Configuring IPSec VPN - Brocade Communications Systems RFS6000 System Reference Manual

Provides centralized wireless LAN (WLAN) configuration and management

5. Click the Stop Connection button to terminate the statistic collection of the selected IKE peer.
Configuring IPSec VPN
Use IPSec Virtual Private Network (VPN) to define secure tunnels between two peers. Configure
which packets are sensitive and should be sent through secure tunnels, and what should be used
to protect these sensitive packets. Once configured, an IPSec peer creates a secure tunnel and
sends the packet through the tunnel to the remote peer.
IPSec tunnels are sets of security associations (SA) established between two peers. The security
associations define which protocols and algorithms are applied to sensitive packets, and what
keying material is used by the two peers. Security associations are unidirectional and established
per security protocol.
To configure IPSec security associations, Brocade uses Crypto Map entries. Crypto Map entries
created for IPSec pull together the various parts used to set up IPSec security associations. Crypto
Map entries include transform sets. A transform set is an acceptable combination of security
protocols, algorithms and other settings to apply to IPSec protected traffic.
The Internet Key Exchange (IKE) protocol is a key management protocol standard used in
conjunction with the IPSec standard. IKE automatically negotiates IPSec security associations and
enables IPSec secure communications without costly manual configuration. To support IPSec VPN
functionality, the following configuration activities are required:
• Configure a DHCP Server to assign public IP addresses
  An IPSec client needs an IP address before it can connect to the VPN Server and create an
  IPSec tunnel. A DHCP Server needs to be configured on the interface to distribute public IP
  addresses to the IPSec clients.
• Configure a Crypto policy (IKE)
  IKE automatically negotiates IPSec security associations and enables IPSec secure
  communications without costly manual pre-configuration. IKE eliminates the need to manually
  specify all the IPSec security parameters in the Crypto Maps at both peers, allows you to
  specify a lifetime for the IPSec security association, allows encryption keys to change during
  IPSec sessions and permits Certification Authority (CA) support for a manageable, scalable
  IPSec implementation. If you do not want IKE with your IPSec implementation, disable it for
  IPSec peers. You cannot have a mix of IKE-enabled and IKE-disabled peers within your IPSec
  network.
• Configure security associations parameters
  The use of manual security associations is a result of a prior arrangement between controller
  users and the IPSec peer. If IKE is not used for establishing security associations, there is no
  negotiation of security associations. The configuration information in both systems must be
  the same for traffic to be processed successfully by IPSec.
• Define transform sets
  A transform set represents a combination of security protocols and algorithms. During the
  IPSec security association negotiation, peers agree to use a particular transform set for
  protecting data flow.
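
The consistency rules in the list above (no mix of IKE-enabled and IKE-disabled peers, matching manual security association settings on both systems, a transform set both peers accept) can be checked offline before a tunnel is deployed. The following is an added example, not Brocade code or controller CLI; the `Peer` and `TransformSet` models, their field names, the SPI values and the key labels are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class TransformSet:
    protocol: str     # security protocol: "esp" or "ah"
    encryption: str   # cipher, or "none" when the protocol is AH
    integrity: str    # authentication algorithm

@dataclass
class Peer:
    name: str
    ike_enabled: bool
    transform_sets: list                           # acceptable sets, preferred first
    manual_sa: dict = field(default_factory=dict)  # direction -> (spi, key), manual keying only

def audit_tunnel(a, b):
    """Return findings that would stop peers a and b from protecting traffic."""
    if a.ike_enabled != b.ike_enabled:
        return [f"{a.name}/{b.name}: IKE is enabled on only one peer"]
    findings = []
    if not any(t in b.transform_sets for t in a.transform_sets):
        findings.append(f"{a.name}/{b.name}: no transform set acceptable to both peers")
    if not a.ike_enabled:
        # No negotiation without IKE, and each SA is unidirectional:
        # one peer's outbound SA must equal the other peer's inbound SA.
        for src, dst in ((a, b), (b, a)):
            out_sa, in_sa = src.manual_sa.get("outbound"), dst.manual_sa.get("inbound")
            if out_sa is None or out_sa != in_sa:
                findings.append(f"{src.name} outbound SA does not match {dst.name} inbound SA")
    return findings

def audit_network(tunnels):
    """Audit every tunnel and flag a mix of IKE-enabled and IKE-disabled peers."""
    peers = {p.name: p for pair in tunnels for p in pair}
    findings = []
    if len({p.ike_enabled for p in peers.values()}) > 1:
        findings.append("network mixes IKE-enabled and IKE-disabled peers")
    for a, b in tunnels:
        findings.extend(audit_tunnel(a, b))
    return findings

# Constructed sample configuration (labels only, not taken from a real controller).
ESP_AES256 = TransformSet("esp", "aes-256", "sha-hmac")
ESP_AES128 = TransformSet("esp", "aes-128", "sha-hmac")
hq = Peer("hq", True, [ESP_AES256, ESP_AES128])
branch = Peer("branch", True, [ESP_AES128])
lab = Peer("lab", False, [ESP_AES256], {"outbound": (0x100, "KEY-A"), "inbound": (0x200, "KEY-B")})
lab_gw = Peer("lab-gw", False, [ESP_AES256], {"outbound": (0x200, "KEY-B"), "inbound": (0x101, "KEY-A")})
if __name__ == "__main__":
    print("\n".join(audit_network([(hq, branch), (lab, lab_gw)])))
```

In the sample, the `lab` pair fails because the SPI configured for `lab` outbound (0x100) differs from the one `lab-gw` expects inbound (0x101), the kind of one-sided typo that manual keying does not detect on its own.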
Brocade Mobility RFS6000 and RFS7000 System Reference Guide
53-1001858-01
