About Ipsec Pre-Shared Keys; About Ipsec Policies; Ipsec Considerations And Limitations - Dell EqualLogic PS6100 series Configuration Manual

You can generate certificates suitable for use in IPsec connections to the PS Series using any
Windows, OpenSSL, or other commercial Certificate Authority product.
You can use the Group Manager CLI to import, display, and delete certificates. using the IPsec
certificate commands. See the Dell EqualLogic Group Manager CLI Reference Guide for more
information.
6.3.6

About IPsec Pre-Shared Keys

In addition to using certificates, you can use pre-shared keys to authenticate secured connections.
Pre-shared keys are identical strings that are specified at both ends of the communications pathway.
This allows the systems to correctly identify each other.
You can use either ASCII or hexadecimal strings. ASCII can be used in most situations. However, you
can also use hexadecimal strings if your organization mandates their use, if you have systems that do
not support the use of ASCII strings, or if you want to use unsupported characters.
6.3.7

About IPsec policies

Traffic that meets the conditions stipulated by the policy can either be passed, dropped, or protected
using an IPsec security parameter associated with the policy.
You can use IPsec policies to apply IPsec protection to traffic that meets one or more of the following
criteria:
•
Data traveling to or from specific IP addresses, or a range of IP addresses defined by a specific
subnet or netmask
•
IPv4 or IPv6 traffic
•
Specific network protocols: TCP, UDP, or ICMP (either IPv4 or IPv6)
Unless explicitly specified by the policy, traffic is allowed to pass. If you want to drop all traffic that is
not explicitly protected or passed, you must create an IPsec policy that drops traffic by default.
If there are multiple IPsec policies in place, the system determines their priority by the order in which
they were created; policies created first take precedence over policies created later.
You can also use IPsec policies to determine what traffic is being protected using IPsec, and what
traffic is being passed or dropped without encryption.
IPsec policies are managed using the IPsec policy commands. See the Dell EqualLogic Group Manager
CLI Reference Guide for more information.
6.3.8

IPsec considerations and limitations

The limitations listed in the sections below apply when implementing IPsec.
Configuration limitations
•
IPsec is only supported for certain PS Series array models, and can only be enabled for a group if
all members support IPsec. See the Dell EqualLogic PS Series Storage Arrays Release Notes for
more information.
•
IPsec can only be enabled and configured using the Group Manager CLI. The Group Manager GUI
provides no facility for configuring or monitoring IPsec.
•
The PS Series array does not serve as an IPsec-secured gateway; it only behaves as an IPsec-
secured host.
•
You cannot use the save-config CLI command to preserve the group's IPsec certificates and pre-
shared keys. The save-config command saves the CLI commands that were used to configure
IPsec, but it does not save certificates that have been transferred to the array using FTP. Therefore,
when you restore a configuration, you must manually restore any configuration options set using
the IPsec certificate load, IPsec security-params create certificate, and IPsec security-params pre-
shared-key commands.
March 2013 Dell EqualLogic Configuration Guide v14.1 6-58