Example 4 – Dell POWEREDGE M1000E User Manual

Page 477

Advertising
background image

Fabric OS Command Reference

445

53-1001764-02

ipSecConfig

2

3. Create an IPSec SA policy named ESP01, which uses ESP protection with 3DES.

switch:admin>

ipsecconfig --add policy ips sa -t ESP01 -p esp -enc 3des_cbc

4. Create an IPSec proposal IPSEC-AHESP to use an AH01 and ESP01 bundle.

switch:admin>

ipsecconfig --add policy ips sa-proposal -t IPSEC-AHESP -sa AH01,ESP01

5. Import the preshared key file (e.g., ipseckey.psk) using the secCertUtil import command.

6. Create an IKE policy for the remote peer.

switch:admin>

ipsecconfig --add policy ike -t IKE01 -remote 10.33.69.132 -id 10.33.74.13 \

-remoteid 10.33.69.132 -enc 3des_cbc -hash hmac_md5 -prf hmac_md5 \
-auth psk -dh modp1024 -psk ipseckey.psk

7. Create an IPSec transform TRANSFORM01 configured with transport mode to protect traffic

identified for IPSec protection and use IKE01 as a key management policy.

switch:admin>

ipsecconfig --add policy ips transform -t TRANSFORM01 -mode transport \

-sa-proposal IPSEC-AHESP -action protect -ike IKE01

8. Create traffic selectors to protect outbound and inbound traffic.

switch:admin>

ipsecconfig --add policy ips selector -t SELECTOR-OUT \

-d out -l 10.33.74.13 -r 10.33.69.132 -transform TRANSFORM01
switch:admin> ipsecconfig --add policy ips selector -t SELECTOR-IN \
-d in -l 10.33.69.132 -r 10.33.74.13 -transform TRANSFORM01

9. Verify the IPSec SAs using ipSecConfig --show manual-sa -a. Refer to the

“IPSec display

commands”

section for an example.

10. Perform the equivalent steps on the remote peer to complete the IPSec configuration. Refer to

your server administration guide for instructions.

Example 4
Secure traffic between two systems using protection with MD5 and Manually keyed SAs. The two
systems are a switch, the BROCADE300 (IPv4 address 10.33.74.13), and an external UNIX host
(IPv4 address 10.33.69.132).

1. On the system console, log into the switch as Admin and enable IPSec.

switch:admin>

ipsecconfig --enable

2. Create an IPSec Manual SA that uses AH protection with MD5 for outbound traffic:

switch:admin>

ipsecconfig --add manual-sa -spi 0x300 -l 10.33.74.13 -r 10.33.69.132 \

-p any -d out -m transport -ipsec ah -ac protect -auth hmac_md5 -auth-key "TAHITEST89ABCDEF"

3. Create an SA for inbound traffic.

switch:admin>

ipsecconfig --add manual-sa -spi 0x200 -l 10.33.69.132 -r 10.33.74.13 \

-p any -d in -m transport -ipsec ah -ac protect -auth hmac_md5 -auth-key "TAHITEST89ABCDEF"

4. Verify the SAs using ipsecConfig --show manual-sa -a. Refer to the

“IPSec display

commands”

section for an example.

5. Perform the equivalent steps on the remote peer to complete the IPSec configuration. Refer to

your server administration guide for instructions.

Advertising
Popular Brands
Popular manuals