Enabling IPsec and IKE Policies - Brocade Communications Systems StoreFabric SN6500B Administrator's Manual

Brocade Fabric OS FCIP Administrator's Guide v7.1.0 (53-1002748-01, March 2013)

Enabling IPsec and IKE policies

IPsec is configured at the FCIP tunnel level, not at the circuit level. It is enabled as an option of the
portcfg fciptunnel create and modify commands. The -i option activates IPsec. The -K option
specifies the IKE key. The -l (legacy) option selects the IPsec connection process
compatible with Fabric OS releases prior to v7.0.0. Note that this option is a disruptive modify
request that causes the tunnel to bounce.
The IKE key must be a shared 32-character string. Both ends of the secure tunnel must be
configured with the same key string, referred to as a pre-shared key (PSK). If both ends are not
configured with the same key, the tunnel will not come up. The following examples show IPsec and
IKE keys enabled for traffic from VE_Ports 16 and 17 across multiple FCIP circuits.
portcfg fciptunnel 16 create 192.168.0.90 192.168.0.80 50000 -x 0 -d c0 -i -K12345678901234567890123456789012 -l
portcfg fcipcircuit 16 create 1 192.168.1.90 192.168.1.80 50000 -x 0
portcfg fcipcircuit 16 create 2 192.168.2.90 192.168.2.80 50000 -x 0
portcfg fcipcircuit 16 create 3 192.168.3.90 192.168.3.80 50000 -x 0
portcfg fcipcircuit 16 create 4 192.168.4.90 192.168.4.80 50000 -x 0
portcfg fcipcircuit 16 create 5 192.168.5.90 192.168.5.80 50000 -x 0

IPsec implementation over FCIP tunnels

IKEv2 uses UDP port 500 to communicate between the peer switches or blades.
All IKEv2 traffic is protected using AES-GCM-ESP encryption.
Authentication requires the generation and configuration of 32-byte pre-shared secrets for each tunnel.
An SHA-512 hash message authentication code (HMAC) is used to check data integrity and detect third-party tampering.
A pseudo-random function (PRF) is used to strengthen security. The PRF algorithm generates output that appears to be random data, using the SHA-512 HMAC as the seed value.
A 2048-bit Diffie-Hellman (DH) group is used for both IKEv2 and IPsec key generation.
The SA lifetime limits the length of time a key is used. When the SA lifetime expires, a new key is generated, limiting the amount of time an attacker has to decipher a key. Depending on the length of time elapsed or the amount of data transferred, parts of a message may be protected by different keys generated as the SA lifetime expires.
For the 7800 switch and FX8-24 blade, the SA lifetime is approximately eight hours or two billion frames of data. The lifetime is based upon datagrams that have been encrypted over the tunnel, regardless of the number of bytes or the time that the tunnel has been up. Once an IPsec SA has been used for 2B datagrams (FC frame batches), a new SA or re-key sequence is initiated.
Encapsulating Security Payload (ESP) is used as the transport mode. ESP uses a hash algorithm to calculate and verify an authentication value, and encrypts only the IP payload.
A circuit in a non-secure tunnel can use the same GbE interface as a circuit in a secure tunnel. Each circuit can have a route configured on that GbE interface.
There are no topology restrictions with IPsec enabled.
Brocade IPsec is a hardware implementation that adds almost no latency to FCIP frame processing.
Brocade IPsec does not preclude the use of compression or QoS.
When Brocade IPsec is enabled, it does not degrade FCIP throughput compared to when IPsec is disabled.
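Added example, not from the Brocade guide: a Python helper for the PSK requirement stated under "Enabling IPsec and IKE policies" above (a 32-character key that must be identical at both ends, or the tunnel never comes up). It draws a key from a CSPRNG, refuses keys of the wrong length, emits the portcfg lines for both ends with the address pairs reversed on the peer, and checks that the two command sets carry the same -K value before they are applied. The reversal of the address arguments on the peer, and the pass-through of the -x/-d options copied from the page's example, are assumptions.

```python
import secrets
import string

# The guide requires a shared 32-character IKE key (PSK), identical at both tunnel ends.
PSK_LENGTH = 32
PSK_ALPHABET = string.ascii_letters + string.digits


def generate_psk() -> str:
    """Draw a fresh 32-character PSK from the OS CSPRNG (secrets module)."""
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(PSK_LENGTH))


def validate_psk(psk: str) -> str:
    """Reject a key that cannot satisfy the 32-character requirement; returns it unchanged."""
    if len(psk) != PSK_LENGTH:
        raise ValueError(f"PSK must be exactly {PSK_LENGTH} characters, got {len(psk)}")
    if any(ch.isspace() for ch in psk):
        raise ValueError("PSK must not contain whitespace (it is passed as one -K token)")
    return psk


def tunnel_commands(ve_port, ip_a, ip_b, rate, circuits, psk, legacy=False, opts="-x 0 -d c0"):
    """portcfg lines for ONE end. ip_a/ip_b are the two tunnel addresses in the order the
    local CLI expects (assumption: the peer lists them in reverse). opts mirrors the
    page's example and is passed through unchanged; circuits is a list of (ip_a, ip_b)."""
    validate_psk(psk)
    tail = f" {opts} -i -K{psk}" + (" -l" if legacy else "")
    lines = [f"portcfg fciptunnel {ve_port} create {ip_a} {ip_b} {rate}{tail}"]
    for cid, (ca, cb) in enumerate(circuits, start=1):
        lines.append(f"portcfg fcipcircuit {ve_port} create {cid} {ca} {cb} {rate} -x 0")
    return lines


def both_ends(ve_port, ip_a, ip_b, rate, circuits, psk, legacy=False):
    """Emit the command set for each end, with every address pair reversed on the peer."""
    local = tunnel_commands(ve_port, ip_a, ip_b, rate, circuits, psk, legacy)
    peer = tunnel_commands(ve_port, ip_b, ip_a, rate, [(cb, ca) for ca, cb in circuits], psk, legacy)
    return local, peer


def psk_from_commands(lines):
    """Pull the -K value out of a portcfg fciptunnel line (None if no IPsec key is present)."""
    for tok in lines[0].split():
        if tok.startswith("-K"):
            return tok[2:]
    return None


def keys_match(local, peer) -> bool:
    """Pre-change check: a missing or mismatched PSK means the tunnel will not come up."""
    k = psk_from_commands(local)
    return k is not None and k == psk_from_commands(peer)
```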