Example of an end-to-end transport tunnel mode – Dell POWEREDGE M1000E User Manual


Fabric OS Administrator's Guide, 53-1002745-02, page 238
Chapter 7: Management interface security

10. Verify that traffic is protected.

   a. Initiate a telnet, SSH, or ping session between the two switches.

   b. Verify that the IP traffic is encapsulated.

   c. Monitor the IPsec SAs that IKE created for the above traffic flow.

   Use the ipsecConfig --show manual-sa -a command with the specified operands to
   display the outbound and inbound SAs in the kernel SADB.

   Use the ipsecConfig --show policy ips sa -a command with the specified operands to
   display all IPsec SA policies.

   Use the ipsecConfig --show policy ips sa-proposal -a command with the specified
   operands to display IPsec proposals.

   Use the ipsecConfig --show policy ips transform -a command with the specified
   operands to display IPsec transforms.

   Use the ipsecConfig --show policy ips selector -a command with the specified
   operands to display IPsec traffic selectors.

   Use the ipsecConfig --show policy ike -a command with the specified operands to
   display IKE policies.

   Use the ipsecConfig --flush manual-sa command with the specified operands to
   flush the created SAs from the kernel SADB.
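Step 10b asks you to verify that the IP traffic is encapsulated. The following is an added example, not code from the Fabric OS guide, of performing that check offline in Python on raw IPv4 packet bytes, such as the bytes of one frame from a capture taken on the external host (reading a capture file is not included and is assumed to be done separately). It parses the IPv4 header, confirms that the protocol is AH (51) and that the packet is between the two peers, parses the Authentication Header (RFC 4302) and checks that the ICV length matches the hmac_md5 algorithm used in the example on this page. The peer addresses are taken from that example; the two sample packets are constructed in the code (they are not real captures and their checksums are left at zero), and the ICV itself is not verified because that needs the SA key held only by the endpoints.

```python
import struct
import ipaddress

IPPROTO_ICMP = 1
IPPROTO_IPIP = 4   # an inner IPv4 header after AH means tunnel mode, not transport
IPPROTO_AH = 51
HMAC_MD5_96_ICV_LEN = 12  # HMAC-MD5-96 (RFC 2403) truncates the MAC to 96 bits

# Addresses from the example on this page: switch BROCADE300 and the external host.
PEERS = {"10.33.74.13", "10.33.69.132"}


def parse_ipv4(pkt: bytes) -> dict:
    """Parse the fixed part of an IPv4 header and return protocol, addresses and payload."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than an IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(pkt) < total_len:
        raise ValueError("malformed IPv4 header")
    return {
        "proto": proto,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "payload": pkt[ihl:total_len],   # IP options (if any) are skipped via IHL
    }


def parse_ah(payload: bytes) -> dict:
    """Parse an IP Authentication Header (RFC 4302): next header, SPI, sequence number, ICV."""
    if len(payload) < 12:
        raise ValueError("payload shorter than the fixed AH header")
    next_hdr, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", payload[:12])
    ah_len = (payload_len + 2) * 4       # Payload Len is in 32-bit words, minus 2
    if len(payload) < ah_len:
        raise ValueError("AH Payload Len runs past the end of the packet")
    return {
        "next_header": next_hdr,
        "spi": spi,
        "seq": seq,
        "icv": payload[12:ah_len],
        "inner": payload[ah_len:],
    }


def check_ah_transport(pkt: bytes, peers: set, icv_len: int = HMAC_MD5_96_ICV_LEN):
    """Return (ok, reason): is pkt an AH transport-mode packet between the configured peers?

    The ICV is not verified here; that needs the SA key, which only the two endpoints hold.
    """
    try:
        ip = parse_ipv4(pkt)
    except ValueError as exc:
        return False, f"not a valid IPv4 packet: {exc}"
    if {ip["src"], ip["dst"]} != set(peers):
        return False, f"{ip['src']} -> {ip['dst']} is not the configured flow"
    if ip["proto"] != IPPROTO_AH:
        return False, f"IP protocol {ip['proto']} is not AH (51): traffic is NOT encapsulated"
    try:
        ah = parse_ah(ip["payload"])
    except ValueError as exc:
        return False, f"bad AH header: {exc}"
    if len(ah["icv"]) != icv_len:
        return False, f"ICV is {len(ah['icv'])} bytes, expected {icv_len} for hmac_md5"
    if ah["next_header"] == IPPROTO_IPIP:
        return False, "AH carries an inner IPv4 header: this is tunnel mode, not transport"
    return True, (f"AH transport mode, SPI 0x{ah['spi']:08x}, seq {ah['seq']}, "
                  f"next header {ah['next_header']}")


def _ipv4_header(proto: int, payload_len: int) -> bytes:
    """Constructed IPv4 header switch -> host; the header checksum is left at 0 (not valid)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000, 64, proto, 0,
                       ipaddress.IPv4Address("10.33.74.13").packed,
                       ipaddress.IPv4Address("10.33.69.132").packed)


def build_sample_ah_packet() -> bytes:
    """Constructed sample (not a real capture): ICMP echo request from the switch to the host,
    protected by AH in transport mode with a 12-byte dummy ICV (SPI 0x1001, seq 1)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x0001, 0x0001)
    ah = struct.pack("!BBHII", IPPROTO_ICMP, 4, 0, 0x00001001, 1) + bytes(range(12))
    return _ipv4_header(IPPROTO_AH, len(ah) + len(icmp)) + ah + icmp


def build_sample_plain_packet() -> bytes:
    """Constructed sample: the same ICMP echo sent unprotected (what step 10b must NOT see)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x0001, 0x0001)
    return _ipv4_header(IPPROTO_ICMP, len(icmp)) + icmp


if __name__ == "__main__":
    for name, pkt in (("AH", build_sample_ah_packet()), ("plain", build_sample_plain_packet())):
        ok, reason = check_ah_transport(pkt, PEERS)
        print(f"{name:5s} {'PROTECTED' if ok else 'UNPROTECTED'}: {reason}")
```

A 12-byte ICV also applies to HMAC-SHA1-96; for an SA that uses HMAC-SHA-256-128 pass icv_len=16. Run the check over every packet in the capture between the two peers: any packet that comes back with "is not AH (51)" is traffic that bypassed the SA, which is exactly what step 10b is meant to catch.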

Example of an end-to-end transport tunnel mode

This example illustrates securing traffic between two systems using AH protection with MD5 and
configuring IKE with pre-shared keys. The two systems are a switch, BROCADE300 (IPv4 address
10.33.74.13), and an external host (10.33.69.132).

NOTE

A backslash ( \ ) is used to skip the return character so you can continue the command on the next
line without the return character being interpreted by the shell.

1. On the system console, log in to the switch as Admin.

2. Enable IPsec.

   a. Connect to the switch and log in using an account with admin permissions, or an account
      with OM permissions for the IPsec RBAC class of commands.

   b. Enter the ipsecConfig --enable command to enable IPsec on the switch.

3. Create an IPsec SA policy named AH01, which uses AH protection with MD5.

   switch:admin> ipsecconfig --add policy ips sa -t AH01 \
   -p ah -auth hmac_md5

4. Create an IPsec proposal IPsec-AH that uses AH01 as its SA.

   switch:admin> ipsecconfig --add policy ips sa-proposal \
   -t IPsec-AH -sa AH01

5. Configure the SA proposal's lifetime in seconds (-lttime). The maximum lifetime is 86400, or one day.

   switch:admin> ipsecconfig --add policy ips sa-proposal \
   -t IPsec-AH -lttime 86400 -sa AH01
