Configuring Ipsec - HP AE370A - Brocade 4Gb SAN Switch 4/12 Administrator's Manual
Hp storageworks fabric os 5.2.x administrator guide (5697-0014, may 2009)
Hide thumbs
Also See for AE370A - Brocade 4Gb SAN Switch 4/12:
- Installation instructions (2 pages) ,
- Administrator's manual (576 pages) ,
- Hardware reference manual (256 pages)
Table of Contents
Advertisement
Table 90
IPSec terminology
Term
3DES
ESP
MD5
SHA
MAC
HMAC
SA
The following limitations apply to using IPSec:
•
IPv6, NAT, and AH are not supported.
•
You can only create a single secure tunnel on a port; you cannot create a nonsecure tunnel on the same
port as a secure tunnel.
•
IPSec specific statistics are not supported.
•
Fastwrite and tape pipelining cannot be used in conjunction with secure tunnels.
•
To change the configuration of a secure tunnel, delete the tunnel and re-create it with the desired
options.
•
Jumbo frames are not supported for IPSec.
•
There is no RAS message support for IPSec.
•
Only a single route is supported on an interface with a secure tunnel.
Configuring IPSec
IPSEC requires predefined configurations for IKE and IPSEC. You can enable IPSEC only when these
configurations are well-defined and properly created in advance.
The following steps provide an overview of the IPSec protocol. All of these steps require that the correct
policies have been created. Because policy creation is an independent procedure from FCIP tunnel
creation, you must know which IPSec configurations have been created. This ensures that you choose the
correct configurations when you enable an IPSEC tunnel.
•
Some traffic from an IPSec peer with the lower local IP address initiates the IKE negotiation process.
•
IKE negotiates SAs and authenticates IPSec peers during phase 1 that sets up a secure channel for
negotiation of phase 2 (IPSec) SAs.
•
IKE negotiates SA parameters, setting up matching SAs in the peers. Some of the negotiated SA
parameters include encryption and authentication algorithms, Diffie-Hellman group and SA lifetimes.
•
Data is transferred between IPSec peers based on the IPSec parameters and keys stored in the SA
database.
•
IPSec tunnel termination. SA lifetimes terminate through deletion or by timing out.
The first step to configuring IPSec is to create a policy for IKE and a policy for IPSec. Once the policies
have been created, you assign the policies when creating the FCIP tunnel.
372 Configuring and monitoring FCIP tunneling
Definition
Triple DES is a more secure variant of DES, it uses 3 different 56-bit keys to
encrypt blocks of 64-bit plain text. The algorithm is FIPS-approved for use by
Federal agencies.
Encapsulating Security Payload is the IPSec protocol that provides
confidentiality, data integrity and data source authentication of IP packets, and
protection against replay attacks.
Message Digest 5, like SHA- 1 , is a popular one-way hash function used for
authentication and data integrity.
Secure Hash Algorithm, like MD5, is a popular one-way hash function used for
authentication and data integrity.
Message Authentication Code is a key-dependent, one-way hash function used
for generating and verifying authentication data.
A stronger MAC because it is a keyed hash inside a keyed hash.
Security association is the collection of security parameters and authenticated
keys that are negotiated between IPSec peers.
- Quick Links:
- Configuring the Ethernet Interface
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
