Ipsecconfig - Brocade Communications Systems Brocade 8/12c Command Reference Manual

Brocade Fabric OS Command Reference Manual supporting Fabric OS v6.4.0 (53-1001764-01, March 2010)

ipSecConfig

Configures Internet Protocol security (IPSec) policies for Ethernet management interfaces.
Synopsis
ipsecconfig --enable [default] --disable
ipsecconfig --add | --modify type [subtype] [arguments]
ipsecconfig --delete [type] arguments
ipsecconfig --flush manual-sa
ipsecconfig --show type [subtype] arguments
ipsecconfig --help [command type subtype]
Description
Use this command to configure the Internet Protocol Security (IPSec) feature for traffic flows on
switch Ethernet management interfaces, or to display the current configuration.
Internet Protocol security (IPSec) is a framework of open standards that provides private, secure
communication over Internet Protocol (IP) networks through the use of cryptographic security
services.
IPSec uses different protocols to ensure the authentication, integrity, and confidentiality of the
communication.
- Encapsulating Security Payload (ESP) provides confidentiality, data integrity and data source
  authentication of IP packets, and protection against replay attacks.
- Authentication Header (AH) provides data integrity, data source authentication, and protection
  against replay attacks, but unlike ESP, AH does not provide confidentiality.
IPSec can protect either the entire IP datagram or only the upper-layer protocols. The appropriate
modes are called tunnel mode and transport mode.
- In tunnel mode the IP datagram is fully encapsulated by a new IP datagram using the IPSec
  protocol.
- In transport mode only the payload of the IP datagram is handled by the IPSec protocol; it
  inserts the IPSec header between the IP header and the upper-layer protocol header.
The IPSec key management supports Internet Key Exchange (IKE) or Manual key/SA entry.
- In IKE the IPSec protocol negotiates shared security parameters and keys. Security
  Associations (SAs) used in IKE use automatically generated keys for authentication negotiation
  between peers.
- Manual key/SA entry requires the keys to be generated and managed manually, and it is
  therefore suited for small static environments. For the selected authentication or encryption
  algorithms, the correct keys must be generated. The key length is determined by the algorithm
  selected. Refer to the Fabric OS Administrator's Guide for more information.
The following IPSec configuration tasks can be performed with this command:
- Enable or disable the IPSec policies.
- Configure IP address for both IPv4 and IPv6 format.
- Configure three types of policies and their respective components:
  - IPSec policy including selector, transform, SA-proposal, and SA.
  - IKE policy (automatic key management).
  - Manual SA (manual SA management).
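
The transport-mode and tunnel-mode layouts described above, shown for AH as an added Python example (not part of the Brocade manual and not Fabric OS code): it shows where the AH header lands in each mode and that AH authenticates the packet without hiding the payload. HMAC-SHA1-96 is chosen here as the integrity algorithm; the addresses, SPI, key and payload are constructed, the IPv4 checksum is left at zero, and the transport-mode IP header is rebuilt with default fields.

```python
import hashlib, hmac, socket, struct

AH_PROTO, ICV_LEN = 51, 12   # IP protocol number for AH; HMAC-SHA1-96 truncates to 12 bytes
KEY = bytes(range(20))       # constructed 20-byte manual key (HMAC-SHA1 length), not a real secret

def ipv4(src, dst, proto, payload, ttl=64):
    """Minimal 20-byte IPv4 header (checksum left 0 for brevity) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

INNER = ipv4("192.0.2.10", "192.0.2.20", 6, b"constructed upper-layer data")  # sample datagram

def compute_icv(key, ip_hdr, ah_zero_icv, rest):
    """MAC over IP header (mutable fields zeroed), AH header with zero ICV, and the rest."""
    h = bytearray(ip_hdr)
    h[1] = h[8] = 0                    # TOS and TTL change in transit
    h[6:8] = h[10:12] = b"\0\0"        # flags/fragment offset and header checksum
    return hmac.new(key, bytes(h) + ah_zero_icv + rest, hashlib.sha1).digest()[:ICV_LEN]

def ah_protect(pkt, key, spi, seq, tunnel=None):
    """Apply AH. tunnel=(gw_src, gw_dst) selects tunnel mode; None selects transport mode."""
    if tunnel:   # tunnel mode: the whole original datagram becomes the protected payload
        src, dst, next_hdr, rest = tunnel[0], tunnel[1], 4, pkt   # 4 = IPv4-in-IP
    else:        # transport mode: AH sits between the IP header and the upper-layer header
        src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
        next_hdr, rest = pkt[9], pkt[20:]
    # AH fixed part: next header, length in 32-bit words minus 2, reserved, SPI, sequence number
    ah = struct.pack("!BBHII", next_hdr, (12 + ICV_LEN) // 4 - 2, 0, spi, seq)
    outer = ipv4(src, dst, AH_PROTO, ah + bytes(ICV_LEN) + rest)[:20]
    return outer + ah + compute_icv(key, outer, ah + bytes(ICV_LEN), rest) + rest

def ah_verify(pkt, key):
    """Recompute the ICV on a received AH packet and compare in constant time."""
    ip_hdr, ah, icv, rest = pkt[:20], pkt[20:32], pkt[32:32 + ICV_LEN], pkt[32 + ICV_LEN:]
    return hmac.compare_digest(icv, compute_icv(key, ip_hdr, ah + bytes(ICV_LEN), rest))

if __name__ == "__main__":
    for name, gw in (("transport", None), ("tunnel", ("198.51.100.1", "198.51.100.2"))):
        p = ah_protect(INNER, KEY, 0x100, 1, tunnel=gw)
        print(name, len(p), "bytes, next header", p[20], "verified", ah_verify(p, KEY))
```

In both modes the upper-layer data stays readable on the wire; only ESP would encrypt it.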