A number of new enhancements around Microsoft Clustering Services (MSCS) have been introduced in vSphere 5.5. I wanted to cover those in this post as I know many of you continue to use MSCS for service availability in your vSphere environments.
Hmm, it seems to be the week that’s in it for storage issues. After publishing the DELL EQL & VMFS issue earlier this week, I have now been given a heads-up on an EMC VNXe & iSCSI issue. The symptoms are ESXi hosts being unable to boot from an iSCSI LUN on the VNXe or ESXi hosts losing connectivity to iSCSI datastores.
A little while ago, I researched a support statement regarding Software iSCSI & IPsec. After digging around a bit, I found out that the answer was no, it is not supported since we have not yet done a complete set of tests on this combination of products/features.
However, in the course of my research, I came across some conflicting support statements about Software iSCSI & IPv6.
- KB article 1010812 – IPv6 Storage (Software iSCSI and NFS) is experimental in ESX 4.0
- KB article 1021769 – VMware vSphere ESX/ESXi 4.1 supports IPv6 for use with the Service Console and VMkernel management interfaces, and is compatible with Software iSCSI, vMotion, High Availability (HA) and Fault Tolerance (FT). Note: IPv6 is not supported for a dependent hardware iSCSI adapter or with TCP Checksum Offload.
- And in the vSphere 5.1 Storage Guide, page 78, it states that ESXi does not support IPv6 with software iSCSI and dependent hardware iSCSI.
It appears we went from experimental, to supported to not supported. Really?
This came up in a conversation today. Does VMware’s Software iSCSI implementation support Internet Protocol Security (IPsec) in vSphere 5.1? Internet Protocol Security (IPsec) secures IP communications coming from and arriving at an ESXi host.
Although KB article 1021769 states that IPv6 is compatible with Software iSCSI, it doesn’t state whether or not IPsec is supported with Software iSCSI. To find this information, you have to reach for the vSphere Security Guide. Under the section ‘Securing iSCSI Devices Through Authentication’, it states:
ESXi does not support Kerberos, Secure Remote Protocol (SRP), or public-key authentication methods for iSCSI. Additionally, it does not support IPsec authentication and encryption.
Therefore the answer is no, Software iSCSI currently does not support IPsec at this time.
Get notification of these blogs postings and more VMware Storage information by following me on Twitter: @VMwareStorage