Using Ipsec With The Cn4093 - Lenovo Flex System Fabric CN4093 Application Manual

Using IPsec with the CN4093

© Copyright Lenovo 2017
IPsec supports the fragmentation and reassembly of IP packets that occurs when
data goes to and comes from an external device. The Lenovo Flex System Fabric
CN4093 10 Gb Converged Scalable Switch acts as an end node that processes any
fragmentation and reassembly of packets but does not forward the IPsec traffic.
The IKEv2 key must be authenticated before you can use IPsec.
The security protocol for the session key is either ESP or AH. Outgoing packets are
labeled with the SA SPI (Security Parameter Index), which the remote device will
use in its verification and decryption process.
Every outgoing IPv6 packet is checked against the IPsec policies in force. For each
outbound packet, after the packet is encrypted, the software compares the packet
size with the MTU size that it either obtains from the default minimum maximum
transmission unit (MTU) size (1500) or from path MTU discovery. If the packet size
is larger than the MTU size, the receiver drops the packet and sends a message
containing the MTU size to the sender. The sender then fragments the packet into
smaller pieces and retransmits them using the correct MTU size.
The maximum traffic load for each IPSec packet is limited to the following:
 IKEv2 SAs: 5
 IPsec SAs: 10 (5 SAs in each direction)
SPDs: 20 (10 policies in each direction)

IPsec is implemented as a software cryptography engine designed for handling
control traffic, such as network management. IPsec is not designed for handling
data traffic, such as a VPN.
Chapter 25: Using IPsec with IPv6
419