About IKE - Cisco MDS 9000 Series Configuration Manual

Configuring IPSec Network Security
Note
• The Encapsulating Security Payload (ESP) protocol is a header inserted into an existing TCP/IP packet, the size of which depends on the actual encryption and authentication algorithms negotiated. To avoid fragmentation, the encrypted packet fits into the interface maximum transmission unit (MTU). The path MTU calculation for TCP takes into account the addition of ESP headers, plus the outer IP header in tunnel mode, for encryption. The MDS switches allow 100 bytes for packet growth for IPsec encryption.
• IPsec encryption is not supported on FCIP tunnels with MTU greater than 2500. We recommend that you configure an MTU of 2500 or less when FCIP and IPsec are being used together.
• When using IPsec and IKE, each Gigabit Ethernet interface on the IPS module (either on 14+2 LC or 18+4 LC) must be configured in its own IP subnet. If there are multiple Gigabit Ethernet interfaces configured with an IP address or network mask in the same IP subnet, IKE packets may not be sent to the right peer and thus the IPsec tunnel will not come up.

Figure 9: FCIP and iSCSI Scenarios Using MPS-14/2 Modules, on page 169 shows different IPsec scenarios.

Figure 9: FCIP and iSCSI Scenarios Using MPS-14/2 Modules

About IKE

IKE automatically negotiates IPsec security associations and generates keys for all switches using the IPsec feature. Specifically, IKE provides these benefits:

Cisco MDS 9000 Series Security Configuration Guide, Release 8.x
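The MTU and subnet constraints in the note above can be checked before a tunnel is brought up. The following is an added example, not code from the Cisco guide: it audits a constructed port inventory for Gigabit Ethernet interfaces that share an IP subnet and for FCIP ports using IPsec with an MTU above 2500. The interface names, addresses, tuple layout and function name are assumptions made for illustration.

```python
import ipaddress
from itertools import combinations

FCIP_IPSEC_MAX_MTU = 2500  # limit stated in the note for FCIP tunnels with IPsec

# Constructed inventory for one switch where IPsec/IKE is in use (hypothetical values):
# (interface name, "address/prefix", configured MTU, FCIP tunnel uses IPsec)
SAMPLE_PORTS = [
    ("GigabitEthernet2/1", "10.10.1.1/24", 2300, True),
    ("GigabitEthernet2/2", "10.10.1.65/26", 2300, True),  # falls inside 10.10.1.0/24
    ("GigabitEthernet2/3", "10.10.2.1/24", 3000, True),   # MTU above 2500 with IPsec
    ("GigabitEthernet2/4", "10.10.3.1/24", 9000, False),  # no IPsec: MTU rule not applied
]


def audit_ports(ports):
    """Return (check, detail) findings for the note's subnet and MTU constraints."""
    findings = []
    nets = []
    for name, addr, _mtu, _ipsec in ports:
        try:
            # ip_interface accepts a host address with prefix; .network is its subnet
            nets.append((name, ipaddress.ip_interface(addr).network))
        except ValueError as exc:
            findings.append(("bad-address", f"{name}: {exc}"))

    # Each interface must be in its own subnet, otherwise IKE packets
    # may not be sent to the right peer. overlaps() also catches a
    # smaller subnet nested inside a larger one.
    for (a, net_a), (b, net_b) in combinations(nets, 2):
        if net_a.overlaps(net_b):
            findings.append(("shared-subnet", f"{a} ({net_a}) overlaps {b} ({net_b})"))

    # IPsec is not supported on FCIP tunnels with MTU greater than 2500.
    for name, _addr, mtu, fcip_ipsec in ports:
        if fcip_ipsec and mtu > FCIP_IPSEC_MAX_MTU:
            findings.append(("mtu-too-large", f"{name}: MTU {mtu} > {FCIP_IPSEC_MAX_MTU}"))
    return findings


if __name__ == "__main__":
    for check, detail in audit_ports(SAMPLE_PORTS):
        print(f"{check}: {detail}")
```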
