Example 3 – Dell POWEREDGE M1000E User Manual
Page 476
444
Fabric OS Command Reference
53-1001764-02
ipSecConfig
2
4. Configure the SA proposal lifetime in seconds.
switch:admin>
ipsecconfig --add policy ips sa-proposal -t IPSEC-ESP -lttime 280000 -sa ESP01
5. Import the public key for the BROCADE300 (Brocade300.pem), the private key for
BROCADE300 (Brocade300-key.pem), and the public key of the external host
(remote-peer.pem) in X.509 PEM format from the remote certificate server (10.6.103.139).
switch:admin>
seccertutil import -ipaddr 10.103.6.139 -remotedir /root/certs -certname \
Brocade300.pem
switch:admin>
seccertutil import -ipaddr 10.103.6.139 -remotedir /root/certs -certname \
Brocade300-key.pem
switch:admin>
seccertutil import -ipaddr 10.103.6.139 -remotedir /root/certs -certname \
remote-peer.pem
6. Import the CA certificate that was used to sign the public certificates of BROCADE300 and the
remote peer as IPSECCA.pem.
switch:admin>
seccertutil import -ipaddr 10.103.6.139 -remotedir /root/certs \
-certname IPSECCA.pem
7. Configure an IKE policy for the remote peer UNIX host.
switch:admin>
ipsecconfig --add policy ike -t IKE01 -remote fe80::205:1fff:fe51:f09e \
-id fe80::220:1aff:fe34:2e82 -remoteid fe80::205:1fff:fe51:f09e \
-enc 3des_cbc -hash hmac_md5 -prf hmac_md5 -auth rsasig -dh modp1024 \
-pubkey "Brocade300.pem" -privkey "Brocade300-key.pem" -peerpubkey "remote-peer.pem"
8. Create an IPSec transform TRANSFORM01 to use transport mode to protect traffic identified
for IPSec protection and use IKE01 as the key management policy.
switch:admin>
ipsecconfig --add policy ips transform -t TRANSFORM01 \
-mode transport -sa-proposal IPSEC-ESP -action protect -ike IKE01
9. Create traffic selectors to select outbound and inbound TCP traffic that needs to be protected.
switch:admin>
ipsecconfig --add policy ips selector -t SELECTOR-OUT \
-d out -l fe80::220:1aff:fe34:2e82 -r fe80::205:1fff:fe51:f09e \
-protocol "tcp" -transform TRANSFORM01
switch:admin>
ipsecconfig --add policy ips selector -t SELECTOR-IN \
-d in -l fe80::205:1fff:fe51:f09e -r fe80::220:1aff:fe34:2e82 \
-protocol "tcp" -t transform TRANSFORM01
10. Verify the IPSec SAs using ipSecConfig --show manual-sa -a. Refer to the
section for an example.
11. Perform the equivalent steps on the remote peer to complete the IPSec configuration. Refer to
your server administration guide for instructions.
Example 3
Secure traffic between two systems using AH with SHA1 and ESP protection with 3DES and
configure IKE with preshared keys. The two systems are a switch, BROCADE300 (IP address
10.33.74.13), and an external UNIX host (IPv4 address 10.33.69.132).
1. On the system console, log into the switch as Admin and enable IPSec.
switch:admin>
ipsecconfig --enable
2. Create an IPSec SA policy named AH01, which uses AH protection with SHA1.
switch:admin>
ipsecconfig --add policy ips sa -t AH01 -p ah -auth hmac_sha1