Brocade Communications Systems RFS6000 System Reference Manual page 412

Configure a Crypto policy (IKE)
IKE automatically negotiates IPSec security associations and enables secure IPSec
communications without costly manual pre-configuration. IKE eliminates the need to manually
specify all the IPSec security parameters in the Crypto Maps at both peers, allows you to
specify a lifetime for the IPSec security association, allows encryption keys to change during
IPSec sessions and permits Certification Authority (CA) support for a manageable, scalable
IPSec implementation. If you do not want IKE with your IPSec implementation, disable it for
IPSec peers. You cannot have a mix of IKE-enabled and IKE-disabled peers within your IPSec
network.
Configure security association parameters
The use of manual security associations is a result of a prior arrangement between switch
users and the IPSec peer. If IKE is not used for establishing security associations, there is no
negotiation of security associations. The configuration information in both systems must be
the same for traffic to be processed successfully by IPSec.
Define transform sets
A transform set represents a combination of security protocols and algorithms. During the
IPSec security association negotiation, peers agree to use a particular transform set for
protecting data flow.
With manually established security associations, there is no negotiation with the peer. Both
sides must specify the same transform set. If you change a transform set definition, the
change is only applied to Crypto Map entries that reference the transform set. The change is
not applied to existing security associations, but is used in subsequent negotiations to
establish new security associations.
Create Crypto Map entries
When IKE is used to establish security associations, the IPSec peers can negotiate the settings
they use for the new security associations. Therefore, specify lists (such as lists of acceptable
transforms) within the Crypto Map entry.
Apply Crypto Map sets to Interfaces
Assign a Crypto Map set to each interface through which IPSec traffic flows. The security
appliance supports IPSec on all interfaces. Assigning the Crypto Map set to an interface
instructs the security appliance to evaluate all the traffic against the Crypto Map set and use
the specified policy during connection or SA negotiation. Assigning a Crypto Map to an
interface also initializes run-time data structures (such as the SA database and the security
policy database). Reassigning a modified Crypto Map to the interface resynchronizes the
run-time data structures with the Crypto Map configuration. With the switch, a Crypto Map
cannot be applied to more than one interface at a time.
Monitor and maintain IPSec tunnels
New configuration changes only take effect when negotiating subsequent security
associations. If you want the new settings to take immediate effect, clear the existing security
associations so they will be re-established with the changed configuration.
For manually established security associations, clear and reinitialize the security associations
or the changes will not take effect.
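The peer-consistency rules stated in the steps above can be checked before a tunnel is brought up. The following is an added example, not code from this manual or from the switch: the CryptoMap model, the check_peers function, the transform values and the interface names are all constructed for illustration and do not reflect the switch's CLI or configuration format.

```python
from dataclasses import dataclass, field

# A transform set is modelled as (protocol, encryption, authentication).
# These values are constructed for the example.
ESP_AES_SHA = ("esp", "aes-256", "sha1")
ESP_3DES_MD5 = ("esp", "3des", "md5")

@dataclass
class CryptoMap:
    name: str
    use_ike: bool            # False means manually established SAs
    transforms: list         # transform sets, in order of preference
    interfaces: list = field(default_factory=list)

def check_peers(local, remote):
    """Return findings for one tunnel, given the crypto map on each peer."""
    findings = []
    for side, cmap in (("local", local), ("remote", remote)):
        if len(cmap.interfaces) > 1:
            findings.append(f"{side}: map '{cmap.name}' applied to more than one interface")
        elif not cmap.interfaces:
            findings.append(f"{side}: map '{cmap.name}' not applied to any interface")
    if local.use_ike != remote.use_ike:
        findings.append("mix of IKE-enabled and IKE-disabled peers")
        return findings      # comparing transforms across modes is meaningless
    if local.use_ike:
        # IKE negotiates: one transform set acceptable to both sides is enough.
        if not any(t in remote.transforms for t in local.transforms):
            findings.append("IKE: no transform set acceptable to both peers")
    elif local.transforms != remote.transforms:
        # Manual SAs: no negotiation, so both sides must match exactly.
        findings.append("manual SA: transform sets differ between peers")
    return findings

if __name__ == "__main__":
    # Constructed sample peers.
    branch = CryptoMap("branch", True, [ESP_AES_SHA, ESP_3DES_MD5], ["vlan1"])
    hq = CryptoMap("hq", True, [ESP_3DES_MD5], ["vlan10"])
    print(check_peers(branch, hq))
    hq_manual = CryptoMap("hq", False, [ESP_3DES_MD5], ["vlan10", "vlan20"])
    print(check_peers(branch, hq_manual))
```

Transform sets are compared by content rather than by name, because the name given to a transform set is local to each peer.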
For more information on configuring IPSec VPN, refer to the following:
Defining the IPSec Configuration
Defining the IPSec VPN Remote Configuration
Brocade Mobility RFS4000, RFS6000, and RFS7000 System Reference Guide
53-1002515-01
