Brocade Communications Systems 8 Command Reference Manual page 466

Fabric os command reference manual supporting fabric

ipSecConfig
Modify existing IPSec and IKE policies.
Delete existing policies and SAs from the configuration database.
Flush existing SAs from the kernel SA database (SADB).
Display policy parameters.

Representation of IP addresses
When configuring IPSec policies, IP addresses and ports must be specified in the following format:

IP address
    IPv4 addresses are expressed in dotted decimal notation consisting of numeric characters (0-9) and periods (.), for example, 203.178.141.194.
    IPv6 addresses consist of hexadecimal digits (0-9, a-f, A-F), colons (:) and a percent sign (%) if necessary, for example, 2001:200:0:8002:203:47ff:fea5:3085
network prefix
    A network prefix is represented by a number followed by a slash (/), for example: ::1/0.

Notes
IPSec configuration changes take effect upon execution and are persistent across reboot.
The execution of this command is subject to Virtual Fabric or Admin Domain restrictions that may be in place. Refer to chapter 1, "Using Fabric OS commands" and Appendix A, "Command Availability" for details.
This command does not provide IPSec protection for traffic flows on external management interfaces of intelligent blades in a chassis, nor does it support protection of traffic flows on FCIP interfaces.
This command does not support manipulating preshared keys corresponding to the identity of the IKE peer or group of peers. Use secCertUtil to import, delete, or display the preshared keys in the local switch database.
The MD5 hash algorithm is blocked when FIPS mode is enabled.
Refer to the example section for specific use cases and associated command sequences. Refer to the Fabric OS Administrator's Guide for configuration procedures.
This command accepts abbreviated operands. The abbreviated string must contain the minimum number of characters necessary to uniquely identify the operand within the set of available operands.

Operands
This command has the following operands:

--enable
    Enables IPSec on the switch. Existing IPSec configurations are enabled by this command. IPSec is by default disabled. It must be enabled before you can configure the policies and parameters. The following operand is optional:
    default
        Clears the existing policies (automatic key management and manual keyed entries) and resets the configuration databases to default values.
--disable
    Disables IPSec on the switch. All active TCP sessions are terminated when you disable IPSec.
--add | --modify
    Adds or modifies an IPSec or IKE policy in an existing enabled configuration. Not all parameters can be modified. Parameters that cannot be modified are indicated below. When modifying a policy, the names and identifiers need to refer to valid existing entities. The syntax is as follows:
    --add | --modify type [subtype] [arguments]
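
The address forms listed under "Representation of IP addresses" can be checked before they are typed into a policy; the sketch below is an added example, not taken from the manual or from Fabric OS, and it also reports when a prefix has host bits set or a length of 0 (which covers every address of that family). The names parse_selector and Selector are hypothetical, fe80::1%eth0 is a constructed input, and how Fabric OS itself validates these strings is not shown on this page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Selector:
    version: int                # 4 or 6
    address: str                # canonical address text, zone removed
    zone: Optional[str]         # text after '%', IPv6 only
    prefix_len: Optional[int]   # None when no "/n" was given
    network: Optional[str]      # prefix with host bits cleared
    host_bits_set: bool         # address part is not the network address
    matches_all: bool           # prefix length 0 covers the whole family


def parse_selector(text: str) -> Selector:
    """Parse one address or address/prefix string; raise ValueError if malformed."""
    addr_part, slash, prefix_part = text.strip().partition("/")
    host, pct, zone = addr_part.partition("%")
    addr = ipaddress.ip_address(host)          # ValueError on bad syntax
    if pct and (addr.version != 6 or not zone):
        raise ValueError(f"zone index only valid on IPv6: {text!r}")
    if not slash:
        return Selector(addr.version, str(addr), zone or None,
                        None, None, False, False)
    if not (prefix_part.isascii() and prefix_part.isdigit()):
        raise ValueError(f"prefix length must be a number: {text!r}")
    plen = int(prefix_part)
    if plen > addr.max_prefixlen:
        raise ValueError(f"prefix length out of range: {text!r}")
    # strict=False clears host bits instead of rejecting them, so the
    # manual's own "::1/0" parses and is reported as the network ::/0.
    net = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
    return Selector(addr.version, str(addr), zone or None, plen, str(net),
                    net.network_address != addr, plen == 0)


if __name__ == "__main__":
    # The three examples printed on this page, plus one constructed zone case.
    for s in ("203.178.141.194", "2001:200:0:8002:203:47ff:fea5:3085",
              "::1/0", "fe80::1%eth0"):
        print(s, "->", parse_selector(s))
```
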
Fabric OS Command Reference
53-1001764-02
