esxcfg-ipsec
--add-sa Add a Security Association, requires sa-src, sa-dst,
spi, sa-mode, ealgo and ialgo
--add-sp Add a Security Policy, requires sp-src, src-port,
sp-dst, dst-port, action, ulproto, dir, sp-mode
and sa-name. Specify sa-name only for a unique SA, otherwise specify 'auto'.
--remove-sa Remove the given Security Association from kernel.
--remove-sp Remove the given Security Policy from kernel.
--flush-sa Remove all SAs
--flush-sp Remove all SPs
-l|--list-sa List all SAs.
-L|--list-sp List all SPs.
--sa-src SA source IPv6 address
--sp-src SP source IPv6 address and prefix length
--sa-dst SA destination IPv6 address
--sp-dst SP destination IPv6 address and prefix length
--src-port Source Port for SP
--dst-port Destination Port for SP
--ulproto Upper layer protocol for SP
any, tcp, udp or icmpv6
--dir Flow direction for SP
--action Action for SP.
--sa-mode SA mode.
--sp-mode SP mode.
--sa-name SA name. Specify 'auto' to let vmkernel automatically choose an SA.
If no applicable SA exists, then vmkernel may request one using IKE.
--spi SPI value for the SA.
--ealgo Encryption algorithm for the SA.
--ekey Encryption key (ASCII or hex). Length of hex key is dependent upon algorithm used.
(optional if ealgo is null).
--ialgo Integrity algorithm for the SA.
--ikey Integrity key (ASCII or hex). Length of hex key is dependent upon algorithm used.
-h|--help Show this message.
Examples:
To add an SA
esxcfg-ipsec --add-sa --sa-src x:x:x:: --sa-dst x:x:x:: --sa-mode transport --ealgo null --spi 0x200 --ialgo hmac-sha1 --ikey key saname
To add an SP
esxcfg-ipsec --add-sp --sp-src x:x::/x --sp-dst x:x::/x --src-port 100 --dst-port 200 --ulproto tcp --dir out --action ipsec --sp-mode transport --sa-name saname spname
or to add a generic SP with default options
esxcfg-ipsec --add-sp --sp-src any --sp-dst any --src-port any --dst-port any --ulproto any --dir out --action ipsec --sp-mode transport --sa-name saname spname
or to add an SP like a firewall rule
esxcfg-ipsec --add-sp --sp-src x:x::/x --sp-dst x:x::/x --src-port 100 --dst-port 200 --ulproto tcp --dir out --action discard spname
To delete an SA
esxcfg-ipsec --remove-sa saname
To delete an SP
esxcfg-ipsec --remove-sp spname
To delete an auto SA
esxcfg-ipsec --remove-sa --sa-src x:x:x:: --sa-dst x:x:x:: --spi 0x300 auto
To flush all SPs
esxcfg-ipsec --flush-sp
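As an added example that is not part of this help text: a small Python builder that assembles these command lines and checks them against the option requirements listed above before anything is run on the host (required options per verb, the ulproto values, ekey optional only for a null ealgo, and an ipsec SP naming either 'auto' or an SA that was already added). Addresses, ports and keys in use are constructed placeholders; per-algorithm key lengths are not checked because the text does not state them.

```python
"""Assemble esxcfg-ipsec commands and check the option rules above (added example)."""
import shlex

SA_REQUIRED = ("sa-src", "sa-dst", "spi", "sa-mode", "ealgo", "ialgo")
SP_REQUIRED = ("sp-src", "src-port", "sp-dst", "dst-port", "action", "ulproto", "dir")
ULPROTO = {"any", "tcp", "udp", "icmpv6"}


def _require(opts, required, what):
    missing = [k for k in required if k not in opts]
    if missing:
        raise ValueError(f"{what} is missing --" + ", --".join(missing))


def _cmdline(verb, opts, name):
    args = ["esxcfg-ipsec", f"--{verb}"]
    for key, val in opts.items():          # option order follows the dict
        args += [f"--{key}", str(val)]
    return " ".join(shlex.quote(a) for a in args + [name])


def add_sa(name, opts):
    """--add-sa line; --ekey may be omitted only when --ealgo is null."""
    _require(opts, SA_REQUIRED, "SA")
    if opts["ealgo"] != "null" and "ekey" not in opts:
        raise ValueError("--ekey is required unless --ealgo is null")
    return _cmdline("add-sa", opts, name)


def add_sp(name, known_sas, opts):
    """--add-sp line; an ipsec action needs sp-mode and 'auto' or an added SA."""
    _require(opts, SP_REQUIRED, "SP")
    if opts["ulproto"] not in ULPROTO:
        raise ValueError(f"--ulproto must be one of {sorted(ULPROTO)}")
    if opts["action"] == "ipsec":
        _require(opts, ("sp-mode", "sa-name"), "ipsec SP")
        sa = opts["sa-name"]
        if sa != "auto" and sa not in known_sas:
            raise ValueError(f"SP names SA {sa!r} which has not been added")
    return _cmdline("add-sp", opts, name)


def rejects(fn, *args):
    """True when fn(*args) fails validation; handy for probing the checks."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False
```

A discard SP (the firewall-rule form above) passes without --sp-mode or --sa-name, matching the help's own example.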