Dell POWEREDGE M1000E User Manual

Page 518

Advertising
background image

490

Fabric OS Command Reference

53-1002746-01

ipSecConfig

2

3.

Create an IPSec proposal IPSEC-ESP to use ESP01 as the SA.

switch:admin> ipsecconfig --add policy ips sa-proposal \
-t IPSEC-ESP -sa ESP01

4.

Configure the SA proposal lifetime in seconds.

switch:admin> ipsecconfig --add policy ips sa-proposal \
-t IPSEC-ESP -lttime 280000 -sa ESP01

5.

Import the public key for the BROCADE300 (Brocade300.pem), the private key for BROCADE300
(Brocade300-key.pem), and the public key of the external host (remote-peer.pem) in X.509 PEM
format from the remote certificate server (10.6.103.139).

switch:admin> seccertutil import -ipaddr 10.103.6.139 \
-remotedir /root/certs -certname Brocade300.pem

switch:admin> seccertutil import -ipaddr 10.103.6.139 \
-remotedir /root/certs -certname Brocade300-key.pem

switch:admin> seccertutil import -ipaddr 10.103.6.139 \
-remotedir /root/certs -certname remote-peer.pem

6.

Import the CA certificate that was used to sign the public certificates of BROCADE300 and the
remote peer as IPSECCA.pem.

switch:admin> seccertutil import -ipaddr 10.103.6.139 \
-remotedir /root/certs -certname IPSECCA.pem

7.

Configure an IKE policy for the remote peer UNIX host.

switch:admin> ipsecconfig --add policy ike -t IKE01 -remote \
fe80::205:1fff:fe51:f09e -id fe80::220:1aff:fe34:2e82 \
-remoteid fe80::205:1fff:fe51:f09e \
-enc 3des_cbc -hash hmac_md5 -prf hmac_md5 -auth rsasig \
-dh modp1024 -pubkey "Brocade300.pem" \
-privkey "Brocade300-key.pem" -peerpubkey "remote-peer.pem"

8.

Create an IPSec transform TRANSFORM01 to use transport mode to protect traffic identified for
IPSec protection and use IKE01 as the key management policy.

switch:admin> ipsecconfig --add policy ips transform \
-t TRANSFORM01 -mode transport -sa-proposal IPSEC-ESP \
-action protect -ike IKE01

9.

Create traffic selectors to select outbound and inbound TCP traffic that needs to be protected.

switch:admin> ipsecconfig --add policy ips selector \
-t SELECTOR-OUT -d out -l fe80::220:1aff:fe34:2e82 \
-r fe80::205:1fff:fe51:f09e \
-protocol "tcp" -transform TRANSFORM01

switch:admin> ipsecconfig --add policy ips selector \
-t SELECTOR-IN -d in -l fe80::205:1fff:fe51:f09e -r \
fe80::220:1aff:fe34:2e82 -protocol "tcp" -t transform TRANSFORM01

10. Verify the IPSec SAs using ipSecConfig --show manual-sa -a. Refer to the "IPSec display

commands" section for an example.

11. Perform the equivalent steps on the remote peer to complete the IPSec configuration. Refer to your

server administration guide for instructions.

Advertising
Popular Brands
Popular manuals