Home / server / Questions / 1010194
In Process
SF.express
Asked: 2020-03-31 23:16:58 +0800 CST

What's an "auto SA" for ESXi's IPsec command "esxcli network ip ipsec sa remove"?

  • 772

The help for esxcli network ip ipsec sa remove mentions auto SA but I failed to find any info from Google.

[root@j2-ceriqv-050:~] esxcli network ip ipsec sa remove --help
Usage: esxcli network ip ipsec sa remove [cmd options]

Description:
  remove                Operation to remove Security Association(s)

Cmd options:
  -a|--remove-all       Set to remove all Security Associations.
  -d|--sa-destination=<str>
                        Ipv6 address of Security Association destination. This option needs to be
                        specified when removing an auto SA.
                                                   ^^^^^^^
  -n|--sa-name=<str>    Name for the Security Association to be removed. Specify 'auto' to remove an
                        auto SA.
                        ^^^^^^^
  -s|--sa-source=<str>  Ipv6 address of Security Association source. This option needs to be specified
                        when removing an auto SA.
                                         ^^^^^^^
  -p|--sa-spi=<str>     SPI value for the Security Association (hex). This option needs to be specified
                        when removing an auto SA
                                         ^^^^^^^

The esxcli network ip ipsec sa add command does not mention auto SA:

[root@j2-ceriqv-050:~] esxcli network ip ipsec sa add --help
Usage: esxcli network ip ipsec sa add [cmd options]

Description:
  add                   Add a Security Association.

Cmd options:
  -e|--encryption-algorithm=<str>
                        Encryption algorithm for the Security Association. Should be one in set  [null,
                        3des-cbc, aes128-cbc]. (required)
  -k|--encryption-key=<str>
                        Encryption key(ASCII or hex). Length of hex key is dependent upon algorithm
                        used. Required when a encryption algorithm has been specified.
  -i|--integrity-algorithm=<str>
                        Integrity algorithm for the Security Association. Should be one in set
                        [hmac-sha1, hmac-sha2-256]. (required)
  -K|--integrity-key=<str>
                        Integrity key(ASCII or hex). Length of hex key is dependent upon algorithm used.
                        (required)
  -d|--sa-destination=<str>
                        Ipv6 address of Security Association destination. Can be specified as 'any' or a
                        correct IPv6 address. (required)
  -m|--sa-mode=<str>    Security Association mode. Should be one in set  [transport, tunnel].
  -n|--sa-name=<str>    Name for the Security Association to be added. (required)
  -s|--sa-source=<str>  Ipv6 address of Security Association source. Can be specified as 'any' or a
                        correct IPv6 address. (required)
  -p|--sa-spi=<str>     SPI value for the Security Association(hex). (required)
vmware-esxi

1 Answers

  1. The documentation of network ip ipsec sp add includes the following:

    --sa-name | -a
    Name for the Security Association. Not being Specified lets vmkernel automatically choose an Security Association. If no applicable Security Association exists, then vmkernel may request one using IKE.

    (highligting by me)

    So, you need to provide --sa-name=auto when you want to remove a SA that has been chosen automatically earlier.

    • 1