Configuring IPsec
Configuring IPsec on the OmniSwitch
Before configuring IPsec, follow these security best practices:
• Set the Master Security Key. This is used to encrypt SA keys when stored.
• Use SSH, HTTPS, or SNMPv3 to prevent sensitive information such as SA keys from being sent in the clear.
• Restrict IPsec commands to authorized users only. This is described in Chapter 6, "Managing Switch User Accounts," in the OmniSwitch AOS Release 8 Switch Management Guide.
Configuring IPsec for securing IPv6 traffic on a switch requires several steps, which are explained below:
• Configure the master security key for the switch, which is used to encrypt and decrypt the configured SA keys. This is described in "Configuring an IPsec Master Key".
• Configure an IPsec Security Policy on the switch. This is described in "Configuring an IPsec Policy" on page 18-11.
• Set an IPsec rule for the configured IPsec Security Policy on the switch. This is described in "Configuring an IPsec Rule".
• Enable the Security Policy. This is described in "Enabling and Disabling a Policy".
• Configure the authentication and encryption keys required for manually configured IPsec Security Associations (SA). This is described in "Configuring IPsec SA Keys" on page 18-16.
• Configure an IPsec Security Association on the switch by setting parameters such as Security Association type, encryption and authentication for SA. This is described in "Configuring an IPsec SA" on page 18-15.
Configuring IPsec for discarding IPv6 traffic on a switch requires a single step:
• Configure the IPsec Discard policy on the switch, which is used to discard or filter the IPv6 packets. This is described in "Discarding Traffic using IPsec".
Configuring an IPsec Master Key
The master security key is used to encrypt and decrypt the configured SA keys that are saved to permanent storage (e.g., boot.cfg file). To set a master security key the first time, simply enter the ipsec security-key command along with a new key value. For example:
-> ipsec security-key new_master_key_1
or
-> ipsec security-key 0x12345678123456781234567812345678
Note. The key value can be specified either in hexadecimal format (16 bytes in length) or as a string (16
characters in length). A warning message is logged if SA keys are set without the Master Key being set.
To change the master security key, specify the old and new key values:
-> ipsec security-key new_master_key_1 new_master_key_2
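
The key formats in the Note above can be checked before a value is entered on the switch. The following Python helper is an added example, not part of the guide or of AOS: it generates a random 16-byte key, validates the two accepted forms, and refuses the sample values printed in this section. The function names, the printable-ASCII rule for string keys, and the treatment of every 0x-prefixed value as hexadecimal are assumptions.

```python
import re
import secrets

# Sample key values printed in the guide; they are public, so never deploy them.
DOC_SAMPLES = {"new_master_key_1", "new_master_key_2",
               "0x12345678123456781234567812345678"}

HEX_KEY = re.compile(r"0x[0-9a-fA-F]{32}")  # 16 bytes = 32 hex digits
# Assumption: the string form is a single CLI token of printable, non-space ASCII.
STR_KEY = re.compile(r"[\x21-\x7e]{16}")


def classify_master_key(value):
    """Return 'hex' or 'string' for a well-formed key, else raise ValueError."""
    if value in DOC_SAMPLES:
        raise ValueError("documentation sample key, not a secret")
    if HEX_KEY.fullmatch(value):
        return "hex"
    # Assumption: anything starting with 0x is meant as hex, so a malformed
    # hex value is rejected instead of being accepted as a 16-character string.
    if value.lower().startswith("0x"):
        raise ValueError("hex key must be exactly 16 bytes (32 hex digits)")
    if STR_KEY.fullmatch(value):
        return "string"
    raise ValueError("string key must be exactly 16 characters")


def generate_master_key():
    """Random 128-bit key in the hexadecimal form, taken from the OS CSPRNG."""
    return "0x" + secrets.token_hex(16)


def set_command(new_key):
    """CLI line for setting the master key the first time."""
    classify_master_key(new_key)
    return f"ipsec security-key {new_key}"


def change_command(old_key, new_key):
    """CLI line for changing the key: old value first, then the new one."""
    classify_master_key(new_key)
    return f"ipsec security-key {old_key} {new_key}"


if __name__ == "__main__":
    print("->", set_command(generate_master_key()))
```

A generated hexadecimal key carries a full 128 bits of randomness, which a 16-character typed string normally does not.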
OmniSwitch AOS Release 8 Network Configuration Guide
December 2017
page 18-10