Dell POWEREDGE M1000E User Manual

482

Fabric OS Command Reference

53-1002746-01

ipSecConfig

2

-mode tunnel | transport

Specifies the IPSec transform mode. In tunnel mode, the IP datagram is fully
encapsulated by a new IP datagram using the IPSec protocol. In transport
mode, only the payload of the IP datagram is handled by the IPSec protocol
inserting the IPSec header between the IP header and the upper-layer
protocol header.

-sa-proposal name

Specifies the SA proposal to be included in the transform. You must create
the SA proposal first before you can include it in the transform. Use
ipsecConfig --show policy ips sa-proposal -a for a listing of existing SA
proposals.

-action discard | bypass | protect

Specifies the protective action the transform should take regarding the traffic
flows.

-ike name

Specifies the IKE policy to be included in the transform. This operand is
optional. Use ipsecConfig --show policy ike -a for a listing of existing IKE
policies.

-local IP_address[/prefixlength]

Specifies the source IPv4 or IPv6 address. This operand is optional. If a local
source IP address is defined, a remote peer IP address must also be defined.

-remote IP_address[/prefixlength]

Specifies the peer IPv4 or IPv6 address. This operand is optional. If a remote
peer IP address is defined, a local source IP address must also be defined.

sa-proposal

Defines the security associations (SA) proposal, including name, SAs to be
included and lifetime of the proposal. The following operands are supported:

-tag name

Specifies a name for the SA proposal. This is a user-generated name. The
name must be between 1 and 32 characters in length, and may include
alphanumeric characters, dashes (-), and underscores (_).

-sa name[,name]

Specifies the SAs to include in the SA proposal. The bundle consists of one
or two SA names, separated by commas. For SA bundles, [AH, ESP] is the
supported combination. The SAs must be created prior to being included in
the SA proposal. This operand is required.

-lttime number

Specifies the SA proposal's lifetime in seconds. This operand is optional. If a
lifetime is not specified, the SA does not expire. If lifetime is specified both in
seconds and in bytes, the SA expires when the first expiration criterion is met.

-ltbyte number

Specifies the SA proposal's lifetime in bytes. The SA expiries after the
specified number of bytes have been transmitted. This operand is optional.

sa

Defines the Security Association. An SA specifies the IPSec protocol (AH or
ESP), the algorithms used for encryption and authentication, and the
expiration definitions used in security associations of the traffic. IKE uses
these values in negotiations to create IPSec SAs.

You cannot modify an SA once it is created. Use ipsecConfig --flush
manual-sa to remove all SA entries from the kernel SA database (SADB)
and start over.