Ipsecconfig – Dell POWEREDGE M1000E User Manual


Fabric OS Command Reference

53-1002746-01

ipSecConfig

Configures Internet Protocol security (IPSec) policies for Ethernet management interfaces.

SYNOPSIS

ipsecconfig --enable [default] --disable

ipsecconfig --add | --modify type [subtype] [arguments]

ipsecconfig --delete [type] arguments

ipsecconfig --flush manual-sa

ipsecconfig --show type [subtype] arguments

ipsecconfig --help [command_type subtype]

DESCRIPTION

Use this command to configure the Internet Protocol Security (IPSec) feature for traffic flows on switch
Ethernet management interfaces, or to display the current configuration.

Internet Protocol security (IPSec) is a framework of open standards that provides private, secure
communication over Internet Protocol (IP) networks through the use of cryptographic security services.

IPSec uses different protocols to ensure the authentication, integrity, and confidentiality of the
communication.

Encapsulating Security Payload (ESP) provides confidentiality, data integrity and data source
authentication of IP packets, and protection against replay attacks.

Authentication Header (AH) provides data integrity, data source authentication, and protection
against replay attacks, but unlike ESP, AH does not provide confidentiality.

IPSec can protect either the entire IP datagram or only the upper-layer protocols. The appropriate modes
are called tunnel mode and transport mode.

In tunnel mode the IP datagram is fully encapsulated by a new IP datagram using the IPSec
protocol.

In transport mode only the payload of the IP datagram is handled by the IPSec protocol; it inserts the
IPSec header between the IP header and the upper-layer protocol header.
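
The two encapsulations described above, as an added example that is not taken from the Fabric OS manual or the switch's implementation: it builds an AH-protected IPv4 packet in each mode and checks it the way a receiver would. AH is used because it needs no cipher; the HMAC-SHA1-96 integrity value, the key, the addresses, the SPI values and all function names are assumptions made for the illustration.

```python
import hashlib, hmac, socket, struct

AH, IPIP, TCP = 51, 4, 6            # IANA protocol numbers
KEY = bytes(range(20))              # constructed 160-bit manual key, illustration only

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """20-byte IPv4 header (no options) with a valid header checksum."""
    h = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                    socket.inet_aton(src), socket.inet_aton(dst))
    s = sum(struct.unpack("!10H", h))
    s = (s & 0xFFFF) + (s >> 16)
    s = (s & 0xFFFF) + (s >> 16)
    return h[:10] + struct.pack("!H", ~s & 0xFFFF) + h[12:]

def icv(ip_hdr, ah_fixed, covered, key):
    """HMAC-SHA1-96 over the packet with mutable IPv4 fields and the ICV zeroed."""
    h = bytearray(ip_hdr)
    h[1] = 0                        # TOS
    h[6:8] = b"\0\0"                # flags / fragment offset
    h[8] = 0                        # TTL
    h[10:12] = b"\0\0"              # header checksum
    data = bytes(h) + ah_fixed + b"\0" * 12 + covered
    return hmac.new(key, data, hashlib.sha1).digest()[:12]

def ah_wrap(ip_hdr, next_hdr, covered, spi, seq, key=KEY):
    # AH fixed part: next header, length (24 bytes = 6 words, minus 2), reserved, SPI, sequence
    ah_fixed = struct.pack("!BBHII", next_hdr, 4, 0, spi, seq)
    return ip_hdr + ah_fixed + icv(ip_hdr, ah_fixed, covered, key) + covered

def transport_mode(src, dst, proto, payload, spi, seq):
    # The IP header stays; AH is inserted between it and the upper-layer payload.
    return ah_wrap(ipv4_header(src, dst, AH, 24 + len(payload)), proto, payload, spi, seq)

def tunnel_mode(gw_src, gw_dst, datagram, spi, seq):
    # A new outer IP header is added; the entire original datagram becomes the payload.
    return ah_wrap(ipv4_header(gw_src, gw_dst, AH, 24 + len(datagram)), IPIP, datagram, spi, seq)

def verify(packet, key=KEY):
    """Receiver check: recompute the ICV and compare in constant time."""
    expected = icv(packet[:20], packet[20:32], packet[44:], key)
    return hmac.compare_digest(packet[32:44], expected)

# Constructed sample input: documentation/private addresses and a stand-in TCP segment.
SEGMENT = b"constructed upper-layer payload"
INNER = ipv4_header("10.0.0.5", "10.0.1.9", TCP, len(SEGMENT)) + SEGMENT
TRANSPORT = transport_mode("10.0.0.5", "10.0.1.9", TCP, SEGMENT, spi=0x100, seq=1)
TUNNEL = tunnel_mode("192.0.2.1", "198.51.100.1", INNER, spi=0x200, seq=1)
```

In TRANSPORT the AH next-header byte names the upper-layer protocol (6); in TUNNEL it is 4 (IP-in-IP) and the original header, inner addresses included, sits inside the protected region.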

The IPSec key management supports Internet Key Exchange (IKE) or Manual key/SA entry.

In IKE the IPSec protocol negotiates shared security parameters and keys. Security Associations
(SAs) used in IKE use automatically generated keys for authentication negotiation between peers.

Manual key/SA entry requires the keys to be generated and managed manually, and it is therefore
suited for small static environments. For the selected authentication or encryption algorithms, the
correct keys must be generated. The key length is determined by the algorithm selected. Refer to
the Fabric OS Administrator's Guide for more information.

The following IPSec configuration tasks can be performed with this command:

Enable or disable the IPSec policies.

Configure IP addresses in both IPv4 and IPv6 formats.

Configure three types of policies and their respective components:

- IPSec policy including selector, transform, SA-proposal, and SA.

- IKE policy (automatic key management).

- Manual SA (manual SA management).

Modify existing IPSec and IKE policies.

Delete existing policies and SAs from the configuration database.
