoming or outgoing data. What happens precisely depends on how you set up the system’s Security Associations (SAs) and Security Policies (SPs).

■	An SA determines how the system protects traffic. When you create an SA, you specify the source and destination, authentication, and encryption parameters, and an identifier for the SA with the following options.

vicfg-ipsec	esxcli network ip ipsec
sa-src and sa-dst	--sa-source and --sa-destination
spi (security parameter index)	--sa-spi
sa-mode (tunnel or transport)	--sa-mode
ealgo and ekey	--encryption-algorithm and --encryption-key
ialgo and ikey	--integrity-algorithm and --integrity-key

■	An SP identifies and selects traffic that must be protected. An SP consists of two logical sections, a selector, and an action.

The selector is specified by the following options.

vicfg-ipsec	esxcli network ip ipsec
src-addr and src-port	--sa-source and --source-port
dst-addr and dst-port	--destination-port
ulproto	--upper-layer-protocol
direction (in or out)	--flow-direction

The action is specified by the following options

vicfg-ipsec	esxcli network ip ipsec
sa-name	--sa-name
sp-name	--sp-name
action (none, discard, ipsec	--action

Because IPsec allows you to target precisely which traffic should be encrypted, it is well suited for securing your vSphere environment. For example, you can set up the environment so all vMotion traffic is encrypted.

Managing Security Associations

You can specify an SA and request that the VMkernel use that SA. The following options for SA setup are supported.

vicfg-ipsec Option	esxcli Option	Description
sa-src <source_IP>	sa-source <source_IP>	Source IP for the SA.
sa-dst <destination_IP>	sa-destination <destination_IP>	Destination IP for the SA.
spi	sa-spi	Security Parameter Index (SPI) for the SA. Must be a hexadecimal number with a 0x prefix. When IPsec is in use, ESXi uses the ESP protocol (RFC 43030), which includes authentication and encryption information and the SPI. The SPI identifies the SA to use at the receiving host. Each SA you create must have a unique combination of source, destination, protocol, and SPI.
sa-mode [tunnel | transport]	sa-mode [tunnel | transport]	Either tunnel or transport. In tunnel mode, the original packet is encapsulated in another IPv6 packet, where source and destination addresses are the SA endpoint addresses.
ealgo [null | 3des-cbc | aes128-cbc]	encryption-algorithm [null | 3des-cbc | aes128-cbc]	Encryption algorithm to be used. Choose 3des-cbc or aes128-cbc, or null for no encryption.
ekey <key>	encryption-key <key>	Encryption key to be used by the encryption algorithm. A series of hexadecimal digits with a 0x prefix or an ASCII string.
ialgo [hmac-sha1 | hmac-sha2-256 ]	integrity-algorithm [hmac-sha1 | hmac-sha2-256 ]	Authentication algorithm to be used. Choose hmac-sha1 or hmac-sha2-256.
ikey	integrity-key	Authentication key to be used. A series of hexadecimal digits or an ASCII string.

You can perform these main tasks with SAs:

■

Create an SA. You specify the source, the destination, and the authentication mode. You also specify the authentication algorithm and authentication key to use. You must specify an encryption algorithm and key, but you can specify null if you want no encryption. Authentication is required and cannot be null. The following example includes extra line breaks for readability. The last option (sa_2 in the example) is the name of the SA.

esxcli network ip ipsec sa add

            --sa-source 2001:DB8:1::121

            --sa-destination 2001:DB8:1::122

            --sa-mode transport

            --sa-spi 0x1000

            --encryption-algorithm 3des-cbc

            --encryption-key 0x6970763672656164796c6f676f336465736362636f757432

            --integrity-algorithm hmac-sha1

            --integrity-key 0x6970763672656164796c6f67736861316f757432

            --sa-name sa_2

■	List an SA with esxcli network ip ipsec sa list. This command returns SAs currently available for use by an SP. The list includes SAs you created.

■	Remove a single SA with esxcli network ip ipsec sa remove. If the SA is in use when you run this command, the command cannot perform the removal.

■	Remove all SAs with esxcli network ip ipsec sa remove --removeall. This option removes all SAs even when they are in use.

Caution Running esxcli network ip ipsec sa remove --removeall removes all SAs on your system and might leave your system in an inconsistent state.

Managing Security Policies

After you have created one or more SAs, you can add security policies (SPs) to your ESXi hosts. While the SA specifies the authentication and encryption parameters to use, the SP identifies and selects traffic.

The following options for SP management are supported.

vicfg-ipsec Option	esxcli Option	Description
sp-src <ip>/<p_len>	sp-source <ip>/<p_len>	Source IP address and prefix length.
sp-dst <ip>/<p_len>	sp-destination <ip>/<p_len>	Destination IP address and prefix length.
src-port <port>	source-port <port>	Source port (0-65535). Specify any for any ports.
dst-port <port>	destination-port <port>	Destination port (0-65535). Specify any for any ports. If ulproto is icmp6, this number refers to the icmp6 type. Otherwise, this number refers to the port.
ulproto [any | tcp | udp | icmp6]	upper-layer-protocol [any | tcp | udp | icmp6]	Upper layer protocol. Use this option to restrict the SP to only certain protocols, or use any to apply the SP to all protocols.
dir [in | out]	flow-direction [in | out]	Direction in which you want to monitor the traffic. To monitor traffic in both directions, create two policies.
action [none | discard | ipsec]	action [none | discard | ipsec]	Action to take when traffic with the specified parameters is encountered. none -- Take no action, that is, allow traffic unmodified. discard -- Do not allow data in or out. ipsec -- Use the authentication and encryption information specified in the SA to determine whether the data come from a trusted source.
sp-mode [tunnel | transport]	sp-mode [tunnel | transport]	Mode, either tunnel or transport.
sa-name	sa-name	Name of the SA to use by this SP.

You can perform these main tasks with SPs:

■

Create an SP with esxcli network ip ipsec add. You identify the data to monitor by specifying the selector’s source and destination IP address and prefix, source port and destination port, upper layer protocol, direction of traffic, action to take, and SP mode. The last two option are the name of the SA to use and the name of the SP that is being created. The following example includes extra line breaks for readability.

esxcli network ip ipsec add

--sp-source=2001:0DB8:0001:/48

--sp-destination=2001:0DB8:0002:/48

--source-port=23

--destination-port=25

--upper-layer-protocol=tcp

--flow-direction=out

--action=ipsec

--sp-mode=transport

--sp-name sp_2

■	List an SP with esxcli network ip ipsec list. This command returns SPs currently available. All SPs are created by the administrator.

■	Remove an SP with esxcli network ip ipsec remove. If the SP is in use when you run this command, the command cannot perform the removal. You can run esxcli network ip ipsec remove --removeall instead to remove the SP even when it is in use.

Caution Running esxcli network ip ipsec remove --removeall removes all SPs on your system and might leave your system in an inconsistent state.