
Monday, November 26, 2012

Configuring IPv6 and IPsec on vSphere ESX, ESXi 4.1 and ESXi 5.x

VMware vSphere ESX/ESXi 4.1 supports IPv4 and IPv6, though IPv6 support is disabled by default. This article provides steps to enable IPv6, and optionally configure IPsec for IPv6 VMkernel traffic.

VMware vSphere ESX/ESXi 4.1 supports IPv6 for use with the Service Console and VMkernel management interfaces, and is compatible with Software iSCSI, vMotion, High Availability (HA) and Fault Tolerance (FT).
Note: IPv6 is not supported for a dependent hardware iSCSI adapter or with TCP Checksum Offload.

Enabling IPv6 on vSphere ESX/ESXi 4.1

IPv6 support can be enabled or disabled on a vSphere ESX/ESXi 4.1 host using the vSphere Client, the host console, or the vSphere Command-Line Interface (vCLI). Enabling IPv6 requires a reboot to take effect.
To enable IPv6 using the vSphere Client:
  1. Connect to the host or vCenter Server using the vSphere Client.
  2. Select the host in the inventory and click the Configuration tab.
  3. Under the Hardware section, click the Networking link.
  4. In the Virtual Switch view, click the top-level Properties link.
  5. Select Enable IPv6 support on this host system.
  6. Click OK.
  7. Reboot the host for changes to take effect.

    Note: To disable IPv6, deselect the checkbox and reboot.
To enable IPv6 using the console or vCLI commands:
  1. Open a console to the ESX or ESXi host, or to the location where the vCLI is installed. For more information, see:
  2. Enable IPv6 support on the VMkernel network interfaces using one of the commands:

    • At the console: esxcfg-vmknic --enable-ipv6 true
    • Using the vCLI: vicfg-vmknic --enable-ipv6 true

  3. For ESX only, additionally enable IPv6 support for the Service Console network interfaces using the command:

    • At the console: esxcfg-vswif --enable-ipv6 true

  4. Reboot the host for the changes to take effect.

    Note: To disable IPv6, replace true with false in the commands and reboot.

Configuring IPv6 interface addresses on vSphere ESX/ESXi 4.1

IPv6 addresses can be configured for VMkernel and Service Console network interfaces using the vSphere Client or using the command line.
To set an IPv6 address using the vSphere Client, see VMkernel Networking Configuration and Service Console Configuration in the ESX/ESXi 4.1 Configuration Guide.
To set an IPv6 address for a VMkernel network interface using the console or vCLI, use one of the commands:
esxcfg-vmknic --ip X:X:X:X::/X PortgroupName
vicfg-vmknic --ip X:X:X:X::/X PortgroupName
To set an IPv6 address for a Service Console network interface using the console, use the command:
esxcfg-vswif --ip X:X:X:X::/X vSwifName

Enabling or disabling IPv6 on vSphere ESXi 5.x

In ESXi 5.x, you can use esxcli commands to enable or disable IPv6. The change takes effect at the next reboot, so you can restart the ESXi host later instead of having to restart it immediately.
To determine whether IPv6 is currently enabled, run this command:

esxcli system module parameters list -m tcpip3

This command returns one of these values:
  • 1 – Indicates that IPv6 is enabled
  • 0 – Indicates that IPv6 is disabled
To disable IPv6, run this command:

esxcli system module parameters set -m tcpip3 -p ipv6=0

Alternatively, to enable IPv6, set ipv6 to 1.
 

Configuring IPsec for IPv6 on vSphere ESX/ESXi 4.1

Internet Protocol Security (IPsec) secures IP communications coming from and arriving at an ESX/ESXi host. VMware vSphere ESX/ESXi 4.1 supports IPsec using IPv6 with manual key exchange for VMkernel network interfaces only.
When IPsec is enabled on a host, incoming and outgoing packets are authenticated and encrypted. When and how IP traffic is protected depends on the configuration of the system's security associations and security policies. For more information, see the Internet Protocol Security section of the ESX/ESXi Server Configuration Guide.
Configuration can be performed from the ESX/ESXi host console using the esxcfg-ipsec command, or remotely via the vSphere Command-Line Interface using the vicfg-ipsec command. Configuration of IPsec cannot be performed using the vSphere Client. The two commands have the same syntax, and only vicfg-ipsec is used in subsequent examples. For more information, see the vSphere Command-Line Interface documentation and the vicfg-ipsec command reference.
  • To add a Security Association (SA), use the command:

    vicfg-ipsec --add-sa --sa-src x:x::/x --sa-dst x:x::/x --sa-mode transport --ealgo null --spi 0x200 --ialgo hmac-sha1 --ikey key SAName

  • To add a Security Policy (SP), use the command:

    vicfg-ipsec --add-sp --sp-src x:x::/x --sp-dst x:x::/x --src-port 100 --dst-port 200 --ulproto tcp --dir out --action ipsec --sp-mode transport --sa-name SAName SPName

    For example, to add a generic security policy with default options:

    vicfg-ipsec --add-sp --sp-src any --sp-dst any --src-port any --dst-port any --ulproto any --dir out --action ipsec --sp-mode transport --sa-name SAName SPName

    For example, to add a security policy to filter traffic like a firewall:

    vicfg-ipsec --add-sp --sp-src x:x::/x --sp-dst x:x::/x --src-port 100 --dst-port 200 --ulproto tcp --dir out --action discard SPName

  • To list the defined Security Associations and Security Policies, use the commands:

    vicfg-ipsec --list-sa
    vicfg-ipsec --list-sp
  • To delete a defined Security Association or Security Policy, use the commands:

    vicfg-ipsec --remove-sa SAName
    vicfg-ipsec --remove-sp SPName
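As an added example (not the article's or VMware's code), the following POSIX shell dry run assembles a complete manual-key IPsec configuration from the vicfg-ipsec flags shown above and refuses to emit an SA whose key does not fit the integrity algorithm, so a literal placeholder such as "key" is never configured; it goes beyond the article by emitting both directions, since each security association and security policy covers one direction only. The key sizes for hmac-sha1 (20 bytes) and hmac-sha2-256 (32 bytes), and the 0x-prefixed hex key syntax, are assumptions taken from the vicfg-ipsec reference; the addresses and keys are constructed test values.

```shell
#!/bin/sh
# Added example, not from the original article: build a manual-key IPsec plan
# for an IPv6 VMkernel path. Commands are printed, not run, for review first.
# Assumed: hmac-sha1 needs a 20-byte key, hmac-sha2-256 a 32-byte key, as 0x-hex.

# ikey_bytes ALGO -> required integrity key length in bytes (0 = unsupported)
ikey_bytes() {
    case "$1" in
        hmac-sha1)     echo 20 ;;
        hmac-sha2-256) echo 32 ;;
        *)             echo 0 ;;
    esac
}

# valid_hex_key KEY BYTES -> succeeds only for "0x" plus exactly BYTES*2 hex digits
valid_hex_key() {
    case "$1" in 0x*) hex=${1#0x} ;; *) return 1 ;; esac
    [ ${#hex} -eq $(( $2 * 2 )) ] || return 1
    case "$hex" in *[!0-9a-fA-F]*) return 1 ;; esac
    return 0
}

# sa_cmd NAME SRC DST SPI IALGO IKEY -> --add-sa line; fails on a non-hex SPI,
# an unsupported algorithm, or a key of the wrong size for that algorithm
sa_cmd() {
    case "$4" in 0x[0-9a-fA-F]*) ;; *) return 1 ;; esac
    bytes=$(ikey_bytes "$5")
    [ "$bytes" -gt 0 ] || return 1
    valid_hex_key "$6" "$bytes" || return 1
    # --ealgo null as in the article: packets are authenticated, not encrypted
    printf 'vicfg-ipsec --add-sa --sa-src %s --sa-dst %s --sa-mode transport --ealgo null --spi %s --ialgo %s --ikey %s %s\n' \
        "$2" "$3" "$4" "$5" "$6" "$1"
}

# sp_cmd NAME SRC DST DIR SANAME -> --add-sp line binding one direction to an SA
sp_cmd() {
    printf 'vicfg-ipsec --add-sp --sp-src %s --sp-dst %s --src-port any --dst-port any --ulproto any --dir %s --action ipsec --sp-mode transport --sa-name %s %s\n' \
        "$2" "$3" "$4" "$5" "$1"
}

# plan LOCAL REMOTE -> SAs and SPs are one-directional, so both directions get
# their own SPI and key. Keys below are constructed test values; real ones come
# from a CSPRNG such as `openssl rand -hex 20`.
plan() {
    sa_cmd sa-out "$1" "$2" 0x200 hmac-sha1 0x0102030405060708090a0b0c0d0e0f1011121314 &&
    sa_cmd sa-in  "$2" "$1" 0x201 hmac-sha1 0x14131211100f0e0d0c0b0a090807060504030201 &&
    sp_cmd sp-out "$1" "$2" out sa-out &&
    sp_cmd sp-in  "$2" "$1" in  sa-in
}
plan 2001:db8::10/128 2001:db8::20/128
```

The SP lines use the article's generic any/any selectors; narrow --src-port, --dst-port and --ulproto to the VMkernel traffic you actually want protected.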
