Configuring IPv6 and IPsec on vSphere ESX, ESXi 4.1, 5.x and 6.0

Article ID: 311255


Products

VMware vSphere ESXi

Issue/Introduction

VMware vSphere ESX/ESXi 4.1 supports IPv4 and IPv6, though IPv6 support is disabled by default. This article provides steps to enable IPv6 and to configure IPsec for IPv6 VMkernel traffic.

For more information, see the Advanced Networking: Internet Protocol Version 6 section in the ESX/ESXi 4.1 Configuration Guide.
 
IPv6 is disabled by default in ESXi 5.0, and enabled by default in ESXi 5.1, 5.5 and 6.0. For more information, see the Enable or Disable IPv6 Support on a Host by Using the vSphere Web Client section in the vSphere Networking Guide.



Environment

VMware ESXi 4.1.x Installable
VMware ESXi 4.1.x Embedded
VMware vSphere ESXi 6.0
VMware vSphere ESXi 5.1
VMware ESX 4.1.x
VMware vSphere ESXi 5.5
VMware vSphere ESXi 5.0

Resolution

VMware vSphere ESX/ESXi 4.1 supports IPv6 for use with the Service Console and VMkernel management interfaces, and is compatible with vMotion, High Availability (HA) and Fault Tolerance (FT).

Notes:

  • IPv6 should be considered experimental when used for iSCSI purposes in ESX/ESXi 4.x and 5.x.
  • IPv6 is not supported for use with iSCSI in ESXi 5.1 and ESXi 5.5. For more information, see the ESXi iSCSI SAN Restrictions section in the vSphere Storage Guide.
  • IPv6 cannot be used with dependent hardware iSCSI initiators in conjunction with TCP Checksum Offload.

Enabling IPv6 on vSphere ESX/ESXi 4.1

IPv6 support can be enabled or disabled on a vSphere ESX/ESXi 4.1 host using the vSphere Client, the console, or the vSphere Command-Line Interface. Enabling IPv6 requires a restart to take effect.

To enable IPv6 using the vSphere Client:

  1. Connect to the host or vCenter Server using the vSphere Client.
  2. Select the host in the inventory and click the Configuration tab.
  3. Under the Hardware section, click Networking.
  4. In the Virtual Switch view, click the top-level Properties.
  5. Select Enable IPv6 support on this host system.
  6. Click OK.
  7. Restart the host for changes to take effect.

    Note: To disable IPv6, deselect the checkbox and restart.

To enable IPv6 using the console or vCLI commands:

  1. Open a console to the ESX or ESXi host, or to the location the vCLI is installed. For more information, see:
  2. Enable IPv6 support on the VMkernel network interfaces by running one of these commands:

    • At the console: esxcfg-vmknic --enable-ipv6 true
    • Using the vCLI: vicfg-vmknic connection_options --enable-ipv6 true

  3. For ESX only, additionally enable IPv6 support for the Service Console network interfaces by running this command:

    • At the console: esxcfg-vswif --enable-ipv6 true

  4. Restart the host for the changes to take effect.

    Note: To disable IPv6, replace true with false in the commands and restart.

Enabling IPv6 on vSphere ESX/ESXi 5.5 and 6.0

To enable IPv6 in ESXi 5.5 and 6.0:

  1. In the vSphere Web Client, navigate to the host.
  2. In the Manage tab, click Networking and select Advanced.
  3. Click Edit.
  4. In the IPv6 support option, enable or disable IPv6 support.
  5. Click OK.
  6. Reboot the host to apply the changes in the IPv6 support.

Configuring IPv6 interface addresses on vSphere ESX/ESXi 4.1

IPv6 addresses can be configured for VMkernel and Service Console network interfaces using the vSphere Client or using the command line.

To set an IPv6 address using the vSphere Client, see the VMkernel Networking Configuration and Service Console Configuration section in the ESX/ESXi 4.1 Configuration Guide.

Set an IPv6 address for a VMkernel network interface using the console or vCLI by running one of these commands:

esxcfg-vmknic --ip X:X:X:X::/X PortgroupName

vicfg-vmknic connection_options --ip X:X:X:X::/X PortgroupName

Set an IPv6 address for a Service Console network interface using the console by running this command:

esxcfg-vswif --ip X:X:X:X::/X vSwifName

Configuring IPsec for IPv6 on vSphere ESXi 5.x and 6.0

Internet Protocol Security (IPsec) secures IP communications coming from and arriving at a host. ESXi hosts support IPsec using IPv6.

After you set up IPsec on a host, you enable authentication and encryption of incoming and outgoing packets. The time and the method of IP traffic encryption depend on the method you use to set up the security associations and the security policies of the system. For more information, see the vSphere Security Guide.

Configuration is performed from the ESXi host console or remotely through the vSphere Command-Line Interface using the esxcli network ip ipsec command. Configuration of IPsec cannot be performed using the vSphere Client. For more information, see the vSphere Command-Line Interface documentation.

  • Add a Security Association (SA) by running this command:

    esxcli network ip ipsec sa add --sa-source x:x::/x --sa-destination x:x::/x --sa-mode transport --sa-spi 0x1000 --encryption-algorithm Algorithm --encryption-key Encryption_Key --integrity-algorithm hmac-sha1 --integrity-key 0x6970763672656164796c6f67736861316f757432 --sa-name security_association_name

  • Add a Security Policy (SP) by running this command:

    esxcli network ip ipsec sp add --sp-source=x:x::/x --sp-destination=x:x::/x --source-port=port --destination-port=port --upper-layer-protocol=tcp --flow-direction=out --action=ipsec --sp-mode=transport --sa-name=security_association_name --sp-name=security_policy_name

  • List the defined Security Associations and Security Policies by running these commands:

    esxcli network ip ipsec sa list
    esxcli network ip ipsec sp list


  • Delete a defined Security Association or Security Policy by running these commands:

    esxcli network ip ipsec sa remove --sa-name security_association_name
    esxcli network ip ipsec sp remove --sp-name security_policy_name

Configuring IPsec for IPv6 on vSphere ESX/ESXi 4.1

Internet Protocol Security (IPsec) secures IP communications coming from and arriving at an ESX/ESXi host. VMware vSphere ESX/ESXi 4.1 supports IPsec using IPv6 with manual key exchange for VMkernel network interfaces only.

When IPsec is enabled on a host, authentication and encryption of incoming and outgoing packets is performed. When and how IP traffic is encrypted depends on configuration of the system's security associations and policies. For more information, see the Internet Protocol Security section of the ESX/ESXi Server Configuration Guide.

Configuration can be performed from the ESX/ESXi host console using the esxcfg-ipsec command, or remotely through the vSphere Command-Line Interface using the vicfg-ipsec command. Configuration of IPsec cannot be performed using the vSphere Client. The two commands have the same syntax, and only vicfg-ipsec is used in subsequent examples. For more information, see the vSphere Command-Line Interface documentation and the vicfg-ipsec command reference.

  • Add a Security Association (SA) by running this command:

    vicfg-ipsec connection_options --add-sa --sa-src x:x::/x --sa-dst x:x::/x --sa-mode transport --ealgo null --spi 0x200 --ialgo hmac-sha1 --ikey key SAName

  • Add a Security Policy (SP) by running this command:

    vicfg-ipsec connection_options --add-sp --sp-src x:x::/x --sp-dst x:x::/x --src-port 100 --dst-port 200 --ulproto tcp --dir out --action ipsec --sp-mode transport --sa-name SAName SPName

    For example, to add a generic security policy with default options:

    vicfg-ipsec connection_options --add-sp --sp-src any --sp-dst any --src-port any --dst-port any --ulproto any --dir out --action ipsec --sp-mode transport --sa-name SAName SPName

    For example, to add a security policy to filter traffic as in a firewall:

    vicfg-ipsec connection_options --add-sp --sp-src x:x::/x --sp-dst x:x::/x --src-port 100 --dst-port 200 --ulproto tcp --dir out --action discard SPName

  • List the defined Security Associations and Security Policies by running these commands:

    vicfg-ipsec connection_options --list-sa
    vicfg-ipsec connection_options --list-sp

  • Delete a defined Security Association or Security Policy by running these commands:

    vicfg-ipsec connection_options --remove-sa SAName
    vicfg-ipsec connection_options --remove-sp SPName
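
Both IPsec sections above rely on manually entered keys (--encryption-key and --integrity-key for esxcli, --ikey for vicfg-ipsec), and the integrity key printed in the esxcli example is a published sample that decodes to ASCII text. The shell example below is added here and is not VMware's code: it generates random keys, rejects malformed keys and the published sample, and prints the esxcli sa add line. The aes128-cbc choice, the key sizes, the function names and the 2001:db8:: addresses are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not VMware's code): generate and check manual IPsec keys
# before they are used with "esxcli network ip ipsec sa add".

# Integrity key printed in the article: public, and plain ASCII
# ("ipv6readylogsha1out2"), so it must never protect real traffic.
DOC_SAMPLE_KEY=0x6970763672656164796c6f67736861316f757432

# gen_key BYTES -> random key from /dev/urandom as 0x-prefixed hex
gen_key() {
    printf '0x%s\n' "$(od -An -tx1 -N "$1" /dev/urandom | tr -d ' \n')"
}

# key_bytes ALGO -> assumed key size in bytes (160-bit HMAC-SHA1 key as in
# the article's sample, 128-bit AES key); fails for other algorithms
key_bytes() {
    case "$1" in
        hmac-sha1)  echo 20 ;;
        aes128-cbc) echo 16 ;;
        *)          return 1 ;;
    esac
}

# check_key ALGO KEY -> 0 if KEY is hex of the right length and is not the
# published sample; otherwise prints the reason and returns 1
check_key() {
    want=$(key_bytes "$1") || { echo "unknown algorithm: $1"; return 1; }
    hex=$(printf %s "${2#0x}" | tr 'A-F' 'a-f')
    case "$hex" in
        *[!0-9a-f]*) echo "key is not hex"; return 1 ;;
    esac
    [ "${#hex}" -eq $((want * 2)) ] || { echo "wrong key length for $1"; return 1; }
    [ "0x$hex" != "$DOC_SAMPLE_KEY" ] || { echo "published sample key"; return 1; }
}

# sa_add_cmd SRC DST SPI NAME ENC_KEY INT_KEY -> prints the SA command using
# the article's flags, or returns 1 if either key fails check_key
sa_add_cmd() {
    check_key aes128-cbc "$5" >&2 && check_key hmac-sha1 "$6" >&2 || return 1
    printf 'esxcli network ip ipsec sa add --sa-source %s --sa-destination %s' "$1" "$2"
    printf ' --sa-mode transport --sa-spi %s --encryption-algorithm aes128-cbc' "$3"
    printf ' --encryption-key %s --integrity-algorithm hmac-sha1' "$5"
    printf ' --integrity-key %s --sa-name %s\n' "$6" "$4"
}

# Constructed sample values (2001:db8::/32 is the documentation prefix).
sa_add_cmd 2001:db8:1::10/128 2001:db8:1::20/128 0x1000 sa_host10_to_host20 \
    "$(gen_key 16)" "$(gen_key 20)"
```

An IPsec SA covers one direction only, so traffic in the reverse direction needs its own SA, and the peer must be configured with the same keys for each SA.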


Additional Information

The Internet Engineering Task Force has designated IPv6 as the successor to IPv4. The adoption of IPv6, both as a standalone protocol and in a mixed environment with IPv4, is rapidly increasing. With IPv6, you can use vSphere features in an IPv6 environment.

A major difference between IPv4 and IPv6 is address length. IPv6 uses a 128-bit address rather than the 32-bit addresses used by IPv4. This helps alleviate the problem of address exhaustion that is present with IPv4 and eliminates the need for network address translation (NAT). Other notable differences include link-local addresses that appear as the interface is initialized, addresses that are set by router advertisements, and the ability to have multiple IPv6 addresses on an interface.

An IPv6-specific configuration in vSphere involves providing IPv6 addresses, either by entering static addresses or by using an automatic address configuration scheme for all relevant vSphere networking interfaces.

For more information, see the Advanced Networking: Internet Protocol Version 6 section of the ESX/ESXi 4.1 Configuration Guide.

Configuring IPv6 on ESX 4.0.x