Configuring Ipsec - HP A7533A - Brocade 4Gb SAN Switch Base Administrator's Manual

Table 100 IPSec terminology
Term
MAC
HMAC
SA
The following limitations apply to using IPSec:
• IPv6, NAT, and AH are not supported.
• You can only create a single secure tunnel on a port; you cannot create a nonsecure tunnel on the same
port as a secure tunnel.
• IPSec specific statistics are not supported.
• Fastwrite and tape pipelining cannot be used in conjunction with secure tunnels.
• To change the configuration of a secure tunnel, delete the tunnel and re-create it with the desired
options.
• Jumbo frames are not supported for IPSec.
• There is no RAS message support for IPSec.
• Only a single route is supported on an interface with a secure tunnel.

Configuring IPSec

IPSEC requires predefined configurations for IKE and IPSEC. You can enable IPSEC only when these
configurations are well-defined and properly created in advance.
The following steps provide an overview of the IPSec protocol. All of these steps require that the correct
policies have been created. Because policy creation is an independent procedure from FCIP tunnel
creation, you must know which IPSec configurations have been created. This ensures that you choose the
correct configurations when you enable an IPSEC tunnel.
• Some traffic from an IPSec peer with the lower local IP address initiates the IKE negotiation process.
IKE negotiates SAs and authenticates IPSec peers during phase 1 that sets up a secure channel for
•
negotiation of phase 2 (IPSec) SAs.
• IKE negotiates SA parameters, setting up matching SAs in the peers. Some of the negotiated SA
parameters include encryption and authentication algorithms, Diffie-Hellman group and SA lifetimes.
• Data is transferred between IPSec peers based on the IPSec parameters and keys stored in the SA
database.
• IPSec tunnel termination. SA lifetimes terminate through deletion or by timing out.
The first step to configuring IPSec is to create a policy for IKE and a policy for IPSec. Once the policies
have been created, you assign the policies when creating the FCIP tunnel.
IKE negotiates SA parameters and authenticates the peer using the preshared key authentication method.
Once the 2 phases of the negotiation are completed successfully, the actual encrypted data transfer can
begin.
IPSec policies are managed using the policy command.
You can configure up to 32 IKE and 32 IPSec policies. Policies cannot be modified; they must be deleted
and recreated in order to change the parameters. You can delete and recreate any policy as long as the
policy is not being used by an active FCIP tunnel.
Each FCIP tunnel is configured separately and may have the same or different IKE and IPSec policies as
any other tunnel. Only one IPSec tunnel can be configured for each GbE port.
Definition
Message Authentication Code is a key-dependent, one-way hash function used
for generating and verifying authentication data.
A stronger MAC because it is a keyed hash inside a keyed hash.
Security association is the collection of security parameters and authenticated
keys that are negotiated between IPSec peers.
Fabric OS 5.3.0 administrator guide 407