Configuring IPv6 and IPsec on vSphere ESX, ESXi 4.1 and ESXi 5.x (1021769)

Purpose

VMware vSphere ESX/ESXi 4.1 supports IPv4 and IPv6, though IPv6 support is disabled by default. This article provides steps to enable IPv6, and optionally configure IPsec for IPv6 VMkernel traffic.

For more information, see Advanced Networking: Internet Protocol Version 6 in the ESX/ESXi 4.1 Configuration Guide.

For ESX/ESXi 4.0, see Configuring IPv6 on ESX 4.0.x (1010812).

Resolution

VMware vSphere ESX/ESXi 4.1 supports IPv6 for use with the Service Console and VMkernel management interfaces, and is compatible with vMotion, High Availability (HA) and Fault Tolerance (FT).

Notes:

  • IPv6 should be considered experimental when used for iSCSI purposes in ESX/ESXi 4.x and 5.0.
  • IPv6 is not supported for use with iSCSI in ESXi 5.1. For more information, please see ESXi iSCSI SAN Restrictions in the vSphere Documentation Center.
  • IPv6 cannot be used with dependent hardware iSCSI initiators in conjunction with TCP Checksum Offload.

Enabling IPv6 on vSphere ESX/ESXi 4.1

IPv6 support can be enabled or disabled on a vSphere ESX/ESXi 4.1 host using the vSphere Client, the console or using the vSphere Command-Line Interface. Enabling IPv6 requires a reboot to take effect.

To enable IPv6 using the vSphere Client:

  1. Connect to the host or vCenter Server using the vSphere Client.
  2. Select the host in the inventory and click the Configuration tab.
  3. Under the Hardware section, click the Networking link.
  4. In the Virtual Switch view, click the top-level Properties link.
  5. Select Enable IPv6 support on this host system.
  6. Click OK.
  7. Reboot the host for changes to take effect.

    Note: To disable IPv6, deselect the checkbox and reboot.

To enable IPv6 using the console or vCLI commands:

  1. Open a console to the ESX or ESXi host, or to the location the vCLI is installed. For more information, see:
  2. Enable IPv6 support on the VMkernel network interfaces using one of the commands:

    • At the console: esxcfg-vmknic --enable-ipv6 true
    • Using the vCLI: vicfg-vmknic <connection_options> --enable-ipv6 true

  3. For ESX only, additionally enable IPv6 support for the Service Console network interfaces using the command:

    • At the console: esxcfg-vswif --enable-ipv6 true

  4. Reboot the host for the changes to take effect.

    Note: To disable IPv6, replace true with false in the commands and reboot.

Configuring IPv6 interface addresses on vSphere ESX/ESXi 4.1

IPv6 addresses can be configured for VMkernel and Service Console network interfaces using the vSphere Client or using the command line.

To set an IPv6 address using the vSphere Client, see VMkernel Networking Configuration and Service Console Configuration in the ESX/ESXi 4.1 Configuration Guide.

To set an IPv6 address for a VMkernel network interface using the console or vCLI, use one of the commands:

esxcfg-vmknic --ip X:X:X:X::/X PortgroupName

vicfg-vmknic <connection_options> --ip X:X:X:X::/X PortgroupName

To set an IPv6 address for a Service Console network interface using the console, use the command:

esxcfg-vswif --ip X:X:X:X::/X vSwifName

Enabling or disabling IPv6 on vSphere ESXi 5.x

In ESXi 5.x, you can use the esxcli commands from the command line to enable/disable IPv6. This allows you to restart the ESXi host later, instead of forcing you to restart it immediately.

To determine if IPv6 is currently enabled, run this command:

ESXi 5.0/5.1:

esxcli system module parameters list -m tcpip3
 
ESXi 5.5:

esxcli system module parameters list -m tcpip4

This command returns one of these values:

  • 1 – Indicates that IPv6 is enabled
  • 0 – Indicates that IPv6 is disabled

To disable IPv6, run this command:
 
ESXi 5.0/5.1:

esxcli system module parameters set -m tcpip3 -p ipv6=0

ESXi 5.5:

esxcli system module parameters set -m tcpip4 -p ipv6=0

Alternatively, to enable IPv6, set ipv6 to 1.
 

Configuring IPsec for IPv6 on vSphere ESX/ESXi 4.1

Internet Protocol Security (IPsec) secures IP communications coming from and arriving at an ESX/ESXi host. VMware vSphere ESX/ESXi 4.1 supports IPsec using IPv6 with manual key exchange for VMkernel network interfaces only.

When IPsec is enabled on a host, authentication and encryption of incoming and outgoing packets is performed. When and how IP traffic is encrypted depends on configuration of the system's security associations and policies. For more information, see the Internet Protocol Security section of the ESX/ESXi Server Configuration Guide.

Configuration can be performed from the ESX/ESXi host console using the esxcfg-ipsec command, or remotely via the vSphere Command-Line Interface using the vicfg-ipsec command. Configuration of IPsec cannot be performed using the vSphere Client. The two commands have the same syntax, and only vicfg-ipsec is used in subsequent examples. For more information, see the vSphere Command-Line Interface documentation and the vicfg-ipsec command reference.

  • To add a Security Association (SA), use the command:

    vicfg-ipsec <connection_options> --add-sa --sa-src x:x::/x --sa-dst x:x::/x --sa-mode transport --ealgo null --spi 0x200 --ialgo hmac-sha1 --ikey key SAName

  • To add a Security Policy (SP), use the command:

    vicfg-ipsec <connection_options> --add-sp --sp-src x:x::/x --sp-dst x:x::/x --src-port 100 --dst-port 200 --ulproto tcp --dir out --action ipsec --sp-mode transport --sa-name SAName SPName

    For example, to add a generic security policy with default options:

    vicfg-ipsec <connection_options> --add-sp --sp-src any --sp-dst any --src-port any --dst-port any --ulproto any --dir out --action ipsec --sp-mode transport --sa-name SAName SPName

    For example, to add a security policy to filter traffic like a firewall:

    vicfg-ipsec <connection_options> --add-sp --sp-src x:x::/x --sp-dst x:x::/x --src-port 100 --dst-port 200 --ulproto tcp --dir out --action discard SPName

  • To list the defined Security Associations and Security Policies, use the commands:

    vicfg-ipsec <connection_options> --list-sa
    vicfg-ipsec <connection_options> --list-sp

  • To delete a defined Security Association or Security Policy, use the commands:

    vicfg-ipsec <connection_options> --remove-sa SAName
    vicfg-ipsec <connection_options> --remove-sp SPName
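
The --add-sa example above uses --ealgo null, which authenticates packets but does not encrypt them. The following script is an added example, not part of the original article: it generates random keys of the correct length and prints one encrypted --add-sa command per traffic direction. The --ekey option and the aes128-cbc value are taken from the vicfg-ipsec command reference rather than this page; the addresses, SPIs and SA names are constructed.

```shell
#!/bin/sh
# Added example: build a matched pair of manual-key IPsec SAs for two hosts.
# Assumptions: --ekey and aes128-cbc come from the vicfg-ipsec reference (not
# shown on this page); addresses, SPIs and SA names below are constructed.

# gen_key_hex N: print N random bytes as a 0x-prefixed hex string.
gen_key_hex() {
    printf '0x%s\n' "$(head -c "$1" /dev/urandom | od -An -tx1 | tr -d ' \n')"
}

# valid_spi SPI: accept 0x-prefixed hex, at most 32 bits, above 255
# (SPI values 0-255 are reserved).
valid_spi() {
    case "$1" in
        0x|0x*[!0-9a-fA-F]*) return 1 ;;
        0x*) [ ${#1} -le 10 ] && [ $(($1)) -gt 255 ] ;;
        *) return 1 ;;
    esac
}

# sa_cmd SRC DST SPI NAME: print one --add-sa command with fresh keys.
# aes128-cbc takes a 16-byte key, hmac-sha1 a 20-byte key.
sa_cmd() {
    valid_spi "$3" || { echo "bad SPI: $3" >&2; return 1; }
    printf 'vicfg-ipsec <connection_options> --add-sa --sa-src %s --sa-dst %s' "$1" "$2"
    printf ' --sa-mode transport --spi %s --ealgo aes128-cbc --ekey %s' "$3" "$(gen_key_hex 16)"
    printf ' --ialgo hmac-sha1 --ikey %s %s\n' "$(gen_key_hex 20)" "$4"
}

# sa_pair A B: one SA per direction, each with its own SPI and keys.
# Manual keying means both peers must be given identical SPI and key values.
sa_pair() {
    sa_cmd "$1" "$2" 0x1001 sa_a_to_b &&
    sa_cmd "$2" "$1" 0x1002 sa_b_to_a
}

# Constructed documentation-range addresses, in the page's x:x::/x form.
sa_pair 2001:db8:0:1::10/128 2001:db8:0:1::20/128
```

The printed commands contain the keys in clear text, so treat the output, and any shell history that captures it, as secret material.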

Additional Information

The Internet Engineering Task Force has designated IPv6 as the successor to IPv4. The adoption of IPv6, both as a standalone protocol and in a mixed environment with IPv4, is rapidly increasing. With IPv6, you can use vSphere features in an IPv6 environment.

A major difference between IPv4 and IPv6 is address length. IPv6 uses a 128-bit address rather than the 32-bit addresses used by IPv4. This helps alleviate the problem of address exhaustion that is present with IPv4 and eliminates the need for network address translation (NAT). Other notable differences include link-local addresses that appear as the interface is initialized, addresses that are set by router advertisements, and the ability to have multiple IPv6 addresses on an interface.

An IPv6-specific configuration in vSphere involves providing IPv6 addresses, either by entering static addresses or by using an automatic address configuration scheme for all relevant vSphere networking interfaces.

For more information, see the Advanced Networking: Internet Protocol Version 6 section of the ESX/ESXi 4.1 Configuration Guide.

Update History

11/16/2012 - Added commands for ESXi 5.x
