Ipsecconfig - Brocade Communications Systems Brocade 8/12c Command Reference Manual

Brocade Fabric OS Command Reference Manual supporting Fabric OS v7.0.0 (April 2011)

ipSecConfig
Configures Internet Protocol security (IPSec) policies for Ethernet management interfaces.
SYNOPSIS
ipsecconfig --enable [default] --disable
ipsecconfig --add | --modify type [subtype] [arguments]
ipsecconfig --delete [type] arguments
ipsecconfig --flush manual-sa
ipsecconfig --show type [subtype] arguments
ipsecconfig --help [command_type subtype]
DESCRIPTION
Use this command to configure the Internet Protocol Security (IPSec) feature for traffic flows on switch
Ethernet management interfaces, or to display the current configuration.
Internet Protocol security (IPSec) is a framework of open standards that provides private, secure
communication over Internet Protocol (IP) networks through the use of cryptographic security services.
IPSec uses different protocols to ensure the authentication, integrity, and confidentiality of the
communication.
- Encapsulating Security Payload (ESP) provides confidentiality, data integrity and data source
  authentication of IP packets, and protection against replay attacks.
- Authentication Header (AH) provides data integrity, data source authentication, and protection
  against replay attacks, but unlike ESP, AH does not provide confidentiality.
IPSec can protect either the entire IP datagram or only the upper-layer protocols. The appropriate modes
are called tunnel mode and transport mode.
- In tunnel mode the IP datagram is fully encapsulated by a new IP datagram using the IPSec
  protocol.
- In transport mode only the payload of the IP datagram is handled by the IPSec protocol; it inserts the
  IPSec header between the IP header and the upper-layer protocol header.
The IPSec key management supports Internet Key Exchange (IKE) or Manual key/SA entry.
- In IKE the IPSec protocol negotiates shared security parameters and keys. Security Associations
  (SAs) used in IKE use automatically generated keys for authentication negotiation between peers.
- Manual key/SA entry requires the keys to be generated and managed manually, and it is therefore
  suited for small static environments. For the selected authentication or encryption algorithms, the
  correct keys must be generated. The key length is determined by the algorithm selected. Refer to
  the Fabric OS Administrator's Guide for more information.
The following IPSec configuration tasks can be performed with this command:
- Enable or disable the IPSec policies.
- Configure IP address for both IPv4 and IPv6 format.
- Configure three types of policies and their respective components:
  - IPSec policy including selector, transform, SA-proposal, and SA.
  - IKE policy (automatic key management).
  - Manual SA (manual SA management).
- Modify existing IPSec and IKE policies.
- Delete existing policies and SAs from the configuration database.
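The AH/ESP and tunnel/transport distinctions in the DESCRIPTION, shown on the wire in an added example that is not part of the Brocade manual: it builds constructed IPv4 packets and reports what an on-path observer can read from each. The addresses, SPI values and helper names are assumptions, and the IPv4 checksum and AH ICV are zero placeholders because only the header layout is demonstrated.

```python
import struct

AH, ESP, IPIP, IPV6, TCP = 51, 50, 4, 41, 6  # IANA protocol numbers

def ipv4(proto, src, dst, payload):
    """20-byte IPv4 header plus payload; checksum left 0 (layout demo only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       64, proto, 0, bytes(src), bytes(dst)) + payload

def ah(next_hdr, spi, seq, icv=bytes(12)):
    """AH header (RFC 4302). ICV is a zero placeholder, not a real HMAC."""
    words_minus_2 = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_hdr, words_minus_2, 0, spi, seq) + icv

def esp(spi, seq, opaque):
    """ESP (RFC 4303): only SPI and sequence number travel in cleartext."""
    return struct.pack("!II", spi, seq) + opaque

def classify(pkt):
    """Return (protocol, mode, spi, seq) as visible to an on-path observer."""
    ihl = (pkt[0] & 0x0F) * 4
    proto, body = pkt[9], pkt[ihl:]
    if proto == AH:
        nxt, _, _, spi, seq = struct.unpack("!BBHII", body[:12])
        # AH is not encrypted, so Next Header reveals the mode:
        # an inner IP datagram means tunnel, anything else transport.
        return ("AH", "tunnel" if nxt in (IPIP, IPV6) else "transport", spi, seq)
    if proto == ESP:
        spi, seq = struct.unpack("!II", body[:8])
        # ESP's Next Header sits in the encrypted trailer: mode is not visible.
        return ("ESP", "hidden", spi, seq)
    return ("none", None, None, None)

# Constructed sample data (documentation address ranges, made-up SPIs).
HOST_A, HOST_B = (192, 0, 2, 10), (192, 0, 2, 20)
GW_A, GW_B = (198, 51, 100, 1), (198, 51, 100, 2)
TCP_SEG = bytes(20)                      # stand-in for a TCP header
INNER = ipv4(TCP, HOST_A, HOST_B, TCP_SEG)

AH_TRANSPORT = ipv4(AH, HOST_A, HOST_B, ah(TCP, 0x1001, 1) + TCP_SEG)
AH_TUNNEL = ipv4(AH, GW_A, GW_B, ah(IPIP, 0x1002, 1) + INNER)
ESP_PACKET = ipv4(ESP, HOST_A, HOST_B, esp(0x2001, 7, bytes(32)))

if __name__ == "__main__":
    for name, pkt in [("AH transport", AH_TRANSPORT), ("AH tunnel", AH_TUNNEL),
                      ("ESP", ESP_PACKET)]:
        print(f"{name:13} {len(pkt):3} bytes -> {classify(pkt)}")
```

The tunnel-mode packet is 20 bytes longer than the transport-mode one because it carries the complete inner IP header behind the AH header.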
Fabric OS Command Reference
53-1001764-01
