Brocade Fabric OS Administrators Guide (Supporting Fabric OS v7.3.0) User Manual

Page 252

Advertising
background image

For more information on importing the pre-shared key file, refer to

Installing a switch certificate

on

page 181.

7. Configure an IKE policy for the remote peer.

switch:admin> ipsecconfig --add policy ike -t IKE01 -remote 10.33.69.132

-id 10.33.74.13 -remoteid 10.33.69.132 -enc 3des_cbc -hash hmac_md5

-prf hmac_md5 -auth psk -dh modp1024 -psk ipseckey.psk

NOTE
IKE version (‘-v’ option) needs to be set to 1 (IKEv1) if remote peer is a Windows XP or 2000 Host
as Windows XP and 2000 do not support IKEv2.

8. Create an IPsec transform named TRANSFORM01 to use transport mode to protect traffic identified

for IPsec protection and use IKE01 as key management policy.

switch:admin> ipsecconfig --add policy ips transform -t TRANSFORM01

-mode transport -sa-proposal IPSEC-AH -action protect -ike IKE01

9. Create traffic selectors to select the outbound and inbound traffic that needs to be protected.

switch:admin> ipsecconfig --add policy ips selector -t SELECTOR-OUT -d out

-l 10.33.74.13 -r 10.33.69.132 -transform TRANSFORM01

switch:admin> ipsecconfig --add policy ips selector -t SELECTOR-IN -d in

-l 10.33.69.132 -r 10.33.74.13 -transform TRANSFORM01

10.Verify the IPsec SAs created with IKE using the ipSecConfig --show manual-sa -a command.
11.Perform the equivalent steps on the remote peer to complete the IPsec configuration. Refer to your

server administration guide for instructions.

12.Generate IP traffic and verify that it is protected using defined policies.

a)

Initiate Telnet or SSH or ping session from BRCD300 to Remote Host.

b)

Verify that the IP traffic is encapsulated.

c)

Monitor IPsec SAs created using IKE for the above traffic flow.

• Use the ipSecConfig --show manual-sa -a command with the operands specified to

display the outbound and inbound SAs in the kernel SADB.

• Use the ipSecConfig --show policy ips sa -a command with the specified operands to

display all IPsec SA policies.

• Use the ipSecConfig --show policy ips sa-proposal -a command with the specified

operands to display IPsec proposals.

• Use the ipSecConfig --show policy ips transform -a command with the specified

operands to display IPsec transforms.

• Use the ipSecConfig --show policy ips selector -a command with the specified

operands to display IPsec traffic selectors.

• Use the ipSecConfig --show policy ike -a command with the specified operands to

display IKE policies.

• Use the ipSecConfig --flush manual-sa command with the specified operands to flush

the created SAs in the kernel SADB.

ATTENTION

Flushing SAs requires IPsec to be disabled and re-enabled. This operation is disruptive to
traffic using the tunnel.

Configuring Security Policies

252

Fabric OS Administrators Guide

53-1003130-01

Advertising
Popular Brands
Popular manuals