Hello,
I have an operating system running inside VMWare ESXi 5.1. Let's call it "MyLinux". It's a modified version of Linux which does not support IPSec. So I'm trying to get VMWare to handle IPSec for MyLinux.
I've used esxcli commands to successfully create IPSec configurations between VMWare itself and other systems.
However, I'm wondering if I can use the same esxcli commands to configure IPSec between MyLinux and other systems? In my tests, VMWare does not appear to perform IPSec tunneling of data between running virtual machines and other systems.
This is an illustration of the configuration I created for MyLinux in VMWare. I also created a security policy which is not shown.
Name                 Source Address         Destination Address    State   SPI    Mode       Encryption Algorithm  Integrity Algorithm  Lifetime
-------------------  ---------------------  ---------------------  ------  -----  ---------  --------------------  -------------------  --------
MyLinuxToExternalSA  MyLINUX.IPv6.ADDRESS   EXTERNAL.IPv6.ADDRESS  mature  0x300  transport  3des-cbc              hmac-sha2-256        infinite
ExternalToMyLinuxSA  EXTERNAL.IPv6.ADDRESS  MyLINUX.IPv6.ADDRESS   mature  0x256  transport  3des-cbc              hmac-sha2-256        infinite
When I captured a TCP trace of a ping between MyLinux and the external system, MyLinux never sent IPSec packets. Everything was sent in the clear. This suggests VMWare does not apply the rule to MyLinux, but I would like to confirm. Thanks.
Kwabena
When you configure IPSec on ESXi you secure the VMkernel traffic, not the virtual machine traffic... if you want to protect the virtual machine traffic, you will need to enable IPSec on the guest OS.
Here is more info about IPSec on ESXi: VMware KB: Configuring IPv6 and IPsec on vSphere ESX, ESXi 4.1 and ESXi 5.x
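The answer above is the whole story: an ESXi IPsec SA only ever matches traffic whose endpoint is one of the host's own VMkernel (vmk) addresses, so an SA keyed on a guest's address sits "mature" in the table and never encrypts anything. The following is an added example, not code from this thread or from VMware: a small POSIX shell check that cross-references an SA list against the host's vmk IPv6 addresses and names every SA that can never match VMkernel traffic. The two tables are constructed sample text modelled on the output of `esxcli network ip interface ipv6 address list` and `esxcli network ip ipsec sa list` (the exact column layout on a real host may differ, and all addresses here are made up).

```shell
#!/bin/sh
# Constructed sample of `esxcli network ip interface ipv6 address list` output.
# Assumption: the second column is the interface address.
VMK_ADDRS='Interface  Address                Netmask  Type    Status
---------  ---------------------  -------  ------  ---------
vmk0       fd00:10::5             64       STATIC  PREFERRED
vmk0       fe80::250:56ff:fe00:1  64       STATIC  PREFERRED'

# Constructed sample of `esxcli network ip ipsec sa list` output.
# fd00:10::20 stands for the guest (MyLinux) address, fd00:10::5 for the host's vmk0.
SA_LIST='Name                 Source Address  Destination Address  State   SPI    Mode       Encryption Algorithm  Integrity Algorithm  Lifetime
-------------------  --------------  -------------------  ------  -----  ---------  --------------------  -------------------  --------
MyLinuxToExternalSA  fd00:10::20     fd00:20::1           mature  0x300  transport  3des-cbc              hmac-sha2-256        infinite
ExternalToMyLinuxSA  fd00:20::1      fd00:10::20          mature  0x256  transport  3des-cbc              hmac-sha2-256        infinite
HostToExternalSA     fd00:10::5      fd00:20::1           mature  0x400  transport  aes128-cbc            hmac-sha1            3600'

# unmatched_sas VMK_TABLE SA_TABLE
# Prints, one per line, the name of every SA whose source and destination are
# both non-VMkernel addresses. Such an SA protects nothing on this host: the
# ESXi IPsec stack only sees VMkernel traffic, never the guests' frames.
unmatched_sas() {
    vmk_table=$1
    sa_table=$2
    # Feed both tables through one awk pass, separated by a lone "---" line.
    printf '%s\n' "$vmk_table" "---" "$sa_table" | awk '
        # Section 1: interface rows begin with "vmk"; remember each address.
        !sep && /^vmk/ { addr[$2] = 1; next }
        /^---$/        { sep = 1; next }
        # Section 2: SA rows; skip the header line and the dashed underline.
        sep && NF >= 3 && $1 != "Name" && $1 !~ /^-/ {
            if (!($2 in addr) && !($3 in addr)) print $1
        }'
}

# Stand-alone run: lists the two guest-keyed SAs from the sample, not the host one.
unmatched_sas "$VMK_ADDRS" "$SA_LIST"
```

On a live host the two tables would come from `esxcli network ip interface ipv6 address list` and `esxcli network ip ipsec sa list` instead of the constructed strings. A name appearing in the output is the symptom the question describes: the SA is accepted by esxcli and shows as mature, yet a capture of the guest's traffic shows plaintext, because the policy is evaluated for the VMkernel interfaces only.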
Thank you for the information.