Dell POWEREDGE M1000E User Manual

480

Fabric OS Command Reference

53-1002746-01

ipSecConfig

2

•

Flush existing SAs from the kernel SA database (SADB).

•

Display policy parameters.

Representation of IP addresses

When configuring IPSec policies, IP addresses and ports must be specified in the following format:

IP address

IPv4 addresses are expressed in dotted decimal notation consisting of numeric
characters (0-9) and periods (.), for example, 203.178.141.194.
IPv6 address consist of hexadecimal digits (09afAF), colons (:) and a percent sign
(%) if necessary, for example, 2001:200:0:8002:203:47ff:fea5:3085

network prefix

A network prefix is represented by a number followed by a slash (/), for example,
1/0.

NOTES

IPSec configuration changes take effect upon execution and are persistent across reboot.

The execution of this command is subject to Virtual Fabric or Admin Domain restrictions that may be in
place. Refer to Chapter 1, "Using Fabric OS Commands" and Appendix A, "Command Availability" for
details.

This command does not provide IPSec protection for traffic flows on external management interfaces of
intelligent blades in a chassis, nor does it support protection of traffic flows on FCIP interfaces.

This command does not support manipulating preshared keys corresponding to the identity of the IKE
peer or group of peers. Use secCertUtil to import, delete, or display the preshared keys in the local
switch database.

The MD5 hash algorithm is blocked when FIPS mode is enabled.

Refer to the Examples section for specific use cases and associated command sequences. Refer to the
Fabric OS Administrator's Guide for configuration procedures.

This command accepts abbreviated operands. The abbreviated string must contain the minimum number
of characters necessary to uniquely identify the operand within the set of available operands.

OPERANDS

This command has the following operands:

--enable

Enables IPSec on the switch. Existing IPSec configurations are enabled by this
command. IPSec is disabled by default. It must be enabled before you can
configure the policies and parameters. The following operand is optional:

default

Clears the existing policies (automatic key management and manual keyed
entries) and resets the configuration databases to default values.

--disable

Disables IPSec on the switch. All active TCP sessions are terminated when you
disable iPsec.

--add | --modify

Adds or modifies an IPSec or IKE policy in an existing enabled configuration. Not
all parameters can be modified. Parameters that cannot be modified are indicated
below. When modifying a policy the names and identifiers need to refer to valid
existing entities. The syntax is as follows:

--add | --modify type [subtype] [arguments]